
ARTICLE IN PRESS

Journal of Loss Prevention in the Process Industries 21 (2008) 15–28 www.elsevier.com/locate/jlp

A systemic approach to managing safety


Jaime Santos-Reyes a,*, Alan N. Beard b

a Safety, Risk and Reliability Group, SEPI-ESIME, Instituto Politécnico Nacional, Edif. 5, 2o. Piso, U.P. Adolfo Lopez Mateos, Col. Lindavista, CP. 07770, México
b Civil Engineering Section, School of the Built Environment, Heriot-Watt University, Edinburgh EH14 4AS, Scotland, UK

Received 20 April 2007; received in revised form 22 June 2007; accepted 22 June 2007

Abstract

The existing approaches to safety management seem to put emphasis on management functions, guidelines, national and international standards, quality principles, to establish the safety management system (SMS) of organizations. These approaches may represent a step forward to managing safety but may not be enough to address the management of safety effectively. There is a need to adopt a systemic approach to safety management. Systemic may be defined as trying to see things as a whole and attempting to see events, including failure, as products of a working of a system and, within that, see fatality/injury/property loss, etc. as results of the working of systems. A systemic approach has been adopted to construct a systemic safety management system (SSMS) model. The model aims to maintain risk within an acceptable range in the operations of any organization. It is contended here that if the features of the model (i.e. the systems, their associated functions, and the channels of communication) are in place and working effectively then the probability of failure should be less than otherwise. In this way the SSMS has a fundamentally preventive potentiality. It is hoped that this approach will lead to more effective management of safety. © 2007 Elsevier Ltd. All rights reserved.
Keywords: Risk; Safety; System; Systemic; Safety management

1. Introduction

Traditionally, both academe and practitioners have tended to address risk by focusing on technical aspects and looking for the immediate causes of accidents or fire incidents after they have taken place. Major accidents, such as the Toulouse explosion, France (BBC, 2001); Pemex, Mexico (Vidal & Fernández, 2005); the Texas explosion (USCSB, 2007) and the more recent explosion at Buncefield, UK (HSE, 2006) have highlighted the need for addressing safety proactively. In addition to this, the emergence of new regulations and international standards has driven organizations to improve their safety performance. As a result of this, organizations have to some extent shifted from a prescriptive approach to a flexible approach to risk. Under the prescriptive approach, regulations explain how to achieve safety, whilst with the flexible approach, regulations explain what organizations must achieve but leave how they achieve it to them (Crawley, 1999; Kandola, 1997; Weibye, 1996).

Traditionally, safety approaches have emphasized performance failures that immediately precede an accident (Grabowski & Roberts, 1996; Reason, 1991, 1997). These kinds of failures include active failures, which are understood as human errors or violations having an immediate impact on the integrity of a system (Grabowski & Roberts, 1996; Reason, 1997). Researchers have found that the human factor is one of the keys to major disasters (Andreas, 1999; Anjana, 1997). More recently, however, an understanding of organizational errors has been the focus to reduce the frequency of major accidents or disasters (Fortune & Peters, 1995; Grabowski & Roberts, 1996; Hudson et al., 1994; Reason, 1990a, b, 1997). It is clear that addressing organizational failures is as important as focusing on human or technical causes of accidents. A great deal of effort has been made, by academe, regulators and industry, to investigate and develop approaches to address safety and the environment.

* Corresponding author. Tel.: +52 55 57296000x54663; fax: +52 55 57296000x54588. E-mail address: jrsantosr@hotmail.com (J. Santos-Reyes).

0950-4230/$ - see front matter © 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.jlp.2007.06.009

Table 1
Fundamental characteristics of the SSMS model

1. The SSMS and its environment.
2. A recursive structure (i.e. layered) and relative autonomy.
3. A structural organization which consists of a basic unit in which it is necessary to achieve five functions associated with systems 1–5 (see Fig. 1):
   (a) System 1: Safety-Policy Implementation
   (b) System 2: Safety-Co-ordination
   (c) System 3: Safety-Functional
   (d) System 3*: Safety-Audit
   (e) System 4: Safety-Development
   (f) System 4*: Safety-Confidential Reporting System
   (g) System 5: Safety-Policy
   (h) Hot-line

The approaches to safety seem to put emphasis on management functions, guidelines, industry standards, quality principles, to establish the safety management system (SMS) of organizations (BS8800, 2004; BS EN ISO14004, 2004; CCPS, 1989; Druker, 1974; George, 1972; HSE, 1997; ILO-OSH, 2001; IOSH, 1997; OHSAS-18002, 2000). These approaches may represent a step forward to managing safety but may not be enough to address the management of risk effectively. Furthermore, it may be argued that these approaches are systematic. To be systematic is to be methodical or tidy. In this context it means that the approaches tend to concentrate on functions dealing with policy, organizing, planning, audit, measuring performance, etc. All of these functions are necessary but may not be sufficient to achieve effectiveness of a SMS. It is certainly important to be systematic. However, a SMS needs to be more than this; it is also necessary to try to be systemic. In this context it means that a SMS should try to consider the organization in its entirety; i.e. from top to bottom; the channels of communication, the people, etc. In addition, it should take into account the environment; i.e., all those circumstances that lie outside the system to which the system response is necessary; for example political and economic drivers. In short, there is a need for a systemic approach. Systemic may be defined as trying to see things as a whole and attempting to see events, including failure, as results of a working of a system and, within that, see fatality/injury/property loss, etc. as results of the working of systems. A systemic approach has been adopted to construct a systemic safety management system (SSMS) model (the methodology used to construct the model has been described by Santos-Reyes, Beard, & Clark, 2001). This paper presents a new version of the earlier one which was proposed for the management of fire safety (Santos-Reyes & Beard, 2001).
This version addresses the environmental factors in detail and the concept of recursion is being developed further; examples in relation to an oil and gas organization are used in order to illustrate the features of the model.

2. An SSMS model

The SSMS model is intended to maintain risk within an acceptable range in an organization's operations. The model is proposed as a sufficient structure for an effective safety management system. It has a fundamentally preventive potentiality in that if all the sub-systems and connections are present and working effectively the probability of a failure should be less than otherwise. Table 1 lists the characteristics of the model. This section is intended to describe three characteristics of the model; i.e.: (1) the SSMS and its environment; (2) recursive structure; and (3) the structural organization (systems 1–5). It should be pointed out that the details of the characteristics (4), (5), (6) and (7) are described in the references given in Table 1.

Table 1 (continued)

Note: whenever a line appears in Fig. 1 representing the SSMS model, it represents a channel of communication, except for the lines that connect the balancing loop that connects systems 4 and 3.

4. Commitment to Safety. See Santos-Reyes & Beard (2001, 2006a, 2006b, 2006c) for further details about this concept.
5. The concept of MRA (maximum risk acceptable), Viability and acceptable range of risk. See Santos-Reyes and Beard (2006c) for further details about these.
6. Four principles of organization. See Santos-Reyes and Beard (2001, 2006a, b, c) for further details about these.
7. Paradigms are intended to act as templates giving essential features for effective communication, control and human factors. See Santos-Reyes and Beard (2006a, b, c) for details of the application of some of these paradigms.

2.1. The SSMS and its Environment

The organizational structure of the SSMS is shown as interacting in a defined way with its environment through system 1's operations, and through system 4, as illustrated in Fig. 1. Environment may be understood as being those circumstances to which the SSMS response is necessary. Environment lies outside the system but interacts with it; it is the source of circumstances to which the system response is necessary; thus it is important to consider it. System 4 deals with both the total environment, represented as an elliptical broken line symbol, and the safety future environment embedded into the total environment, as shown in Fig. 1. The safety future environment is concerned with threats and opportunities for the future development of safety. If the SSMS is going to be effective it has to have the means to scan, interpret and respond to the implications of all those external factors. Table 2 lists some environmental factors; Waring (1996) describes several external factors that may be considered by the SSMS. A brief description of each of the factors listed in Table 2 will be given in the subsequent sections.


[Figure 1: diagram showing systems 1 to 5 (with 3*, 4* and the hot-line), the SMU, the operations' local environment, the safety future environment and the total environment.]

Fig. 1. A systemic safety management system (SSMS) Model. Note: see Appendix A for a description of the abbreviations and acronyms.

Table 2
Environmental factors

Socio-political factors:
  Legislation
  Safety, health and environmental standards
  Regulatory enforcement
  Major accidents or disasters
  Professional bodies
  Public opinion
  Technology
  Suppliers of goods and services
  Trade unions
  Product and labour markets
  National and local cultures

Economic factors:
  Insurers
  Trading conditions
  Economic interests

Physical factors:
  Geographical location
  Climate

2.1.1. Socio-political

2.1.1.1. Legislation. In general, organizations have to some extent shifted from a reactive approach to a flexible approach to safety. Under the prescriptive approach, regulations explain how to achieve safety, whilst with the flexible approach regulations explain what organizations must achieve but leave how they achieve it to them. In the UK, for example, the health and safety legislation stems from the Health and Safety at Work, etc. Act 1974 (HSWA). HSWA duties are qualified by "so far as reasonably practicable", which means that the costs and risks of taking a particular action need to be weighed against the costs and risks of not taking it.

2.1.1.2. Safety, health and environmental standards. Some organizations derive their SMS from national and international standards such as the ISO 9000 and 14001 series; standards for safety, quality and environment have been described in Section 2. Others prefer to develop their own SMS. In general, national and international standards have an important influence on an organization's SMS.

2.1.1.3. Regulatory enforcement. In many countries there are agencies charged with enforcing health and safety legislation, and these are bound to have an effect on an organization's SMS. For example, the Health and Safety Executive (HSE) is the agency charged with enforcing safety legislation in the UK. Furthermore, these agencies publish detailed guidance on compliance with health and safety legislation.

2.1.1.4. Major accidents or disasters. The occurrence of major accidents or disasters has driven organizations to improve their safety performance. For example, in the UK major changes were emphasized by the Cullen report (Cullen, 1990) into the Piper Alpha disaster. Examples of legislation that address the recommendations made by the Cullen report include, inter alia, the offshore installation Safety Case (HSE, 1992) regulations and the Prevention of Fire and Explosion and Emergency Response (PFEER) regulations (UKOOA, 1995). The Safety Case regulation requires organizations to demonstrate that the offshore installation's operations are acceptably safe. On the other hand, the PFEER regulations involve the prevention of fires and explosions, as well as all aspects of emergency response, including evacuation, escape and rescue.

2.1.1.5. Professional bodies. Professional bodies, whether representing those engaged fully in health and safety at work or those whose work involves considerable health and safety responsibilities, are increasingly seeking to influence safety management in organizations through the practices of their members. For example, in the UK the Institution of Occupational Safety and Health (IOSH) has prepared and published material on a variety of subjects related to safety management. There are also major professional engineering institutions in the UK, such as the Royal Academy of Engineering (RAE), which periodically publishes reports on several issues including risk (see for example, RAE, 2004; Turnbull, 2005). Organizations should be aware of such professional bodies so that they can learn of the state of the art of issues related to safety.

2.1.1.6. Public opinion. Although members of the public may not be aware of topics such as SMSs they are well aware of major accidents and do form opinions about risks and their acceptability.
The opinions are usually expressed through the mass media and these bring pressure on employers and governments to take action. Examples include the Paddington railway accident which occurred in the UK in 1999 (Cullen, 2001) and many others worldwide.

2.1.1.7. Technology. Technology is bound to affect organizations' SMSs since there are usually safety implications. The SMS should examine and assess the implications for safety before such technology is introduced into the organization so that adequate technical and management precautions can be taken. (See Section 2.3.5 for more details about this.)

2.1.1.8. Suppliers of goods and services. Organizations purchase, lease or hire products or services during the course of their operations. These products or materials may pose a risk to the health and safety of the employees; the SMS should include adequate arrangements for monitoring the resources (e.g. materials, men, machines) and information entering the organization, so that hazards and risks are eliminated or minimized.

2.1.1.9. Trade unions. In general, trade unions have promoted health and safety as an essential employment right of their members. In some countries, such as the UK, the trade union safety representatives have statutory rights. Nevertheless, the power of trade unions has diminished in recent years as a result of several factors such as government labour legislation, economic recession, unemployment, part-time working, labour contracting, emergence of new labour efficient technology, etc. However, unions have adapted to the new economic drivers and have sought to revitalize their policy and approach to employment issues, including safety.

2.1.1.10. Product and labour markets. In recent years one of the developments that have affected almost all industry sectors is that of labour contracting as a response to increased competition in product markets. Although labour contracting and subcontracting can bring reduced overhead costs, they tend to create potential problems of control in safety management. The larger the number of different organizations having differing skills, work methods and cultures, the greater the problems of management of safety by the client or contractor. A typical example is the case of the privatization of the British railway system in 1994. The former British Rail (BR) organization had been split into more than 100 organizations and sold or franchised. A consequence of this was the separation of the management of track from that of train. In addition, thousands of experienced engineers, operators and supervisors departed from the industry. Since the fragmentation of the railway system several railway accidents have occurred, including those at Edge Hill (1999), Paddington (1999), Hatfield (2000), Selby (2001) and Potters Bar (2002).
On the other hand, where labour is scarce it can be very difficult to ensure that personnel of the right skills and quality are hired.

2.1.1.11. National and local cultures. World views at national and regional levels should be considered by the safety management system. For example, foreign-based companies' SMS might be appropriate in their own countries but they may have problems in other countries. For example, Western assumptions and values may not be a priority. In some countries, for example, timetables and deadlines are not seen as a priority and this is not a question of laziness or poor organization but a perception of the value of time. In the West, costs are time linked and so there is great pressure for time efficiency. In general, organizations operating in such regions should take into account local cultures, otherwise local workforces are unlikely to fully accept the SMS.


2.1.2. Economic

2.1.2.1. Insurers. Different insurance schemes operate in different countries to cover employers against claims for damages from employees injured during the course of their employment or from liability for injuries to third parties, including the public. Thus the SMS presents the insurance market with benefits in that it provides: (a) a model that can be promoted to employers to help to reduce the risk and (b) a model against which to audit a client's activities and assess risks.

2.1.2.2. Trading conditions and economic interests. The state of the economy and of the industry sector of the organization is bound to affect the performance of the SMS. For example, when profits are high a company may be more willing to invest in safety than when profits are low. However, this depends on how, in real-world terms, the organization perceives the value of the lives of employees and public. It may be the case that an organization regards product quality as being more important than safety. In such a case, quality is likely to be seen as a core investment area, whereas safety is likely to be seen as a cost area to be avoided or at best addressed on a minimal legal compliance basis.

2.1.3. Physical

2.1.3.1. Geographical location of the organization. Some aspects of the safety management system of an organization may be affected if it is operating in different parts of the world. For example, a SMS designed for an organization operating in the North Sea may not be adequate to be implemented in South America. It is important to ensure that the SMS in each region reflects the actual risks in that particular region and it should not be a copy of what corporate headquarters assumed is adequate for every part of the organization.

2.1.3.2. Climate. The physical conditions and climate may affect the performance of an organization's safety management system.
This applies, for example, to offshore exploration and production for oil and gas, especially in the North Sea, where extreme cold and high winds are prevalent, and in the Gulf of Mexico, where hurricanes and tropical storms occur; therefore, the necessary management procedures and technical precautions should be provided in order to ensure the workers' safety.

It should be pointed out that most of the factors mentioned above overlap and the order given is not meant to imply any kind of order of importance; it is simply a list of some of the factors which might be considered by the SSMS. Other factors may also be relevant.

2.2. Recursive structure of the SSMS model

A recursion may be regarded as a level which has other levels below or above it. The concept of recursion is intended to help to identify the level of the organization being modelled or being considered for analysis. Very often, it is not very clear in the safety literature whether a SMS refers to an entire organization, several parts of it, or just part of it. This section intends to address this issue.

Fig. 2 is intended to show three levels of recursion for an organization. System 1 at level 1 contains the sub-system of interest; i.e. the total operations (TO), which may be taken to be the highest level of the system of interest. The sub-system is represented as an elliptical symbol that contains two essential elements: (1) the total safety management unit (TSMU), represented by a parallelogram symbol, which is concerned with the safety management of all the activities involved in the running of the TO of the organization; (2) the TO, which is where the risks are created, within system 1, due to the interaction of all the processes that take place in order to produce products and services by an organization. There may be other risks due to interaction with the environment; e.g., the external factors discussed in Section 2.1. Note that the double arrow line connecting (1) and (2) represents the managerial interdependence; see Section 2.3.1 for more details about this.

The obvious question that arises at this stage is this: how may the TO be de-composed further? As described in Santos-Reyes and Beard (2006a, b), the fundamental de-composition of the TO may be carried out in different ways. In particular, it was pointed out that de-composition might be on a basis of geography or function; effectively, a de-composition on a basis of function has been assumed in the present paper. Given the above, increasing the level of resolution of the system of interest, i.e., the TO, to one level below recursion 1 will result in the A-Operations (AO) and B-Operations (BO), and this is shown at level 2 in Fig. 2. It must be pointed out that each of the above sub-systems can be de-composed into further sub-systems depending on our level of interest.
For instance, A1-Operations (A1O), A2-Operations (A2O) and A3-Operations (A3O) are shown as sub-systems of the AO at level 3. In principle, each sub-system that forms part of system 1 at level 3 can be de-composed further depending on the level of interest of the SMS modeller or analyst. Fig. 3 shows an example of recursive safety management systems when applied to the case of an oil and gas organization.

[Figure 2: diagram of three levels of recursion. Recursion 1 (level 1): system 1 comprises TSMU and TO. Recursion 2 (level 2): the Total Operations are de-composed into AO (with ASMU) and BO (with BSMU). Recursion 3 (level 3): A-Operations are de-composed into A1O, A2O and A3O (with A1SMU, A2SMU and A3SMU) and B-Operations into B1O, B2O and B3O (with B1SMU, B2SMU and B3SMU); these are the sub-systems that form part of system 1. The diagram marks the horizontal and vertical inter-dependence, and one symbol represents the management unit; i.e. systems 2–5.]

Legend: TSMU = Total Safety Management Unit; TO = Total Operations; ASMU = A-Safety Management Unit; AO = A-Operations; BSMU = B-Safety Management Unit; BO = B-Operations; A1SMU = A1-Safety Management Unit; A1O = A1-Operations; A2SMU = A2-Safety Management Unit; A2O = A2-Operations; A3SMU = A3-Safety Management Unit; A3O = A3-Operations; B1SMU = B1-Safety Management Unit; B1O = B1-Operations; B2SMU = B2-Safety Management Unit; B2O = B2-Operations; B3SMU = B3-Safety Management Unit; B3O = B3-Operations.

Fig. 2. A recursive structure of a SSMS. Note: see Appendix A for a description of the abbreviations and acronyms.

2.2.1. Vertical inter-dependence

Figs. 2 and 3 show the vertical inter-dependence of safety management systems. It should be noted that missing connections between levels of recursion may result in a poor performance of a SMS. The SSMS model as shown in Figs. 1, 2 and 4 is intended to manage safety at two levels of recursion only (Fig. 4 should be seen in the context of Fig. 2). Figs. 1, 2 and 4 will be used as the basis for the description of the model. All the aspects related to system 1 such as its function, its components, its de-composition, etc. will be dealt with in Section 2.3.1.

2.2.2. Relative autonomy and decision making

The SSMS contains a structure that favours relative autonomy and local risk related problem solving capacity. Relative autonomy means that each operation of system 1 of the SSMS is responsible for its own activity with minimal intervention of systems 2–5. The organizational structure allows decisions to be made at local level; decision making is distributed throughout the whole organization. The decision makers within system 1 should be relatively autonomous in their own right and act independently based on their own understanding of risk, safety and their specific tasks. Given the above, it is important for sub-systems to have relative autonomy in carrying out their tasks, while at the same time being subject to the requirements of the safety management system as a whole. A good example of the need for relative autonomy is seen in the case of the Piper Alpha disaster (Cullen, 1990), where the offshore installation manager (OIM) of the Claymore platform was extremely reluctant to shut down production without specific instructions from his organizational superiors.


[Figure 3: diagram of three levels of recursion for an oil/gas organization. Recursion 1 (level 1): system 1 comprises TOGSMU and TOGO. Recursion 2: TOGO is de-composed into Onshore Operations (ONO, with ONSMU) and Offshore Operations (OFO, with OFSMU). Recursion 3: ONO is de-composed into OTO, RO and FDO (with OTSMU, RSMU and FDSMU) and OFO into OGFO-A, OGFO-B and OGFO-C (with FASMU, FBSMU and FCSMU); these are the sub-systems that form part of system 1. The diagram marks the horizontal inter-dependence.]

Legend: TOGSMU = Total Oil/Gas Safety Management Unit; TOGO = Total Oil/Gas Operations; OFSMU = Offshore Safety Management Unit; OFO = Offshore Operations; ONSMU = Onshore Safety Management Unit; ONO = Onshore Operations; OTSMU = Oil Terminal Safety Management Unit; OTO = Oil Terminal Operations; RSMU = Refinery Safety Management Unit; RO = Refinery Operations; FDSMU = Fuel Depot Safety Management Unit; FDO = Fuel Depot Operations; FASMU = Field-A Safety Management Unit; OGFO-A = Oil/Gas Field Operations-A; FBSMU = Field-B Safety Management Unit; OGFO-B = Oil/Gas Field Operations-B; FCSMU = Field-C Safety Management Unit; OGFO-C = Oil/Gas Field Operations-C.

Fig. 3. Recursive structure of a SSMS: an example of nested safety management systems applied to the case of an oil/gas organization. Note: see Appendix A for a description of the abbreviations and acronyms.

He evidently feared possible reprisals because of lost production. The failure to shut down earlier certainly made the disaster worse. Deciding on the extent of relative autonomy is a difficult matter and certainly sub-systems must not become isolated. It is important, however, for as much relative autonomy as possible to be exercised, compatible with the effective functioning of the SMS as a whole.

2.3. Structural organization of the SSMS

The SSMS model has a basic unit in which it is necessary to achieve five functions associated with systems 1–5. Systems 2–5 facilitate the function of system 1, as well as ensuring the continuous adaptation of the organization as a whole.

2.3.1. System 1: safety-policy implementation

System 1 may be regarded as the core of the SSMS model. That is, it is where the business process of an organization takes place and therefore it is where risks are created (there may be other risks due to the interaction with the environment; e.g., see Section 2.1 for more details about this). This section will describe system 1 in some detail and the following aspects will be covered: (1) its function; (2) its main components; (3) the risk management and monitoring process; (4) its de-composition; (5) the horizontal interdependence amongst the sub-systems that form part of system 1.

[Figure 4: diagram of the Total Safety Management Unit (TSMU) at recursion 1 or level 1 (see Fig. 2), showing system 5, system 4 (with 4*), system 3 (with 3*), system 2 and the hot-line, together with the safety future environment and the total environment; and, as system 1, the Total Operations (TO) at recursion 2 or level 2 (see Fig. 2), showing AO with ASMU and the A environment, and BO with BSMU and the B environment.]

Fig. 4. Illustrates two levels of recursion; i.e. levels 1 & 2 are shown in the format of the structural organization of the SSMS model. This figure should be seen in the context of Fig. 2. In particular, it can be seen that TO (at recursion 1) has been de-composed into two sub-systems (AO & BO) and these are depicted as representing system 1 at recursion 2. Note: see Appendix A for a description of the abbreviations and acronyms.

2.3.1.1. Function of system 1. System 1 implements safety policies in the operations of system 1. System 1 consists of one or more operations within an organization that deal directly with the organization's core activities. How system 1 might be broken down further is a key question; for example, system 1 might be de-composed on a basis of geography or functions. For the purpose of the present paper system 1 has been de-composed on a basis of functions.

2.3.1.2. The components of system 1 and its environment. Fig. 1 shows the main components of system 1 and each of them will be described briefly.

(a) The square box deals with all the managerial activity needed to run the operations of that particular system and implements the safety policy of the organization. In addition, it monitors on a continuous basis the level of risk in the operations.
(b) The circle encloses all the relevant operations or activities that take place to produce products or services. It should be monitored because it is here where risks are created. It should be noted that the square and circle constitute system 1. However, there is a third element that needs to be considered; i.e., system 1's environment.
(c) The elliptical symbol represents the environment of system 1. Environment lies outside system 1 but interacts with it. It influences and is influenced by system 1. Thus, it is important to consider it. For instance, system 1 should monitor the resources and information entering the organization, so that hazards and risks are eliminated or kept within an acceptable range. In addition, system 1 should consider all those aspects described in Section 2.1.


The lines that connect the square, circle and the elliptical symbol refer to the channels of communication.

2.3.1.3. Safety management and the monitoring process. Control and communication may be regarded as the key concepts in the process of safety management and monitoring. The objective of the SMS is to maintain risk within an acceptable range in the operations it manages. The safety management unit (SMU) plays a key part within the SMS. The main activities of the SMU are the following:

(a) To monitor the resources (e.g. materials, people, machines) and information entering the organization; i.e. the operations, so that hazards and risks are eliminated or kept within an acceptable range.
(b) To plan or set safety objectives (e.g. performance standards). These safety objectives may be represented in comparators. The function of a comparator is to enable comparison with the risk related output, that is, to compare risk related performance with the planned safety objectives. In doing this, the SMU can detect any deviation from the planned safety objectives through the comparator. If a deviation occurs then the SMU would adjust the operations and bring them in line with the accepted criteria.
(c) To manage risk proactively; this activity can, in principle, be achieved by anticipating any deviation from the organization's safety objectives. In order to do so, the SMU activities would involve modifying the operation. This process can be accomplished through modelling risk for the whole system; i.e., the operations. If the SMU is able to do so then it can be said that it is an adaptive system.
(d) To devise risk control systems (RCS) which should, in principle, address the risks created in the operations of the organization. The RCS should reflect the risk profile; that is, the greater the risk, the more robust and reliable the control systems need to be.
The main activities involved are the following: (1) Hazard identication: nding out what could possibly happen within the system, which could lead to harm. This means identifying crucial events and possible consequences (Beard, 2005a, b, c). (2) Risk analysis: to estimate the probabilities of particular consequences. (3) Risk evaluation: deciding what to do; i.e., how to control the risk; deciding on suitable measures to control or eliminate risk. In general, the above underpins legislation, which aims to improve the management of safety. For instance, in the UK the Management of Health and Safety at Work Regulations 1999 (MHSW Regulations) and the Control of Substance Hazardous to Health (COSHH) Regulations

2002 are considered to conduct the activities mentioned above. 2.3.1.4. De-composition of system 1. System 1 may be decomposed into geography or functions. For the purpose of the present paper system 1 has been de-composed on a basis of functions; several examples are shown in Fig. 5. From the above, it should be noted that the zigzag lines amongst the operations (circles) indicate the physical interdependence amongst the sub-systems that form part of system 1. The physical inter-dependence may be weak or strong. For instance, there was a strong physical interdependence between Piper Alpha and Claymore platforms; i.e., a gas pipeline was laid between them to allow gas to be imported from Piper. The gas pipeline from Piper to Claymore was about 34.4 km long and 40.6 cm diameter (Cullen, 1990). On the other hand, a weak interdependence would be, for example, between Claymore and MCP-01 platforms; there was not physical interdependence between them. This was because Claymore was a production platform that exported oil only whereas the MCP-01 dealt only with gas. However, it may be argued that a failure of any of the two will affect the functioning of the other installations; therefore the overall performance of the SMS. Fig. 5 also shows lines amongst the safety management units (rectangles); these indicate the managerial interdependence amongst them. It should be pointed out that lines indicating channel of communication amongst the operations (circles) have been left out for clarity of Fig. 5. However, they should be taken into account by the SMS, see Fig. 2. 2.3.1.5. Horizontal inter-dependence. Fig. 5 shows the horizontal inter-dependence amongst the various subsystems that form part of system 1. If something goes wrong in any of the sub-systems; i.e. if a deviation from the accepted criteria occurs in a particular sub-system, then this would be expected to affect the performance of the other sub-systems and the overall performance of the SMS. 2.3.2. 
System 2: safety-co-ordination The function of system 2 is to co-ordinate the activities of the operations of system 1 in relation to the SSMSs total environment. System 2, along with system 1 management units, implements the safety plans received from system 3. It informs system 3 about routine information on the performance of the operations of system 1. To achieve the plans of system 3 and the needs of system 1, system 2 gathers and manages the safety information of system 1s operations. There are other organizations within the total environment that may create some conicting situations in the operation of system 1. An example of co-ordination activity could be the solving of any conict that may arise amongst the offshore platforms that form part of an oil and gas eld; for example, Piper Alpha eld (see Fig. 5(c)).


[Fig. 5 diagrams not reproduced. Panel notes: FDO has been de-composed into three sub-systems; PAO has been de-composed into four sub-systems.]

Legend: RSMU = Refinery Safety Management Unit; RO = Refinery Operations; FDSMU = Fuel Depot Safety Management Unit; FDO = Fuel Depot Operations; TASMU = Tank-A Safety Management Unit; FSTAO = Fuel Storage Tank-A Operations; TBSMU = Tank-B Safety Management Unit; FSTBO = Fuel Storage Tank-B Operations; TCSMU = Tank-C Safety Management Unit; FSTCO = Fuel Storage Tank-C Operations; PSMU = Piper Safety Management Unit; PAO = Piper Alpha Operations; CSMU = Claymore Safety Management Unit; CLO = Claymore Operations; TSMU = Tartan Safety Management Unit; TARO = Tartan Operations; MCSMU = MCP-01 Safety Management Unit; MCO = MCP-01 Operations; FSMU = Flotta Safety Management Unit; FLO = Flotta Operations; AMSMU = A-Module Safety Management Unit; AMO = A-Module Operations; BMSMU = B-Module Safety Management Unit; BMO = B-Module Operations; CMSMU = C-Module Safety Management Unit; CMO = C-Module Operations; DMSMU = D-Module Safety Management Unit; DMO = D-Module Operations.

Fig. 5. Examples of de-composition of system 1. (a) Refinery and Fuel Depot Operations (b) Fuel Depot Operations (FDO) (c) Piper Alpha Field (d) Piper Alpha Operations (PAO).

2.3.3. System 3: safety-functional

System 3 is directly responsible for maintaining risk within an acceptable range in system 1, and ensures that system 1 implements the organization's safety policy. It achieves its function on a day-to-day basis according to its own safety plans and the strategic and normative safety plans received from system 4. The purpose of these plans is to anticipate and act proactively to maintain the risk, arising from the operations of the sub-systems that form part of system 1, substantially below the maximum risk acceptable (MRA); see Santos-Reyes and Beard (2006a, b, c). System 3 requests from systems 1, 2, and 3* information directly related and not directly related to the safety performance of system 1 to formulate its


programmatic safety plans. These plans are then communicated to systems 1, 2 and 3*. It is also responsible for allocating the necessary resources to system 1 to accomplish the organization's safety plans.

2.3.4. System 3*: safety-audit

System 3* is part of system 3 and its function is to conduct audits sporadically into the operations of system 1. System 3* intervenes in the operations of system 1 according to the safety plans received from system 3. System 3 needs to ensure that the accountability reports received from system 1 reflect not only the current status of the operations of system 1, but are also aligned with the overall objectives of the organization. The audit activities should be sporadic (i.e. unannounced) and they should be implemented under common agreement between system 3* and system 1. System 3* must know the safety performance of the sub-systems that form part of system 1 and the system 3 safety plans, as well as its own safety commitment. In addition, system 3* should be able to identify and inhibit all possible performances that do not conform to the planned safety objectives of system 1's operations.

2.3.5. System 4: safety-development

System 4 is concerned with safety research and development (R&D) for the continual adaptation of the system as a whole. By considering strengths, weaknesses, threats and opportunities, system 4 can suggest changes to the organization's safety policies. This function may be regarded as a part of effective safety planning. System 4 achieves its function according to the safety policy of system 5; i.e. to maintain risk within an acceptable range in the organization's operations. System 4 deals with strengths and weaknesses, opportunities and threats to the whole system. System 4 should sense, scan and attempt to respond appropriately to the various threats and opportunities identified in the system's total environment (see Section 2.1 for details of the environmental factors).

There are two main safety issues which system 4 has to deal with regarding the total environment. First, the large broken line elliptic symbol represents the total environment of the system, which also includes the collection of local environments of the sub-systems that form part of system 1. The total environment is characterized by all those factors described in Section 2.1 in which the organization (i.e. the system of interest) is embedded. Second, system 4 should deal with the safety future environment. The safety future environment is concerned with threats and opportunities relating to future development of safety that may be relevant for the organization. Therefore, the SSMS deals not only with current safety problems, but also anticipates or prevents possible safety accidents. All relevant needs or requirements of the organization's environment are dealt with in system 4 and communicated to system 5. System 4 also deals with current system 1 needs, and its potential future requirements are reflected in the system 1 local environments. On the other hand, system 3 communicates to system 4 all relevant needs of the existing safety performance of system 1's operations. Furthermore, system 3 should make clear the difficulties with which the existing performance of system 1 will be faced in trying to assimilate new safety developments that do not conform to the existing safety technology and the established safety culture.

To accomplish the organization's safety policy, system 4 should respond proactively to the threats and opportunities regarding the operations of system 1. For example, system 4 should identify current and possible new regulations. It should understand the trends in new technology regarding the design of installations. This new technology may include an inherently safer design, which addresses safety in an early design phase of an installation (Hale, Kirwan, & Kjellén, 2007; Kjellén, 2007; Kletz, 1998; Taylor, 2007). Moreover, the system leading to fatality, harm, loss of property, etc. is continually changing; the system becomes disordered and disorganized with time (Critchley, 1988). This implies that risk assessment needs to be an on-going process; the activities of system 4 are vital to the prevention or anticipation of these retrograde changes. Furthermore, risk assessment implies the use of models and these have the potential to produce poor design because of uncertainty, flexibility of application or inappropriate interpretation (Beard, 2005a, b, c). Again, system 4 plays a vital role in ensuring, as far as possible, the acceptable use of models as part of the process of decision making.

2.3.6. System 4*: safety-confidential reporting system

System 4* is part of system 4 and is concerned with confidential reports or causes of concern from any employee, about any aspects, some of which may require the direct and immediate intervention of system 5. This means that system 4* analyses all information coming through this channel and develops and plans actions to act upon what has been reported so that these or similar incidents or causes of concern do not occur in the future. Individuals, team groups or departments within system 4* should have both authority and responsibility because of their understanding of the need for confidentiality. This commitment and knowledge involves: confidentiality or de-identification, and immediate, useful, accessible feedback to the reporting community. System 4* must be perceived by all members of the workforce to be completely independent of management, thus giving the necessary assurance of confidentiality. Corporate management, via system 5, must be willing to guarantee the independence of system 4*. This may be seen as a part of the safety culture of the organization.

2.3.7. System 5: safety policy

System 5 is responsible for deliberating safety policies and for making normative decisions. According to alternative safety plans received from system 4, system 5


considers and chooses feasible alternatives, which aim to maintain the risk within an acceptable range throughout the life cycle of the total system. Furthermore, these safety policies should: reflect the safety values and beliefs of the whole organization; address the anticipation of accidents due to activities of the physical installations; reflect the needs of employees of the whole system about issues directly related and not directly related to safety; promote safety culture throughout the organization. System 5 also monitors the interaction of system 3 and system 4, as represented by the lines that show the loop between systems 3 and 4 in Figs. 1 and 4.

2.3.8. Hot-line

Figs. 1 and 4 show a dashed line directly from system 1 to system 5, representing a direct communication or hot-line for use in exceptional circumstances; e.g. during an emergency. It represents initially one-way communication channels but they may become two-way communication channels between systems 1 and 5.

3. Discussion

The present work contends that fatality, injury and loss of property in general result from the working of an entire system. This involves, inter alia, organizational structure, infrastructure, operation, people; as well as environmental factors; i.e., socio-economic and political (see Section 2.1). Moreover, the system leading to fatality, injury, loss of property is continually changing. This raises the following question: how do we create a safety management system which is capable of coping with this? The proposed SSMS model is a dynamic system, which aims to maintain risk within an acceptable range in a coherent way in an organization's operations. It consists of a set of five necessary and sufficient interrelated subsystems, called systems 1 to 5. System 1, safety policy implementation, consists of various operations of the oil and gas organization in which the organization's safety policy must be implemented. System 2, safety co-ordination, ensures that the various operations of system 1 operate in agreement. System 3, safety functional, ensures that system 1 implements the organization's safety policies. System 3*, safety audit, is part of system 3 and it is concerned with sporadic safety audits. System 4, safety development, is responsible for identifying strengths, weaknesses, threats, and opportunities that can suggest systemic changes to the organization's safety policies. System 4*, confidential report, is part of system 4 and it is concerned with confidential reports or causes of concern that may require direct and immediate intervention of the corporate management. Finally, system 5, safety policy, is responsible for establishing safety policies for the whole organization. These five functions have some similarities with those key management elements presented by BS8800 (2004), BS EN ISO-14004 (2004), CCPS (1989), Druker (1974), EPSC (1994), George (1972), HSE (1997), ILO-OSH (2001), IOSH (1997), OHSAS-18002 (2000). However, these approaches lack an organizational structure. The SSMS, on the other hand, possesses an organizational structure, which interacts in a defined way with its local and wider environment; both influencing it and being influenced by it. The structural organization of the model may help to adapt continuously to threats and opportunities, and weaknesses and strengths as presented in the organization's local and wider environment. Moreover, the structural organization of the model is intended to manage safety in a coherent way by treating an organization as both vertically and horizontally interdependent. Vertical interdependence is dealt with through the concept of recursion. This favours relative autonomy; hence it helps to maintain risk within an acceptable range at each level of recursion effectively. The horizontal interdependence is dealt with through the interrelationships amongst the various subsystems that form part of system 1. For example, the subsystems A1O, A2O, and A3O form part of system 1, as illustrated in Fig. 2. Each operation or subsystem of system 1 is dedicated to achieving its own safety concerns with a minimal intervention of systems 2–5. The organizational structure allows decisions to be made at local level; decision making is distributed throughout the whole organization. Finally, the SSMS is intended to help to provide a structural organization that may facilitate the implementation and maintenance of safety culture.

4. Conclusions and future work

A SSMS model has been put forward. The SSMS aims to maintain risk within an acceptable range in the operations of any organization in a coherent way. If the features of the model; i.e. the systems, their associated functions, and the channels of communication are in place and working effectively then the probability of failure should be less than otherwise. In this way the SSMS has a fundamentally preventive potentiality. The model is capable of being applied proactively in the case of a new system or an existing one as well as reactively. In the latter case a past failure, whether disastrous or not, may be examined using the SSMS model. In this way, lessons may be drawn from past accidents. It may also be employed as a template to examine an existing safety management system. In the case of a new installation the safety management system should be considered at the very beginning of the design stage; not as a bolt-on at the end. As future work, it is intended to: (a) apply the model proactively; currently, a case study is being conducted for the case of an oil and gas organization; (b) apply the model reactively; currently, the Piper Alpha disaster is being analysed by employing the model; other accidents, and accidents from different industries, should be analysed by using the model in order to illustrate its potentiality as an accident investigation tool; (c) apply the model as a template to examine an existing SMS; and (d) assess quantitatively the


effectiveness of a SMS by employing the concept of viability, which has been defined as:

Viability = P(the SSMS has the capacity to maintain the risk within an acceptable range for a stated period of time)

(Santos-Reyes & Beard, 2006b, c).

Acknowledgements

This project was funded by CONACYT and SIP-IPN under the following grants: CONACYT: No-52914 and SIP-IPN: No-20071593.

Appendix A

For abbreviations and acronyms see Table A1.

Table A1 Abbreviations and acronyms

A1O      A1-Operations
A1SMU    A1-Safety Management Unit
A2O      A2-Operations
A2SMU    A2-Safety Management Unit
A3O      A3-Operations
A3SMU    A3-Safety Management Unit
AMO      A-Module Operations
AMSMU    A-Module Safety Management Unit
AO       A-Operations
ASMU     A-Safety Management Unit
B1O      B1-Operations
B1SMU    B1-Safety Management Unit
B2O      B2-Operations
B2SMU    B2-Safety Management Unit
B3O      B3-Operations
B3SMU    B3-Safety Management Unit
BMO      B-Module Operations
BMSMU    B-Module Safety Management Unit
BO       B-Operations
BSMU     B-Safety Management Unit
CLO      Claymore Operations
CLSMU    Claymore Safety Management Unit
CMO      C-Module Operations
CMSMU    C-Module Safety Management Unit
COSHH    Control of Substances Hazardous to Health Regulations
DMO      D-Module Operations
DMSMU    D-Module Safety Management Unit
FASMU    Field-A Safety Management Unit
FBSMU    Field-B Safety Management Unit
FCSMU    Field-C Safety Management Unit
FDO      Fuel Depot Operations
FDSMU    Fuel Depot Safety Management Unit
FLO      Flotta Operations
FSMU     Flotta Safety Management Unit
FSTAO    Fuel Storage Tank-A Operations
FSTBO    Fuel Storage Tank-B Operations
FSTCO    Fuel Storage Tank-C Operations
HSE      Health and Safety Executive (UK Safety Regulator)
HSWA     Health & Safety At Work Act
ILO      International Labour Organization
IOSH     Institution of Occupational Safety & Health
ISO      International Standards Organization
MCO      MCP-01 Operations
MCSMU    MCP-01 Safety Management Unit
MHSW     Management of Health and Safety at Work Regulations
MRA      Maximum Risk Acceptable
OFO      Offshore Operations
OFSMU    Offshore Safety Management Unit
OGFAO    Oil/Gas Field-A Operations
OGFBO    Oil/Gas Field-B Operations
OGFCO    Oil/Gas Field-C Operations
OH&S     Occupational Health and Safety
OHSAS    Occupational Health and Safety Assessment
OIM      Offshore Installation Manager
ONO      Onshore Operations
ONSMU    Onshore Safety Management Unit
OTO      Oil Terminal Operations
OTSMU    Oil Terminal Safety Management Unit
PAO      Piper Alpha Operations
PFEER    Prevention of Fire & Explosion & Emergency Regulations
PSMU     Piper Safety Management Unit
RAE      Royal Academy of Engineering (UK)
RIDDOR   Reporting of Injuries, Diseases and Dangerous Occurrences Regulations
RO       Refinery Operations
RSMU     Refinery Safety Management Unit
SMS      Safety Management System
SMU      Safety Management Unit
SSMS     Systemic Safety Management System
TARO     Tartan Operations
TASMU    Tank-A Safety Management Unit
TBSMU    Tank-B Safety Management Unit
TCSMU    Tank-C Safety Management Unit
TOGO     Total Oil/Gas Operations
TOGSMU   Total Oil/Gas Safety Management Unit
TOO      Total Operations
TOSMU    Total Safety Management Unit
TSMU     Tartan Safety Management Unit
UKOOA    United Kingdom Offshore Operators Association

References

Andreas, W. (1999). Wake up call. The Scotsman, 22, 12.
Anjana, A. (1997). Accidents and the human factor. The Times, 27, 17.
BBC. (2001). Anger at Toulouse blast location. BBC News <http://news.bbc.co.uk/2/hi/europe/1557644.stm> (15 June 2007).
Beard, A. N. (2005a). Prevention and protection: General concepts. In A. Beard & R. Carvel (Eds.), The handbook of tunnel fire safety (pp. 79–92). London: Thomas Telford (Chapter 4). ISBN:07277-31688.
Beard, A. N. (2005b). Problems with using models for fire safety. In A. Beard & R. Carvel (Eds.), The handbook of tunnel fire safety. London: Thomas Telford.
Beard, A. N. (2005c). Requirements for acceptable model use. Fire Safety Journal, 40, 477–484.
BS 8800. (2004). Occupational health and safety management systems - Guide. UK: British Standard Institute.
BS EN ISO 14004. (2004). Environmental management systems - General guidelines on principles, systems and support techniques. British Standard Institute, UK <http://www.bsi-global.com/bsonline> (15 June 2007).
CCPS. (1989). Guidelines for technical management of chemical process safety. Centre for Chemical Process Safety (CCPS). American Institute of Chemical Engineers.
Crawley, F. K. (1999). The change in safety management for offshore oil and gas production systems. Institution of Chemical Engineers, Trans. ICHemE, 77(B), 143–148.

Critchley, D. H. (1988). Reliability degradation - The problem of an insidious hazard. In Proceedings of an international conference on radiation protection in nuclear energy (pp. 91–99). Organised by the International Atomic Energy Agency and held in Sydney, 18–22 April.
Cullen, W. D. (1990). The public inquiry into the Piper Alpha disaster. Parts 1 and 2. London: HMSO.
Cullen, W. D. (2001). The Ladbroke Grove Rail Inquiry, Parts 1 and 2. HSE Books.
Druker, P. (1974). Management - tasks, responsibilities, practices. Heinemann.
EPSC. (1994). Safety management systems. Rugby, UK: European Process Safety Centre (EPSC), IChemE.
Fortune, J., & Peters, G. (1995). Learning from failure - The systems approach. Wiley.
George, C. S. (1972). The history of management thought (2nd ed). Prentice-Hall Inc.
Grabowski, M., & Roberts, K. H. (1996). Human and organizational error in large scale systems. IEEE Transactions on Systems Man Cybernetics. Part A - Systems Humans, 26(1), 2–16.
Hale, A., Kirwan, B., & Kjellén, U. (2007). Safe by design: Where are we now? Safety Science, 45, 305–327.
HSE. (1992). A guide to the offshore installations (safety case) regulations 1992. London, UK: HMSO.
HSE. (1997). Successful health and safety management HSG65. Health and Safety Executive (HSE). HSE Books.
HSE. (2006). Buncefield major incident investigation initial report to the Health and Safety Commission and the Environmental Agency of the investigation into the explosions and fires at the Buncefield oil storage and transport. Hemel Hempstead, on 11 December 2005, UK.
Hudson, P. T. W., Reason, J., Wagenaar, W. A., Bentley, P. D., Primorose, M., & Visser, J. P. (1994). Tripod Delta: Proactive approach to enhanced safety. Journal of Petrol Technology (JPT), 46, 58–62.
ILO OSH. (2001). Guidelines on occupational safety and health management systems. <http://www.ilo.org> (15 June 2007).
IOSH. (1997). Policy statement - Integrated management systems. Leicester: IOSH.
Kandola, B. S. (1997). Risk based approach to fire safety engineering. Fire Engineers Journal, 21–26.
Kjellén, U. (2007). Safety in the design of offshore platforms: Integrated safety versus safety as an add-on characteristic. Safety Science, 45, 107–127.
Kletz, T. A. (1998). Process plants: A handbook for inherently safer design (2nd ed). Philadelphia, PA, USA: Taylor & Francis.
OHSAS 18002. (2000). Occupational health and safety management systems - Guidelines for the implementation of OHSAS 18001, 1999. British Standard Institute, UK <http://www.bsi-global.com/bsonline> (15 June 2007).
RAE. (2004). The risk debate - trust me, I'm an engineer. The Royal Academy of Engineering <http://www.raeng.org.uk> (15 June 2007).
Reason, J. (1990a). Human error. New York: Cambridge University Press.
Reason, J. (1990b). The contribution of latent human failures to the breakdown of complex systems. Philosophical Transactions of the Royal Society of London, 327, 475–484.
Reason, J. (1991). The reliability of management in decision making. Seminar reliability, the risk of management. London, UK: Inst Mech Eng.
Reason, J. (1997). Managing the risks of organizational accidents. Ashgate.
Santos-Reyes, J., & Beard, A. N. (2001). A systemic approach to fire safety management. Fire Safety Journal, 36, 359–390.
Santos-Reyes, J., & Beard, A. N. (2006a). A systemic analysis of the Paddington railway accident. Journal of Rail and Rapid Transit: (Proc. IMechE. Part-F), 220(2), 121–151.
Santos-Reyes, J., & Beard, A. N. (2006b). A systemic approach to safety management. Proceedings of the 3rd international conference on working on safety, 12–15 September 2006, Netherlands.
Santos-Reyes, J., & Beard, A. N. (2006c). Viability of a systemic safety management system. In Proceedings of safety and reliability conference, ESREL-2006, 18–22 September 2006, Portugal.
Santos-Reyes, J., Beard, A. N., & Clark, P. J. (2001). A systemic approach to fire safety offshore. Applied fire sciences in transition series - special problems in fire protection engineering, Vol. IV. USA: Baywood Publishing.
Taylor, J. R. (2007). Understanding and combating design error in process plant design. Safety Science, 45, 75–105.
Turnbull, J. (2005). Humans in complex engineering systems. The Royal Academy of Engineering <http://www.raeng.org.uk> (15 June 2007).
UKOOA. (1995). Guidelines for fire and explosion hazard management. London, UK: UK Offshore Operators Association.
USCSB. (2007). Investigation report - refinery explosion and fire. US Chemical Safety and Hazard Investigation Board. Report no. 2005-04I-TX, March 2007, US.
Vidal, M., & Fernández, R. (2005). Éxodo por fuga de gas en Tepetlaoxtoc. EL Metro, pp. 8, 26 August.
Waring, A. (1996). Safety management systems. Chapman & Hall.
Weibye, B. (1996). Safety management under different regimes. Proceedings of the offshore northern seas (ONS) conference. Stavanger, Norway, 27–30 August.