
Guidance Note

Safety Management Systems for major hazard facilities


Advice for operators of major hazard facilities on developing and implementing a Safety Management System.

June 2011

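Contents

1. Introduction
1.1. Features of successful SMS development and implementation
1.2. Core concepts
1.3. Key definitions
1.4. Report of the Longford Royal Commission
2. Planning and preparation
2.1. Role of the SMS
2.2. Ensuring a compliant SMS
2.3. Workforce requirements
3. The Safety Management System
3.1. Required elements of the SMS
3.2. Establishing the SMS
3.3. Comprehensive and integrated SMS
3.4. Managing control measures within the SMS
3.5. Performance standards for the SMS
3.6. Summary of the SMS for the Safety Case
4. Review and revision
5. Compliance checklist
6. Further reading

1. Introduction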

The major hazard facility parts of the Occupational Health and Safety Regulations 2007 (OHS Regulations) set out legal duties for control of risks from operating a major hazard facility (MHF). They apply to the operator of a facility who is the employer with management or control of the facility. To obtain a licence to operate an MHF in Victoria, operators are required to submit a Safety Case which sets out how the facility will be operated safely.

This guidance note will assist an operator through the process of establishing and implementing a Safety Management System (SMS). The SMS is a significant part of the Safety Case as well as being the primary means of ensuring the safe operation of the MHF.

The MHF regulations require the operator to establish, implement and use an SMS. The SMS should embrace all attributes of the facility affecting safe operation, over which the operator has direct or indirect control. These attributes may include: leadership; responsibilities; targets; planning; roles; culture; and the control measures for safe operation.

Overall, each facility's SMS needs to address prevention and control of all risks to health and safety. However, only those elements of the SMS that relate to prevention and control of major incidents are specifically relevant to the MHF regulations, and hence comments within this guidance note are directed to those aspects of SMS that have an influence on major incidents.

The operator may have to develop a whole SMS, develop or modify parts of an existing SMS, or may adopt systems developed by others (eg industry bodies) and adapt these to be suitable to the specific facility. The MHF regulations do not prescribe a specific standard or model for the SMS, provided the system is capable of managing and maintaining the adopted control measures and its content meets regulatory requirements. The MHF regulations require that the operator continually improve the system through a process of monitoring, audit and review.


GUI0128/01/02.11


1.1. Features of successful SMS development and implementation


The following factors are critical to the SMS. The SMS:

- must be comprehensive and integrated with respect to the adopted control measures
- must be implemented in practice and used as the primary means of ensuring safe operation
- should be consistent with the understanding of risk gained from the Safety Assessment
- should have sufficient focus on major incident safety, from planning through to operations
- must be documented and readily accessible and comprehensible to those who use it
- must contain all of the required aspects identified in reg 5.2.5 and Schedule 10
- should contain the elements of a generic management cycle eg define objectives; plan and implement activities; monitor, audit and review performance; act on deficiencies
- must have performance standards, which enable the operator to measure the effectiveness of the SMS in ensuring safe operation
- needs to cover the whole facility defined within the Safety Case
- should be dynamic and continually improving to adapt to changes and to reflect reality
- should reflect the overall safety culture and values of the facility. It should not be a pure paperwork system divorced from actual behaviours and attitudes of workers.

All persons involved in safe operation should have knowledge of and be committed to the SMS.

1.2. Core concepts


The operator of an MHF must establish and implement an SMS which provides a comprehensive and integrated system for the management of all aspects of the adopted risk control measures. The SMS must be the primary means of ensuring safe operation in respect of major hazards, which is achieved by managing and assuring the performance of the adopted control measures. The SMS needs to reflect the hazards that are present and support the actual practices on the facility. An SMS that is divorced from reality or fails to focus on the specific requirements for safe operation will not meet the regulatory requirements.

The MHF regulations do not prescribe any particular standard or model for the SMS. Each facility operator needs to implement a workable system appropriate to the particular facility, its potential major incidents and associated hazards, the adopted control measures and resultant level of risk.

The SMS must be documented, and needs to be accessible and comprehensible to those who use it, to ensure that it is followed correctly and is understood. Documentation of the SMS will also enable the operator to test its implementation and assure its performance, and will enable WorkSafe to test the adequacy of the system and its implementation. A summary of the SMS must be contained within the Safety Case.

The SMS should incorporate processes to identify, select, define, implement, monitor, maintain, review and improve the range of control measures on which safe operation depends. Errors, deviations and breakdowns in control measures and corresponding parts of the SMS need to be tracked under the SMS, to provide data on the actual safety performance of the facility. Performance standards must be used to facilitate this process.

The SMS should be consistent with the safety management approach or philosophy at the facility, and the company's overall business management system, and applicable to the facility as a whole. Those responsible for the SMS should ensure it fully recognises the potential for major incidents at the facility, incorporates understanding of causes and contributors to major incidents and activates a commitment to effectively manage the associated risk. Management and workers need to participate in and understand the SMS.

The SMS should incorporate the generic management system cycle of planning, implementation, monitoring, corrective action and review, so that safety is maintained and improved. The SMS should be subject to regular review and improvement. The processes for generating or reviewing a Safety Case should be incorporated into the SMS so that the Safety Case is a product of the established SMS.


Figure 1.1 Requirements of the SMS

[Figure content:
SMS tests: Comprehensive? Integrated? Accessible? Comprehensible? Documented? Facility-wide? Realistic? Dynamic? Improving?
Control measures: design and construction standards; knowledge of facility; resources; process control systems; engineering projects; engineering controls; operational/maintenance procedures; mechanical integrity of facility assets; materials used in facility.
Management system elements: policy and objectives; standards and targets; planning and prioritising; implementation; monitoring; audit; corrective action; review; continual improvement.]

1.3. Key definitions


Control measure (control): Any system, procedure, process, device or other means of eliminating, preventing, reducing or mitigating the risk of major incidents arising at an MHF. Controls include physical equipment, process control systems, management processes, operating or maintenance procedures, the emergency plan and key personnel and their actions.

Hazard (related to an MHF): Any activity, procedure, plant, process, substance, situation or any other circumstance that could cause, or contribute to causing, a major incident.

Hazard identification: The process of identifying hazards as described in the WorkSafe guidance note Hazard identification.

Major incident (related to an MHF): An uncontrolled incident, including an emission, loss of containment, escape, fire, explosion or release of energy, that
(a) involves Schedule 9 materials and
(b) poses a serious and immediate risk to health and safety.

Safety Assessment: A Safety Assessment process consistent with international risk assessment standards, including AS/NZS ISO 31000 Risk management. A Safety Assessment involves an investigation and analysis of the major incident hazards and major incidents to provide the operator with a detailed understanding of all aspects of risk to health and safety associated with major incidents, including
(a) the nature of each hazard and major incident
(b) the likelihood of each hazard causing a major incident
(c) in the event of a major incident occurring (i) its magnitude and (ii) the severity of its consequences to persons both on-site and off-site
(d) the range of control measures considered.

Safety Management System (SMS): Comprises all policies, objectives, roles, responsibilities, accountabilities, codes, standards, communications, processes, procedures, tools, data and documents for managing safe operation of the facility. In the context of the MHF regulations, the SMS focuses on the prevention, reduction or mitigation of major incidents. The SMS is not just documentation but is the actual implementation of processes, systems, procedures and practices on the site.


So far as is reasonably practicable: To reduce risk to a level so far as is reasonably practicable involves balancing reduction in risk against the time, trouble, difficulty and cost of achieving it. This requires consideration of:
(a) the likelihood of the hazard or risk concerned eventuating
(b) the degree of harm that would result if the hazard or risk eventuated
(c) what the person concerned knows, or ought reasonably to know, about the hazard or risk and any ways of eliminating or reducing the hazard or risk
(d) the availability and suitability of ways to eliminate or reduce the hazard or risk
(e) the cost of eliminating or reducing the hazard or risk.

More information on so far as is reasonably practicable as applied to major incident risk is found in the Guidance note Requirements for demonstration. More information on key terms is found in other MHF guidance material available from the WorkSafe website and in the definitions of the OHS Regulations (reg 1.1.5).

1.4. Report of the Longford Royal Commission


The MHF regulations aim to address the findings of the Royal Commission on the 1998 Longford Gas Plant Incident to ensure similar incidents are prevented. The Longford Royal Commission report contains a wide range of observations and recommendations regarding safe operation, many of which can be related broadly to the management systems in place at an MHF. Some of the key lessons from this particular incident are summarised below, starting with fundamental issues and leading on to the immediate causes or contributing factors of the incident. The list is not intended to be exhaustive and all points will not necessarily apply in all cases.

- Ensuring the SMS is implemented and effective. Are the procedures within the SMS implemented and are they effective in ensuring safe operation? Is there effective monitoring, auditing, identification of deficiencies and corrective action? Is the SMS documentation comprehensible and used by workers?
- Organisation, structure, roles and responsibilities. Are safety roles and responsibilities clearly defined for all parts of the facility, all levels of the organisation, all operating conditions and all control measures?
- Management of knowledge. Is there an effective system for providing sufficient individual and collective knowledge, skills and experience to operate the facility safely in the first place and then for retaining that knowledge, skills and experience? Is this system providing sufficient knowledge of critical safe operating parameters, control measures, hazards, and potential major incidents?
- Management of change. Are changes to the facility, management systems, organisational structure and human resources analysed and their impacts on safety managed? Are Safety Assessment programmes keeping up with the intended assessment schedules and with plant changes?
- Learning from incidents. Are learning opportunities from near misses and other incidents being properly worked through, from analysis of root causes to communication of lessons and solutions? Does the incident reporting and investigation system facilitate learning or hinder it?
- Management of human resources. Are there adequate human resources for carrying out all safety roles? Is the management system actually devoting resource to where it is needed for safe operation? Is there an effective process for ensuring the necessary skills and resources are available at all times? Are handover requirements properly implemented? Are absences managed correctly? Is there adequate supervision of workers and checking of work, response to process information, adherence to procedures?
- Communications. Do communications ensure all relevant persons are aware of key process conditions, the status of control measures and other key issues? Do operating, engineering, maintenance and other departments communicate with each other, to use each other's expertise, and to work together effectively to plan and ensure safe operation? Is there effective two-way communication to ensure senior management and workers are aware of problems and solutions? Are operational communications unambiguous or can they be misheard or misinterpreted? Are personnel making correct assumptions about safety critical issues? What level of checking or verification of communications and operational assumptions occurs?
- Plant surveillance, facility oversight, trouble-shooting. Is there any routine process for monitoring plant/process condition and operational practices to identify abnormal and potentially hazardous conditions? Is process or equipment monitoring information used to identify underlying problems, evaluate trends and assist decision-making? Does any group or individual have an overview of the facility as a whole? Is there sufficient awareness of the potential for interactions between different equipment and installations within a complex integrated facility? Once a potentially significant process deviation develops, is there an effective and timely means of addressing the problem? Are there sufficient procedures, authorities, resources and expertise to step back, evaluate and control the situation? Have all of the safety implications of abnormalities and deviations been thought through, and procedures developed accordingly? Are safety hazards spelled out alongside production issues in operating and trouble-shooting instructions?
- Recognition of critical safety control measures. Do operators and other workers recognise critical procedures, equipment or controls and the implications of their failure? Are steps taken to prevent overriding of these measures?
- Understanding significance of process information. Are operators able to understand the significance of the signals provided by the process and other monitoring systems regarding the state of the facility? Are all the necessary critical operating parameters known and their safe operating limits defined? Are critical alarms discernible from and prioritised over other alarms? Are operators able to respond to the information being generated by the facility during day-to-day and abnormal conditions, and make safe decisions? Do procedures ensure safe response to alarm and other abnormal conditions? Do operators have the necessary time, resources, support and ability to refer matters to additional expertise or authority if needed?
- Production demands. Could production demands potentially compromise the ability to operate safely? Is there sufficient time and capacity within the system to be able to limit or halt production on safety grounds? Do production demands result in short cuts being taken with critical control measures?
- Emergency response strategies, resources, procedures and communications. Is there a robust and practised emergency response plan which assists decision-making and reflects the scale, nature and duration of incidents that can occur? Is there an effective communications channel to ensure timely response? Are personnel clear on the roles they should adopt in the event of an emergency? Is there adequate understanding of the overall approach and strategy for firefighting? Are adequate resources available to carry out this strategy? Is there up-to-date information on the available inventory, isolation points and isolation priorities? Is a credible emergency isolation and shutdown strategy in place?
- Corporate culture. Does the corporate culture lead to a challenging of norms? Is potential for corporate blindness recognised and guarded against? Is the operator prepared to test and revise their systems for safe operation? Do the communication and reporting systems encourage an open exchange of critical views and information?

MHF operators should read the Longford report and other relevant incident reports (eg BP Texas City; Flixborough; Buncefield) and take account of the issues raised in the reports when establishing and implementing their own SMS.

2. Planning and preparation

2.1. Role of the SMS


Reg 5.2.5 and 5.2.15 of the MHF regulations require that an SMS provide a systematic means of ensuring safe operation for the facility by managing the adopted control measures in a comprehensive and integrated manner. Most modern management system standards or models feature a set of generic elements, forming a continual improvement cycle. For example, Figure 2.1 shows the basic management elements required by AS/NZS 4804:2001 Occupational health and safety management systems. No particular management system model is correct or best; but it is generally recognised that sound management systems are all similar in fundamental terms. Compliance with the MHF regulations does not require any particular standard to be used, nor will compliance with an existing management standard ensure compliance with the SMS requirements of the MHF regulations. However, adoption of a proven standard may assist an MHF operator by providing a sound framework on which to base their specific SMS.


Figure 2.1 Elements of the generic management system

[Figure content: a continual improvement cycle of policy and objectives; standards and targets; planning and prioritising; implementation; monitoring; audit; corrective action; review.]

The management system must manage and support those specific aspects of the facility and its operations that form the control measures adopted to prevent and control major incidents. The links between the management of control measures and the SMS need to be clear. There may be other health and safety issues (eg occupational exposure to chemicals or to noise) which are important and also managed through the SMS. Similarly, there may be other types of risk associated with the facility (eg production loss, quality loss, damage to the environment) which the operator wishes to manage through the same integrated management system. However these are not specifically relevant to the MHF regulations, and for the purpose of determining compliance with the MHF regulations, the SMS needs to have a specific and adequate focus on those control measures which have a role in relation to potential major incidents. For more information, see the guidance note Control measures. Some example control measures are:

- design and construction standards and procedures
- process control and automation systems
- physical engineered devices which eliminate, reduce or mitigate major incidents
- corporate and individual knowledge of the facility and its safe operation
- culture, attitudes and values of the operator and workers in relation to safety
- organisation, supervision and resourcing of tasks and processes required to ensure safe operation, permit to work and equipment isolation procedures
- processes to maintain mechanical integrity of critical assets (testing, inspection, maintenance, replacement)
- operations/maintenance procedures needing to be performed in a certain manner to maintain safe operation
- procedures for procurement of devices, parts, raw materials and other commodities used in the process
- emergency plans and procedures.


2.2. Ensuring a compliant SMS


The SMS must be comprehensive and integrated with respect to these control measures. This means incorporated within a rational management cycle which contains the elements of good management practice and which drives ongoing improvement (reg 5.2.5). A comprehensive SMS combines all the generic management system elements and supports all the control measures in proportion to their influence on safe operation. This concept is illustrated in Figure 2.2. There are a number of problems or mistakes that can influence the effectiveness of the SMS and compromise compliance with the requirements of the MHF regulations.

These include:

- An SMS contains the right management elements and addresses the correct control measures but does not reflect how these control measures are managed in practice ie the elements exist but do not reflect reality.
- An SMS contains the right management elements but manages the wrong control measures ie those not relevant to major incidents.
- An SMS addresses the appropriate control measures and reflects reality but does not have the appropriate management system elements to ensure proper monitoring and improvement of performance ie the SMS manages the controls but does not monitor or improve performance.

Figure 2.2 A comprehensive SMS

[Figure content:
Control measures: design and construction standards; process control systems; engineering projects; knowledge of facility; resources; engineering controls; operational/maintenance procedures; mechanical integrity of facility assets; materials used in facility.
Annotation: Hazard identification, safety/risk assessment and review of control measures determines what control measures are necessary and sets standards for their performance.
Management cycle: policy and objectives; standards and targets; planning and prioritising; implementation; monitoring; audit; corrective action; review; continual improvement.
Annotation: The SMS management cycle assures (and improves upon) the necessary performance.]


2.3. Workforce requirements


The MHF regulations have requirements which specify that workers must have a safety role, including in following procedures for the establishment and implementation of the SMS. The operator must consult in relation to establishing and implementing an SMS. The operator is also required to provide information, instruction and training to workers in relation to the content and operation of the SMS. Hence the workforce requirements relate to both establishing and implementing the SMS, and ensure ongoing functionality of the SMS.

3. The Safety Management System

3.1. Required elements of the SMS


Reg 5.2.5 and Schedule 10 define the matters that must be included in the SMS. The extent and means of addressing these matters must be such that the SMS is used as the primary means of achieving safe operation, including providing for compliance with divisions 3 and 5 of the MHF regulations. These prescribed elements are expected to provide a good basis for an SMS for all MHFs, although further elements are likely to be needed for specific MHFs. The elements, previously summarised in section 2.1, are detailed below:

Safety policy and objectives. The MHF regulations do not require a policy on major hazards but they do require a clear safety policy including the broad aims for the safe operation of the MHF, which need to relate to the existence of major hazards. WorkSafe will look for evidence that, at a high level, the operator recognises the potential for major incidents at the facility and is committed to controlling the associated risk. Detailed objectives must be set.

Organisation and personnel. The MHF regulations require an explanation in the SMS of the organisation and personnel arrangements. This should define the roles and responsibilities of individuals in ensuring safe operation, and the overall means of ensuring they have the necessary knowledge and skills to enable them to perform their allocated tasks and discharge their allocated responsibilities. It should also address the wide range of human factor issues that can impact safe operation, such as: management of knowledge; competency assurance; staff turnover; changes in skills or knowledge; clarity of command structures and responsibilities; handling workloads, morale, fatigue and shift work; communications; empowerment; disputes etc.

Operational controls. Operational controls include all processes and procedures impacting on safe operation, for all modes of operation. Operational controls likely to be of particular importance at MHFs are the processes and procedures for operating plant and equipment; maintaining the integrity of that equipment; permitting work; starting up plant or commissioning; shutting down plant or de-commissioning; achieving safe isolation of equipment and controlling abnormal conditions. Operational controls should in particular include processes for identifying, handling and reducing or eliminating human error, such as procedural checks, error reporting, alarm handling procedures, fault-tolerant procedures and processes for improving compliance with procedures. Processes for compliance with divisions 3 and 5 also need to be included in the SMS eg procedures for carrying out hazard identification and Safety Assessment and for consulting with health and safety representatives (HSR).

Management of change. This is an essential element of a robust and comprehensive SMS, as changes can introduce new major hazards or potential major incidents, or can increase the risk arising from existing hazards. There needs to be effective management of all changes in the facility (past, present and future), including operational, organisational, procedural and equipment changes. This subject is addressed in more detail in the guidance note Management of change. The MHF regulations note that a modification to the facility could create a new hazard or increase the likelihood or consequences of major incidents, and therefore requires review and revision of hazard identification, major incidents, control measures and Safety Assessment. The MHF regulations also require a review and, if necessary, a revision of the SMS if a modification is made to the MHF. Hence management of change needs to track changes to the facility, the control measures and the SMS itself, and then trigger reviews and revisions as necessary. This is to ensure that the SMS as a whole is monitored and revised so that it continues to be applicable and appropriate to the facility. Modifications with potential to erode the effectiveness of the SMS, either due to obsolescence or mis-application of parts of the SMS, need to be avoided.


Figure 3.1 Management of change within the SMS

[Figure content:
Policy and objectives; standards; resourcing; training; culture; consulting and informing; roles and responsibilities; management of change; improvement/corrective action.
Learning from experience: audit; review; incident reporting; investigation; records and drawings; knowledge base.
Managing current conditions and variations: supervision; troubleshooting; operational procedures; maintenance systems; process condition data; existing controls.
Anticipated future intended or unintended changes and events: hazard identification; new controls; emergency response plans; Safety Assessment; modification projects; plant condition monitoring.]

Principles and standards. These can include any documents or concepts used as the basis for ensuring safe operation. These should be consistent with the site's Safety Case approach and can include technical, engineering or management principles developed or applied by the operator. Examples include principles for management of human factors; standards for development or implementation of operating procedures; design principles for control rooms and alarm systems; engineering design standards; fire protection standards; maintenance standards; loss control principles; layers of protection and process control systems design basis.

Monitoring, audit and review. Monitoring comprises the routine checking that activities under the SMS are actually being conducted, the measurement of actual performance of the SMS elements and the comparison of this performance with the defined standards or targets. Audit is the process of checking that the overall established SMS is understood and is being used, and that the management framework (in particular the monitoring and corrective action processes) is being implemented and is effective. It can also include evaluation of the degree of compliance against the defined standards. Both quality control and quality assurance are necessary as part of these processes: that is, checks are required that activities occur, that the activities are being performed to a suitable standard; and that the systems, procedures, controls etc are achieving the desired results. Review is the regular but less frequent process of stepping back and asking if the entire system and the standards within it remain adequate, fit-for-purpose, and in-line with current good practice. A combination of monitoring, audit and review is necessary to ensure the ongoing effectiveness of the SMS and to drive continual improvement.

Reporting and investigation of hazards and incidents are important aspects of safety management and need to be included within the operational controls and/or the processes of monitoring, audit and review.

3.2. Establishing the SMS


The SMS should be established to reflect the true safety management approach of the facility (see the guidance note Safety Case overview). For example, if the operator places a significant amount of reliance on workers to show responsibility and initiative in maintaining safe operation, then the SMS should be customised to focus on competency, information, knowledge and training to support the workers in this role. Alternatively, if the operator emphasises the strict adherence to systems and procedures, there may be less emphasis on worker elements and more emphasis on written procedures and ensuring compliance with these procedures. Another example would be an operator reliance on engineering controls, so the SMS may emphasise maintenance and design standards rather than operating procedures. It is unlikely that such differences would result in any basic elements being absent but a different balance of emphasis should be discernible from the Safety Case philosophy.

Examples of modern SMS standards applicable to control of major hazards are:

- AS/NZS 4804:2001 Occupational health and safety management systems - General guidelines and AS/NZS 4801:2001 Occupational health and safety management systems - Specification
- American Petroleum Institute, API 9100 (1998), Model Environmental Health and Safety Management System and Guidance Document
- US OSHA 3132/3133, Process Safety Management
- AIChE/CCPS, Guidelines for Implementing Process Safety Management Systems
- UK Health and Safety Executive HSG65, Successful Health and Safety Management

Figure 3.2 shows some examples of standards that may be relevant, taken from the American Occupational Safety and Health Administration (OSHA).

Figure 3.2 OSHA Process Safety Management standard

- Process safety information
- Workplace and process hazard analysis, consultation and action planning
- Responsibilities and participation of personnel
- Written operating procedures for all operating phases and limitations
- Permit system
- Compliance auditing
- Employee and contractor safety information and training
- Mechanical integrity evaluation and maintenance systems
- Quality assurance for design, fabrication and installation
- Emergency planning and training
- Pre-start up safety reviews
- Management of change procedure
- Incident investigation


Some companies, in particular operators of multiple sites, may have corporate standards for the SMS. These may prescribe the entire SMS or only common high-level components such as the overall policies and procedures. In other cases, corporate SMS requirements may be limited, and the site will then need to develop its own systems. Many corporate systems specify that local regulations override corporate requirements if they are more stringent. Depending on their corporate requirements and business culture, some companies may employ specific, dedicated management systems for individual issues such as health and safety, quality, production, environment and finance (see Figure 3.3 for example). Other companies may employ integrated management systems for the business as a whole. It is up to the operator to choose how the SMS is structured. However, in all cases the SMS must provide a management focus on the specific control measures required for safe operation of the particular facility with regard to major incidents. Any corporate or standard management system should be tailored and/or supplemented to reflect the specific conditions and control measures of the facility.

Figure 3.3 API Model Environmental Health and Safety Management System

Corporate vision, policy, management commitment

Plan:
- Management leadership, responsibilities/accountabilities
- Risk assessment/management
- Compliance and other requirements
- EHS management planning and programs

Do:
- Personnel, training and contractor services
- Documentation and communications
- Facilities design and construction
- Operations, maintenance and management of change
- Community awareness and emergency response

Assess:
- EHS performance monitoring and measurement
- Incident investigation, reporting and analysis
- EHS management system audit

Adjust:
- Management review and adjustment

Continual improvement (links the stages of the cycle)


Major incident risk requires a more disciplined approach to the management of risks than common OHS risks due to the inherently lower frequency of major incident type hazards. This is to ensure control of these hazards is not overshadowed by more frequent but less severe hazards. While there may be some overlap between the different types of risk, a specific and targeted focus on major incident risk management is required for all facilities. Whatever SMS basis is used, WorkSafe expects that the operator will document the basis of the SMS and show that it provides this focus and is appropriate to the specific facility. If an integrated management system, which addresses a range of issues, is presented, the operator will need to demonstrate that major incident safety issues are not being neglected or obscured by other issues like keeping the plant running and controlling routine emissions. Conversely, if a management system specific to major incidents is presented, there needs to be a demonstration of the ability of the operator to implement this alongside other management systems. The intent of the MHF regulations is not to create an overly complex system relative to the nature of the facility, as this may divert attention from the fundamental activity of managing safe operation, but to develop and implement a system that is fit for purpose (see Figure 3.4), reflects the complexity and risks inherent in the facility and achieves the basic requirements outlined in the MHF regulations.

Figure 3.4 Fit for purpose SMS

Vertical axis: Inherent risk of facility (High risk, Low risk). Horizontal axis: Size and complexity of facility (Small, simple to Large, complex).

High risk:
- Simpler SMS. Extensive monitoring, auditing, review
- World-class high integrity SMS. Less extensive monitoring, auditing, review

Low risk:
- Simpler SMS. Less extensive monitoring, auditing, review
- World-class high integrity SMS. Extensive monitoring, auditing, review


3.3. Comprehensive and integrated SMS


The key factor that needs to be demonstrated in the Safety Case is that the SMS is comprehensive and integrated with respect to the control measures. There are some additional fundamental principles that need to be addressed, which follow from the MHF regulations and the lessons of the Longford incident described previously, and that are good management practice. These principles include that the SMS should be accessible, comprehensible, documented, facility-wide, realistic, dynamic and continuously improving. These factors do not need to be explicitly demonstrated in the Safety Case but they may impact on the MHF licence requirements and therefore need consideration.

For the SMS to be comprehensive, it needs to ensure that any risk control measure is properly implemented and maintained in every sense. This can include:
- identifying what are the control measures
- defining their performance requirements
- implementing the measures themselves and any associated training etc
- monitoring and maintaining the control measures against the performance requirements
- rectifying any shortcomings that may arise
- reviewing and improving the control measures.

These elements should ensure that the operator has an understanding of the effectiveness of a control measure in eliminating or controlling major incidents. Situations where the assumed effectiveness of a control measure was not achieved in practice would indicate that the SMS is not comprehensive in relation to that control measure. In this regard, it is more important for the SMS to accurately portray standards achieved in practice (ie reality) than to promote any particular standard of performance that might not be achieved in practice and may therefore result in a false sense of security. If the SMS does not give an accurate measurement of the effectiveness of the control regime, then adequacy of safe operation cannot be demonstrated and the Safety Case will be fundamentally flawed.

The requirement for the SMS to be integrated with respect to the control measures recognises the fact that failures in complex systems often stem from a complex combination of circumstances. For example, frequent failures of instrumentation may not become critical as long as the failures are reported and rectified promptly, and there are other control measures fully functional in the interim. However, the problem may become serious if procedures or communications break down, failures are not recognised or not rectified, or if other control measures are also disabled. Hence the SMS needs to ensure that the control measures work together effectively as a whole, in particular that they do not conflict with each other, and hence provide layers of defence. Furthermore, to ensure that the core elements of the SMS work together effectively, communications and actions should be linked and consistent throughout the SMS. For example, if monitoring indicates that there are problems in implementation of a particular procedure, this should be reflected in the corrective action processes. The SMS should provide a communication, decision-making and action process which is on the look-out for interactions within the system which could combine to cause major incidents.

The MHF regulations require the SMS to be accessible, comprehensible and documented. For the SMS to be accessible, the contents, layout, format and location of the SMS should enable all workers who use the SMS to access the parts they need, so that they understand the relevant SMS requirements before carrying out any safety critical task. The SMS should be written in such a way that the users of the SMS can understand it and exactly what is required to implement it. All critical information and decisions should be documented sufficiently to provide an audit trail which enables both the organisation and WorkSafe to be satisfied that the SMS is functioning effectively and is being implemented in practice.

The SMS should be applicable facility-wide. Priority levels within the SMS for different parts of the facility, and different risks, should be determined by their relative importance to safe operation. However an SMS which neglects entire components of the facility may be flawed.

The SMS should be realistic and should reflect the actual practices on the facility. The SMS is not purely an OHS documentation activity. It should incorporate the wide range of human culture issues, commitment levels, attitudes and communication and control processes, any of which can have a profound effect on the risk of major incidents. All workers and management who have a role in safety participate in and influence this broad system. The MHF regulations stipulate that establishing and implementing the SMS must be the subject of consulting, informing, instructing and training of workers to ensure that the final SMS is realistic. Any systematic difference between the SMS and actual practices on the facility may be a major flaw in the safe operation of the facility. However, occasional divergences or non-compliance events may arise because of the complexity of some operations. These do not indicate failure of the SMS, as long as they are monitored and corrected (whether correcting the practice or modifying the system).


The SMS should be dynamic. An SMS that does not adapt to changing conditions at the facility will not retain the ability to ensure safe operation and will lead to deterioration in safe operations. As well as monitoring and reactively responding to changes, the SMS should be proactive by setting goals and forcing necessary change on the facility. An important aspect of a dynamic SMS is that it is able to accommodate and learn from any variability or change in the facility which may require workers to take action above and beyond established working procedures and instructions. This is a crucial point which relates back to the safety management approach and workplace culture: the SMS does not necessarily need to override workers taking initiative and making adjustments in the face of developing events within the facility if that is required to ensure safe operation. The SMS should however support and adapt to this way of working and this should be reflected in the defined responsibilities and working procedures. The SMS should not be such as to prevent the worker from being able to recognise and deal with unexpected circumstances.

Continual improvement is required in all aspects of the SMS. This may mean improving actual safety performance by more diligent application of existing systems or it may mean improving the system to improve performance or to cater to new hazards which have been introduced. Ensuring continual improvement requires performance standards and indicators for the SMS itself.

3.4. Managing control measures within the SMS

The identity and relative importance of the different adopted control measures are likely to be specific to each facility and their significance should be determined in the Safety Assessment process. The level of priority and resource allocated in the SMS to each control measure should then be broadly proportionate to its influence over the overall risk level of the facility (ie a risk-based approach should be used), and should be made clear in the SMS. There can be exceptions to this, where for some other reason a particular control requires more or less attention than its influence on risk would suggest, or the SMS has elements due to corporate requirements or good management practice, but not directly linked to the risk of major incidents. However, the SMS should provide a rational basis for the decision-making and resource allocation processes influencing safe operation. Hence the links between the SMS, the control measures and the Safety Assessment should be clear. These concepts are illustrated in Figure 3.5 below.

Figure 3.5 Decision-making and resource allocation within the SMS

Diagram elements: Safety Assessment; Control measures; SMS.

Questions linking the elements:
- Are there new safety problems developing?
- What are the safety priorities?
- What are the effects of change?
- How should resources be allocated?
- How do decisions influence safe operation?
- What are the key safety problems?


The priority elements within the SMS at any time may include a set of issues which require ongoing attention and resources, and a set of new issues which have arisen or may be about to arise which require attention. MHFs are expected to rely on a number of different control measures which have an influence on safe operation. The relative priorities of these will change from time to time as management effort takes effect, existing key concerns are brought under control, conditions in or around the facility alter and new knowledge or problems arise. As a result there will be a variety of control measures managed under the SMS, with control measure improvements identified and given priorities under the SMS. The improvement priorities will change over time, as specific improvements are implemented, existing problems resolved and new problems and improvement opportunities identified. The SMS should identify the changing priorities for safety management/improvement based on the Safety Assessment process.

3.5. Performance standards for the SMS

The operator must develop and apply performance standards for the SMS. These should support the operator's safety objectives, which means that performance standards need to be set for the systems and procedures that are in place to ensure that the objectives are met (reg 5.2.5). In particular, Schedule 10(7) requires the operator to have performance standards for measuring the effectiveness of the SMS. These need to relate to all aspects of the SMS. Performance standards should be of sufficient detail and transparency to enable the effectiveness of the SMS to be apparent from the documentation. They should be defined in such a way as to provide a meaningful measure of effectiveness. For the purposes of continuous improvement of the SMS, there should also be processes and measures designed to identify and implement improvements to the system itself.

A comprehensive set of workable SMS performance standards appropriate to the facility will be necessary. Performance standards can be defined at a high level for the system as a whole, and at a lower level for individual elements of the system. The standards could include both the current required level of performance, and also a target level to be achieved within a specified timeframe. Operators should consider the principle of SMART (Specific, Measurable, Achievable, Realistic, Targeted) in defining performance standards. Operators should also consider using a combination of performance standards which include both proactive standards (ones that measure the activities or inputs of the organisation to managing safety) and reactive standards (ones that measure the outputs or actual performance achieved).

Table 3.1 Examples of SMS performance standards

Columns: System expectation (standard); Performance measure, divided into Process measures and Outcome measure.

Safety critical equipment
System expectation (standard): A system is in place to identify, test and maintain the equipment to ensure the required design and reliability standards for safety critical equipment are met.
Process measures: Selection, design, modification etc in accordance with company standards. Equipment tested to schedule. Audits of the above processes completed to schedule.
Outcome measure: Results from scheduled testing. Results from breakdown maintenance. Results from incident investigations where safety critical equipment caused or contributed to incident. Actions from audits, testing and incidents etc relating to safety critical equipment are completed to schedule to ensure system is continuously improved.

Mechanical integrity
System expectation (standard): A system is in place to test, inspect and maintain mechanical assets to applicable standards.
Process measures: Mechanical assets inspected and tested to schedule. Temporary/interim repairs replaced with permanent repair to schedule. Reported mechanical defects corrected to schedule. Audits of the above processes completed to schedule.
Outcome measure: Number of incidents/leaks due to mechanical integrity issues. Results from inspection and testing of assets. Actions from audits, testing and incidents etc relating to safety critical equipment are completed to schedule to ensure system is continuously improved.

Procedures
System expectation (standard): A system is in place for the development, implementation and review and revision of effective operating and maintenance procedures.
Process measures: Procedures issued and reviewed and revised to schedule. Audit of the above processes.
Outcome measure: Number of procedures current and available for use (eg results from audits). Number of incidents with cause(s) relating to inadequate procedures. Actions from audits and incident investigations completed to schedule to ensure procedures are effective.

Training
System expectation (standard): A system is in place to ensure employees have necessary skills and knowledge to effectively do their job.
Process measures: Required training (including refresher training) for specific jobs completed to schedule. Audit on training requirements for specific jobs (eg status against risk matrix, number attending training sessions etc).
Outcome measure: Number of incidents related to inadequate/insufficient training. Findings from survey or tests on competency and knowledge. Actions from audits and incident investigations completed to schedule to ensure training system is effective.

Management of change (MOC)
System expectation (standard): A system is in place for the management of temporary and permanent changes.
Process measures: Number of approved temporary changes still in place beyond approval expiry date. Number of changes made that bypassed or shortcut the MOC process. Audit or quality review of change documentation, sign off and approval process are completed to schedule.
Outcome measure: Number of incidents related to MOC process inadequacy. Actions from audits and incident investigations completed to schedule to ensure MOC process is effective.


It is important to establish standards and systems that are practical, and which ensure open, comprehensive and accurate reporting of errors or problems. This means the systems should not place an unworkable burden on workers, or result in repercussions that may discourage open reporting. The SMS should enable the operator to look into the detail of the performance monitoring information and decide if an absence of evidence of problems really is indicating high performance, or whether there is a breakdown in recognition or communication of problems.

3.6. Summary of the SMS for the Safety Case

Reg 5.2.15 requires the Safety Case to include a summary of the content of the SMS. The following aspects should be included in this summary:
- identification and brief description of all key elements of the SMS
- indication of how these elements relate to each other
- overview of the foundations, standards or models on which the SMS is based
- outline of how the SMS meets the requirements identified in section 3.1 of this guidance note
- summary of the links between the SMS, hazard identification, Safety Assessment and adopted control measures.

The SMS matters listed in schedule 12 are additional to the above.

4. Review and revision

An MHF operator must review and revise the SMS if a modification is made to the MHF or a major incident occurs at the MHF and at least once every five years. In practice the review and revision of the SMS as a whole at least once every five years often coincides with the review and revision of the Safety Case for relicensing purposes. MHF operators also often review and revise elements of the SMS at different times, depending on current needs and knowledge, but operators need to ensure that the SMS continues to function as a whole and that the different elements do not contradict or conflict with one another following partial review and revision.

5. Compliance checklist

Table 5.1 contains information on the MHF regulations as they relate to SMS.

Table 5.1 MHF regulations relating to SMS

Section: Reg 5.2.5
Requirement: The operator of an MHF must establish and implement an SMS for the MHF. The operator must use the SMS as the primary means of ensuring the safe operation of the MHF. It must be documented and provide a comprehensive and integrated management system for all aspects of risk control measures adopted under this part. The SMS must be readily accessible and comprehensible to persons who use it. The SMS must contain the safety policy, the operator's broad aims in relation to safe operation and the operator's specific safety objectives. It must describe the systems and procedures for achieving these, and must describe how the operator intends to comply with divisions 3 and 5 of the MHF regulations. The SMS must be reviewed and, if necessary, revised if a modification is made to the MHF or a major incident occurs at the facility and, in any event, at least once every five years.

Section: Reg 5.2.13
Requirement: The operator must develop a role for the operator's employees including the specific procedures employees are required to follow to assist the operator to (d) establish and implement an SMS.

Section: Reg 5.2.15
Requirement: The Safety Case must contain a summary of the content of the SMS, and must be sufficient to demonstrate that the SMS provides a comprehensive and integrated management system of risk control measures in relation to major incident hazards and major incidents. The Safety Case must include a signed statement by which the operator certifies that the summary of the SMS is accurate and that persons who participate in the implementation of the SMS have the necessary knowledge and skills to enable them to undertake their tasks and discharge their responsibilities in relation to the SMS.

Section: Reg 5.2.18
Requirement: The operator of an MHF must consult in relation to (d) establishing and implementing an SMS.

Section: Reg 5.2.19
Requirement: The operator of an MHF must provide information, instruction and training to employees of the operator in relation to (d) the content and operation of the SMS. The information, instruction and training is monitored, reviewed and, if necessary, revised in order to remain relevant and effective.

Section: Reg 6.1.44
Requirement: WorkSafe may suspend or cancel an MHF licence if it is satisfied in the case of an MHF that the SMS for the MHF no longer provides a comprehensive and integrated management system for all aspects of risk control measures adopted in relation to major incident hazards and major incidents.

Section: Schedule 10
Requirement: The SMS must incorporate the following: The safety policy and safety objectives, including the means of communicating these and an express commitment to ongoing improvement of all aspects of the SMS. Description of the organisation and personnel, including identification of persons participating in the SMS, their responsibilities and accountabilities, the means of ensuring they have the necessary knowledge and skill, and the command structure. Description of the operational controls (whether technical, organisational or managerial). The procedures for safe operation of plant, for mechanical integrity, for plant processes, and for control of abnormal and emergency activities. The provision of means of isolation for servicing and maintenance, and in emergencies. The roles of personnel, and of the interfaces between plant and personnel. Provision for alarm systems. Description of the means of compliance with divisions 3 and 5 of the MHF regulations. Processes for management of change. Principles and standards for design and operation. Processes for performance monitoring of the SMS and of adopted control measures. Processes for audit, in particular of performance against standards.

Section: Schedule 12
Requirement: The Safety Case must contain clear references to the documented SMS. It must also contain a description of those parts of the documented SMS that address the maintenance of the SMS (that is, its ongoing effective implementation and its ongoing improvement).


6. Further reading
- UK HSE (1998), HSG65, Successful Health and Safety Management.
- UK HSE (1999), HSG48, Reducing Error and Influencing Behaviour.
- NSW Department of Infrastructure, Planning and Natural Resources (August 2004), (Consultation Draft) Major Industrial Hazards Advisory Paper No. 4 Safety Management Systems.
- US Department of Labour, OSHA Standard CFR 29 1910.119, Process Safety Management.
- American Petroleum Institute (1998), API 9100A, Model Environment, Health and Safety Management System.
- American Petroleum Institute (1998), API 9100B, Guidance Document for Model EHS Management System.
- American Petroleum Institute (1990), API RP750, Management of Process Hazards.
- American Institute of Chemical Engineers, Center for Chemical Process Safety (1994), Guidelines for Implementing Process Safety Management Systems.
- Australian Standard, AS/NZS 4804:2001 Occupational health and safety management systems.

Further Information

Contact the WorkSafe Victoria Advisory Service on 1800 136 089 or go to worksafe.vic.gov.au

Related WorkSafe publications


- Guidance Note Requirements for demonstration
- Guidance Note Hazard identification
- Guidance Note Control measures
- Guidance Note Management of change
- Guidance Note Safety Case overview

Note: This guidance material has been prepared using the best information available to the Victorian WorkCover Authority and should be used for general use only. Any information about legislative obligations or responsibilities included in this material is only applicable to the circumstances described in the material. You should always check the legislation referred to in this material and make your own judgement about what action you may need to take to ensure you have complied with the law. Accordingly, the Victorian WorkCover Authority cannot be held responsible and extends no warranties as to the suitability of the information for your specific circumstances; or actions taken by third parties as a result of information contained in the guidance material.
