Sie sind auf Seite 1von 33

See discussions, stats, and author profiles for this publication at: https://www.researchgate.


Total Safety Management: Principles, processes and methods

Article  in  Safety Science · October 2016

DOI: 10.1016/j.ssci.2016.09.015

10 7,975

3 authors:

Tom Kontogiannis Maria Chiara Leva

Technical University of Crete Technological University Dublin - City Campus


Nora Balfe
Trinity College Dublin


Some of the authors of this publication are also working on these related projects:

View project

PROSPERO (PROactive Safety PERformance for Operations) View project

All content following this page was uploaded by Tom Kontogiannis on 10 November 2019.

The user has requested enhancement of the downloaded file.

Total Safety Management: Principles, processes and methods

T. Kontogiannisa, M.C. Levab & N. Balfeb

a: Technical University of Crete, Dept. Of Production Eng & Mngt, Chania, Greece
b: Trinity College Dublin, Centre for Innovative Human Systems, Dublin, Ireland

1. Introduction
Over the recent past, the incidence of major mishaps, crises and accidents have made it clear that
organizations must still improve their capabilities to address safety through the application of a
systematic and proactive approach. Whereas traditional safety programs were mostly reactive
and implemented on the basis of incident investigations, or as a result of enforcement, new
integrated and proactive approaches have been endorsed by safety advisory and regulatory
bodies. Safety management systems (SMS) are changing from a prescriptive style to a more
‘self-regulatory’ and ‘performance oriented’ model (Frick and Wreb, 2000; Bluff, 2003) that is
more proactive, participative and better integrated with business activities. To this end, several
proposals have been made in safety management systems (e.g., Strategic Safety Management
and Integral Health Management) and international standards (e.g., ISO 31000).

For many years, the Total Quality Management principles have provided a basis for
developing several health and safety systems. Building on TQM, Goetsch (1998) introduced
the concept of Total Safety Management (TSM) as a performance-oriented approach that gives
organisations a sustainable advantage in the marketplace by establishing a safe work
environment that is conducive to peak performance and continual improvement. The
fundamental elements of TSM include a strategic approach to safety, emphasis on performance
assessment, employee empowerment, reliance upon robust methods of risk analysis, and
continual improvement. However, more specific and practical organisational processes for total
safety have been proposed by the Strategic Safety Management (SSM) approach that emphasised
an integration of safety into the corporate strategy and the demonstration of a business value of
safety (Rahimi, 1995; Zou and Sunindijo, 2015). In a total safety approach, business processes
are integrated with safety engineering techniques within a continuous improvement culture that
affects all levels in the organisation. In the SSM approach, the safety target becomes the analysis
of ‘work processes’ rather than the analysis of isolated safety-critical activities. A work process
is a complex web of interdependencies between physical entities, information, communication
and knowledge channels and decision-making activities. Hence, by analyzing what is wrong
with a work process, safety practitioners can evaluate the entire system and cater for safety,
quality and productivity. The SSM is deeply ingrained with participative safety management in
the form of self-managed teams as advocated by TQM approaches. To exploit operational
feedback, the SSM relies on performance measures that relate to work processes rather than

work outputs (e.g., incident and injury rates). These SSM principles have been applied by Zou
and Sunindijo (2015) in the development of safety programs for the construction industry.

In the Integral Health System (IHM), the value of health is seen as a key element of
corporate policy in addition to the reduction of incidents and their associated costs (Zwetsloot et
al., 2003; Zwetsloot and van Scheppingen, 2007). The IHM principles have been based on
earlier TQM approaches and Business Excellence Models which provide a good basis for
integrating safety with quality and other business processes. The IHM approach requires a shift
from solving safety problems and reducing risks to the positive business values that safety can
bring to the organization. The focus is no longer on risk reduction, medical problems or product
safety but on a combination of them and their relationships to organizational and business
development. In this sense, health and safety is associated with business values which increases
its strategic role.

The integration of safety with quality, environment and productivity can be done at
different levels, according to Jorgensen et al (2006):

 Strategic and cultural integration in order to enhance learning, continuous performance

improvement, stakeholder involvement and participative management;
 Coordination of common business processes between safety, quality and environment
(e.g., policy, planning, procedures, audits, control of non-compliance, preventive and
corrective actions and management reviews);
 Correspondence of different standards (e.g., ISO 9001, ISO 14000, OHSAS 18001)
with cross-references and possibly a common information system.

The earlier SSM and IHM approaches have mainly addressed the strategic and cultural
integration and, to a lesser extent, the coordination of common business processes. The
correspondence of standards usually falls outside the remit of safety advisory bodies but has been
taken on board by many safety consulting firms aiming to develop informational systems that
facilitate transfer of data and analysis of compliance across standards. In addition, there are a
growing number of studies focusing on conceptual frameworks and methods to map standards of
safety, quality and environment in an Integrated Management System (e.g., Santos et al. 2012;
Hamidi et al., 2012; Bragatto et al., 2007).

Building on the advances in strategic and cultural integration, further studies are now
needed to examine the coordination of common processes to support the integration of safety
with other business activities and demonstrate the benefits of Total Safety Management.
Therefore, the aim of this paper is to consider the principles of TSM and examine how safety can
be integrated with other business processes that may be used for quality, productivity and design.
The first part presents the five principles of TSM whilst the second part describes an integration
of safety processes. The third part presents an overview of the results of a European project
(Total Operations management of Safety Critical Activities) that developed specific tools to

manage a Total Safety Management approach. Detailed descriptions of some of the TSM tools
of the TOSCA project are presented in a number of papers published in this special issue of
Safety Science.

2. Principles of Total Safety Management

Over the past two decades, a number of risk management (RM) standards have been developed
to meet new demands from industry and higher expectations from regulators for managing risks
(e.g., AS/NZS 4360; FERMA; COSO; ISO 31000). Most RM standards share common
principles and processes as they require systematic methods in safety oversight, understanding of
acceptable risk tolerances (ALARP), formal risk assessment, risk mitigation, communication of
risks and review of safety investments.

The new ISO 31000:2009 standard offers principles and guidelines for risk management
(RM) and remains widely applicable to industry. It also serves to unite risk management
processes with existing standards of quality and environmental management and offers a
common approach to address risks without leading to a process of certification. The standard
can be used by any public, private or community enterprise, association, group or individual.

ISO 31000 provides general principles for risk management and proposes management
processes for implementing a system for managing risks. It can be applied to both industrial
safety and project risk management which provides a good basis for elaborating the principles of
Total Safety Management. In particular, the principles of effective risk management in ISO
31000 are as follows:

1. Risk management should create and protect business values;

2. RM should be central to the organization’s processes;
3. All decision making within the organization involves the explicit consideration of risks
and the application of risk management to some appropriate degree;
4. RM should be based on best available information;
5. Continual communication with external and internal stakeholders, including
comprehensive reporting of safety performance;
6. RM should be comprehensive and clear about accountability for risks, controls, and risk
treatment processes;
7. It should be systematic, structured, and timely applied to critical activities;
8. It should take into account human and cultural factors;
9. It must be dynamic, iterative, and responsive to change;
10. It must facilitate continual improvement of the organization.

The first three principles refer to what has been termed the ‘business value of safety’ (CCPS,
2008) where all decision making and organizational processes should involve the explicit
consideration of risks while risk management provides a capability for creating value for
business. The fourth principle suggests that RM should be based on best available information
about hazards, available methods and safety measures that have been implemented. This
principle on the use of best available risk information is elaborated by the NORSOK Standard Z-
013 which proposes an inventory of risk information about hazards, risk acceptance criteria, risk
contributing factors, risk assessment tools, and uncertainties or assumptions related to such
information. The fifth principle refers to the involvement of external and internal stakeholders in
the risk management process as well as to their continual communication including the reporting
of risk information. This is similar to the participative management approach pointed out by
Strategic Safety Management and Total Quality Management.

A vital part of all safety standards concerns the risk assessment process, the people who
would be involved, the techniques, the scope of analysis, and the context of work. The next
three principles (6, 7 and 8) refer to the allocation of safety responsibilities and the conduct of
risk assessment that should take into account the context of work (i.e. the technical environment
and the human factor). In this regard, the organization should manage any valuable knowledge
about risks (e.g., people’s views, standard procedures, audit reports, incident investigations) and
make it available to the risk assessment process. Finally, the last two principles refer to a
feedback mechanism that monitors risk reduction measures, evaluates results and facilitates
continual safety improvement.

The proposed TSM approach builds on these principles and further elaborates the
performance requirements of a risk management system as follows:

1. RM should be part of all decision making and organizational processes and provide a
capability for creating value for business;
2. RM should be based on best available risk information to create a common operational
picture about risks;
3. Participative risk management must ensure that all the needs of stakeholders are taken
into account while their knowledge about risks is brought into play;
4. Knowledge management should be part of risk management so that all knowledge about
risks is managed effectively and all RM techniques are better integrated;
5. Performance monitoring and operational feedback is necessary for making RM dynamic,
iterative, and responsive to change. At the same time, this will facilitate continual
improvement of the organization
The five TSM principles are further elaborated below, using existing knowledge from risk
management standards, earlier approaches to total safety and our recent experience with a three-
year European project (TOSCA) that applied the TSM principles to develop useful processes and
methods in Total Safety Management.

2.1 Business case for safety
Employers are required by legislation, and by social responsibility, to provide a safe working
environment while also being required by shareholders to deliver financial profit. For many
years, process industries have viewed productivity as being at odds with safety. This is partly
justifiable since investments in safety may not show short-term returns whilst major accidents or
injuries may occur after long time periods; this can make managers quite skeptical in investing in
safety and biased towards attending to pressing production issues to ensure economic survival in
a competitive world. For this reason, many institutions and researchers have emphasized the
need for risk management to demonstrate a business value to organizations.

For instance, in its HSG96 publication, the Health & Safety Executive (HSE, UK)
provided some evidence that ‘Good Health is Good Business’, since work accidents can come at
a high cost to the business. Other studies argued that the ‘business case’ of safety should be
supplemented with an ‘ethical case’ of safety. For instance, Wright (1998) suggested that many
managers are more likely to be motivated by factors such as company values, peer expectations
and perceived threats to individual and corporate reputation. The Royal Society for the
Prevention of Accidents (RoSPA, UK) supported the idea that the ethical case needs to be
advanced as the primary reason for taking action on health and safety (Bibbings, 2003). For
example, Small-Mediums Enterprises (SMEs) often ‘care’ about their employees but do not
know how to turn this ‘care’ into practical action. In 2006, the Centre for Chemical Process
Safety conducted a benchmark study with the chemical processing and petroleum industries and
found that companies that implemented efficient safety management systems achieved many
returns from their investment such as, productivity increases, production and maintenance cost
decreases, lower capital budgets and lower insurance premiums.

It appears then that we should seek to set out a much broader ‘business case’ for safety
showing how a proactive safety approach can benefit the business by improving quality and
reliability, encouraging workforce innovation and enhancing corporate reputation. Recent
studies have shifted their emphasis and presented safety more in terms of improving
effectiveness rather than simply avoiding accidents. In this respect, there has been an emphasis
on how to relate safety to productivity, workforce morale and corporate culture, empowerment
innovation and competitiveness. Hence, there is a need for modelling aspects of safety, quality
and productivity in a joint manner. In the past, ‘Balanced Scorecards’ have been used for
integrating performance indicators for safety, quality and productivity with some degree of
success (Mearns and Havold, 2003). Balanced scorecards take a global approach but they are
not very helpful in considering how specific safety interventions (e.g., modified task sequences)
impact on quality, maintenance and productivity. Other methods from Total Quality
Management can also be considered (e.g., Quality Function Deployment diagrams) to examine
how modifications in a critical task may affect key performance indicators. Finally, the Total
Productivity Management approach may offer some insights how to achieve integration between
safety, quality and productivity (Sumanth, 1997).

1.2. Common Operational Picture
Traditionally, safety management has focused on correcting safety problems and on taking
remedial actions to bring the system back to normal operation. Existing safety management
systems (SMS) seem to practise what is commonly known as feedback control (Fig. 1) where
poor feedback guides further action. However, there are no predictive or anticipatory
capabilities where organisations are able to anticipate future states of the system and foresee the
effects of corrective actions. This requires model-driven control (Fig. 2) that can predict future
states and evaluate alternative actions in terms of effectiveness and cost.

Safety Disturbances
target & threats

Inputs + Outputs
Safety Control Process
_ manegement action

Feedback about actual process state

Fig 1. A reactive safety management system

Safety Disturbances
target Compare Performance
& threats
forward costs & indicators
Inputs + Outputs
Safety Control & Process
_ manegement variability


Feedback about actual process state

Fig. 2. A proactive safety management system

Model-driven control enables safety practitioners to cope with information overload and
directs attention to critical events in a timely fashion. Safety practitioners should be able to
monitor what could become a threat in the near term and what could impair their abilities to
respond. This monitoring capability is supported by an ‘internal model’ of how the technical
process works, how people organize their jobs and how the environment affects the process and
the people. The internal model should also address how safety is measured and what

‘performance indicators’ can be monitored to measure not only ‘final outcomes’ but also
‘antecedents’ so that changes are made before undesired outcomes are produced.

Some authors have used the term Common Operational Picture (COP) to refer to this
‘internal model’ of the system that provides new capabilities for safety management. A COP is a
single source, usually a display, of relevant operational information about risks. The term
originated from the military domain to describe the complete battlefield information used by
commanders to make effective decisions (Looney, 2001). The aim of a Common Operational
Picture (COP) is to share situation awareness among distributed stakeholders and the concept has
also been applied in emergency management and crisis management (McNeese et al, 2006), and
the idea can be transferred to the sharing of information in safety management (Leva et al.,
2015). Figure 2 shows a ‘model-driven’ safety management system that comprises the four
functions of resilience engineering (i.e., respond, monitor, anticipate and learn):

 Given a specified safety target, the safety practitioner has to ‘respond’ and take control
action that changes the technical process in order to produce the desired output; in turn,
this is measured by suitable indexes and feedback mechanisms (‘monitor’).
 The ‘internal model’ (COP) must enable safety practitioners to ‘anticipate’ disturbances
so that control actions are taken beforehand. The advantage here is that control actions
can prevent adverse events from taking place or intervene before their consequences have
had time to spread to other parts of the system.
 Safety practitioners should also be able to control threats from internal variability due to
fatigue of personnel, changes in team composition, unavailability of tools and so forth.
 Safety practitioners must be able to ‘learn from experience’ which includes modifying
their internal model of the process.
There is limited information on what constitutes a common operational picture’ in a
safety management system. To a large extend, a ‘risk registry’ can be part of the COP so that all
stakeholders and operators are aware of the whole spectrum of risks in an installation. However,
it is interesting to ask whether the COP should also address the risk analysis tools, their
limitations, the people participated in risk analysis, and the influence of the conditions under
which the analysis took place. Other issues may concern the level of detail that should be
presented about risk items such as the description of risks, the possible control measures, the
responsible persons, etc. We can view the common operational picture as a database of risk
information that should be accessible to key players but the challenge remains of ‘who’ should
see ‘what’ information.

2.3 Participative risk assessment

Risk assessment (RA) is a complicated process that is usually performed by safety practitioners
well versed in engineering and reliability aspects of system design. Operational concerns in the

use of equipment that may give rise to hazards are usually based on job descriptions in standard
operating procedures. However, any informal practices with safety critical consequences cannot
be considered in this engineering approach because these are not documented. In most cases, a
risk assessment is performed on how jobs should be performed rather than on how they are
actually performed in practice. As a result, critical diversions or violations of procedures are
missed in this analysis. To avoid this oversight, a participative risk assessment is required that
would involve people at all organisational levels in certain stages of the analysis. This has the
advantage of capturing risks associated with how the work is done and also engages staff in
safety management. Another advantage of this approach would be that the workforce is
encouraged to monitor emerging hazards and report them, which can update and improve the
results of earlier analysis. Finally, it would be easier to design safety measures and barriers that
are compatible to the competencies and preferences of workers when they are part of that
process, hence enabling a more efficient human-system interaction.

2.4 Knowledge management

There is a body of literature which promotes the idea that a knowledge management system
(KMS) with a learning module can improve health and safety practices (Sherehiy and
Karwowski, 2007; Hugenholtz et al., 2007; Podgorski et al., 2010; Floyde et al., 2013). In this
approach, KMS view the knowledge capital of managers and operators as yet another resource
that can be used to support safety management. An e-learning facility can assist in collecting
and disseminating knowledge about safety matters across organisational levels. Another sort of
knowledge management system refers to technical knowledge in handling complex equipment,
recognizing failure modes and operational hazards, choosing the right people for the jobs,
applying standard operating procedures and evaluating work in progress. In most installations,
this knowledge is kept in silos, which hinders wide access to many practitioners. The fact that
this knowledge is usually cast in paper format exacerbates the problem of accessibility.
Knowledge management can overcome this problem by bringing all plant knowledge into a
single database, reshaping its format to enable better integration of items and organizing
knowledge so that different users can find and use what elements are suitable for their positions.
The advantages of knowledge management include: more efficient analysis of tasks and hazards,
better transfer of data with subsequent methods of risk quantification, streamlining of risk
matrices and better monitoring of safety measures.

2.5 Performance monitoring and feedback

New safety standards (e.g., ISO 31000) highlighted the important role of performance
monitoring and operational feedback in the safety control loop. In the past, most industries have
relied on ‘lagging indicators’ (e.g., Incident Rate, Potential Loss of Life, Fatal Accident Rate,
Lost-Time Injury Rate) to determine the reduction of risk as a result of safety interventions.

Unfortunately, these measures do not provide any indication of the progress made before an
accident occurs. There is a need, therefore, for ‘leading indicators’ that can identify early
warnings so that timely corrections are taken to mitigate risks. Recently, there has been a
growing body of research on the types of leading indicators that should be monitored, such as
number of violations, frequency of procedure revisions, percentage of complaints addressed,
training investments and so on (Hopkins, 2009 ; Oien, et al., 2011; Reiman and Pietikäinen,
2012). Other researchers have claimed that measures of productivity, maintenance, product
quality and cost considerations can be a useful basis for evaluating short-term benefits of safety
interventions (e.g., a new job procedure may produce short-term benefits such as faster
performance, fewer maintenance failures or improved quality before any safety benefits are
manifested). The right mixture of lagging and leading indicators remains an empirical question
that requires further research in performance monitoring and feedback mechanisms.

3. Safety processes of Total Safety Management

To achieve the safety principles of the TSM approach, it is necessary to highlight a set of
management processes that will define, plan, perform and evaluate the risk management process.
The central spine of the RM process is common to many safety standards and is concerned with
preparing for and then conducting risk assessment that leads to the final treatment of the risk.
ISO 31000 starts with a definition process of ‘establishing the context’ that is an essential
precursor to risk management. The RM process starts with defining what the organization wants
to achieve and the external and internal factors that may influence success in achieving those
objectives. In most standards, risk assessment comprises the three steps of risk identification,
risk analysis, and risk evaluation. Risks must be firstly identified with a systematic process and
subsequently quantified to establish priorities for risk treatment through the application of risk
acceptance criteria developed when the context was established. In particular, risk treatment is
the process by which existing controls are improved or new controls are developed and
implemented. It involves an analysis of costs and benefits as well as an assessment of new risks
that might be generated by different options.

ISO 31000 proposes two additional RM elements that can be considered as continually
acting. The first element refers to ‘communication and consultation’ with stakeholders to gain
their input to the process and their ownership of the outputs. This is also important to understand
stakeholders’ objectives, so that their involvement can be planned and their views can be taken
into account in setting risk criteria. The second element refers to ‘monitoring and review’, so
that appropriate correction occurs as new risks emerge and existing risks change as a result of
changes in the work environment. This involves environmental scanning by risk owners, control
assurance, taking on board new information and learning lessons about risks and controls from
the analysis of successes and failures. These management processes of IS0 31000 have been
used to develop the TSM processes (Fig. 3) so that this proposal is also compatible with the four
pillars of safety management advocated by CCPS (2008). The TSM processes are centred on a
Common Operational Picture which links together the four areas of commitment in action,
understanding risks and hazards, managing/treating risks, and learning from experience. Methods
and tools in each area can help organisations to develop an approach tailored to their needs.

Fig. 3. Safety processes of TSM organised in four pillars according to CCPS (2008)
‘Commitment in action’ is an important TSM process which identifies safety-critical
activities that will become the target of stakeholder and worker engagement. Since safety critical
activities may also pose threats to the continuity of operations, an integrated approach is needed
where risk management becomes part of many decision making and organisational processes to
protect business values. ‘Continual communication of risk information’ and ‘consultation with
all stakeholders’ is required so that plant management makes the necessary investments to
support operations, in terms of equipment, technical design solutions and the human capital
involved. Finally, the scope and context of risk assessment should be set at a strategic level to
achieve a better integration of safety and other business processes.

Second, a thorough understanding of hazards and risk is always needed of the conditions
that give rise to hazards, cause failures of protective barriers or failures of recovery barriers, and

thus increase the likelihood and severity of incidents. Risk identification requires the application
of a systematic process to understand what could happen, how, when, and why. Risk analysis
involves some degree of quantification of the risks presented by hazards, barrier failures and
human errors. Finally, risk evaluation involves making decisions about the level of risk and the
priority for attention through the application of the criteria developed when the context was

The Common Operational Picture (COP) can play an important role in supporting the
first TSM pillar by providing an overview of Key Performance Indicators (KPIs) to support the
integration of safety with other business processes. The ‘context of risk management’ can also
be supported by the COP with an inventory of risk information regarding hazards, risk
acceptance criteria, risk contributing factors, risk assessment tools, and uncertainties or
assumptions related to risk assessment. In the same regard, the COP can provide valuable input
to the second TSM pillar so that appropriate risk assessment methods are selected and integrated
to achieve safety improvements in a set of KPIs.

Third, ‘managing or treating risks, involves the selection and implementation of several
barriers to achieve risk prevention, risk elimination or risk mitigation. Managing risks involves a
cyclical process of assessing barriers or counter-measures, deciding whether residual risks are
tolerable and evaluating the effectiveness of barriers. This process also involves an analysis of
costs and benefits and assessment of new risks that might be generated by new safety
interventions and changes. Hence, the management of changes (MOC) becomes an important
aspect of managing risks.

Knowledge management has been shown in Fig. 3 as part of the third TSM pillar because
it brings all relevant plant knowledge into a single database and provides a better organisation of
knowledge so that new safety interventions are implemented without causing any side effects to
other parts of the system. However, it is conceivable that knowledge management can also
support the second TSM pillar in performing a comprehensive analysis of tasks and hazards,
enabling data transfer between methods and streamlining risk matrices in the process of risk

In order to select and evaluate appropriate management controls of risk reduction it is

necessary to develop a prototype or representation of the workplace. Examples may include
diagrams, pictures, physical mock-ups of the workplace, 2D representations and virtual reality
prototypes. Workplace prototyping offers a visual representation of the workplace, the
equipment, the tools and the workers, which enables safety practitioners to visualise and foresee
the impact of safety interventions before they are implemented.

Fourth, risk information that is collected from incident reporting and daily monitoring of
activities can provide a good basis for early warnings and feedback about operational and safety

performance. Hence, ‘learning from experience’ enables organisations to achieve wide
knowledge management of risks, best practices and lessons learned for continuous improvement.

The TSM processes are further explained in the next subsection as they have the potential to
offer the following benefits to the organisation:

 Compliance with relevant legal, regulatory & international norms;

 Improvement of the identification of opportunities and threats;
 Improvement of stakeholder confidence and trust;
 Establishment of a reliable basis for decision making and planning;
 Encouragement of proactive management;
 Effective measures for risk treatment;
 Improvement of mandatory and voluntary reporting;
 Improvement of operational effectiveness and efficiency;
 Enhancement of safety performance as well as environmental protection;
 Better organizational learning.

3.1 Processes for fostering commitment in action

One of the key TSM pillars regards a shift in the role of safety from the need to comply with
safety regulations to the need to promote a total view of safety. This has been expressed as the
‘business case’ of safety where the organization ensures a safe working environment, hence
achieving higher productivity, meeting client demands and being a ‘good’ employer. The
business case for safety relates to the common operational picture that should be shared amongst
all stakeholders so that all workers and managers are ‘on the same page’ about what risks exist in
the plant site, what measures have been taken, how productivity can benefit from safety and
where they go next. The business case can increase management commitment in taking safety
actions and in investing in safety because Safety, Health and Environmental (SHE) issues will be
seen as an integral part of doing ‘good business’ and maintaining reputation.

The first TSM pillar should consider the ‘context of risk management’, that is, the
external and internal parameters to be taken into account when managing risks as well as the
scope and the criteria for risk management. For high priority safety areas, organisations should
specify the scope and detail of risk assessment, the plant areas under further investigation, the
methods to be employed and the safety investment to be made. It is also important that
organisations decide the ‘risk criteria’ that should determine risk tolerance levels. In addition,
the requirements of safety, commitment in action and context of risk are better served when a
communication and consultation process is in place. The challenge in making the first pillar
work is to ensure that all stakeholders are involved in risk management and volunteer risk
information. In order to make Safety Health & Environment (SHE) programs successful,
managers and safety practitioners should combine health and safety with other management

goals, measure safety performance, evaluate the effects of organizational changes as well as
involve workers and supervisors in safety programs. To close the safety control loop, operators
and supervisors should provide reliable feedback on risks in a timely fashion. In applying the
processes of the first TSM pillar, practitioners should be able to respond to several challenges in
terms of prioritisation, coordination and methods of analysis as reviewed in Table 1.

Table 1. Challenges in commitment and supervision of safety processes

 Creating business value from safety programs

 Integrating safety management with other organizational processes
 Utilising safety management as a basis for making decisions rather than a means of
compliance with regulations
 Integrating safety performance Indicators with business Key Performance Indicators
(KPIs) to increase managers’ interest in safety
 Facilitating the communication and consultation process to capture the knowledge of
sharp-end staff and avoid unrealistic assumptions in risk analysis
 Harmonising the risk categories and risk matrices used by different stakeholders
 Ensuring that safety becomes the driving force of change and maintaining momentum
after its initial activation

3.2 Processes for understanding hazards and risks

Risk assessment is important because it helps create awareness of hazards and risks related to
critical work activities. It purports to reduce the probability and severity of the consequences of
hazards by designing suitable safety measures and precautions. Risk assessment also prioritizes
hazards and helps determine how to ensure loss prevention and business continuity.
Communication of risk knowledge is necessary in order for people to take responsibility for
consistent implementation of control measures.

The common operational picture (COP) provides useful information for the risk model to
be used for hazard identification, risk analysis and risk evaluation as explained below:

 Hazard Identification. ISO31000 calls for methods/tools to identify risks under the direct
or indirect influence of organisational processes. The exact methods and tools depend on
the needs of the organization, which should be identified by a participatory approach
including practitioners, risk assessors and stakeholders. Workplace prototyping tools can
be explored to assist the visualisation of hazards and their early recognition.
 Risk Analysis. ISO31000 provides limited guidance on the actual process of risk
assessment, requiring only that a risk assessment is carried out that fully accounts for the
hazards and their likelihood. Risk registries and knowledge management tools can ensure
that analysts have adequate information to make a good assessment of the level of risk
within an organisation.

 Risk Evaluation. This involves a comparison between the level of risk that has been
calculated in risk analysis and the criteria of risk acceptance as decided earlier in the
‘context’ of risk assessment. Tools that support a common operational picture can assist
in this process by producing safety dashboards allowing management to quickly identify
areas of risk that are unacceptable to the organisation.
The TSM principles and processes can be useful in meeting some challenges in developing
risk assessment methodologies for process industries (Table 2). A promising process regards a
functional analysis of the technical system and the organizational work system involved in safety
critical activities. A participative approach to this analysis will allow workers and supervisors to
update the risk analysis with daily information about critical risks in the workplaces and
technical processes. Another challenge regards the treatment of unrealistic assumptions that are
gradually built in risk analysis. This issue can be tackled by developing workplace prototyping
tools that allow analysts to preview hazards and test their assumptions on how to avoid or control
hazards. Hence, a process of ‘safety preview and screening’ would be necessary at the start of
risk analysis.

Table 2. Challenges in risk assessment

 Using a risk register to guide the ‘context of risk analysis’

 Developing risk analysis into a practical tool that is used, not only in the design
and modification stages but also during daily operations
 Building the daily generation of knowledge regarding plant risks into the risk
 Considering hazards related to organizational issues
 Updating risk analysis after changes in design or procedures
 Achieving standardization of risk matrices
 Avoiding making unrealistic assumptions about risks
 Avoiding an increase of complexity due to risk controls and redundancies
introduced in risk analysis

Some challenges related to overcoming common weaknesses of risk assessment (i.e.,

standardisation of risk matrices, dependencies and residual risks) should be addressed through
new developments in risk assessment methods. Other methods may rely on a more regular but
qualitative approach where practitioners use a broad spectrum of methods for assessing risk –
e.g., procedures, plant knowledge, and experience – in order to monitor and understand what is
going on, adapt to activities and anticipate the outcomes of their decisions. The implication here
may be that TSM should place an equal emphasis on resilient methods for anticipating –
monitoring – and responding to risks as well as applying risk quantification methods.

3.3 Processes for managing risks
Total Safety Management expands the spectrum of managing risks entailed in ISO 31000,
particularly for the risk treatment area. Managing risks includes three processes:

 Managing risks in everyday operations as they arise from known variations of the
performance of equipment and people (‘ordinary risks’).
 Managing risks that arise from well-intentioned efforts of organizational changes to
control spotted hazards (‘residual risks’).
 Managing risks encountered during emergency responses to control hazards such as
spillages, fire, explosions, and blowdowns (‘emergency response risks’).
ISO31000 requires that the following information is available in managing or treating risks:

 Justification for the selection of treatment options;

 Identification of people accountable for approving and implementing plans;
 Proposed actions;
 Resource requirements;
 Performance measures and constraints;
 Reporting and monitoring requirements .
The TSM principles can be useful in meeting many challenges in managing risks after an
evaluation has been made of the existing risk level in consultation with the risk acceptance
criteria (Table 3).
Table 3. Challenges to managing risks
 Identifying suitable barriers and safety countermeasures to be considered
 Representing plant barrier knowledge in a single database to support future proposals for
new barriers
 Managing risks arising from well-intentioned efforts of organizational changes to control
earlier hazards
 Identifying and deploying facilities to preview the effectiveness of barriers before
 Identifying and deploying workplace prototyping tools to represent the interactions of
operators with the system
 Identifying and deploying tools to consider safety and optimisation of a process
 Identifying and deploying information technology systems to support the management of
A knowledge management tool can bring together all risk information related to existing
barriers to support their assessment and control. Workplace prototyping tools can supplement
the function of knowledge management and provide facilities for previewing the effectiveness of
barriers before implementation. In this way, organisations can manage residual risks arising
from well-intended efforts to manage safety interventions.

3.4 Processes for learning from experience
‘Learning from experience’ creates a feedback loop to other TSM pillars until management and
operations achieve a satisfactory level of safety. Learning involves a monitoring process of near-
misses, changes and successes/failures of modifications as well as a reviewing process of
strengths/weaknesses of risk analysis, unreliable risk assumptions and problematic risk
acceptance criteria. This TSM pillar also includes communication and training intended to
provide safety information and skills to the workforce to manage risks. Communication involves
transmission of information throughout the organizational hierarchy and feedback from the
workforce. Safety training complements the transmission of safety information for critical
situations that demand important safety skills. Safety training can take several forms such as
classroom seminars, apprentice training, simulator training and virtual reality training.

Although many Small-Medium Enterprises (SMEs) may have understood the importance
of safety monitoring, they rarely know what data to collect, what safety parameters are
important, how often to collect data and how to guarantee data reliability and confidentiality. As
a result, several problems may arise in monitoring safety. For instance, many workers may hold
important risk information but they do not know when and how to report it. Other cases involve
the reporting of near misses in standard forms without the identification of causal factors. Last
but not least, raw data about safety are collected but it remains difficult to make sense of them.
Table 4 summarizes these challenges in safety monitoring.

Table 4. Challenges to monitoring and reviewing

 Creating a comprehensible but practical reporting system for the workforce to voice their
 Specifying the frequency and depth of organisational risk reviews and updates
 Putting key performance indicators in place to track safety performance
 Regular management performance indicators reviews to monitor safety
 Periodic safety policy reviews to ensure continued appropriateness
 Reviewing and updating legal & regulatory requirements regularly

A risk registry can be useful in specifying what risk information should be collected and
how this information relates to Key Performance Indicators (KPIs). In addition, appropriate risk
models may enable people to anticipate threats and weaknesses in barriers that can lead to
hazards as well as to evaluate how recovery barriers can reduce risk. With respect to safety
communication and training, several challenges are presented in Table 5. Safety communication
involves a two-way communication where the workforce receives information and instructions
about workplace risks and reports back to plant management about residual risks, delays and
weakness of safety controls. Safety information can be transmitted in many forms (e.g., safety
posters, safety classroom seminars, company safety journals etc.) that should be coordinated so
that safety concerns are transmitted to the right people, at the right time, in the right
communication media.

Table 5. Challenges to communication and training
 Communicating key risks and safety controls to the workforce
 Providing channels for communicating safety information to contractors
 Identifying, analysing and documenting staff training needs
 Providing relevant safety training to all staff
 Transferring skills learned in a virtual environment (VE) transfer to the real world
 Balancing VE complexity to increase transfer and VE simplicity to meet the limited SME
 Evaluating training for effectiveness

Undoubtedly, plant management cannot ensure that all safety information is correctly
assimilated by the workforce and put into practice at the workplace. Hence, there is a need to
provide some form of safety training that enables workers to identify and control risks. Some
industries rely on traditional classroom training or apprentice training (‘sitting by nellie’) where
trainees sit around an experienced colleague who provides training whenever opportunities arise.
This traditional form of training is very ‘live’ and ‘interactive’ but it is sometimes provided in a
haphazard fashion.

4. TSM methods and tools developed in TOSCA

The Total Operations Management for Safety Critical Activities (TOSCA) project was a
European project aimed at developing an innovative approach to integrate and enhance safety,
quality and productivity. The scope of TOSCA establish an economically suitable framework in
which innovative techniques and tools (advanced 3D software, virtual reality, innovative
theoretical models, information exchange protocols etc.) operate together, exploit synergies in
processing requirements, fulfil regulations, improve safety and enhance productivity. The
TOSCA project has developed a set of methodologies and tools that exemplify how the TSM
principles and processes can be applied in the context of small, medium and large chemical
installations. The tools deployed in the TOSCA project to support each TSM Safety Process are
described in the following sections and many of the individual tools are described in further
detail in this special issue.

4.1 Methods and tools for fostering commitment in action

The Common Operational picture forms to core of safety management in TSM, and therefore is
key in fostering commitment in action. In TOSCA, the main methodological approach for the
first TSM pillar fostered the Common Operational Picture (COP) to assist in the process of
identifying the external and internal parameters that need to be accounted for when managing
risks. The COP could be the basis for developing a risk model to ensure a common
understanding of hazards within the organisation so that practitioners have a common mind-set.

The COP or ‘risk picture’ shall be understandable by all relevant personnel, decision makers as
well as engineering and/or operating personnel. TOSCA has outlined the following specification
for the COP:

 It should facilitate a description of the ‘context of analysis’ (i.e., system boundaries and
scope of risk analysis);
 It should provide justification for the risk methodology and risk acceptance criteria;
 It should provide a balanced picture of the risk contributing factors;
 It should look at the limitations of the methodologies (i.e., the level of uncertainty,
possible unexpected outcomes, and invalid assumptions or insufficient knowledge).

In TOSCA, the COP was practically realised in the form of a risk registry for the
accumulation of knowledge about risks, their prioritisation and the selection of appropriate risk
models. In order to maintain safe operations, organisations must continuously review and
monitor their risks. This means that the results of risk management must be translated into a
format that can be analysed and acted upon and generate new data about the level of risk that are
continuously collected to keep the risk information updated.

From our experience (Leva et al., 2016; this issue), TOSCA developed a web-based risk
register in order to provide an overview of all critical risks associated to safety critical
operations. The risk register comprised the following modules (Fig. 4):

 A dashboard to report against different KPIs;

 An operations register to screen all safety critical tasks and identify hazardous scenarios
related to safety critical items or company assets;
 A reporting tool for monitoring incident, accidents and audit reporting as well as
assessing the impact of safety intervention on a set of KPIs;
 A module to organize and collect the previous information and organize actions to
prevent or mitigate the risks identified earlier;
 A tool to evaluate the effectiveness of the corrective actions.
The dashboard is critical for performance monitoring and receives inputs from all other facilities
of the risk register. In Fig. 4, the left part of the dashboard rates several activities according to
their impact on production, their hazard potential and their handling complexity; a total criticality
score is then calculated and assigned to three broad categories. The right side part of the
dashboard provides an overview of the causes of operational deviations in terms of human error,
procedures, human-machine interface, technical factors and issues related to the work
environment. Bringing together all the hazard and risk information across an organisation,
accessible to different levels of operations and management, gives the organisation a common
ground to develop their understanding of risk and plan appropriate action.

Fig. 4. Part of the menus in a risk registry
Another method to support commitment in action is the use of participatory approaches
across all the TSM pillars. TOSCA used a variety of soft methods (e.g., focus groups and
workshops, site visits and interviews, etc.) to engage key stakeholders from the shop floor to
senior management and capture the work as done, as opposed to the work as designed
(Hollnagel, 2014). In addition to improving the realism of the risk assessments and practicality of
risk mitigation measures, involving staff in the analysis promoted greater awareness of and
personal responsibility for safety.

4.2 Methods and tools for understanding risks and hazards

In general, a TSM approach should consider risk assessment within the framework of a
functional system model that describes both the activities of operators and the business processes
that support human performance (i.e., supplies, tools, workplaces, training). Human operations
are analysed in terms of tasks, information needs, decisions and coordination. Business processes
can be analysed in terms of task allocation, workload management, training, teamwork and team
coordination. TOSCA uses a process model that provides a rich picture of what happens in

normal practice inside the organisation (Leva et al., 2015). It is a model of the work system and
its business processes which incorporates rich layers of knowledge about how the system works
in practice. The software behind the tool allows the tasks, actors, information and equipment
used in a work system to be mapped, and supports a subsequent analysis of the possible
deviations that could lead to losses.

The TOSCA risk methodology supports three general safety functions:

 Task design and high-level functional hazard analysis. There is a requirement for a
participatory approach to hazard identification that stems from a functional analysis - not
only of the technical equipment - but also of the organizational work system involved in
the safety critical activities. This functional hazard analysis also provides input to a more
detailed risk model (e.g., a bow-tie model)
 Operational risk screening. The functional hazard analysis and the risk registry feed into
bow-tie diagrams in order to identify important technical and human barriers that prevent
or mitigate hazards. Data can be obtained from task and error analysis, revision of
operating procedures and near miss reports. Operational risk screening is used to reach a
decision whether barrier failures should be analysed further and quantified in the
following step.
 Quantified risk assessment (QRA). For complex scenarios, there is a need to perform a
quantified risk analysis using a comprehensive risk model (e.g., fault trees and dynamic
event trees). In TOSCA, more complex scenarios were analysed using advanced bow-ties
based on the DyPASI method (Dynamic Procedure for Atypical Scenarios Identification;
Paltrinieri et al. 2013)

IS0 31000 requires that the results of risk assessment be validated against operational
experience (i.e., operating staff can validate the results) and external experience (i.e., other risk
analysis performed in similar installations and regulatory guidelines). TOSCA facilitated internal
validation of results by providing a workplace prototyping tool and a knowledge management
system that are accessible by all personnel. The prototyping tool can range in degree of
complexity from presenting simple 3D pictures that are properly integrated into a virtual
workplace up to more realistic interactive workplace where operators can use controls and panels
to change the system. This provides input to QRA to generate estimates about risks, compute
performance indicators and perform sensitivity analysis of mitigation actions.

These tools can facilitate:

 a bottom-up dissemination of knowledge of working practices (e.g., the workplace

prototypes can be used by operators to demonstrate their practices);
 a top-down dissemination of risk information to all operators by gaining access to the
knowledge management tool. In this way, TOSCA makes provisions for facilitating the
validation phase of the risk analysis results.

Risk management may take resources and time as it requires access to different types of
plant and equipment data, human performance data, risk analysis data, and safety management
information. To alleviate this burden, TOSCA has built a knowledge management system that
manages data pertaining to system functioning and operator performance. The knowledge
management system (KMS) allows analysts to sketch ‘bow-ties’ and identify critical barriers
where humans have a significant role to play. It also enables quantitative predictions with the
use of mathematical models built into the software system. A strategic issue in RA concerns the
integration of methods and tools as applied to several case studies. An integration of the Task
analysis tool, the Bow-tie analysis tool and the knowledge management tool has been made in
the Computerised Barrier Management Software (CBMS) which is described in the next section.

4.3 Methods and tools for managing risks

Managing safety basically involves the setting of safety measures and barriers to prevent, control
and mitigate risks. To achieve this, a risk model should identify the threats, hazards, accident
sequences, barriers and proximal or distal factors that affect the likelihood of accidents. Risk
models can vary in complexity from bow ties to event and fault trees, cause-consequence models
and finally, dynamic risk assessments. As argued in Section 4.2, risk models require extensive
knowledge of technical systems, human-system interactions and operations, reliability issues and
factors affecting performance. In this respect, a knowledge management system (KMS) can be
useful in assessing existing barriers, designing new ones and monitoring their performance after
an intervention.

TOSCA has proposed a Computerised Barrier Management System (CBMS) for

exploring system knowledge and managing safety barriers. Its knowledge base contains
information about many aspects such as:

 Plant equipment and systems

 Failure modes and hazards
 Standard operating procedures and work permits
 Competency and accreditation requirements
 Linkage to safety rules and regulations
The knowledge database is linked to a risk model of bow-ties that specify prevention
barriers and mitigation barriers. The barrier system has the following functionalities:

 Graphical layout of barriers in bow ties

 Descriptions of human tasks for operating the barriers
 Modelling of barrier failures
 Quantification of barrier failures
 Design and evaluation of new barriers

 Workflow processes for implementing barriers
Finally, the CBMS is used to identify important KPIs from the bow ties so that the
evaluation of barriers is performed at a higher organisational levels as well.

A CBMS has been developed for a chemical manufacturing plant (Aneziris et al., 2016
this issue) in order to provide the following set of capabilities:

 Handle all plant documentation in a single database

 Transform the whole process of plant state management into an e-solution tool. The
everyday plant management includes, standard operation procedures, preventive
inspections and preventive & corrective maintenance.
 Support emergency plant management
Figure 5 shows a display of the CBMS with a description of tasks, roles, procedures, critical
activities and other related operations.

Fig.5. A screen of the CBMS showing a description of tasks, roles, procedures, critical activities
and other related operations

At the top of the screen there is a bow-tie analysis of the task of unloading a hazardous
material from a car truck with the use of AND/OR gates. The bottom part of the screen shows
contextual information that bears on the bow-tie analysis. The bottom-left part shows the
operator roles, the procedures they use, their tools and the equipment of the workplace. The
bottom-right part displays the existing barriers for controlling hazards, a list of critical activities
associated with this task and other operations that may be affected by the outcome of the current
task. This information is required in order to identify barriers, assess their likelihood of failure,
and recommend improvements or new barrier designs.

Advanced prototyping tools have also been developed that combine virtual workplaces
with simulations of tasks performed by humans and machines (Figure 6). This process simulation
allows complex tasks and systems to be modelled accurately, giving safety practitioners a
realistic environment to form and test hypotheses, and train operators using a trial and error
approach, something that can seldom be done on a real plant (Gerbec et al., 2016 this issue).

Fig.6. A screen of the CBMS showing a description of the foam sprinklers for firefighting, its
operating procedure and their location on the plant

Human interactions in the system are investigated with the process modeller in order to
provide input to the simulation which models the tasks, the tools and the materials used to do the
jobs. The task and equipment behaviours are then modelled with respect to time, thus creating a
four dimensional system. The 4D discrete event simulation has been used extensively in
manufacturing looking into for production, facility analysis and optimization. Its expected
benefits include the ability to visualise work procedures, model risks of critical activities and
improve project management.

The dynamic nature of chemical and other industrial plants suggests that they are
constantly seeking changes and modifications of their production processes and their
management. ‘Management of change’ (MOC) is an established part of safety management for
organizations that are subject to major accident hazards. The formal requirement for explicit
management of change applied to technical issues is currently part of EU Seveso directive
2012/18/EU. As TOSCA advocates for a total management of productivity and safety, the
continuous changes that occur must be subject to risk assessment. In this respect, TOSCA
proposed an integrated approach to manage changes based on the five TSM principles as

 A business case for changes should consider the impact of technical changes on
productivity, safety and quality. Other sorts of impact refer to the work system as a
whole including workload increases due to downsizing, deterioration of skills, changes in
task allocation and teamwork, changes of work methods, modifications of information
flows, and so on.
 A risk registry should record all anticipated risks associated with technical and
organisational changes. The risk information should be communicated to the people
affected by the change initiative and provide a timeline of the lasting effects of changes
 Participative risk management will ensure that all side-effects of a proposed change are
identified at all levels in the organization and the production process.
 Knowledge management tools can exploit information technology and provide adequate
means of coordinating all actions in implementing change, ensuring proper management
of documents, facilitating the approval process and providing opportunities for
 Performance monitoring is necessary for checking the effectiveness of change
management, mitigating new hazards and making further improvements.
Although, the ‘management of change’ (MOC) process has been well documented by
several regulatory and advisory authorities, these facilities that rely on the TSM principles offer
additional benefits in recognizing the need for a MOC process, planning and implementing
changes as well as monitoring the results and making finer improvements.

4.4 Methods and tools for learning from experience
With regard to the monitoring and reviewing processes, TOSCA utilises the risk registry which
acts as a constantly updating ‘store’ of information pertaining to safety. In the risk registry,
information is updated by reviewing risk assessments and by collecting reports from near misses
or incidents. Several automated facilities (e.g., safety dashboards) are linked to the risk registry
to assist management in their reviewing process.

TOSCA also focussed on tools for safety training, and proposed a new way of designing
training that is integrated with risk assessment which feeds into a Training Needs Analysis
(TNA) phase and the selection of training methods and instructional media. To support a truck
unloading scenario, the risk information from the risk assessment was fed into a Training Needs
Analysis (TNA) that specified operator skills to enable people to avoid, recognise and control
hazards. For instance, truck drivers should possess structural knowledge in recognizing hazards
(e.g., hose wear), procedural skills to do their jobs without giving rise to hazards (e.g., aligning
the valves correctly) as well as emergency response and decision skills (e.g., cleaning up product
spills or managing fires). Finally, a virtual environment was built to enable operators to practice
the car unloading scenario safely in difficult conditions where the automated loading system is

To understand how Virtual Reality can be used to support training of complex skills,
TOSCA has proposed a training methodology (Fig. 7). First, a risk screening process is
implemented to identify critical tasks where human errors, coordination problems and technical
problems are likely to occur. A Training Needs Analysis (TNA) follows to determine how tasks
should be learned, what virtual reality features and simulation systems are required and how
training should be delivered. Third, several training exercises should take place so that workers
become familiar with the virtual equipment, practice their tasks and get feedback about their
actions. Finally, the performance of training can be assessed on several criteria, including: speed
of executing a task, task accuracy and number or types of errors made.

Training Needs Analysis (TNA) is usually a critical phase of training and deserves further
attention. First, the TNA should identify the tasks for training and the required types of skills
and knowledge (e.g., procedural skills and cause-effect knowledge). Second, the features of VR
(e.g., multiple sensory cues, multiple perspectives, and immersive 3-D representations) are likely
to influence both the learning experience (e.g., the information that learners attend and the
strategies they use) and the learning outcome (e.g., the skills to learn, the types of errors made,
and the ability to remember tasks). An important issue here is the representation of the technical
system in terms of dynamic features. For instance, a static system may not allow trainees to
perform tasks in ways that differ from standard operating procedures. In contrast, a task
simulation would allow people to explore different ways of doing their tasks. As a result these
factors will influence the modes of human interaction with the VR (e.g., animations, procedural

mode, free mode of interaction). Third, the TNA should identify the training methods to be used
for different types of skills, the variety of scenarios to be used (e.g., normal scenarios, emergency
response scenarios etc.) and the number of training exercises.

Risk screening
for critical

Tasks, skills &

knowledge for

VR interaction
features, Learning Training
modes and experience methods


Fig 7. Simplified diagram of the stages in delivering safety training (dark boxes refer to
‘training needs analysis’)
TOSCA has developed a VR training program for procedural skills in a car tank loading
scenario (Balfe et al., 2014). The VR interaction modes refer to the ways in which trainees
interact with the system, their degrees of freedom in doing things, the constraints and fidelity of
the technical systems and the capabilities for recording their actions for further evaluation.

Finally, the training methods regard the actual instructional methods, the variety of
training exercises and the intensity of training. Training methods can take several forms such as
theoretical or hands-on training, aided or unaided practice, part-task or whole-task training and
so on. The training method should be chosen carefully by taking into account the type of training
task, the preferences of the trainee and the type of human performance. For instance, an
emphasis on the rapid acquisition of performance may set different selection criteria than the
transferability of performance to unknown scenarios. Rapid acquisition of performance would
favour a combination of practical training, aided instruction and part-task training. In contrast,
skill transferability would favour a combination of theoretical training, unaided performance and
whole-task training so support trainees in acquiring versatile skills.

5. Conclusion
Over the recent past, we have witnessed a shift of safety management systems from a
prescriptive organization of rules and control structures to a more proactive, integrative and
performance-oriented organization. The integration of safety with other management systems
(e.g., quality, environment and productivity) has been addressed mainly at a strategic level (e.g.,
SSM and IHM) and at a standardization level (e.g., cross referencing across ISO 9001, ISO
14000, OSHA 18001). Relatively few studies have been concerned with the practicalities of the
coordination between business processes that are common to these management systems
(Jorgensen et al., 2006). As a result, our efforts in this article have focused on a practical
framework for integrating several principles of total safety and exploring safety processes that
may provide valuable services to other management systems. In this sense, the four pillars of
safety management advocated by CCPS (2008) have been modified to reflect the safety
processes of Total Safety Management.

A potential criticism of our ideas may be that many of the proposed ‘new’ TSM
framework have been with us for a long time. In some respects this criticism may be valid, but
the contribution of our approach has been on building on existing principles of total safety and
international standards of safety management (e.g., ISO 31000) to develop a coherent framework
that can be put readily in practice by many industries. Certainly, the principles of ‘common
operational picture’ and ‘knowledge management’ are relative new and have been integrated
with the other principles. An effort has been made to develop methods and tools that would
demonstrate how these principles can be put into practice such as, the risk registry and the
Computerised Barrier Management System (CBMS).

Criticism can also be targeted at the maturity of the proposed TSM framework and its
degree of completeness. So the question of whether the five principles of TSM are sufficient to
deal with the complexity of safety critical systems is a legitimate one. At this stage of
development, our efforts have focused on coherently integrating a small number of TSM
principles, using several information technology facilities for operationalizing theoretical
concepts such as COP and knowledge management. The other principles of the business case of
safety, participative risk management and performance monitoring have been well addressed in
the literature. It is anticipated that the TSM framework can be enhanced with more principles by
other approaches to the extent that these are well integrated together and associated with methods
and tools for practical implementations.

A related criticism may concern the theoretical background that underlines the TSM
framework. As discussed in the previous sections, the proposed framework has drawn upon
earlier management systems (e.g., TQM, SSM, IHM) and international standards (e.g., ISO
31000, CCPS 2008) to develop a system view of safety in terms of goals, mental models,
procedures, coordination and feedback mechanisms (Leveson, 2011; Wahlstrom and

Rollenhagen, 2014). The goals of safety are integrated with other business objectives while a
mental model or a common operational picture supports the sharing of goals and risk
information. The procedures of risk assessment are enhanced with the principle of knowledge
management so that the RA methods are better integrated and the analysts are granted higher
diversity and novelty in the choice of control measures. Finally, the principles of participation
or consultation and monitoring and review operate constantly on the other principles as
advocated by ISO 31000.

Further developments in the TSM framework can come from its comparison with modern
safety approaches. For instance, Reiman et al (2015) have advocated how the principles of
complex adaptive systems (CAS) can be applied to safety critical organizations. According to
this complexity science-based view of safety, Reiman et al. (2015) proposed eight principles of
safety management that can be mapped onto the five principles of TSM (see Table 6). This
comparison is a worthwhile exercise since it indicates the way forward for thinking of new
enhancements in any proposal about safety management system.

Table 6. Mapping TSM to the principles of complex adaptive systems

(Black boxes refer to primary mappings whilst grey boxes to secondary ones)

TSM Business Common Knowledge Participative Monitoring

Case for operational Management Risk
Safety Picture Assessment
1. Promote safety as
a guiding
2. Integrate safety
efficiency and
3. Facilitate
interactions and
4. Set objectives
and prioritize
5. Set capability for
self- organization
6. Define safety
constraints and
7. Facilitate novelty
and diversity
8. Monitor
behaviors and

In particular, two principles of the CAS approach (# 2, # 4, Table 6) are related to the
‘business case of safety’ since they require an integration of safety with efficiency- productivity

that can be used as a basis for setting safety objectives and prioritizing safety measures. The
common operational picture is a relatively broad principle that can cover the two CAS principles
but its main contribution lies in promoting safety as a guiding model and facilitating interactions
and connections between different stakeholders (# 1 and # 3). Knowledge management is also a
broad principle that refers to facilities for defining safety constrains and standardizing
performance with standard operating procedures and safety instructions. In addition, knowledge
management can allow more degrees of freedom to safety practitioners to adjust procedures for
new situational demands and increase human variability in the system. This form of diversity
and self-organization should not be at the expense of efficiency and productivity. Hence,
knowledge management can be mapped into four CAS principles (# 2, # 5, # 6, #7, Table 6).
Finally, the principles of participative management and monitoring of performance can be
mapped directly on the corresponding CAS principles (#3 and # 8).

Although there seems to be a good mapping between the TSM and CAS approaches,
there are two important CAS principles where the mapping appears illusive. Specifically,
building novelty or diversity into a safety system and making provisions for self-organization (#
5 and # 7) are two distinguishing elements of complex adaptive systems that cannot be
adequately covered by the knowledge management principle as it has been framed in the TSM
approach. Diversity and self-organization are essential features of complex systems that can
adapt to contingencies and emergency situations. Although the TSM framework is effective in
organizing safety experience in dealing with critical situations, managing contingencies and
other low probability – high consequence events requires further developments of the TSM

Overall, Total Safety Management can be seen as a way forward in expanding classical
safety management systems in order to elevate the role of safety in business management and
provide a better service to the issues of safety, health and environment. The discussion of the
four TSM pillars presented several challenges to the safety processes but only some parts have
been dealt with by the proposed methods and tools in the TOSCA project. Without doubt,
further developments are required in the processes and methods of Total Safety Management
while its guiding principles should remain open for new elaborations.

Aneziris, O., Nivolianitou, N., Konstantinidou, M., Plot, E., Mavridis, G., 2016) Knowledge
management in total safety for major hazards plants. Special Issue of Safety Science (to be
AS/NZS-4360:2004. Risk Management Standards, Australian Standards, New Zealand
Balfe, N., Leva, M.C., Ciarapica, C., O’Mahony, S., 2016. Total project planning: Integration of
task analysis, safety analysis and optimisation techniques. Special Issue of Safety Science
(to be submitted)

Balfe, N., Leva, C., Sbaouni, M., 2014. Picture this: Combining virtual reality with risk
assessment, The Chemical Engineer, 881, 32-35
Bibbings, R., 2003. Strategy for meeting the occupational safety and health needs of SMEs: A
summary of ROSPA’s views. Safety Science Monitor, Issue 1, Article I-1
Bluff, L., 2003. Systematic management of occupational health and safety, Working Paper 20,
National Research Centre for Occupational Health and Safety Regulation, Regulatory
Institutions Network, Research School of Social Sciences, Australian National University
Bragatto, P., Monti, M., Giannini, F., Ansaldi, S., 2007. Exploiting process plant digital
representation for risk analysis. Journal of Loss Prevention in the Process Industries, 20,
CCPS - Guidelines for Risk Based Process Safety, 2008. American Institute of Chemical
Engineers, NY: Wiley & Sons
CCPS - The Business Case for Process Safety, 2006. American Institute of Chemical Engineers,
NY: Wiley & Sons
COSO, 2004. Enterprise Risk Management: Integrated Framework. Committee of Sponsoring
Organizations of the Treadway Commission.
FERMA, 2002. A Risk Management Standard. Federation of European Risk Management
Floyde A., Lawson G., Shalloe S., Eastgate R., D’Cruz, M., 2013. The design and
implementation of knowledge management systems and e-learning for improved
occupational health and safety in SMEs. Safety Science, 60, 69–76
Frick, K., Wren, J., 2000. Reviewing occupational safety and health management: multiple roots,
diverse perspectives and ambiguous outcomes. In: K. Frick, P. Jensen, M. Quinlan and T.
Wilthagen (eds), Systematic Occupational Safety and Health Management: Perspectives on
an International Development, Bingley: Emerald Group Publishing Limited,.
Hamidi N., Omidvari M., Meftahi, M., 2002 The effect of integrated management system on
safety and productivity indices: Case study from Iranian cement industries. Safety Science,
50, 1180–1189
Hollnagel, E., 2014. Safety-I and Safety-II : The Past and Future of Safety Management.
Aldershot: Ashgate.
Hopkins, A., 2009. Thinking about process safety indicators. Safety Science, 47, 460–465.
Hugenholtz, N.I.R., Schreinemakers, M.A., A-Tjak, M.A., van Dijk, F.J.H., 200). Knowledge
infrastructure needed for occupational health. Industrial Health, 45, 13–18.
HSG65- Health & Safety Executive, 1997. Successful Health and Safety Management. Second
edition. Health & Safety Executive, UK
Gerbec, M., Balfe, N., Leva M.C. Prast S., 2016. Risk assessment and optimization for rare, new
or complex processes: Combining task analysis, 4D process simulation, hazard analysis and
optimization. Special Issue of Safety Science (to be submitted)
Goetsch, D.L., 1998. Implementing Total Safety Management: Safety, Health and
Competitiveness in the Global Market. NJ: Prentice Hall
ISO-9001, 2008, Quality Management Systems: Requirements, The International Standards
Organisation, Geneva, Switzerland.
ISO-14001, 2004, Environmental Management Systems: Requirements with Guidance for Use.
The International Standards Organisation, Geneva, Switzerland
ISO-31000, 2009. Risk management, The International Standards Organisation, Geneva,
Jorgensen T.H., Remmen A., Mellado M.D., 2006. Integrated management systems: three
different levels of integration. Journal of Cleaner Production, 14, 713-722.
Leva M.C., Balfe, N., Rocke N., McAleer B., Dooley G., 2016. Risk registers: Structuring data
collection to develop risk intelligence. Special Issue of Safety Science (to be submitted)
Leva, M.C., Kontogiannis, T., Balfe, N., Plot, E., Demichela, M., 2015. Human factors at the
core of total safety management: The need to establish a common operational picture. In : S.
Sharples, S. Shorrock, P. Waterson (Eds.) Contemporary Ergonomics 2015 (pp. 163-170).
London: Taylor & Francis.
Leva, M.C., Naghdali, F., Balfe, N., Gerbec. M., DeMichela, M., 2015. Remote risk assessment:
A case study using SCOPE software. Chemical Engineering Transactions, 43, 1213-1218.
Leveson, N., 2011. Engineering a Safer World: Systems Thinks Applied to Safety. MIT Press,
Looney, C.G., 2001. Exploring fusion architecture for a common operational picture.
Information Fusion, 2, 251-260.
McNeese, M.D., Pfaff, M.S., Connors, E.S., Obieta, J.F., Terrell, I.S., Friedenbery, M.A., 2006.
Multiple vantage points of the common operational picture: Supporting international
teamwork. In Proceedings of the Human Factors and Ergonomics Society, 50th Annual
Meeting (pp. 467-471).
Mearns, K., Havold, J.I., 2003. Case Study: Occupational health and safety and the balanced
scorecard. The TQM Magazine, 15, 408-423.
NORSOK Standard Z-013 (2010). Risk and Emergency Preparedness Analysis. Third edition.
Norwegian Technology Centre, Oslo, Norway
OHSAS-18001, 1999. Occupational Health and Safety Management Systems: Specification.
British Standards Institution, London
Oien, K., Utne, I.B., Herrera, I.A., 2011. Building safety indicators: Part 1 Theoretical
foundation. Safety Science 49, 148–161.
Paltrinieri N., Tugnoli A., Buston J., Wardman M., Cozzani V., 2013. Dynamic Procedure for
Atypical Scenarios Identification (DyPASI): A new systematic HAZID tool. Journal of Loss
Prevention in the Process Industries 26, 683-695
Podgorski, D., 2010. The use of tacit knowledge in occupational safety and health management
systems. International Journal of Occupational Safety and Ergonomics, 16,283–310.
Rahimi, M., 1995. Merging strategic safety, health and environment into total quality
management. International Journal of Industrial Ergonomics, 16, 83-94.

Reiman, T., Pietikäinen, E., 2012. Leading indicators of system safety – Monitoring and driving
the organizational safety potential. Safety Science, 50, 1993–2000
Reiman, T., Rollenhagen, C., Pietikäinen, E., Heikkila J., 2015. Principles of adaptive
management in complex safety-critical organizations. Safety Science, 21:,80-92.
Santos, G., Mendes, F., Barbosa, J., 2011 Certification and Integration of Management Systems:
The Experience of Portuguese Small and Medium Enterprises. Journal of Cleaner
Production, 19, 1965-1974.
Sherehiy, B., Karwowski, W., 2006. Knowledge management for occupational safety, health and
ergonomics. Human Factors and Ergonomics in Manufacturing 16, 309–319.
Sumanth, D.J., 1997. Total Productivity Management (TPmgt): A Systemic and Quantitative
Approach to Compete in Quality. CRC Press
Wahlstrom B., Rollenhagen, C., 2014. Safety management – A multi-level control problem.
Safety Science, 69, 3–17
Wright M.S., 1998. Factors Motivating Pro-active Health and Safety Management. HSE Contract
Research Report 179
Zou, P.X.W., Sunindijo, R.Y., 2015. Strategic Safety Management in Construction and
Engineering. NY: Wiley & Sons
Zwetsloot, G.. 2003. From management systems to corporate social responsibility. Journal of
Business Ethics, 44, 201–207
Zwetsloot, G., van Scheppingen, A., 2007. Towards a Strategic Business Case for Health
Management. In: U. Johansson, G. Ahonen and R. Roslander (eds.), Work Health and
Management Control (pp. 183–213). Stockholm: Thomson Fakta.

This research has been carried out under the auspices of a European project TOSCA (Total
Operations management of Safety Critical Activities).


View publication stats