Safety Management Systems – a different perspective

A Safety Management System is supposed to be a systematic and proactive process for managing safety risks. Having a structured approach to safety management should complement and support good management, operational and human factors practices but the reality is usually very different.

What can we say about safety management systems in the real world?

  1. Safety Management Systems are usually large, complex and difficult to access for the very people they are designed for.
  2. The emphasis on process deflects focus away from safety risks.
  3. They largely exclude health and psychosocial health risks.
  4. Where behaviour is believed to be the main cause of accidents the safety management system aims to control the behaviour of people[1].
  5. Their effectiveness is questionable and there is a lack of evidence of outcomes.
  6. They are costly to build and maintain.
  7. Most don’t work as the only people who access them are the High Priests of Safety.
  8. Their application is supposed to encompass the whole organisation yet few workers would even be aware of its existence.
  9. The effectiveness of safety management systems over time must be questioned[2].

From this we can conclude that having a ‘good’ safety management system does not necessarily mean good safety[3].

So why do we have safety management systems? Could it be that a safety management system is simply a means to an end? For many organisations a Safety Management System has become a requisite to do business. Customers require evidence of a Safety Management System. They will not do business with organisations that do not have a systemised approach to managing safety. In my organisation’s case it is a condition of our self-insurance licence that we have an accredited Safety Management System. A structured and certified safety management system coupled with demonstrated performance in safety can also be a commercial value-add to any selling proposition.

In an ideal world there would be no need for a ‘safety management system’ as safety, alongside productivity, quality and cost would be an integrated subset of the overall work being performed. But unfortunately, safety is treated as a standalone discipline whether we like it or not. This starts with legislation and regulation, the requirement for documented and accredited systems and also the real world difficulty of having operational procedures incorporate all the elements of the safe system of work.

This creates a real barrier to the integration of safety into mainstream work practices. The safety management system needs to engage and involve lest the system become a white elephant. The problem is that despite being certified and fulfilling all regulatory and commercial requirements the system we have doesn’t achieve the desired levels of engagement and involvement. Our profession is partly to blame with people who should know better embracing the white elephant murmuring “my precious”.

But do we need a new safety management system? After all we have achieved an extraordinary level of performance with the existing one. Professor Sidney Dekker has a good answer. He says that “Safety actions taken in ultra-safe (near zero) organisations are often repetitions or retreads of those taken in a less safe organisation. They miss the point and do not help in creating additional safety”[4]. My view is that risks are still there, we haven’t eliminated them and to rely upon what we have done to go forward is analogous to Einstein’s definition of insanity[5]. Therefore the systems we have are not entirely fit for purpose, or as I like to tell my staff, “What got us here isn’t going to keep us here”.


Introducing the “Two Speed Safety System”

The greatest barrier to a safety system being used by anyone but the safety people in the organisation is its very size and complexity. Line managers and employees want simple and effective answers to questions and a clear understanding of process. This applies just as much to safety as it does every other activity. Yet often this information is buried in detailed, sometimes complex documents full of legal references and does not inform or promote safe work.

Yet is this necessary? To a certain extent, it is. What safety management systems try to do is be all things to all people, and they inevitably fail. Worse, it borders on the ridiculous: a procedure for reversing a vehicle (because that’s how someone got killed) without a procedure for driving a vehicle (because we haven’t run over someone going in a forward direction… yet). So what should a safety management system relevant to the people who need it look like? Here are the criteria a non-safety person may consider important:

  • It must be meaningful and useful to every worker.
  • It must be accessible and easy to use.
  • It must be simple and easily do-able.
  • It must not, by its very size be a deterrent.
  • It must use language understood by everyone.

Conversely, regulators and auditors want detailed, formal documents with operating procedures described in clinical detail. This leads to the creation of large, complex documents which unsurprisingly are rarely referred to by managers or workers. Yet we need both so what to do?

One approach may be two systems not one. We still need the formal system albeit in a more useful and accessible form. But the average manager or worker also needs tools they can use as well. So our primary system should be the formal safety management system which would be our ‘Slow Speed’ system. Then there would be another system which would be aimed at being quick and easy to use in every aspect of its use, the ‘Fast Speed’ system.

Simply put, it is a ‘simple’ and a ‘complex’ system running side by side. Making the ‘fast speed’ system means making every element of it quick and easy. It means making our procedures real, relevant and applicable in a real world situation. Picture an app where the user can find out in a short time what needs to be done in a process, with links to the elements which tell them about the risks faced and how to manage them. The ‘fast speed’ should touch every part of our system and make the interaction with users a quick and easy experience. Applying these to the system and simplifying the experience will truly make our system more accessible and, if it is used, it has a better chance of keeping people safe. In the meantime the ‘slow’ speed system sits in the background and is only referred to when required.

We trialled this concept in my organisation 18 months ago. The ‘fast speed’ consists of a series of FAQs, abbreviated procedures translated into plain English, one pagers showing steps to take and a set of simple standards outlining our expectations and how to achieve them. This all resides within our intranet in a ‘one stop shop’. For a population of approximately 8,500 employees the site has been accessed over 23,000 times in the last year, the equivalent of nearly three hits per employee. It proves that people will access systems if they are accessible and the valuable messages buried in complex processes can be revealed where they can be of use.

Complexity in Safety is not going to disappear overnight. But complexity where it is needed and simplicity where equally it is needed can both be stepping stones towards doing Safety Differently.



[1] K. Frick & V. Kempa, Occupational Health & Safety Systems – When are they good for your health?, European Trade Union Institute, Brussels, 2011.

[2] C. Gallagher, E. Underhill, M. Rimmer, Occupational Health and Safety Management Systems: A Review of their Effectiveness in Securing Healthy and Safe Workplaces, National Occupational Health and Safety Commission, Canberra, 2001.

[3] A. Hopkins, Lessons from Esso’s Gas Plant Explosion at Longford, Australian National University, Undated, from Longford by Hopkins.pdf

[4] S. Dekker, The Field Guide to Understanding ‘Human Error’, Third Edition, Ashgate, 2014, p. 181.

[5] Insanity: doing the same thing over and over again and expecting different results. Albert Einstein (attributed).


  1. drbillcorcoran Reply

    The lead sentence is “A Safety Management System is supposed to be a systematic and proactive process for managing safety risks.”

    This sentence says that a system is a process.


    How does a system differ from a process?

    1. Geoff Hoad Reply

      A system is an organised method made up of many processes. The word “process” is used in the context of the system using a series of steps to achieve a particular end. Inherent in these are procedures, operations, actions and activities formalised into components which set out the objectives of the system and the mechanisms of how it is going to achieve those objectives.

      1. drbillcorcoran Reply

        A system can be described by its outputs, its inputs, and its processes. The most basic process has one input, one output, and one process. Each output has a destination. Each input has a source. The order of flow is source, input, process, output, destination. The acronym is SIPOD.

  2. David Reply

    Hi Daniel,

    Keen to have a chat, as the criteria being looked for, we can provide through the proven and evaluated Codesafe mobile digital system.

    Speak soon, David

  3. Bob Wears Reply

    I’d give a bit different answer to the question, “Could it be that a safety management system is simply a means to an end?”

    I’d say a safety management system is an end in itself. It is a performance put on for both internal and external audiences, demonstrating that the organisation is “doing something” about safety. Once its performative value has been achieved, anything else arising from the safety management system is just lagniappe — and so, very little of value additionally arises.

    1. drbillcorcoran Reply

      Every system is perfectly designed to produce what it is producing.

      What is your safety management system producing?

      Dollars of expense?

  4. drbillcorcoran Reply

    I’m still trying to understand what a system is.

    What is the simplest entity that qualifies to be called a system?

    I need to know what a system is before I can understand what a safety management system is.

  5. Ronald Butcher Reply


    Thanks for contributing on what I believe to be a critically important topic. I think all too often, as is forced by the realities of the modern, regulated world, we develop our “collection” of programs or procedures that do little for the true customers of safety while placating the various and sundry regulators, agencies and auditors who need to “check the box” of their compliance documents. Right thing perhaps but certainly the wrong reason.

    What I find challenging from your discussion is the continued discussion on systemic and procedural elements that, to my mind and in my experience, remain too linear and inflexible to support the need for real time adaptation and, in some cases, creativity to address the myriad of emerging challenges and performance failures of the complex and multi-dimensional socio-technical systems we’re working with.

    Can you possibly expand a little on how your “high speed” system adapts and supports resilience and the maintenance of safety at the risk interface?

    Thank you Sir!

    1. drbillcorcoran Reply

      Any system that does not provide for its own refinement, including the incorporation of external requirements, and the accommodation of externally induced change is doomed to ineffective obsolescence.

    2. Geoff Hoad Reply

      I completely agree with your comments about the inflexibility of current safety processes. Whilst we want to do “Safety Differently” we are constrained by existing legal and commercial rules and expectations. They encourage and sometimes force us to practice safety in a repetitive fashion. For many professionals this has become the safety equivalent of Groundhog Day. I am sure many would pray for revolution in thinking and practice but I can’t see that happening. What I can see is evolutionary change where we redefine what safety is and how it is practiced. In this respect two themes emerge, engagement and simplicity. People will not seek to understand let alone participate in the safety message you are selling unless they understand and can accept that it is rational and reasonable. Right now so much of what we do is seen to be quite the opposite. Our experience with the high speed system is greater engagement because the message is rational and simple. We know that human beings are terrible at recognising risk, (a cursory look at our financial system is evidence of that) so I see engagement as being critical to changing people’s awareness and consciousness about the risks they face. If engagement can increase then the messages are getting to more people and from that flows increased resilience and maintenance of safety at the coal face.

  6. drbillcorcoran Reply

    A paradigm of system care is: Say what you do; do what you say; prove it; improve it.

    Saying what you do involves transparent policies, procedures, and practices.

    Doing what you say involves flowdown of those requirements to where they are adhered to.

    Proving it involves records to show the extent to which what was done matches what was said.

    Improving it involves resolving the mismatches.

    1. drbillcorcoran Reply

      System Output:

      The function of a system is to produce output from input. A functional system produces output that meets qualitative and/or quantitative acceptance criteria, is capable of performing satisfactorily in service, and is suitable for its intended purposes.

      A system that is not functional is dysfunctional.

      Functionality is one of the attributes of a system.

      1. drbillcorcoran Reply

        Attributes of Output:

        The attributes of the system outputs depend on the attributes of the inputs and those of the processes. For non-varying inputs the attributes of the outputs are solely dependent on the attributes of the processes. For non-varying processes the attributes of the outputs are solely dependent on the attributes of the inputs. In practice, there is variation in both inputs and processes.

        Positive Control:

        When a system is in positive control the outputs are what is intended and they are the only outputs.

  7. Bill Mullins Reply

    Is there a difference between an Integrated Safety Management System and a Do Work Safely Integrated Management System? In my view there surely is.

    To recognize what a “system” is, for these discussion purposes, one probably needs to understand “systems thinking.” If one starts with present day doctrine about Systems Thinking – recognizing whether one is confronting a “system” will be straightforward without reliance upon a prescriptive definition (systemizing in nature occurs both with and without prescription)

    250 years ago the domain of Systems Thinking was termed Natural Philosophy; with mathematized-science contributions of thinkers like Newton we entered an era in which prediction from design became the highest god. The forward-engineered processes of the Industrial Age seem to have co-opted the term system – this article seems to take the view that an SMS is a constructed artifact and an over-constructed one at that.

    Why not take an organic Enterprise view instead of the mechanical engineering default that is critiqued in the post? Human institutions are organic – they may possess inorganic processes of manufacture or service delivery, but those are invariably subordinate to human intentionality. Being organic, all institutions are open systems – energy and raw materials cross the boundary of the institution, two characteristic outcomes ensue.

    One outcome we term “production,” the other we name variously – I suggest we use the term “preservation.” For all institutions, the efforts at preservation are more complex and uncertain than those of production. Ordinary production operations are generally not subject to direct disruption by events occurring outside the institution; on the other hand a large aspect of effective preservation is paying attention to outcomes originating from outside the institution.

    Neuroscientists report regularly that one mind cannot simultaneously focus attention on quality production and effective preservation. That means either an individual’s attention must switch back and forth periodically, or there must be division of labor. One person assigned relatively uncomplicated work unfolding at a comfortable breathing pace can usually produce effectively – with considerable experience they can monitor the immediate environment for emergent threats.

    But speed things up and/or add genuine non-linear complexity and no single person can ensure the mission is met. This is where processes such as are cataloged in the typical SMS come in. And, where it becomes clear that poor design (including provision for User Experience) leads to crappy outcomes in both production and preservation circumstances.

    In most institutions, the environment is the larger source of constraints on success at Doing Work Safely. SMS’ too often short the organic constraints in the reactive pursuit of simplicity or clarity where what will always be required is vigilance and deliberateness which may or may not conform to the published schedule.

    1. Ronald Butcher Reply

      Thanks Bill. I like your use of the term ‘organic’ and the recognition of the open system characteristics. I believe you may too have touched on a genuine rub for organizations focused largely on the debit/credit boundaries of accounting or the finite (known) characteristics of engineering. Humans, with our various and sundry tendencies, limitations, biases, abilities, imaginations and cultures don’t fit neatly into either of those generally finite disciplines. While the tendency has always been to label the social, psychological and cultural studies as ‘soft’ versus ‘hard’ science, perhaps a better description, or one that better stimulates the direction of focus, would be organic versus inorganic studies.

      You are, I believe, spot-on with the discussion on preservation and dichotomy of production vs. preservation. In the simple terms, we hear the derogatory, “More focused on keeping his/her job than actually doing his/her job” but I think it’s a critical point with respect to the identification of and response to risks in that preservation focus of performance may create artificial constraints limiting the end users ability to create effective safety measures and respond to evolving conditions in order to maintain safety at the hazard interface.

      Thanks again Bill.

        1. Bill Mullins Reply

          Open systems often generate outcomes that are not foreseeable from the Input-Transform-Output “functionality” which is the sine qua non of engineered artifacts. Is my 70 year old body characterizable as either “functional” or “dysfunctional”? The question answers itself with no data at all – it’s an inappropriate question.

          Most of the organic systems on the planet consume energy, resources, and exert agency in their surroundings without the least meaningful awareness of their systemic actions – awareness isn’t what makes those actions systematic.

          And yet the evidence of emergent systematization is readily recognized by the least scientifically or engineering trained indigenous person who happens to observe a bee colony in moving its collective mass to a new location and in constructing a hive.

          Single cell organisms qualify as systems; so do stars that went supernova billions of years ago, but which evidence of that reorganization of constituents just appeared in the optics of the Hubble Telescope yesterday. The more we understand of systems thinking the more the notion of system seems the functional antithesis of simple.

          Effective preservation agency by an organization functioning in Complex, High-Consequence Circumstances is an ongoing balancing act filled with small, medium, and larger scale adaptive activity – there can rarely be agreement that the human component of effective preservation agency must follow only one deterministic path. Notably that is quite the opposite of the error-free criteria needed to make most sophisticated automation function as intended.

          Safety Management, by reductionist concessions in pursuit of unequivocally effective institutional preservation is unnatural; effectiveness in CHCC is constrained to approaching sustained dynamic balance in manner such as Pareto Optimals. In many instances that is as good as intentionality can make it in advance of the moment when some critical decision – one that puts preservation ahead of production – must be made.

          People who are willing to take responsibility for such in situ choosing face a challenge to choose responsibly – typically to the best of their ability – knowing full well that some of those choices will be second-guessed by someone who wasn’t at the nexus of choosing. Competent people don’t expect perfection of themselves; rather they remain open to new learning, even in familiar circumstances. Incompetent people hide from new learning, inevitably to the detriment of the institution.

      1. Bill Mullins Reply

        Yes Ron, and too, few of us haven’t found ourselves in the situation where “discretion was the better part of valor.” Life demands some retreats in the interest of returning to engage the challenge at a more propitious time and place. Effective preservation without the occasional scratches is a naive expectation – or a vessel that never left the boat-shed!

  8. drbillcorcoran Reply

    System Failure:

    When one or more outputs do not meet qualitative and/or quantitative acceptance criteria, are not capable of performing satisfactorily in service, and/or are not suitable for intended purposes the system has failed. A system will fail when its service conditions are not within its service capabilities.

    1. Bill Mullins Reply

      And – lest we forget – as Einstein sagely observed, “All things simple are difficult.”

      For example, how easily we anthropomorphize a bee colony’s “hive” agency (encoded chemically in a very simple neural network) with terms like “they” and “intelligence.” While there is much to learn from and about the topic of Bungay’s article – it is far longer than most readers today have patience for.

        1. drbillcorcoran Reply

          SMS Maxim #2
          The safety requirements for a work activity must be appropriate to the scope of work and the situation in which the work activity is to be done.

          SMS Maxim #3
          If the scope of work and/or the situation in which the work is to be done change in any way the safety requirements must be reviewed and, if needed, adjusted to maintain/ restore appropriateness.

  9. garyswong Reply

    Thanks for the interesting posting.

    Your Two Speed Safety System reminded me of Daniel Kahneman’s 2001 book “Thinking Fast and Slow”. When thinking fast we rely on intuition and habits built from years of experience and constant practice. This is the realm of “best practices” and tight constraints to control behaviour. We are able to think fast because we believe history has shown there is only one right way and we either maximize or minimize the output.

    There are times though when we must think slow which requires careful analysis, calculations, and crafting assumptions to cover our butt. Because there is more than 1 right answer, we limit the number of choices through policies and directives. We think slow to optimize evaluate known risks. This is the realm of “good practices” and constraints to govern behaviour. A SMS formally documents the may/may not boundaries but is a poor communique. Sadly, it also is based on Reductionism – the paradigm that safety can be separated into 8 -12 components. The whole is equal to the sum of its parts.

    Thinking Fast and Slow takes place on the Ordered Side of the Cynefin Framework.
    The Unordered side of Complexity and Chaos requires different thinking and abductive reasoning. What we’ve learned from nature is there is order within unorder. Hence we discover patterns and can develop simple rules, maxims, heuristics that help us to cope with uncertainty, deal with disruption, and try to be safe in an inherently dangerous real world.

    1. Bill Mullins Reply

      It is quite possible to prepare an operable SMS which is not limited to reductionist derivation of hard and fast requirements. To do so requires a paradigm shift away from the perception of effective and sufficient preservation agency as the equating to the sum of complying prescriptively with prerequisites (be that laws, regulations, or company policy).

      Alternately the work of effective preservation are those actions necessary and sufficient to maintain the integrity of the institution in its actual context – which context is both prescribed and co-evolving with the institution’s mission choices.

      Build a research lab at the South Pole and there is no escaping the environmental constraints which are unfolding variably in parallel with and indifferent to the mission. Compare the stories of Scott and Amundsen’s pioneering treks to reach the South Pole for the first time – one’s preservation provisions sufficed, the other’s fell fatally short.

      Both explorers followed their checklists, one set of design criteria, rationally arrived at, nonetheless proved in deadly error. Yes, in that instance, careful preparation and diligent execution resulted in a system of performance that failed completely by any measure. Any SMS which lack the capacity to continually challenge even its most fundamental premises in light of what is happening in the environment sets itself up for a Deepwater Horizon burning platform as surely as night follows day.

      1. Ronald Butcher Reply

        “Any SMS which lack the capacity to continually challenge even its most fundamental premises in light of what is happening in the environment sets itself up for a Deepwater Horizon burning platform as surely as night follows day.”

        A profound point Bill. It certainly makes for a disturbing contrast when considering that most of the collection of documents, forms, procedures and requirements are designed for, and audited against, conformity and standardization, assuming the creation of standardized structure within what is believed to be a wholly controllable environment as applied to the “Work as Imagined” characteristics described by Dr. Hollnagel.

        To Dr. Bill Corcoran’s point above, it seems our challenge comes in ensuring the safety management “system” produces the desired outcomes. To that objective, your prophetic posting makes for a great mission statement.

        Thanks for sharing your insight Bill.
