Security management

The safety management leads, steers and coordinates an organization with regard to all safety activities .

Safety management is synonymous with risk management (RM), which includes all measures for the systematic identification, analysis, assessment, monitoring and control of risks. The use of the term security management in technology (in the German-speaking area) is explained by the general use of the term security in technology ( see section Elements of security management ).

History of the development of security management

Safety management is used in all areas of industry with potential hazards. The necessity of the introduction and application of the safety management resulted practically from accident analyzes, according to which serious deficiencies in the organization turned out to be the main causes of accidents in addition to the possibility of errors in the technology and the personnel. The following major accident events gave rise to this: Chemicals - Sevesounglück Seveso (1976), Nuclear Technology - Chernobyl (1986), Space - Challenger (1986), Petrochemicals - Piper Alpha (1988), Railways - Eschede (1998).

In aviation, this process is referred to as the development of safety thinking, according to which the knowledge about the main types of accident causes has developed over time from technical factors (1950) via human factors (1970) to organizational factors (1980). The development of the methods of reliability engineering for evaluating technical systems (technical factors) began around 1950.

With the Chernobyl accident of 1986, which revealed considerable organizational deficiencies in the form of rule violations, the importance of the influencing factor safety culture on the accident occurrence was recognized and complements the series of types of accident causes listed above. The oil spill in the Gulf of Mexico in 2010 once again demonstrated the importance of this influencing factor.

The Swiss supervisory authority HSK highlights the close interrelationship between safety culture and safety management:

“Safety culture and safety management are very closely related. Despite this relationship, there is an essential difference between the two terms. While safety culture itself cannot be directly observed and can only be recognized by its effects, safety management can be observed directly and - on paper - described. The existence of a safety management system, its explicit description and the determination of its effectiveness can therefore be used to indirectly infer the safety culture of the plant. "

In aviation, the need to introduce safety management is justified as follows:

“Security management is based on the premise that there are always security risks and human errors. The safety management system (SMS) creates processes that improve communication about these risks and the measures to reduce them. The security level and the security culture of an organization are thus sustainably improved. "

The essential elements of safety management in the various industrial areas are largely comparable, with different priorities being set due to specific industrial experience ( see section: Application areas of safety management ).

Elements of security management

security concept

A central component of security management is a security concept . All relevant framework conditions, the company's defined security goals and measures to achieve these goals are described or defined here. The security concept accordingly represents the basis for the planning and implementation of individual security measures. The aim of creating and implementing a security concept is to achieve a planned security level and to minimize identified risks.

Security policy

The security policy includes goals and guidelines for security in companies. The security policy should be in line with the company's mission statement and should be represented by management and communicated to the employees.

Security analysis

The security analysis is part of the security management activities in an organization or company. The aim of the safety analysis is to threats to realize their probability of occurrence and damage potential to predict and from the risk estimate for the organization, for example by standard ISO 27001 . In particular, the "unsafe" parameters (weak points) of a system and their prioritization must be determined. In practice, risks are assessed on the basis of experience or through expert judgment ( educated guessing ).

Security analysis means are both technical (including vulnerability scan and penetration test ) and process-oriented (discussions with responsible personnel or data protection officers, documentation analyzes or business process analysis).

Security report

The safety report is to be prepared by the operator of the system and should contain the following elements (example from the field of chemistry):

Major Accident Prevention Concept;

Description of the security management and its application;

Determination of the dangers of major accidents and the measures required to prevent them and to limit the consequences for people and the environment (e.g. using a hazard and risk analysis / safety analysis );

An explanation of the design, construction, operation and maintenance of the systems of the facility that are associated with the risk of major accidents and that the systems are sufficiently safe and reliable;

Description of the internal emergency plans and information on external emergency plans, how the necessary measures should be taken in the event of a serious accident;

Indication of the information provided to the competent authority.

Security indicators

Safety indicators (Safety Performance Indicators) are out of the system operating parameters derived, which are easy to detect and track. They give a clear picture of the security status of the system operation. At an early stage, they give operational management information about a possible deterioration in system operation so that corrective measures can be initiated before an unacceptable risk occurs.

Safety culture

Safety culture is a behavioral characteristic of a group or organization in how safety issues are dealt with. It is subject to a complex learning process in which common goals, interests, norms, values and behavioral patterns develop.

Application areas of security management

Chemical industry

As a consequence of the chemical accident in the northern Italian city of Seveso in 1976, the European Commission issued the first accident directive ( Seveso-I directive ) in 1982. The accidents in Bhopal (1984) and Guadalajara, Mexico (1992) led to an update in the Seveso II guideline in 1996 , which for the first time required operators to create a safety management system.

With the publication of Directive 2012/18 / EU of the European Parliament and of the Council of July 4, 2012 on the control of major-accident hazards involving dangerous substances, the Seveso II Directive is replaced by the Seveso III Directive . It was published with the regulations of the 12th BImSchV on January 13, 2017 in Federal Law Gazette No. I No. 3 and came into force in Germany on January 14, 2017.

According to the Seveso III Directive (Annex III), operators should present a concept for the prevention of major accidents that includes a suitable safety management system for controlling the dangers of major accidents (following text somewhat shortened):

The safety management system is appropriate to the hazards, industrial activities and the complexity of the company organization and is based on a risk assessment. The safety management should consider the following aspects:

Organization and personnel - roles and responsibilities of major accident surveillance personnel at all levels of the organization, along with the measures taken to raise awareness of the need for continuous improvement;
Determination and assessment of major accident hazards - Assessment of the probability and severity of such accidents;
Operational Control - Establishing and implementing procedures and giving instructions for safe operational operations, including maintenance;
safe implementation of changes - definition and application of procedures for planning changes to the plant;
Emergency planning - Establishing and applying procedures to identify foreseeable emergencies based on systematic analysis and to create, test and review emergency plans;
Performance monitoring - continuous assessment of compliance with the objectives set out in the operator's concept and in safety management, as well as mechanisms for checking and initiating remedial measures in the event of non-compliance. Reporting major accidents or "near misses", especially those where the protective measures have failed, safety-related performance indicators;
Audit and review - definition and implementation of procedures for a regular, systematic assessment of the concept and the effectiveness and suitability of the safety management.

Petrochemicals

The explosion of the Piper Alpha oil platform on July 6, 1988, in which 167 people were killed, led to a fundamental realignment of safety measures in the petrochemical industry .

In his accident investigation (1990), Lord Cullen comes to the conclusion that the prevailing safety regime in the offshore industry ( Present offshore regime ) is inadequate and the licensing procedure (in UK ) needs a fundamental renewal. Every offshore company should have a formalized safety management system (SMS) in which the safety objectives of the company are identified and how these safety objectives are achieved and demonstrated in safety standards. The task of security management is to guarantee the security goals both in the system design and in the operation of the system. The implemented SMS must be presented to the competent authority.

In detail, the SMS should contain the following elements:

Creating an organizational structure
Standards for the management staff
Training for operations and emergencies
Security analysis
Design guidelines ( design procedures ).
Procedures for operation, maintenance, changes and emergencies
Security management of subcontractors regarding their work
Involvement of the operating staff and that of the subcontractors in the safety management
Accident and incident reporting, incident analysis and action tracking
Monitoring and auditing of the functionality of the SMS
Systematic re-evaluation of the SMS in terms of operator and industry experience.

In the international standard ISO 45001 , elements of the SMS were adopted and specified.

Railway systems

According to Directive 2004/49 / EC , replaced and expanded by Directive (EU) 2016/798 with effect from May 11, 2016, of the European Parliament and the Council on railway safety in the Community ( directive on railway safety ) are the essential components of the safety management system:

a security policy approved by the company manager and communicated to staff;
company-related qualitative and quantitative goals with a view to maintaining and improving safety and plans for the achievement of these goals;
Procedures for compliance with existing, new and changed technical and operational standards;
Procedures for carrying out risk assessments and applying risk control measures in the event that changes in operating conditions or new material present new risks to the infrastructure or operations;
Personnel training programs and procedures to ensure that personnel are qualified and that the work is carried out accordingly;
Provision for a sufficient flow of information within the organization and, if necessary, between organizations using the same infrastructure;
Procedures and formats for documenting security information and determining control procedures to secure the configuration of critical security information;
Procedures to ensure that accidents, incidents, near misses and other dangerous events are reported, investigated and evaluated and that the necessary preventive measures are taken;
Provision of deployment, alarm and information plans in consultation with the responsible authorities;
Provisions on regular internal reviews of the safety management system.

The safety management measures are supplemented by the determination of safety indicators (accidents caused by collisions, train derailments, accidents at level crossings, accidents with personal injury, suicides, vehicle fires), indicators relating to disruptions, near-accidents and indicators on the effectiveness of safety management (with reference to on the audits carried out).

As proof of the effectiveness of the safety management system in use, all infrastructure managers and railway companies must submit a safety report to the safety authority every year . This must include information on how the company-related safety objectives were achieved, how the recorded safety indicators have developed, the results of the internal safety reviews and defects and disruptions in railway operations.

According to EN 50129, proof of safety for all elements of the safety management process must be provided in a safety management report over the entire life cycle from creation, operation and disposal of a system. In all cases, hazard analyzes and risk assessment processes, as defined in EN 50126 , are necessary.

Nuclear technology

In the nuclear power plants , the use of safety management systems become an international standard. The main basis for this is the report by the International Atomic Energy Agency ( IAEA ) Management of Operational Safety in Nuclear Power Plants - INSAG-13 da.

The report gives a detailed description of safety management for nuclear power plants and points out the very close connection between safety management and safety culture, according to which both are mutually dependent.

An organization with a strong safety culture has effective safety management, which in turn creates the working conditions that reinforce the behavior and attitudes of staff towards safety.

The SMS is also defined accordingly:

"The safety management system which includes organizational measures of a company in terms of safety, a strong safety culture and a good safety performance ( safety performence to reach)."

The following system weaknesses could be determined from the experience with the use of SMS:

Insufficient identification of the fundamental causes of malfunctions ( real root causes )
Lack of management engagement in solving identified problems
Insufficient attention in planning and executing remedial actions and prioritizing them
Lack of conviction among employees to respond to planned changes
Insufficient resources to implement improvement measures.

In Germany in 2004 the BMU demanded the introduction of safety management systems for all nuclear power plants, the principles of which are described in.

Civil aviation

The safety management system (SMS), known in civil aviation as the safety management system , is mandatory by the International Civil Aviation Organization (ICAO) and must be implemented by its 190 contracting states, including Germany , Austria and Switzerland . The basic idea of the SMS is to understand safety as a management task, i.e. to proactively recognize latent dangers in order to prevent them at an early stage. Errors made should be reported retrospectively so that the risk of repetition is largely eliminated. (For the dangers in aviation, see.)

The ICAO SMS concept contains two addressees, namely on the one hand the ICAO contracting states themselves, each of which is to create its own comprehensive State Safety Program (SSP). On the other hand, it is aimed at airport operators , airlines , maintenance companies and training facilities in the aviation industry, each of which is to introduce an internal SMS and is to be monitored by the competent authorities of the contracting states.

The American ACRP reports Safety Management Systems for Airports , Volume 1: Overview and Volume 2: Guidebook contain detailed instructions for the introduction of SMS for airport operators.

Maritime shipping

A number of serious shipping accidents in the 1980s, in particular the disaster of the Herald of Free Enterprise , manifested human errors combined with management errors as the triggering causes.

The International Maritime Organization (IMO) then developed the Guidelines on Management for the Safe Operation of Ships and for Pollution Prevention , in which the goals of safety management, the provision of the resources for their implementation and the creation of a safety management system (SMS) are specified. The necessary safety measures should be presented in a safety management manual , with a copy on board the ship. The tasks of the SMS also include reporting accidents and dangerous situations to the ship owners.

A study by ADAC from May 2012 on the safety of cruise ships with 3,000 to 7,000 passengers on board came to the conclusion that 4 out of 9 ships were rated “poor” and only in one case were rated “very good”. were issued.

Water management

The "Technical Safety Management " (TSM) guideline created by the German Association for Water Management, Sewage and Waste (DWA) is used for water management companies and is intended to keep and review the level of knowledge of employees and the organizational structures of the technical area. The guidelines "TSM Abwasser" for wastewater and sewer companies, "TSM Water Maintenance" for water associations and "TSM Reservoirs" for dam operators are used for voluntary self-control, which is checked every six years.

Information security

The IT security management is in the field of information technology (IT) a continuous process within a company or organization to ensure IT security . Its task is the systematic hedging of an information processing IT assets to threats to information security and threats to data protection of a To prevent or repel a company or organization.

According to the BSI standard 200-1 Management Systems for Information Security (ISMS) , the top management level of a company must initiate, control and monitor the security process. This includes the following tasks:

A strategy for information security and security goals must be adopted and communicated.
The effects of security risks on business activities and the performance of tasks must be examined. The operational task of "information security" is usually carried out by an information security officer (ISB).
The organizational framework for information security must be created, responsibilities and authorities assigned and communicated.
Sufficient resources must be made available for information security.
The security strategy must be regularly checked and evaluated, identified weaknesses and errors must be corrected.
Employees must be made aware of security issues and view information security as an important aspect of their duties.

Degree in safety management

The safety management course usually deals with the following subjects:

Operational management
Risk and security in a social context
Occupational and operational safety
Tax law
Risk management
Financial aspects
Conflict management and communication
Aspects of crime

and should enable the students to develop holistic security concepts and to implement them in companies, authorities, national and international institutions.

literature

Incident Commission at the BMU: Safety Management Systems , 10.1999 (PDF; 79 kB)

E. Moch, Th. Stephan: Development of working aids for the creation and testing of the concept for the prevention of accidents , Federal Environment Agency, UBA-FB 29948324 (PDF; 631 kB)

M. Niemeyer: Development and implementation of innovative quality techniques to make management systems more effective , Otto von Guericke University Magdeburg, 12.2004 (PDF; 3.7 MB)

A. Wolter: New legal and technical approaches in the assessment of chemical plants or operational areas i. S. d. Hazardous Incident Ordinance in the context of urban land use planning - typifying consideration with the help of elements of risk assessment , Bergische Universität Wuppertal, 02.2007 ( online )

St. Szameitat: Computer-aided security management - design of evaluation systems for security-critical events in industrial plants with high risk potential , Technical University Berlin, 2003 (PDF; 1.9 MB)

Safety Management System at Airfields, Manual (Version 1.0), as of March 2005, created by the Technical University of Berlin, Department of Flight Control and Air Traffic in cooperation with the traffic management of Flughafen München GmbH [9]

Individual evidence

↑ ^a ^b BSI Standard 200-1 Management Systems for Information Security (ISMS) , Federal Office for Information Security , October 2017.

↑ ^a ^b Safety Management Manual (SMM) , ICAO Doc 9859, ISBN 978-92-9231-295-4 , 2009.

↑ , A. Frischknecht, J. Nöggerath, Deutschmann: Supervision of the operational safety of nuclear power plants , lecture at SVA advanced course Review of operational safety of nuclear power plants , Winterthur, 10/2000.

↑ ^a ^b Safety Management Systems for Airports (PDF; 1.7 MB), ACRP Report 1, Volume 1: Overview, Transportation Research Board , Washington, DC, 2007.

^ Tucker, Eugene: Risk analysis and the security survey . 4th ed. Butterworth-Heinemann, Waltham, MA 2012, ISBN 978-0-12-382233-8 .

↑ ^a ^{b Council} Directive 96/82 / EC of 9 December 1996 on the control of the dangers of major accidents involving dangerous substances .

^ [1] , Aviation Glossary Aviation Glossary - Defining the Language of Aviation

↑ Directive 82/501 / EEC of the Council of June 24, 1982 on the dangers of major accidents in certain industrial activities .

↑ Federal Immission Control Act (Major Accidents Ordinance - 12th BImSchV) , April 26, 2000.

↑ Directive 2012/18 / EU of the European Parliament and of the Council of July 4th, 2012 on the control of major accident hazards involving dangerous substances, amending and subsequently repealing Council Directive 96/82 / EC , Official Journal of the European Union, July 24th. 2012.

↑ Regulation for the implementation of Directive 2012/18 / EU of the European Parliament and of the Council of July 4, 2012 on the control of major accident hazards involving dangerous substances, amending and subsequently repealing Council Directive 96/82 / EC, of July 9, 2012. January 2017 , regulations of the 12th BImSchV on January 13, 2017 in Federal Law Gazette No. I No. 3.

↑ [2] , D. Cullen. 1990. The Public Inquiry into the Piper Alpha Disaster. Department of Energy, HMSO Cm 1310, London.

↑ [3] (PDF; 147 kB), Directive 2004/49 / EC of the European Parliament and of the Council on railway safety in the Community ( directive on railway safety), Article 9 Safety Management Systems, April 29, 2004.

↑ ^a ^b Directive 2004/49 / EC of the European Parliament and of the Council on railway safety in the Community . ( Railway Safety Directive ), April 29, 2004.

↑ [4] , Björn Ludwig: Safety management systems - a new challenge for railways? ETR Eisenbahntechnische Rundschau, Jg .: 53, No. 11, 2004, ISSN 0013-2845 .

↑ EN 50129: Railway application - telecommunications technology, signaling technology and data processing systems-safety-relevant electronic systems for signaling technology , February 2003.

↑ [5] , EN 50126: Railway applications - specification and proof of reliability, availability, maintainability and safety (RAMS) ; German version, 1999.

↑ ^a ^b ^c [6] (PDF; 146 kB), Management of Operational Safety in Nuclear Power Plants - INSAG-13, IAEA, Vienna, 1999.

↑ Basics for safety management systems in nuclear power plants. Federal Ministry for the Environment, Nature Conservation and Nuclear Safety, September 2008, archived from the original on August 6, 2009 ; Retrieved April 4, 2014 (main document and notice dated June 29, 2004).

↑ Air safety , engl. Wikipedia: Air safety / hazards.

↑ ACRP REPORT 1: Safety Management Systems for Airports , Volume 2: Guidebook , Transportation Research Board, Washington, DC, 2009.

^ [7] , Development of the ISM Code.

↑ [8] (PDF; 453 kB), INTERNATIONAL SAFETY MANAGEMENT CODE.

↑ ( Page no longer available , search in web archives ) Info: The link was automatically marked as defective. Please check the link according to the instructions and then remove this notice. ], ADAC sample 2012: Safety on cruise ships. @ 2Template: Dead Link / www.adac.de

↑ Technical safety management , German Association for Water Management, Sewage and Waste eV

↑ Safety management studies , University of Public Administration Bremen.

↑ Security Management MA , Center for Distance Learning in the University Association.

[BSI-Standard_200-1-1] BSI Standard 200-1 Management Systems for Information Security (ISMS) , Federal Office for Information Security , October 2017.

[ICAO-2] Safety Management Manual (SMM) , ICAO Doc 9859, ISBN 978-92-9231-295-4 , 2009.

[HSK-3] , A. Frischknecht, J. Nöggerath, Deutschmann: Supervision of the operational safety of nuclear power plants , lecture at SVA advanced course Review of operational safety of nuclear power plants , Winterthur, 10/2000.

[ACRP_1-4] Safety Management Systems for Airports (PDF; 1.7 MB), ACRP Report 1, Volume 1: Overview, Transportation Research Board , Washington, DC, 2007.

[5] Tucker, Eugene: Risk analysis and the security survey . 4th ed. Butterworth-Heinemann, Waltham, MA 2012, ISBN 978-0-12-382233-8 .

[Seveso-II-6] {b Council} Directive 96/82 / EC of 9 December 1996 on the control of the dangers of major accidents involving dangerous substances .

[Indikator-7] [1] , Aviation Glossary Aviation Glossary - Defining the Language of Aviation

[Seveso-I-8] Directive 82/501 / EEC of the Council of June 24, 1982 on the dangers of major accidents in certain industrial activities .

[test-9] Federal Immission Control Act (Major Accidents Ordinance - 12th BImSchV) , April 26, 2000.

[10] Directive 2012/18 / EU of the European Parliament and of the Council of July 4th, 2012 on the control of major accident hazards involving dangerous substances, amending and subsequently repealing Council Directive 96/82 / EC , Official Journal of the European Union, July 24th. 2012.

[11] Regulation for the implementation of Directive 2012/18 / EU of the European Parliament and of the Council of July 4, 2012 on the control of major accident hazards involving dangerous substances, amending and subsequently repealing Council Directive 96/82 / EC, of July 9, 2012. January 2017 , regulations of the 12th BImSchV on January 13, 2017 in Federal Law Gazette No. I No. 3.

[Cullen-12] [2] , D. Cullen. 1990. The Public Inquiry into the Piper Alpha Disaster. Department of Energy, HMSO Cm 1310, London.