Investigation report: Safety management systems - an introduction for healthcare

Those who work in healthcare are aware of the need to protect patients from harm. Despite this, there are ongoing patient safety incidents across healthcare organisations, some of which have been highlighted in previous Healthcare Safety Investigation Branch (HSIB) investigations.

Other industries where safety is critical, such as aerospace, aviation, maritime, rail, oil and gas, defence, and nuclear power, take a structured approach to managing safety through the use of safety management systems (SMSs). This report explores the way SMSs are used in these industries and how the principles of an SMS could contribute to more effective safety management in healthcare.

An SMS is a proactive and integrated approach to managing safety. It sets out the necessary organisational structures and accountabilities and will continuously be improved. It requires safety management to be integrated into an organisation’s day-to-day activities. There is no one-size-fits-all SMS, however, there are four recognised areas associated with many SMS frameworks:

• safety policy - establishes senior management's commitment to improve safety and outlines responsibilities; defining the way the organisation needs to be structured to meet safety goals
• safety risk management - which includes the identification of hazards (things that could cause harm) and risks (the likelihood of a hazard causing harm) and the assessment and mitigation of risks
• safety assurance - which involves the monitoring and measuring of safety performance (e.g., how effectively an organisation is managing risks), the continuous improvement of the SMS, and evaluating the continued effectiveness of implemented risk controls
• safety promotion - which includes training, communication and other actions to support a positive safety culture within all levels of the workforce.

The purpose of an SMS is to ensure that an industry achieves its business and operational objectives in a safe way and complies with the safety obligations that apply to it. However, it is not just a paper-based or electronic system specifically developed for demonstrating compliance with regulatory frameworks. Instead, an SMS should be a dynamic set of arrangements which grows in maturity and develops as the industry evolves.

HSSIB has made an SMS explainer video to introduce the concepts described in this report.

This investigation explored how SMSs are used in other safety-critical industries and the current approaches to managing safety in healthcare.

The investigation interviewed people across a range of safety-orientated roles to understand their approaches to safety management. These safety leaders were from industries including healthcare, aerospace, aviation, maritime, rail, oil and gas, and nuclear power.

The investigation identified three key opportunities for an organised approach to safety management in the healthcare system:

SMS development in healthcare

• There is an opportunity to improve safety activities in healthcare to increase proactivity and coordination across and within organisations.
• In other safety-critical industries an SMS is mandated in regulation, but healthcare organisations are not required to have all four areas of an SMS.
• There is an opportunity to improve standardisation in the coordination of safety activities within and between different organisations across healthcare, in terms of how risks are escalated and managed.
• An effective safety system and culture requires a shared understanding of safety management principles.
• There is variability in the current language and definitions that describe the safety activities, functions and processes already common across healthcare.

Safety accountability frameworks across healthcare

• For effective safety management, clear lines of accountability and responsibility are needed. Within an SMS, everyone has some measure of responsibility, such as reporting unsafe conditions. Accountability takes responsibility to another level. When someone is accountable, they are responsible for systems and processes that assure safety.
• If there is no co-ordinated approach in place, accountability and responsibility can become misaligned, leading to gaps in the oversight of safety management.
• While there are clear accountabilities for safety at provider level through the Care Quality Commission regulation, there is no multi-level framework that specifies who should be accountable for the management of safety risks across the healthcare system.
• There is consensus within other safety-critical industries that effective safety management is only possible when there is a clear accountability framework that underpins the process.

Safety maturity assessments across healthcare

• The term safety maturity is used to describe how far an organisation has developed and embedded its SMS.
• Existing maturity frameworks in healthcare do not promote the principles of SMSs, do not define the key components of a healthcare SMS, and do not provide organisations with a road map for incremental development of their safety activities.

Future work will need to explore the applicability of the SMS approach to healthcare. This could involve:

• mapping current safety management activities in healthcare to SMS principles and identifying opportunities for improvement
• determining if planned and ongoing changes to the way safety is managed in healthcare would be usefully guided by SMS principles
• further understanding how an accountability framework could support an SMS approach in healthcare
• understanding how safety issues and risks for inclusion health groups are identified and then managed through an SMS approach.

If improvement opportunities are identified, work would need to establish how SMSs in healthcare could be appropriately and effectively implemented.

HSSIB makes the following safety recommendations

1.1.1 While the provision of safe care is a priority in healthcare, ensuring patient safety remains an ongoing challenge. There are large numbers of reported individual patient safety incidents highlighting deficiencies in the safety of care in all healthcare settings.

1.1.2 The Healthcare Safety Investigation Branch (HSIB) previously investigated a variety of patient safety incidents which occur repeatedly, suggesting that risks are not being sufficiently managed. Examples include medication errors (Healthcare Safety Investigation Branch, 2020a), wrong site surgery (Healthcare Safety Investigation Branch, 2021a) and a lack of a timely response when a patient’s condition rapidly deteriorates (Healthcare Safety Investigation Branch, 2019). A review of these investigations showed that there are common recurring themes across different types of safety incident (Healthcare Safety Investigation Branch, 2021b).

1.1.3 By its nature, the delivery of healthcare is inherently complex and risky. Healthcare should be recognised as a safety-critical industry (Wears, 2012; Patient Safety Commissioner, 2023). This means it is a system made up of individuals, technology and organisations in which safety is of paramount importance and where the consequences of failure or malfunction may be loss of life or serious injury, serious environmental damage, or harm to equipment or property (Saunders, 2015).

1.1.4 It has been suggested that healthcare should look at how other safety-critical industries manage safety to see if there is learning that can be shared (Macrae and Stewart, 2019). Many other safety-critical industries such as aviation, oil and gas, and nuclear power use safety management systems (SMSs) to co-ordinate the management of safety.

1.1.5 In recent reports, HSIB has also concluded that the principles underpinning SMSs may help healthcare organisations to respond more effectively to patient safety risks (Healthcare Safety Investigation Branch, 2022a; 2021b; 2020b).

1.1.6 An SMS is a proactive and integrated approach to managing safety. It sets out the necessary organisational structures and accountabilities and will continuously be improved. It requires safety management to be integrated into an organisation’s day-to-day activities (Civil Aviation Authority, 2015).

1.1.7 A safety culture cannot be imposed by regulation, however through an SMS, industries can try to create the conditions that will allow a positive safety culture to develop.

1.2.1 This investigation aims to identify the principles of SMSs by:

• identifying the requirements for SMSs
• exploring the potential role for SMSs in healthcare

1.2.2 The investigation sought the views of three broad groups of stakeholders:

• those from other safety-critical industries with experience and day to day operational involvement with SMSs
• academics who have published research into how SMSs could potentially improve system safety in healthcare
• those working in healthcare and patient safety.

See appendix 1 for more information about the investigation approach.

1.3.1 An SMS is more than a manual or a set of procedures. Its purpose is to ensure that an organisation achieves its business and operational objectives in a safe manner and complies with the safety obligations that apply to it (European Union Agency for Railways, 2023).

1.3.2 SMSs aim to provide an infrastructure to enable improvements to safety. Across safety-critical industries these safety management activities are organised and regulated through SMSs.

1.3.3 There is no one-size-fits-all SMS, but there are four recognised areas (see figure 1) associated with the International Civil Aviation Organization SMS Framework (International Civil Aviation Organization, 2018; Federal Aviation Administration, 2021):

• safety policy
• safety risk management
• safety assurance
• safety promotion.

A further detailed description of these four key areas, and how the organisation of patient safety does not currently map to these areas, can be found in Macrae (2022). Organisations may tailor their SMS to suit the size, nature and complexity of the operation, while still demonstrating the principles associated with the four areas of an SMS.

Safety policy

1.3.4 A safety policy establishes senior management's commitment to improve safety and outlines responsibilities; defining the way the organisation needs to be structured to meet safety goals. It should also outline the aims and objectives that an organisation will use to achieve its desired safety outcomes (Civil Aviation Authority, 2015).

Safety risk management

1.3.5 Safety risk management includes the identification of hazards (things that could cause harm) and risks (the likelihood of a hazard causing harm) and the assessment and mitigation of risks. Once risks are identified and prioritised, appropriate controls can be implemented to reduce the level of risk (Civil Aviation Authority, 2015).

Safety assurance

1.3.6 Safety assurance involves the monitoring and measuring of safety performance, evaluating how effectively an organisation is managing risks, and the continuous improvement of the SMS (International Civil Aviation Organization, 2018).

Safety promotion

1.3.7 Safety promotion includes training, communication and other actions that may help to enable a positive safety culture within all levels of the workforce. It also supports effective two-way communication of safety issues between staff working at an operational level and the organisation’s management (International Civil Aviation Organization, 2018).

Figure 1 The four areas of a safety management system

1.4.1 In this report the term safety maturity is used to describe how far an organisation has developed and embedded its SMS. Measuring their level of safety maturity, alongside their safety assurance process, is an important aspect of an organisation’s safety management.

1.4.2 In other safety-critical industries it is common practice to assess the safety maturity of their organisations. Maturity assessment tools have been developed by regulators in collaboration with industry partners to describe good practice SMSs, as seen in aviation and rail (European Union Aviation Safety Agency, 2023; European Union Agency for Railways, 2023; Office of Rail and Road, 2019). These tools are used to guide good practice in safety management but would need to be developed specifically for an industry.

1.4.3 An example of these safety maturity assessment tools was developed by the UK rail regulator, the Office of Road and Rail. The tool is known as the Rail Management Maturity Model, or RM3 (Office of Rail and Road, 2019). The tool was developed in collaboration with the rail industry as a tool for assessing an organisation’s safety management system and to provide a benchmark for year-on-year comparison. It has received wide acceptance by the rail industry as a means of demonstrating good practice in safety risk management. The RM3, shown in figure 2, provides maturity scales which are structured into five categories:

• health and safety policy, leadership and board governance
• organising for control and communication
• securing cooperation and competence
• planning and implementation
• monitoring, audit, and review.

Figure 2 Risk Management Maturity Model (RM3) (Office of Rail and Road, 2019)

1.4.4 The five categories are broken down into 26 safety risk management criteria. Each of these criteria have defined maturity levels rated from ad-hoc to excellence. An example for the ‘SMS documentation’ criterion is shown in table 1:

1.5.1 In the past 25 years there has been a growing focus on patient safety within the NHS. Efforts accelerated in the aftermath of the Bristol Royal Infirmary Inquiry into children’s heart surgery (Kennedy, 2001). In July 2001, the National Patient Safety Agency (NPSA) was set up as a Special Health Authority to co-ordinate the safety efforts of all those involved in healthcare.

1.5.2 The NHS Plan (Department of Health, 2000) led to the establishment of the National Institute for Clinical Excellence (NICE) to set standards of care and the Commission for Healthcare Improvement. This was a precursor to the Care Quality Commission (CQC), being established in 2009, to monitor clinical governance. In 2010 the first NHS Serious Incident Framework was established facilitating national safety incident reporting.

1.5.3 Following the Francis inquiry into Mid Staffordshire NHS Foundation Trust (Francis, 2010) the first national Director of Patient Safety was appointed in 2012. In 2017 HSIB was founded to help improve patient safety through effective independent investigation and in 2019 the NHS Patient Safety Strategy (NHS England, 2019) was published.

1.5.4 Most recently the Patient Safety Incident Response Framework (PSIRF) (NHS England, 2023) has been launched, which is changing how healthcare responds to incidents. Further developments include the Learn from Patient Safety Events service (LFPSE) (NHS England, 2022) and the NHS Patient Safety Syllabus (Academy of Medical Royal Colleges, 2022) which acknowledges the approach of an SMS.

1.5.5 A timeline of patient safety events is outlined in the National State of Patient Safety Report (Imperial College London, 2022).

1.5.6 Despite the focus on patient safety and many improvements, there are still recurring safety risks and incidents in healthcare. This can be seen in repeated concerns at trust level such as in the Morecambe Bay Investigation (Kirkup, 2015), ‘First do no harm: the report of the Independent Medicines and Medical Devices Safety Review’ (The Independent Medicine and Medical Devices Safety Review, 2020), the ‘Ockenden review of maternity services at Shrewsbury and Telford Hospital NHS Trust’ (Ockenden, 2020) and ‘Reading the signals: Maternity and Neonatal Services in East Kent Report’ (Kirkup, 2022).

1.5.7 In ‘First do no harm’, Baroness Cumberlege wrote in the opening letter to the Secretary of State:

“We have found that the healthcare system – in which I include the NHS, private providers, the regulators and professional bodies, pharmaceutical and device manufacturers, and policymakers – is disjointed, siloed, unresponsive and defensive.”

And:

“The system is not good enough at spotting trends in practice and outcomes that give rise to safety concerns.”

(The Independent Medicine and Medical Devices Safety Review, 2020)

1.5.8 An overall systems approach is needed – that is, one that encompasses all aspects of healthcare including non-clinical services, which can have a significant impact on patient safety. For example, a whole-system approach should consider auxiliary services such as decontamination services, facilities management or healthcare engineering. Currently, this may not be the case in healthcare. HSIB highlighted the importance of other services and parts of the healthcare system that may have a significant impact on patient safety and will need to be included in an overall systems approach (for example, Healthcare Safety Investigation Branch, 2021c).

Other safety-critical industries

2.1.1 In the aerospace, aviation, maritime, rail, oil and gas, defence, and nuclear power industries, an SMS is required by the appropriate regulators for authorisation to operate. For example, an airline will not be authorised with an air operator certificate – and will therefore not be able to fly or carry passengers – unless it meets the regulatory requirements for an SMS.

2.1.2 The investigation also heard that before the requirements of an SMS were set out, there was fragmentation in the regulations and in the ways organisations managed safety. For example, a safety leader in aviation said:

“… the airline is made up of different certified parts, so you can have operations, engineering, airworthiness, training, each with their own set of regulations. The regulations had also been written in siloes [that is, within rather than across the different parts of the airline] for each of those certified parts and they all had their own quality systems … this didn’t permit activity or communication between the departments and actually drove siloed working.”

2.1.3 The role of the regulator has been pivotal in the development of SMS standards in other industries. Regulators from safety-critical industries told the investigation that new regulations were introduced to co-ordinate safety management across different parts of their industry. Organisations will develop their SMSs to meet these regulations and will conduct internal assurance activities to ensure that they are correctly implemented within their operations. Regulators will assess the SMS as part of the authorisation process and may conduct inspections or audits to ensure that it is being applied as expected. Examples of these regulations and standards are given in appendix 2.

2.1.4 It was clear from the safety leaders in other safety-critical industries that the regulatory requirements of an SMS are integral to everyday work and how safety is managed within organisations. For example, a safety leader told the investigation how an SMS was adopted by their airline:

“We had our own manuals that documented the procedures, then SMS was really coming to the forefront of safety management through the regulations. So, it was a combination of the regulations and experience, some of it hard earned, and having to shift the way you think to managing the safety issues.”

2.1.5 The investigation heard from safety leaders in other safety-critical industries that safety management principles underpin all the operational aspects of safety management and must be understood before attempting to develop an SMS (see 1.3).

Healthcare

2.1.6 In other safety-critical industries an SMS is mandated in regulation, but healthcare organisations are not required to have all four areas of an SMS. There is a lack of standardisation in the coordination of safety activities within and between different organisations across healthcare, in terms of how risks are escalated and managed, which would be facilitated by an SMS.

2.1.7 Safety leaders in healthcare told the investigation that initiatives have been launched to improve patient safety. Many of these developments, of which there have been a significant number over the last 20 years and more, may map onto the key requirements of an SMS.

2.1.8 The investigation heard that the Patient Safety Incident Response Framework (PSIRF) “is leading to a more systematic approach to risk identification, developing processes for monitoring and managing known risks”. While safety reporting systems and risk assessment are important elements, interviewees recognised that the impact of these initiatives could be limited without being part of a comprehensive management system that can promote improvements across the wider healthcare system rather than solely local responses. However, the intention is that these initiatives should promote collaboration across organisational boundaries.

2.1.9 The investigation heard from safety leaders at the CQC, NHS England, and the Department of Health and Social Care that elements of SMSs are already in place or have been used in previous projects and there is an awareness of SMS principles among some organisations. The NHS has a significant amount of governance and assurance activity at local, regional and national level, with associated documentation related to safety assurance and risk. There are common terms of reference, which will be disseminated as part of NHS England’s Operating Model for Quality (forthcoming). Examples include regional and national quality groups, the work of the Joint Strategic Oversight Group, the work of the CQC in relation to regulating providers. However, there was acknowledgement from a safety leader that there is variability across the NHS. They said that there is reliance on informal ways of sharing safety concerns and limited documentation on plans to assure safety or better understand safety risks.

2.1.10 Another safety leader in healthcare said:

“… the identification of patient safety risks is more haphazard than I am comfortable with.”

With regard to safety management, they went on to say:

“Our system is based on ‘first do some harm’, when it should be ‘first do no harm’. Most of safety is deficit driven. We need to get to a system which starts with making sure up-front things are as safe as they can be”.

The organisation of safety activities

2.1.11 Current safety activities in healthcare were described by multiple interviewees, including academics and regulators, as reactive (that is, responding to events that have happened rather than actively assessing and managing risks), fragmented and often lacking in co-ordination across, and within, organisations.

2.1.12 An academic told the investigation that there is limited capability in the healthcare system at present to look at patient safety across care pathways or along a patient’s care journey. A healthcare safety leader told the investigation that the NHS is a crowded landscape which currently lacks a proactive mechanism for sharing intelligence, identifying risks and co-ordinating activity between stakeholders – “instead this is done on a reactive, case-by-case basis”. However, the intention of PSIRF is to enable proactive approaches so that safety activities can be coordinated across stakeholders.

2.1.13 Safety leaders in aviation, maritime and other safety-critical industries told the investigation that “formalised ways of sharing safety information are needed, so that safety activities can be co-ordinated within and between different organisations across an industry”.

2.1.14 The investigation heard concerns from safety leaders in healthcare about the applicability of an SMS approach to healthcare. This was because of the complexity of healthcare and the number of organisations involved. There was a misunderstanding that other industries have a single SMS. Other industries do not operate a single SMS, rather each organisation will have an SMS that is guided by common principles. This is because of different operational activities across many organisations within an industry. For example, in aviation there are SMSs for airlines, airports, air navigation service providers, contracted organisations and regulators.

2.1.15 In contrast to healthcare, other industries described a co-ordinated, but variable approach to managing risks in an integrated way rather than in isolation of each other. For example, the European Aviation Safety Agency (EASA) described the SMS bringing together several collaborative groups and multiple stakeholder organisations, including representation from those involved in different operational activities in the industry, to “worry about the right things, agree on what is important at a system level, and perform joint risk assessments”.

2.1.16 A rail operator explained that in safety-critical industries each stakeholder within the industry encounters different types of risks specific to their operational areas and develops their own risk profile. Risk profiling is how organisations rank their risks in order of importance and take action to control them (Health and Safety Executive, 2013). However, the investigation found that there are always a number of risks that need to be managed across stakeholders. Sometimes the management of risks does not always need new interventions and can instead be achieved through effective cross-stakeholder co-ordination that reinforces existing approaches.

2.1.17 The investigation heard from regulators in aviation and rail that implementing SMSs has involved collaboration between the regulator and multiple organisations over several years to develop regulations, standards and good practice to assure safety management practice across an entire industry. A rail operator told the investigation that the key is collaboration with a commitment to work together to build on existing foundations and ensure continuous improvement. The rail operator said that “once people understand that sharing won’t mean blame, they want to be involved because they can see the value in what they are doing”.

Implementing an SMS

2.1.18 The investigation heard from both healthcare and other safety-critical industry interviewees that while regulation of SMSs has worked in other safety-critical industries, healthcare would need to be supported in implementing an SMS that is suitable and not just ‘borrow’ from another industry.

2.1.19 An academic told the investigation:

“… it is not feasible to simply lift a surface structure of what appears to be working elsewhere as this can lose the fidelity of what is happening in those industries, for example the procedural elements often miss the cultural and cognitive infrastructure. The levers that work in other industries may not exist in healthcare as it doesn’t have the same co-ordinated infrastructure.”

2.1.20 A safety leader from the nuclear industry said:

“The danger of implementing an SMS directly from another industry is that it may increase the gap between work as imagined and work as done, for example the nuclear approach to safety is very slow, reliant on engineering and highly controlled so may not be an appropriate fit.”

2.1.21 Safety leaders in healthcare told the investigation that it is essential to develop a shared and easily understandable language with definitions for managing safety in healthcare to be used by all healthcare organisations. This should include agreed recognition of the safety activities, functions and processes already in place, recognising that these may not be as sophisticated as those in other industries. There is work underway by the CQC to develop this shared language in coordination with others.

2.1.22 The investigation also heard about the importance of language when adopting an SMS approach in healthcare. A healthcare leader told the investigation:

“We need to think about the ingredients of an SMS. There needs to be some transitionary language to make it translatable for people. If we are changing the landscape, we need to let people know what it means.”

To do this requires engagement across the healthcare system with co-ordination that involves relevant stakeholders.

2.1.23 The investigation has identified that:

• There is an opportunity to improve safety activities in healthcare to increase proactivity and coordination across and within organisations.
• In other safety-critical industries an SMS is mandated in regulation, but healthcare organisations are not required to have all four areas of an SMS.
• There is an opportunity to improve standardisation in the coordination of safety activities within and between different organisations across healthcare, in terms of how risks are escalated and managed.
• An effective safety system and culture requires a shared understanding of safety management principles.
• There is variability in the current language and definitions that describe the safety activities, functions and processes already common across healthcare.

HSSIB makes the following safety recommendation

Other safety-critical industries

2.2.1 The investigation found that lines of safety accountability are clearly defined in other safety-critical industries using an accountability framework which is specified in industry regulations. For example, the European aviation regulator sets out that:

‘… the operator shall establish, implement and maintain a management system that includes clearly defined roles of responsibility and accountability throughout the operator, including a direct safety accountability of the accountable manager.’

(Commission Regulation (EU) No 965/2012, 2012)

An accountable manager is a single individual who is designated as the person responsible to a regulatory authority in respect of the functions which are subject to regulation (Skybrary, 2023).

2.2.2 The Health and Safety at Work Act (1974) defines a duty holder as a person ‘who has, to any extent, control of premises, who may be an identified person with a specific responsibility within an organisation’.

2.2.3 The Defence Aviation Duty Holder Article (Regulatory Article (RA) 1020, 2014) provides a practical example of a multi-level accountability framework. The Article explains that:

‘… aviation duty holders are nominated at three different levels in each service: senior, operating and delivery. The senior level duty holder (SDH) is personally legally responsible and accountable for ensuring that an effective end to end SMS is resourced, implemented, and appropriately managed. The operating duty holders (ODH) and delivery duty holders (DDH) are both operators who are personally legally responsible and accountable for the safe operation, continuing airworthiness and maintenance of the air systems.’

(Regulatory Article (RA) 1020, 2014)

The operating and delivery duty holders have similar accountability, but the main differences are the levels of risk they can hold: ODH high, and DDH low to medium.

2.2.4 Similarly, the rail industry’s risk model (see 1.4.3) states that the:

‘… organisation is structured to implement its policies, strategies and plans into practice … this means, clear delegation of roles, responsibilities, authorities and accountabilities for health and safety are aligned and integrated into the operation of the organisation … [and] the roles of risk owners and advisers are clear.’

(Office of Rail and Road, 2019)

Simply put, this is about ‘having the right people, doing the right thing, at the right time.’

(Office of Rail and Road, 2019)

2.2.5 It was clear from interviews with safety leaders in other safety-critical industries that the regulatory requirements for defined roles of accountability guide how organisations escalate and manage risks in their everyday work. For example, a safety leader in a rail operator told the investigation that “risks will be escalated upwards to the person who is most able to deliver it. If it is a local risk, it will go to the local manager. If it is a more system-based risk, it would go to the Operations Director”. A safety leader in an airline told us that “there are formal mechanisms for these activities to be discussed, such as Safety Action Groups”.

Healthcare

2.2.6 There is no multi-level accountability framework in healthcare that specifies who should be responsible for the management of different types of patient safety risks. There is accountability as specified by CQC regulations (Care Quality Commission, 2014) that require the existence of a '[nominated individual] who is responsible for supervising the management of the regulated activity'. This includes oversight of governance and safety.

2.2.7 The investigation heard from several healthcare organisations that ‘safety is everybody’s responsibility and part of the job’. However, without accountability as specified by an SMS, some risks may not be managed and could compromise patient safety. There was strong consensus from safety leaders in other safety-critical industries that effective safety management is only possible when there is a clear accountability framework that underpins the process.

2.2.8 In healthcare, NHS England told the investigation that developing accountability frameworks may be more of a challenge. The regulatory landscape is more complex in healthcare than in many other safety-critical industries, with several regulators. Accountability for safety issues may overlap across multiple agencies which creates tension (Oikonomou et al, 2019).

2.2.9 Required safety activities can cross many organisations or departments (such as in a hospital). If they are not co-ordinated, gaps can appear when accountability and responsibility frameworks do not align. These gaps in accountability and responsibility may have serious consequences.

“System weaknesses may develop because of decisions and non-decisions that accumulate over long periods of time; because responsibility and authority for coordinating action to correct structural deficiencies is diffused, confused or absent; and because a profusion of localised practices and components erode the integrity and functioning of the system as a whole.”

(Dixon-Woods and Pronovost, 2016)

2.2.10 Integrated care systems (ICSs) bring together providers and commissioners of NHS services across a geographical area to plan care to meet the needs of the people in that area (The King’s Fund, 2022). An ICS aims to join up hospital and community-based services, physical and mental health, and health and social care to improve long-term outcomes and minimise inequalities. This is to reduce organisational autonomy, which is thought to have led to failures in care associated with long-term health outcomes and inequalities (The King’s Fund, 2022).

2.2.11 ICSs are required to have a designated executive clinical lead for quality, including safety, in the ICS, and clinical and care professional leadership. However, the Patient Safety Learning report suggests that there is:

‘… not clear guidance or support to ensure that ICSs treat patient safety as a core purpose of healthcare. We believe they need to have specific aims for reducing avoidable harm and improving patient safety. There also needs to be clarity on where the patient safety role of ICSs fits into the wider healthcare system. The landscape of organisations with patient safety roles and responsibilities in England is fragmented and lacks coordination, often ill-suited to tackling complex systemic challenges to patient safety. We believe that the Department of Health and Social Care and NHS England need to consider how to better join-up this system, to promote cross-organisational working, coordination and ultimately reduce avoidable harm.’

(Patient Safety Learning, 2023)

2.2.12 Safety leaders in NHS England told the investigation that NHS England’s operating model for quality promotes collaboration across healthcare providers to improve the quality of care that people receive across pathways and services. A previous Healthcare Safety Investigation Branch (HSIB) investigation found that management systems, including risk, quality and financial management systems, are not linked nor are they set up to improve safety (Healthcare Safety Investigation Branch, 2022b).

2.2.13 Many safety risks go beyond organisational boundaries and may not be monitored if they involve different core services that are being monitored independently of each other. This is referred to as a gap in regulatory oversight. A previous HSIB investigation into harm caused by delays in transferring patients to the right place of care found that:

‘… each part of the healthcare system manages an individual patient’s risk in isolation. ICB [integrated care board staff said] they are developing the ability of their organisations to manage risks across the system. However, when a patient’s journey reaches the boundary between health and social care, there seems to be an ‘air gap’ where patient safety is not managed in either direction.’

(Healthcare Safety Investigation Branch, 2022a)

Future work will need to explore the applicability of the SMS approach to healthcare and social care. This requires an understanding of how safety issues and risks occurring across healthcare and social care could be identified and then managed through an SMS approach.

2.2.14 The investigation has identified that:

• For effective safety management, clear lines of accountability and responsibility are needed. Within an SMS, everyone has some measure of responsibility, such as reporting unsafe conditions. Accountability takes responsibility to another level. When someone is accountable, they are responsible for systems and processes that assure safety.
• If there is no co-ordinated approach in place, accountability and responsibility can become misaligned, leading to gaps in the oversight of safety management.
• While there are clear accountabilities for safety at provider level through the Care Quality Commission regulation, there is no multi-level framework that specifies who should be accountable for the management of safety risks across the healthcare system.
• There is consensus within other safety-critical industries that effective safety management is only possible when there is a clear accountability framework that underpins the process.

HSSIB makes the following safety observation

Other safety-critical industries

2.3.1 The investigation was told by regulators in aviation and rail that it is good practice to assess the maturity of safety management in organisations. This goes a step further than the regulatory compliance requirements (described in appendix 2) and promotes continuous improvement. The investigation heard from several safety leaders in rail that the maturity assessment tools (such as those in the rail industry’s RM3 risk model – see 1.4.3) have generally been developed by the industry regulator in collaboration with industry partners. They are used to guide good practice in safety management to help assess and improve safety maturity. A regulator in rail explained how, in contrast to compliance audits, “the maturity assessments are not pass/fail and are not used in a punitive way”.

2.3.2 The investigation observed that safety management maturity tools may be applied by the regulator at the level of an individual organisation to track progress over time, or to measure the range of practices within an industry. Similarly, an organisation may form a view of their own safety management maturity, using the tool to monitor their progress and identify features they would need to develop or improve to mature further. They may also share maturity assessments among peer organisations, providing a common framework for comparing and sharing safety management practices.

2.3.3 The rail industry uses the RM3 model to identify the steps to evaluate an organisation’s progress through five levels of maturity, from ‘ad-hoc’ to ‘excellence’ (see table 1). The tool identifies the functions, people and roles needed to enhance safety management practices. There are descriptors to guide organisations to make accurate assessments.

2.3.4 The investigation heard from a Safety Director in the rail industry that duty holders have welcomed the tool. In rail, the term ‘duty holder’ may apply to railway operators such as infrastructure managers, freight and train operating companies and contractors who have responsibilities under health and safety law.

2.3.5 The Safety Director told the investigation that “the philosophy of RM3 is to create structured meaningful conversations about trying to improve the system” and “the tool offers an opportunity to develop good practice”.

2.3.6 The investigation also heard that there is variation in how the maturity tools have been used. The Safety Director in rail told the investigation:

“… how it is used can be frustrating … it is about improving the rigour of [maturity] assessments and getting meaningful [safety] plans and making sure plans are executed. Where it didn’t work well was where there was an executive drive to change the management system which ended up going down the wrong path too quickly … it took 6 months to get into a better place.”

2.3.7 Other safety leaders have shared more cautionary examples, one stating that “it isn’t about building a separate system; it’s about building around the existing work practices, so staff understand how it works”.

2.3.8 The investigation heard from regulators in other safety-critical industries that it is important that the regulator understands SMS principles, continues to adapt their approach as implementation matures, and that a regular exchange of meaningful information takes place between the regulator and the service providers. The investigation also heard that the industry regulator itself needs to have a systems approach to safety management.

Healthcare

2.3.9 The CQC told the investigation that it is one organisation that could develop the necessary oversight of safety co-ordination activities across health and social care. It explained that healthcare providers should already have systems in place to manage safety and because of the space in which it operates, the CQC would be able to evaluate how these systems are set up.

2.3.10 The CQC told the investigation that it has developed interim guidance to assess ICSs, which builds on the Single Assessment Framework that has been developed for healthcare providers (Care Quality Commission, 2023; 2022). The scope of this interim guidance includes the assessment of safe and effective staffing, workforce planning across the system, equity and access, and safety outcomes.

2.3.11 Safety management across the healthcare system goes beyond the remit of the clinical governance frameworks that are used by healthcare providers. This is because of the need to identify and manage risks that arise as patients move between providers, and the risks associated with accessing timely and appropriate care.

2.3.12 The investigation heard that there is currently limited data available to ICBs to enable them to collate information about safety risk priorities across the healthcare system in their area. Learning from Patient Safety Events (LFPSE) aims to improve how data is shared including risks across the healthcare system to support ICBs to have the data they need for their role.

2.3.13 The investigation found that experience from other industries has shown that SMSs are not implemented in a single step but are developed using an incremental process. This approach would need to be reflected in the development of assessment approaches. In healthcare, assessment would also need to evolve as principles of SMS are embedded.

2.3.14 The investigation has identified that:

• The term safety maturity is used to describe how far an organisation has developed and embedded its SMS.
• Existing maturity frameworks in healthcare do not promote the principles of SMSs, do not define the key components of a healthcare SMS, and do not provide organisations with a road map for incremental development of their safety activities.

HSSIB makes the following safety recommendation

The investigation explored the use of safety management systems (SMSs) and identified three key opportunities for an organised approach to safety management that takes into account all the elements that make up the healthcare system:

SMS development in healthcare

• There is an opportunity to improve safety activities in healthcare to increase proactivity and coordination across and within organisations.
• In other safety-critical industries an SMS is mandated in regulation, but healthcare organisations are not required to have all four areas of an SMS.
• There is an opportunity to improve standardisation in the coordination of safety activities within and between different organisations across healthcare, in terms of how risks are escalated and managed.
• An effective safety system and culture requires a shared understanding of safety management principles.
• There is variability in the current language and definitions that describe the safety activities, functions and processes already common across healthcare.

Safety accountability frameworks across healthcare

• For effective safety management, clear lines of accountability and responsibility are needed. Within an SMS, everyone has some measure of responsibility, such as reporting unsafe conditions. Accountability takes responsibility to another level. When someone is accountable, they are responsible for systems and processes that assure safety.
• If there is no co-ordinated approach in place, accountability and responsibility can become misaligned, leading to gaps in the oversight of safety management.
• While there are clear accountabilities for safety at provider level through the Care Quality Commission regulation, there is no multi-level framework that specifies who should be accountable for the management of safety risks across the healthcare system.
• There is consensus within other safety-critical industries that effective safety management is only possible when there is a clear accountability framework that underpins the process.

Safety maturity assessments across the system

• The term safety maturity is used to describe how far an organisation has developed and embedded its SMS.
• Existing maturity frameworks in healthcare do not promote the principles of SMSs, do not define the key components of a healthcare SMS, and do not provide organisations with a road map for incremental development of their safety activities.

Future work will need to explore the applicability of the SMS approach to healthcare. This could involve:

• mapping current safety management activities in healthcare to SMS principles and identifying opportunities for improvement
• determining if planned and ongoing changes to the way safety is managed in healthcare would be usefully guided by SMS principles
• further understanding how an accountability framework would support an SMS approach in healthcare
• understanding how safety issues and risks for inclusion health groups are identified and then managed through an SMS approach.

If improvement opportunities are identified, work would need to establish how SMSs in healthcare could be appropriately and effectively implemented.

HSSIB makes the following safety recommendations

HSSIB makes the following safety observation

This investigation aims to share the principles of safety management systems (SMSs) and to see if and how these could be applied to healthcare by:

• identifying the requirements for SMSs
• exploring the potential role for SMSs in healthcare
• exploring how SMSs could better support everyday work within healthcare.

Through interviews, it sought the views of three broad groups of stakeholders:

• those from other safety-critical industries with experience and day to day operational involvement with SMSs
• academics who have published research into how SMSs could potentially improve system safety in healthcare
• those working in healthcare and patient safety.

Table 2 presents an overview of the people interviewed and their associated industry.

The hour-long interviews followed a semi-structured format tailored to the interviewees’ backgrounds.

This section describes how some other industries have set up a safety management system (SMS). This has typically involved collaboration between the regulators and multiple organisations over several years to develop regulations, standards, and good practice to assure safety management practice across an entire industry.

The key is collaboration and the commitment to work together to build on existing foundations to ensure continuous improvement. These industries have spent many years developing their SMSs and they are still evolving to this day, responding to revisions to legislation and moving to integrated management systems – the next iteration in safety management practice (International Civil Aviation Organization, 2018).

European legislation on SMSs

European legislation sets a requirement for duty holders to have an SMS. In this context the term ‘duty holders’ means railway operators such as infrastructure managers, the freight and train operating companies who have responsibilities under health and safety law. The regulator requires organisations to have an SMS in order to grant them authorisation to operate. The legislation defines the required elements of the SMS across European duty holders. This legislation is contained in the European Railway Safety Directive (Directive 2016/798) which aims to improve railway safety by establishing a common approach to safety management.

Certification for Railway Undertakings or authorisation for Infrastructure Managers of their SMS is mandatory. National Safety Authorities (NSA) have the obligation to continuously supervise the adequate implementation of these SMS.

The legislation establishes requirements for an SMS that:

• is formally documented
• identifies safety responsibilities
• defines arrangements for controlling safety
• involves staff at all levels
• achieves continuous improvement
• specifically considers human and organisational factors, alongside technical and engineering safety.

The legislation also requires that the SMS includes the following elements:

• safety policy
• safety targets
• standards
• risk evaluation and control
• training and competence
• safety information and communication
• documentation of safety information
• accident and incident reporting and investigation
• emergency management
• internal audit.

A key feature of the legislation is that it aims to harmonise SMS approaches between organisations across Europe. This allows mutual recognition by parties who must work together to deliver safe service (a concept known as ‘interoperability’). It also allows more efficient implementation by duty holders and supervision by regulators.

In addition, the European Union Agency for Railways (ERA) also provides a range of support to harmonise safety management approaches and drive maturity:

• standards and specifications – the Technical Specifications for Interoperability
• safety objectives and reporting – Common Safety Targets and safety indicators across Europe
• safety tools – Common Safety Methods for risk evaluation and assessment (for managing technical change), for monitoring (for organisations to monitor and report safety performance) and supervision (for regulatory supervision and oversight)
• SMS guidance.

UK legislation on SMSs

Within the UK, national occupational health and safety legislation applies: the Health and Safety at Work Act (1974) and management regulations.

The Railways and Other Guided Transport Systems (Safety) Regulations (ROGS) (2006) set out legislation specific to the rail industry. The legislation transposes the European legislation, including the SMS requirements and Common Safety Methods, into UK law. The UK rail industry will continue to apply this framework after the withdrawal from Europe to benefit from harmonisation, though it may begin to diverge in certain aspects in the future.

The UK rail industry has a regulator, the Office of Road and Rail (ORR). The ORR authorises UK rail organisations to operate on the basis of the SMS, which is subject to reauthorisation approximately every 5 years. The effectiveness of the application of the SMS by the duty holder forms the basis for ongoing regulatory supervision and inspection. The ORR also applies its own safety maturity model, RM3, to provide a framework for SMS maturity assessment by the regulator, and self-assessment by duty holders. The RM3 is described further in the main body of this report (see 1.4.3).

International legislation on SMSs

The International Civil Aviation Authority (ICAO) is a United Nations agency, established to help countries share their skies to mutual benefit (International Civil Aviation Organization, 2023). It is a standards agency that has an important role in co-ordinating aviation safety at an international level. The ICAO Council adopts Standards and Recommended Practices (SARPS) to achieve the highest practicable degree of uniformity in regulations, standards, procedures and organisation to facilitate and improve aviation safety. SARPS are published in the form of Annexes to the Chicago Convention (International Civil Aviation Organization, 1994). The Convention establishes rules of airspace, aircraft registration and safety, security, and sustainability, and details the rights of the signatories in relation to air travel.

The ICAO sets out the requirements of an SMS in ICAO Annex 19 ‘Safety management’ (International Civil Aviation Organization, 2013). Annex 19 was developed with a panel of experts from different countries, known as States, to create a new safety management annex which would consolidate existing and overarching SARPS, with applicability dated back as far as 2001. The Annex is further supported by ICAO Doc 9859 ‘Safety management manual’ (International Civil Aviation Organization, 2018).

Annex 19 supports the continued evolution of a proactive strategy to improve safety performance, in the context of increasing complexity in the global air transport system and the interrelated aviation activities required to assure the safe operation of aircraft. It outlines safety management responsibilities directly applicable to the State, including the SMS requirements that shall be implemented by service providers. A service provider is any organisation that provides aviation services, including operators of aeroplanes or helicopters authorised to conduct commercial air transport, approved training organisations and flight schools, approved aircraft maintenance organisations, aircraft manufacturers, air navigation service providers, and operators of certified aerodromes (airports). It outlines the safety management responsibilities of services providers in an SMS framework. The aim is for States to manage aviation safety in an integrative and focused manner and more effectively manage its resources.

The effectiveness of a State’s safety management activities is strengthened when implemented in a formal way through a State Safety Programme and through SMSs for its service providers. A State’s Safety Programme, combined with the SMSs of its service providers, systematically addresses safety risks, improves the safety performance of each service provider, and collectively, improves the State’s safety performance.

A performance-based approach to safety offers improvements as it focuses on achieving the desired outcome rather than concentrating solely on whether a State is compliant or not. It is important to note, however, that the implementation of a safety performance approach is collaborative as it requires effort on the part of the aviation industry to develop appropriate means to achieve the specified outcomes and, with respect to States, to evaluate each service provider’s approach.

European legislation on management systems

The European Safety Aviation Agency (EASA) is the European regulator in aviation. EASA is an ISO 9001 accredited organisation and the Implementing Rules and standards are based on a 9001 Quality Management framework (International Organization for Standardization, 2015). EASA mandates the requirements of a management system that must include a focus on aviation rules. This regulation is known as ORO.GEN.200 Management System (Commission Regulation (EU) No 965/2012 (2012)) and has the following requirements:

(a) The operator shall establish, implement and maintain a management system that includes:

• (1) clearly defined lines of responsibility and accountability throughout the operator, including a direct safety accountability of the accountable manager;
• (2) a description of the overall philosophies and principles of the operator with regard to safety, referred to as the safety policy;
• (3) the identification of aviation safety hazards entailed by the activities of the operator, their evaluation and the management of associated risks, including taking actions to mitigate the risk and verify their effectiveness;
• (4) maintaining personnel trained and competent to perform their tasks;
• (5) documentation of all management system key processes, including a process for making personnel aware of their responsibilities and the procedure for amending this documentation;
• (6) a function to monitor compliance of the operator with the relevant requirements. Compliance monitoring shall include a feedback system of findings to the accountable manager to ensure effective implementation of corrective actions as necessary; and

(b) The management system shall correspond to the size of the operator and the nature and complexity of its activities, taking into account the hazards and associated risks inherent in these activities.’

UK regulator guidance on SMSs

The Civil Aviation Authority (CAA) is the UK aviation regulator. The CAA has published guidance on SMSs in a document known as CAP 795 (Civil Aviation Authority, 2015). This document meets ICAO Annex 19 (International Civil Aviation Organization, 2013) requirements and is a UK CAA alternative means of compliance for the EASA management system requirements in respect of safety management. The guidance has been developed to give sufficient understanding of SMS concepts and support the development of management policies and processes to implement and maintain an effective SMS. It applies to Air Operator’s Certificate (AOC) holders, continuing airworthiness management organisations, maintenance organisations, air navigation service providers, aerodromes and approved training organisations.

Safety management goes beyond compliance with prescriptive regulations, to a systematic approach where potential safety risks are identified and managed to an acceptable level. SMS adopts a business-like approach to safety, similar to the way that finances are managed, with safety plans, safety performance indicators and targets and continuous monitoring of the safety performance of the organisation. It enables effective risk-informed decision making across the business.

It is important to recognise that an SMS is a top-down driven system, which means that the accountable manager of the organisation is responsible for the implementation of and continuing compliance with the SMS. Without the support and ownership of the accountable manager the SMS will not be effective. However, safety is a shared responsibility across the whole organisation and needs the involvement of all staff.

There is not a ‘one size fits all’ model for SMSs that will cater for all types of organisations. Organisations may tailor their SMS to suit the size, nature and complexity of the operation, while still demonstrating compliance with the four areas of an SMS.

The Health and Safety Executive has published guidance (Health and Safety Executive, 2001) to help duty holders comply with the Control of Major Accident Hazards (COMAH) regulations (Health and Safety Executive, 2015). The purpose of the COMAH regulations is to prevent major accidents involving dangerous substances and limit the consequences to people and the environment of accidents which occur. Oil, gas and petrochemical organisations have an inventory of chemicals that fall under the COMAH regulations.

The COMAH regulations mandate that ‘an operator must implement its major accident prevention policy (MAPP) by a safety management system’ (Health and Safety Executive, 2015). The MAPP is a key document. Its purpose is to provide a statement of the senior management’s commitment to achieving high standards of major hazard control. The policies described in the MAPP are put into operation through an SMS. The MAPP should set out the high-level policy. Below this, an SMS is required to implement the policy aims in the MAPP. For a multi-site operator the MAPP might apply to several establishments, but the more detailed SMS documents should be specific to a particular establishment.

The guidance states that the SMS may be integrated within an overall management system which addresses other matters such as quality. Therefore, the approach to developing the MAPP and the SMS may vary greatly reflecting the overall management philosophy, system and culture of the organisation.