Safety Management System

Why do we need to audit our Safety Management Systems?

Managing risk in an operating facility requires effective systems across the organisation AND performance management measures (such as an SMS audit) to ensure they work. The SMS is ultimately a hierarchy of policies, procedures and execution records, held together by a framework such as this:

SMS levels

Depending on the complexity of our organisation, there may be 3-5 levels, however the principle is the same.  The main aims of an SMS are to implement a plan-do-check-review cycle to all aspects of safety management whether it be related to OHS or process safety. Often Environmental and Health management are blended into this system.

SMS cycle


An SMS would typically cover about 10-15 elements. The above chart is an example  and include scope such as leadership, policies, operations, change management, asset integrity, incident management, contractor management, competency management, emergency response and auditing/review.

Many organisations have procedures (Tier 3 and 4 in above diagram) in place that cover these topics, however is the performance management in place to allow leadership and the board to exercise due diligence over their business? Due diligence is a concept embodied in H&S legislation around the world and covers the following broad areas.

  • Having sufficient knowledge of H&S matters
  • Understanding the hazards & risks associated with the business operations.
  • Having processes in place to manage risk, including making resources available to do so.
  • Established process to respond to information regarding hazards and risks within their operations.
  • There are mechanisms to measure and verify the use of these resources and systems.

Structurally a SMS framework document should include the following within element.

  • Clear accountability
  • Objectives of the element
  • What actual systems are in place to achieve these objectives? (without re-litigating the content of the systems)
  • Performance monitoring and follow-up requirement

It is my opinion that leadership cannot exercise their due diligence requirements without an effective SMS. Over the last 10 years, I have audited and developed several Safety Management Systems varying in scale from small organisations to multinationals. The issues that I have seen broadly fall into 3 camps:

  1. There is no SMS framework. Procedures exist, but there no system to ensure they work and are achieving their aims.
  2. There is a SMS framework, but it is largely a combination of statements of good intent. It is not used to drive performance.
  3. There is a SMS framework, and it is broadly achieving its aims and it is providing a mechanism for the leadership and board to exercise due diligence over the business.

Companies that fall into (1) or (2) tend to have more significant gaps and have limited or ineffective risk management in place. I tend to work in hazardous industries and my focus is often the area of process safety which focuses on high consequence events. There are process safety management model frameworks out there such as the Centre for Chemical Process Safety (US) or the Energy Institute (EI). These are great references to check that your SMS covers elements of process safety or alternatively they can be implemented in their own right (eg large organisations). If your business is exposed to process safety risks, the auditing element which includes auditing & review of your SMS is vital as it represents a key management tool to ensure the performance of your critical controls that prevent these risks from materialising.

A SMS audit requires 4 areas of coverage:

  1. Is it an enabler for performance management and due diligence?
  2. Is it structurally sound and contains the correct elements i.e. aligned with good practice?
  3. Are the procedures developed for each element being complied with?
  4. Are the elements performing i.e. measured results / KPI’s?

To do this, multiple persons may be required in the audit team to ensure competence is in place across the full scope of the SMS. An audit against ISO 45001 often would cover (1) and (2) however this does not mean the SMS is achieving its objectives.  Domain knowledge is also key to (3) and (4) and giving additional value to the process. This involves identifying gaps (against good practice) and recommendations to close them. It is important that all levels in an organisation are involved in an audit such as this, from management to frontline staff. Conversations with leadership will establish if due diligence is being performed/ achieved and the shop floor will help you assess the performance of the elements.

Click here to download our SMS audit checklist.

Download SMS Audit Checklist