siep alarp presentation

Aviation Safety Management Systems
Tony Cramp
Senior Advisor (Americas)
17th May 2005
3/23/2016
File Title
Lafayette
Shell
Aircraft International
Underlying Safety Beliefs
• How many factors need to be removed to prevent the accident? Theoretically only one, but with each factor removed the probability of an accident is lowered
• The fundamental requirements for accident prevention are thus (i) the ruthless hunting out and elimination (the identification and management) of risk factors and (ii) using systems of work that are inherently safe
• Everyone can contribute to causing an accident; we can also contribute to preventing one
• A fundamental requirement for this is effective collaboration between line personnel and ‘management’
• These are 3rd Generation Safety beliefs
Safety Paradigms: 3rd Generation
• Safety is a corporate value. Safety practices consider the organization’s particular “way of doing business” as well as corporate’s possibilities and constraints. What works well for one airline does not necessarily work equally well for others.
• Accidents are caused by systems flaws. The failures observed at the “front end” of aviation operations are considered symptoms of deficiencies in the architecture of the aviation system.
• Human error as a symptom. Error is accepted as a normal component of human performance, unavoidable but manageable. Human error is a clue, which indicates where the safety investigation process must begin rather than end.
• Proaction. Attention is focused on the processes incurred by the aviation system, regardless of the outcome of these processes.
Safety Paradigms: 3rd Generation
The finding of ‘human error’ should be the starting point of an investigation, not
its conclusion
Defences in Depth
If we have these beliefs then the foundation of a strategy for
preventing accidents would be to introduce controls at
Organizational (Systemic), Team and Personal levels so as to
achieve Organizational defenses in depth:
A Systemic approach to the management of safety:
Safety Management Systems
Safety Management Systems
The formal goals of an SMS are as follows:
• To produce fully airworthy aircraft, in a safe working environment, that are subsequently operated safely
• To ensure and demonstrate that safety is being managed as formally as any other critical business function
• To ensure and demonstrate that the Organization is ‘responsible’ and exercising ‘due care’ (the counter to offence of ‘Corporate Killing’)
But what is the bottom line?
SMS is Not New!
• The concept and practice of ‘System Safety’ was first introduced consequent to the Apollo 204 pad fire in 1967 and has been embedded in engineering ever since.
• The Basic Principles of ‘System Safety in Engineering’ are:
– The assurance of safety is gained through the competence and safety-orientated procedures used by each individual engineer, however:
– In complex systems it is easy to ‘overlook the wood for the trees’: there must be an autonomous, safety oversight process that has the ‘big picture’ and a ‘watchdog’ function, and:
– There must be a system enforcing the effective communication of safety-critical information, and:
– There must be a ‘Facilitative function’ that ensures hazard identification and resolution
This engineering / astronautics approach then migrated into the Nuclear, Maritime, Rail, Oil/Chemical industries and has shown considerable benefits
SMS in Aviation: The Challenge
• Aviation is lagging some 15 years in implementing formal SMS: flight operations are already heavily regulated and traditional Flight Safety methods have a high degree of effectiveness
• SMS has been developed primarily outside of aviation: past experience, e.g. CRM and QA, shows that systems from outside are not always introduced correctly or tailored correctly to aviation culture
• Have to get past the SMS language used by other disciplines, mainly the ‘speak’ of HSE and Quality Assurance
• BUT: SMS is rapidly becoming a Regulatory requirement (UK CAA, Transport Canada, FAA moving in this direction etc) as well as a Customer requirement (Shell, ExxonMobil)
• The challenge is to take the benefits of SMS distilled to date and adapt and apply them to aviation in such a way that SMS is accepted and is demonstrated to add value
SMS Primary Components
Accident cause #1. Inadequate Procedural Baseline
SMS Primary Components
① Procedural baseline to assure safety in work: Ops Manual, GMM/MPM, Ramp Procedures, Fuel Quality, OSHA Compliance
SMS Primary Components
The manual forms a ‘road map’ and has an integrative function; if the SMS Manual consists of a template of the ‘ideal’ system, then it can be used for both assessment and development purposes
② SMS Manual
① (Full spectrum of policies, procedures, methods, practices to assure safety in work)
The SMS Manual can be written bottom-up or, preferably, as a template ‘top-down’, which gives the big picture and highlights any major ‘holes’ in SMS Component #1
Any holes?
SMS Primary Components
X Cause #1. Inadequate Procedural Baseline
Cause #2. Uncontrolled Hazards
SMS Primary Components
③ Safety Management Program
② SMS Manual
① Procedural baseline to assure safety in work
Systems are for People?
“Even the most well-considered safety
system can be wrecked by the idiosyncratic
behaviour of a single individual”
SMS Component #3: Safety Program Management
1. Proactive Safety Management
• Encouraging and developing Management commitment
• Creation of a Safety Culture
• Safety structure and resources, committees and meetings
• Ongoing hazard identification and management (HEMP)
• Safety education (training, information dissemination)
• ‘Watchdog’ function
2. Reactive Safety Management
• Occurrence investigation (‘occurrences’, incidents, accidents)
• Data analysis
• Continuous learning
SMS Primary Components
④ Safety Case
③ Safety Program Management
② SMS Manual
① Procedural baseline to assure safety in work
SMS Component #4: The Safety Case
1. A Safety Case is a formal, organizational risk management exercise conducted proactively (e.g. prior to contract launch), or reactively (e.g. to gain control over the risks in current operations)
2. An aviation ‘Safety Case’ is defined as “The documented description of the major hazards that the aircraft operator faces and the means employed to control these hazards”
3. As opposed to the SMS Manual, which gives ‘big picture’ inputs, a Safety Case gives detailed inputs into the procedural baseline. It identifies individual controls required.
4. A Safety Case is a specific application of the HEMP
5. A safety case functions at Management, Supervisor and Line levels: a Living document.
SMS Primary Components
X Cause #1. Inadequate Procedural Baseline
X Cause #2. Uncontrolled Risk Factors / Hazards
Cause #3. Failures in Communication
SMS Primary Components
⑤ SIS
④ Safety Case
③ Safety Program Management
② SMS Manual
① Procedural baseline to assure safety in work
Safety Information System
1. The fifth primary element is the Organization’s ‘Safety Information System’ (SIS)
2. Several studies have shown that in the vast majority of (aircraft) accidents there was always a piece of information available somewhere that, had it been in the right place at the right time, the accident might well have been prevented
3. A SIS may take a variety of forms, from the basic verbal / written communication of safety information across the organization to sophisticated company ‘intranets’.
Examples:
• Hazard report forms
• Regular safety meetings, with minutes recorded and distributed
• Company newsletters
• Effective, updated notice boards
• Intranet employee notices
SMS Primary Components
X Cause #1. Inadequate Procedural Baseline
X Cause #2. Uncontrolled Risk Factors / Hazards
X Cause #3. Failures in Communication
Next Challenge!
• How to integrate these components:
Integrating Principles
1. After 200 years of industry and 100 years of flight surely there must be a package of elements or principles that if applied will give a high level of assurance of safety?
2. Currently, there is agreement that these elements and principles are best described in systems developed by the science of ‘Quality Assurance’
3. The most current definition of an SMS is thus:
• ‘A system for the proactive management of safety that is appropriate to the Operator’s size and complexity and integrates operations, maintenance, human resources and finance and draws upon quality principles’
SMS Primary Components
⑥ Quality System
⑤ SIS
④ Safety Case
③ Safety Program Management
② SMS Manual
① Procedural baseline to assure safety
A Typical Safety-Orientated ‘Quality’ System
[Diagram labels: Plan; Do; Check; Feedback; Principles & Policy; Strategy; Objectives; Targets & Plans; Standards; Culture; Accountability & Competence; Product Management; COMMUNICATION; Incident Reporting; Risk Assessment; Hazard Management; Monitoring; Audit; Review; Investigation & Follow-up; Remedial Action; Management Review; Customer Satisfaction]
SHELL ‘Model’ HSSE-MS Elements
SMS Summary
⑥ Quality System
⑤ SIS
④ Safety Case
③ Safety Program Management
② SMS Manual
① Procedural baseline to assure safety
See ‘Model Manual’
33 Sub-Elements
SMS Booklet
Hazards, Incidents, Accidents
Byrd’s Triangle
Eliminate hazards and you will
eliminate accidents
1 Accident
10 Incidents
600 Hazards
Hazard Identification: Fundamental Requirements
1. The fundamental requirements for effective hazard identification are:
» To get past perceptions and to quantify wherever possible
» To tap into the vast reservoir of knowledge that exists within Aviation and other complex industries
» To ‘think outside the box’
» Be paranoid: believe everything and believe nothing: continually test for the truth
Which hazards?
[Diagram labels: Aviation Safety Case; Major Aviation Safety Hazards; Type Specific Hazards; Company Specific Hazards; Generic Aviation Safety Hazards; Operation Specific Hazards; Location Specific Hazards; Generic HSE Hazards; Significant Workplace Hazards; Workplace Safety Procedures (Defined in HSE-MS)]
Primary Sources for Identifying Hazards
[Diagram labels: Hazard Register; Safety Critical Processes; External Sources; Internal Sources; Formal Hazard Models]
Hazard and Effects Register
Note: Use this control sheet, one for each hazardous event, to summarise the key information of the worked Hazardous Event normally held electronically in full detail in an Excel Document
1. Hazard:
2. Hazard Reference and Description:
Prepared by:
Custodian:
Authorized by:
Rev No:
Date:
3. Status of the hazardous event at the time of the risk assessment:
4. Activities in which the Hazardous Event may occur: 4.1, 4.2, 4.3
5. Remedial Actions Raised: a. to f.
6. Hazardous Event:
7. Location:
8. Threats and Threat controls, 9. Escalations and escalation controls, 10. Recovery from Hazardous Event, 11. Escalation and Escalation controls – See appropriate Excel document. Document Reference No:
12. Risk Assessment: People, Environment, Asset, Reputation
13. Consequence associated with hazard release:
14. Mitigation from consequences:
15. Accountable Line Management Sign-off having accepted current status:
Line Department:
Name:
Signature:
Date:
Risk Analysis Process
– When identified and objectively analyzed, each hazard shall be subjected to a risk analysis. This shall be accomplished by using a risk matrix of a format commonly found in the industry
– The matrix is self-explanatory and even though some of the aspects may well be subjective, it at least allows the partial quantification of risk factors.
– The hazards are then ranked in terms of the rating obtained by use of the matrix
– In terms of the Shell model, all hazards ranked as ‘intolerable’ shall be subjected to a ‘bow-tie’ analysis.
The Risk Grading (Threat Analysis) Matrix
The ‘Bow-Tie’ Process
The Bow-Tie Process
For those hazards assessed as being ‘Intolerable’, develop ‘controls in depth’ as follows:
1. Identify the Threats that might release the hazard
2. Identify Controls to contain the Threats
3. Identify factors that could prevent the Controls from being effective: Escalation Factors
4. Develop controls to contain the Escalation Factors: Escalation Controls
5. The hazard is released, but its consequence has not yet occurred: what controls make detection and recovery possible: Recovery Measures
6. Identify Escalation Factors hampering detection and recovery
7. Identify a final layer of Escalation Controls
8. Identify measures to mitigate the effects of the Consequence
[Diagram: THE BOWTIE. Labels in order: HAZARD; THREAT; CONTROL; ESCALATION; CONTROL; Hazardous Event; RECOVERY; ESCALATION; CONTROL; CONSEQUENCE; MITIGATION MEASURES]
THE BOW-TIE
Hazard: TIGER
Threat: Cage Door Locking System
Control: Twin Locks & Warning Lights
Escalation: Unserviceable Warning System
Control: Records & Maintenance
Hazardous Event: Tiger out of the Cage
Recovery: Shoot Tiger, or drive back in cage
Escalation: Miss Tiger, or Tiger Evades Keeper
Control: Competent Keepers
Consequence: Tiger Bites Keeper
Mitigation: Effective Emergency Response Plan
THE BOW-TIE
Hazard: PEOPLE
Threat: Errors, Mistakes, Violations
Control: Competence, Procedures, Systems
Escalation: Non Compliant Practice
Control: Monitoring and Feedback
Hazardous Event: Human Error: Inappropriate pilot control input
Recovery: Make corrective control selection
Escalation: Input cannot be made in time
Control: Competence & Awareness
Consequence: Aircraft Crashes
Mitigation: Effective Emergency Response
Percentage of Accidents Reported in NASA Study Preventable by Individual Mitigation Measures
[Bar chart. Measures: Late FAR 29/Enhanced Handling; FFS Training + CRM/LOFT; OC/QA/SMS; HUMS/VHM; HOMP/FOQA; Perf Class 1/2e; EGPWS/TCAS; Tail Rotor Impact Warning. Annotations: ‘Seven Key Initiatives’; ‘Requires development work’. Horizontal axis: Percentage accidents prevented, 0.0 to 35.0]
So What is an SMS?
1. An SMS is a suite of standards, policies, procedures, practices etc that will assure the safe and effective execution of work (‘Quantitative’ Quality elements)
2. An SMS contains a structure for dynamic and flexible identification and control of risk to ALARP (‘Quantitative’ procedures and methods for the proactive management of safety: safety cases). This includes the requirement for a Safety Information System.
3. An SMS requires the application of Human Factors: communication, leadership and followership, conflict management, cultural aspects, motivation & commitment (‘Qualitative’ elements)
4. An SMS should encompass flight safety, ramp and maintenance safety, industrial (workplace) safety, occupational health, environmental protection and security
5. An SMS Manual should give the ‘big picture’ regarding safety management in the organization
Conclusion
• SMS is not a magic bullet: it is a set of tools and guidelines that, if tailored to the Organization and diligently applied, will reduce the probability of an accident to a level that is as low as is reasonably practicable (ALARP)
• Apply these tools and guidelines and you will have done all that can be reasonably expected of you as aviation professionals and as a ‘responsible operator’
QUESTIONS