Justification Of Processes

Justification Of Processes

By OffRoadPilots

On March 10, 1988, an aircraft crashed shortly after takeoff during winter condition operations. Air Ontario Flight 1363 was a scheduled Air Ontario passenger flight which crashed near Dryden, Ontario, on 10 March 1989 shortly after takeoff from Dryden Regional Airport. The aircraft was a Fokker F28-1000 Fellowship twin jet. It crashed after only 49 seconds because it was not able to attain sufficient altitude to clear the trees beyond the end of the runway, due to ice and snow on the wings.

At that time there were no regulated safety management system (SMS) in place and the accident generated several safety improvements and operational changes to aviation. A question to ask is if the same accident could happen today with an implemented and operational SMS. SMS is not a system that is dependent on a specific person in charge but is reliant on processes. If processes are incomplete, then the same type of accident could happen again today with an SMS. Prior to SMS became the regulatory requirement for safety in operations, safety was absolutely dependant on individuals and their opinions. Conventional wisdom within the aviation industry is if the individual in charge of the crashed Dryden airline had not left their position, the accident would have been avoided. This is of course speculations, and speculations does not have a place for the safe operations of an aircraft or airport.

Winter, snow, ice, and runway contamination seem so far away when it is in the middle of summer and hot weather. The Drayden accident happened in the month of March, which is towards the end of winter many places in the Northern Hemisphere. The pilots had flown many snowy days during their last few months of work. When they came to work that day, they expected to complete their runs on time and rest for their next duty day. There was nothing unusual about this trip until the flight crew departed with snow on their aircraft. Just a few years later Air Florida crashed into the 14th Street Bridge over the Potomac River. The aviation industry had not learned their lessons from the Dryden accident.trap for airlines and airports with an SMS is to expect that they need to be perfect and extreme proficient in their operations and have zero accidents goals and to stay safe. This leads to tampering with processes, or over controlling of processes by adjusting the aiming point after occurrences. When a stable process is adjusted to correct a result that is undesirable, or for a result that is extra good, the output that follows will be worse than if he had left the process alone. When a process is centered on target and is in state of statistical control, any adjustments to the process only increase variation.

There is a heavy load of responsibility on the accountable executive (AE) after an accident, but when accidents are of the magnitude of Dryden or Potomac River accidents, their responsibilities just quadrupled. Recovery from accidents is not just to say or post the right words, it is to build back trust with the regulator, aviation industry and the flying public. One of the responsibilities of an AE is to ensure that the person managing the safety management system performs the duties. An SMS manager is responsible for monitoring the concerns of the civil aviation industry in respect of safety and their perceived effect on the certificate holder, being airline or airport. After a sever accidents social media ratings for an airline or airport operator involved may plummet within hours.

The fact that a captain of an aircraft is the final decisionmaker for safety in operations, there are additional responsibilities for airport operators with an approved safety management system to perform their role to ensure that their airport is suitable. Before taking off from, landing at or otherwise operating an aircraft at an aerodrome, the pilot-in-command of the aircraft must be satisfied that the aerodrome is suitable for the intended operation. Available airport information for pilots is recorded in an airport operations manual (AOM). An AOM contains information about paved and dry movement area surfaces and includes references to airside operations plans when there are deviations from AOM recordings. Where there are deviations, an airport operator is required to publish a NOTAM. A winter operations plan must include procedures for publishing a NOTAM in the event of winter conditions exists that are hazardous to aircraft operations or affect the use of movement areas and facilities. An airport has multiple options when publishing a NOTAM. They could publish that the runway is ice covered, that it is covered with slush, that snow clearing is in progress, or that the runway is closed. An airport operator may close the runway that is covered with slush, ice or snow since their obligations as an operator is to inspect the airport for hazards to aviation safety, and when slush, ice or snow are identified, there are hazards to aviation safety. A justification for maintaining such runways active may be to move aircraft to avoid congestion. It is also a role for an SMS manager to determine the adequacy of training required for airside personnel. Since an airport operator is required to inspect

for hazards, they are also required to train airside personnel to learn what hazards they are looking for, and how airside personnel justify their decision that slush, ice, or snow-covered runways are hazardous to aviation safety. Decisions made by an airport operator is a required tool for an airline captain to determine if the airport is suitable for their type of aircraft operations. An airport operator who does not comply with notification about hazardous operations environment is a concern to the aviation industry and requires an SMS manager to implement corrective action plans.

Everything changed with implementation of a regulatory required SMS. Rule of thumb in the old safety world was that if it was not stated in the regulation as a requirement, the task was not required to be done. With an SMS the rule of thumb is that since a task is not stated in the regulatory text is the very same reason why an airport operator or airline must do what it takes to ensure safety. Regulations are just not broad enough to cover each acceptable work practice, procedure, process, policy, or standard. In ICAO states, flight crew are still charged with criminal intent after accidents. A non-punitive reporting policy is not necessarily accepted by the local authorities. On a clear and calm day November 1, 2022, a helicopter crashed and fatally injured all passengers shortly after takeoff. The helicopter pilot was charged criminally, and later the operator was also charged since the helicopter pilot acted on behalf of the operator. The Accident Investigation Board stated that no technical faults had been found that could explain the accident. Without technical fault the only other available justification was to lay criminal charges against pilot and operator since public perception was that someone needed be held accountable. A non-punitive safety policy is far away from a get-out-of-jail free card, but places additional responsibilities on operators and crews to do the right thing when operational tasks are excluded from the text in the regulations.

Taking off an airplane with snow or ice on the wings is one of the very first thing a new pilot learn, but for some reasons this basic knowledge is forgotten. Several years ago, a Cessna 185 pilot took off with dry snow on the tail surfaces, the tail stalled, and the aircraft pitched up violently to about a 45 degrees angle. The pilot was able to recover and continue the flight, but justification for takeoff by a several years veteran as a bush pilot was based on other priorities than safety in aviation..

Air Ontario justified their takeoff and expected the flight to be normal, and the same for Air Florida and the helicopter. However, all captains had clues presented to them before starting their takeoff run, or prior to rotation, but in their ongoing mental risk analysis they all independently justified their takeoff.

An SMS manager plays a critical role in aviation safety by their roles to identify hazards and carry out risk management analyses of those hazards. These hazards include hazards other than hazard or incident reported to the SMS system but are hazards already known to the aviation industry. Since an SMS manager cannot be onboard an aircraft 100% of the times, at 100% of their locations, and analyse 100% of their risks, an operator must establish a link between the SMS manager’s risk management analyses and their operations. This organizational link is the Director of Operations or Director of Maintenance. Communication of risk analyses results with associated decision-making process are performed by flight following or dispatch, or by maintenance supervisors. For private and smaller operators, such as a helicopter pilot or a small bush plane operator, this link remains with one person, who is the captain of the aircraft.

OffRoadPilots

Could SMS Have Prevented March 27th Disaster?

 Could SMS Have Prevented March 27th Disaster?

By OffRoadPilots

If the safety management system (SMS) of today could have prevented the March 27, 1977, worst aviation accident in history when two B-747 at the Los Rodeos Airport on Santa Cruz de Tenerife is a question without answers. There are no answers since SMS is forward-looking and accidents cannot be predicted until the last few seconds when it is evitable that an accident will occur. At the time of the accident, it was assumed that aviation was operating with safe and fail-free systems, except for pilot errors as the bad apples in the box. Pilot error had become industry acceptable root cause to any accidents. It is unknown when pilot error became the popular root cause solutions, but accident reports since the late 60’s and early 70’s support this as a solution. However, after the June 30, 1956, Grand Canyon disaster, the probable cause of the mid-air collision was not allocated to pilot error, but that the pilots did not see each other in time to avoid the collision due to other multiple factors. Human factors are not the same as human error. Human errors or other negatives are not useful for intervention to improve safety but are symptoms of much deeper cause within systems.

Before we answer the question if an SMS could have saved both aircraft, let’s look at what SMS is.SMS is a system that introduces an evolutionary and is a structured process that obligates organizations to manage safety with the same level of priority that other core business processes are managed. SMS is a structured means of safety risk management decision making, it is a means of demonstrating safety management capability before system failures occur, it is increased confidence in risk controls though structured safety assurance processes, it is an effective interface for knowledge sharing internally and between external organizations, and it is a safety promotion framework to support a sound safety culture an promote business strategies. An effective safety management system is a support system to the business itself just as serval other systems are required to conform to regulatory compliance, to recognize competitors, to maintain business relations and to evaluate processes for effectiveness to meet defined goals.

The four factors of the 1977 disaster that stands out in the accident report are human factors, such as communication and observations, it is organizational factors, such as authority and decision-making, it is supervision factors, such as air traffic services, lights and signage, and environmental factors, such as weather and airport design. These factors combined played their roles in designing, planning and execution of the disaster. At the time when the decision was made to divert all aircraft to Los Rodeos the accident process was put in place.

The first aircraft to taxi was backtracking runway 12 for departure runway 30 and instructed to exit the runway at the 1st taxiway to hold at runway 30 but was later cleared to taxi to button runway 30 for takeoff. The second aircraft was also cleared to backtrack runway 12 but to clear the runway at the 3rd taxiway. After they were lined up on runway 30 the first aircraft received their departure clearance. The second aircraft was still backtracking runway 12 looking for the third taxiway exit when the first aircraft departed runway 30 and an accident was evadible to occur. At the time of accident runway visibility varied between 300 meters to 1500 meters (1000 ft – 5000 ft).

The first task to operate with an SMS is to appoint an accountable executive (AE) to be responsible for operations or activities authorized under the certificate and accountable on behalf of the certificate holder for meeting the requirements of the regulations. An SMS policy includes safety objectives, commitment to fulfill safety objectives, a safety reporting policy of safety hazards or issues, and defines unacceptable behavior. A safety policy must also be documented and communicated throughout the organization. What the safety policy does is to establish the base and foundation to build an SMS, and to plant the seed that safety is paramount. Human factors, organizational factors, supervision factors and environmental factors must be linked to the safety policy to instill process awareness and accountability in all personnel. With a mature SMS it is expected that personnel have learned to consider special operations, such as the combination of hazards with overcrowded airports, low visibility, and more aircraft on the movement area than the airport was designed to support. An SMS in 1977 would include tools to affecting the outcome since the accountable executive appointed by their name takes pride in their roles to be responsible for safety. In addition, and between the airport operator, ATS and the two airlines, there was a tool available to recognize that their SMS includes processes to recognize that a combination of an overcrowded ramp and low visibility is special operations and therefore normal operations processes are invalidated.

A regulatory requirement of an SMS is to adapt to is the size, nature and complexity of the operations, activities, hazards and risks associated with the operations of the certificate holder. Since there were an abnormal level of heavy aircraft and abnormal number of aircraft that day, an SMS applicable to normal operations would be scaled to much smaller operations. If an SMS had been in place on that day, the airport operator or ATS would have had a tool to recognize that their SMS was not designed, or capable of managing the increased traffic volume. Human factors would be affected by communication and observations, organizational factors by authority and decision-making processes, supervision factors by ATS overload compared to normal operations, and environmental factors by weather and airport design. An SMS designed to size, and complexity is essential in a decision making process to establish a limit when the system becomes overloaded. Just as an electric cable is designed for a limited voltage, an SMS is designed for a limited load factor.

A quality assurance program is a requirement to be included in an SMS. A prerequisite to maintain a quality assurance program is operational quality control. If a quality assurance program had been in place at that time, it would have included a daily quality control system where processes are linked to regulatory requirement and safety expectations. In a business transaction cash is counted daily and the same principle applies to a safety management system. Process compliance with regulatory requirement, safety policy and process outcome must be accounted for daily to recognize drift, limitations and volume. An SMS that day would have included tools to capture the fact that runway capacity was overloaded that day.

A safety management system is required to assign duties on the movement area and any other area set aside for the safe operation of aircraft, including obstacle limitation surfaces, at the airport, only to personnel who have successfully completed a safety-related initial training course on human and organizational factors. Airside personnel that day would have been equipped with SMS tools to recognize the overload on human and organizational factors with the increased volume and aircraft size.

An SMS is required to include a policy for the internal reporting of hazards, incidents and accidents, including the conditions under which immunity from disciplinary action will be granted. If an SMS had been in place that day, the flight crew of any aircraft, not just the two involved in the accident, would have been equipped with a tool to recognize hazards and filed hazard reports by telephone or fax. A report is an SMS tool to trigger a reaction to an overloaded airport operations that day.

The accountable executive is the person accountable on behalf of the certificate holder to meet the requirements of the regulations, and compliance with their SMS policy. This position is not a position for the person to be held accountable, or responsible for past incidents, but for the person to maintain oversight and communicate with workers and the regulator on issues and compliances. An SMS is required to include procedures for making progress reports to the accountable executive at intervals determined by the accountable executive and other reports as needed in urgent cases. A report to the AE of low visibility operations, volume and aircraft size is an SMS tool to trigger urgent issues and when reported immediately it is an SMS tool for the AE for action and communication with their flight crew and airport operator.

A quality assurance program is required to be included in the SMS is a function of the SMS to establish policies, processes, and procedures. These processes and procedures are then applied in an operational quality assurance program to perform specific required task. One of the tasks is to perform regular audits. For airports, audits are preformed by checklists of all activities controlled by the airport operations manual. An SMS on March 27th would have included a tool to recognize the excess volume and workload and a trigger for the airport operator to review their activities controlled by the airport operations manual.

The person managing the SMS, which could be the position of an SMS Manager, Safety Officer, or Director of Safety, is required to determine the adequacy of the training required in their safety management system. This training includes indoctrination training, initial training, upgrade

training and annual refresher training. Flight crew or airside personnel received this training would have a tool to recognize hazardous condition and reported it via their SMS process.

The person managing the SMS is also required to monitor the concerns of the civil aviation industry in respect of safety and their perceived effect on the certificate holder, or SMS enterprise. Dispatch for any of the airlines were monitoring diversions and weather conditions with their tools available at that time, and their SMS training would have triggered a report of this abnormal condition to their SMS system, and someone would be required to make a decision if any actions were required, and if these hazards combined were incompatible with the safe operation of an airport or aircraft.

Within an SMS the hazards of March 27th need to be analyzed without knowing, or considering the outcome, but be analyzed as an event in the future based on information available at that time. SMS is unable to establish if an incident will occur or not in the future, and it is therefore impossible to determine if an SMS would have prevented the March 27th accident. On January 13th, 2022 there was a similar incident at JFK airport, except there were no low clouds or fog. The tower could see an aircraft crossing directly in front of a departing aircraft and their takeoff was aborted. On this day, both airlines involved were operating with an SMS, but an SMS did not prevent the incident, and an SMS by itself could not have prevented the Los Rodeos accident without applying tools in the SMS toolbox.

However, on March 27th an SMS would have made available several triggers for flight crews, ATS and the airport operator to pause operations and assess their next step and special cause variations that existed that day. A pause would at a minimum have generated a decision-making process for either the airlines, ATS or the airport operator.

An SMS exposes the “holes in the Swiss cheese”. When the cheese is sliced it exposes the holes within the cheese which comes available to assessed within the context of a system analyses and within observed special operating conditions. Without an SMS there were no triggers, or a person assigned to slice the Swiss cheese on that day, and that is what was missing.

OffRoadPilots