Saturday, August 6, 2022

When Safety Gets Involved

 When Safety Gets Involved

By OffRoadPilots

Safety has been involved in aviation since the first flight in 1903 and since then safety result randomly, but without directions, were able to improve. Airlines did what they could to improve safety but were unsuccessful in total elimination of accidents. Over time, as aircraft became larger and more of them at the airports, airside accidents became systemic errors. When operators become overly focused on safety, but they do not know what to do with it, then safety has become its worst enemy. No one wants to expose themselves to danger, but the real hazard when overestimating risks is overcontrolling processes to remain safe. 

Overcontrolling safety is a common reaction to opinion-based root cause analyses. When a root cause is based on preliminary assumptions, there is a strong temptation to overcontrol safety to ensure, in their own mind, that everything possible was done for immediate safety improvements. After a severe aircraft occurrence everyone wants answers, but impatience and instant gratification to find out why an aircraft crashed is a hazard to aviation safety. When the accident investigation process is not understood, management and other positions in an organization who has been assigned safety oversight may demand solutions right now, without knowing all the facts. In support of their demand for a solution, they could make irrational statements with reference to safety, and place blame and responsibilities on lower-level personnel for lack of safety management. A simple solution to protect a high-level position is to play the safety-card. The safety card is played when safety becomes the driving force of operations without considering facts. In addition, the safety card is often played when safety is not defined, measured or when operational pressure is applied from a third party or social media. 


There are no reasons for an immediate finding, cause of accident, or root cause after a single engine aircraft crash, or a large airliner crash. One crash does not render the aviation industry unsafe or demands major changes to operations. If an aircraft crash due to an unreported and unidentified wind share with an extreme change in wind velocity, or an aircraft crash due to contaminated surfaces, there is no justification to cease all aircraft operations, since the aviation industry has already established a track record for being safe. That an investigation is ongoing, and the cause of the crash and root cause are still to be determined, does not imply that an airline must remain idle until an investigation report is published. However, an enterprise is compelled by their accountability to the safety management system to conduct an internal analysis of human factors, organizational factors, supervision factors and environmental factors to determine the factor with highest probability impact on events leading up to the crash. An internal analysis, prior to the final accident report, is a probability analysis as opposed to a root cause analysis. 


There are multiple phases to an aircraft accident investigation. The most common phases are the field phase, the examination and analysis phase, and the report phase. 


In the field phase, an investigator in charge is appointed and an investigation team is formed. The nature of the occurrence determines the makeup of the investigation team, but it can comprise operations, equipment, maintenance, engineering, scientific, and human performance experts. The number of investigators needed to investigate depends on the nature of the event, severity and composition of parties involved. During the field phase the public is informed, the crash site is secured, and pictures or videos are taken of the wreckage and crash site. Overhead drones is a commonly used tool to document facts. Initially, witnesses, airport personnel, company personnel or government personnel are interviewed. Accepting to be interviewed is voluntarily, and information learned from interviews are not used for disciplinary actions against pilots, mechanics or other personnel involved. After the initial facts are documented, the wreckage is removed for further examination by the investigative authorities. The regulator does not investigate aircraft accidents. 

The examination and analysis phase is away from the accident site. This phase consists of examining the company, aircraft, flight crew, training records, maintenance records and safety management system records. SMS is relatively new in the aviation industry but becomes a vital part of an aircraft accident to analyze applied processes. Parts and components of the wreckage may be sent to a laboratory for analysis, such as material strength, metallurgical analyses and both destructive, and non-destructive testing. Any possibilities, but also unthinkable options are analyzed. The examination and analysis phase is an unbiased process without predetermined conclusions. This phase also consists of reading and analyze recorders and other data, create simulations, and reconstruct events, review autopsy and toxicology reports, conduct further interviews, determine the sequence of events, identify safety deficiencies, and update interested parties of progress in the ongoing investigation. If, at any stage of the investigation, the investigator identifies safety deficiencies, they may inform those who can address the problem right away. 

The final phase of an investigation is the report phase where the investigation report is drafted. Selected members of a committee review the draft report and may approve it, ask for amendments, or return it to the investigators for further work. A report may be rejected for any reason but may also approved for any reason. Once there is a consensus to the draft report, it is sent to designated reviewers on a confidential basis for comment. A designated reviewer may be any person at an air carrier, airport, corporation, manufacturer, or association, who, in the opinion of the review committee, will contribute to the completeness and accuracy of the report. After such review with comments, report is amended as required. After this review, the review committee now approve the report to be released to affected parties. For single engine aircraft crash, this reporting process may take 9-12 months to complete, while for a large airline crash it may take 3-5 years. Since a report is a final and conclusive report, any evidence and documents and records are destroyed. 


Overcontrolling safety, or when safety gets involved, is to fall into the instant gratification trap and conclude with a root cause before facts are known. Prior to SMS, the safety manager had all powers, and root cause statement that included the word “safety” was accepted as facts. With the implementation of a safety management system, safety was no longer verbal statements, but an intelligent system where process maturity was allowed prior to making changes, or control, specific item identified. 

A safety management system without statistical process control analysis capability (SPC), is still operating in the pre-SMS era. It is crucial for the validity of an SMS to understand the difference between a process that is in statistical control (stable) and a process that is out of control (unstable). In processes there are variations. A common cause variation is a variation in the process that is required for the process to function as designed, or to function within the laws of nature, or the laws of physics. A special cause variation is a variation introduced to a process that is not a required variation for the process to function as designed. The migratory bird season is a common cause variation and required for the process to work and causing more bird activities around airports in the spring and fall. A flat tire when driving to work is a special cause variation, since it is not a variation required for the process to travel to work.    

If this month's aviation incidents were higher than last month, a question to ask is what happened? This is a common question heard today in many organizations, but many do not know how to answer this. A major barrier to the use of control charts is that SMS enterprises do not understand the information contained in variation. When they understand this information, they will realize that the type of action required to reduce special cause variation is totally different from the type of action required to reduce common cause variation. Control charts also helps SMS enterprises to understand why costs decrease as quality improves, and that pointing faults and blame at personnel is totally wrong.


There are generally speaking two types of mistakes when looking at data. One mistake is to assume that a data point is due to a special cause when in fact it is due to common cause, and the second type of mistake is to assume that a data point is due to common cause when in fact it is due to special causes. There are different corrective action plans for a special cause variation and a common cause variation. A special cause variation needs to be removed, while a common cause variation is to be managed within a safety management system.   


When Safety Gets Involved, is when safety makes corrections, or eliminate a variation in a stable process, or when safety makes overcontrolling the only acceptable procedure. Simplified, when overcontrolling, or a desire for instant gratification in safety is happening, the next control point has moved, and will continue to move farther and farther away from the issue until there is a total and unexpended failure. It is crucial for the success of an SMS to know what battles to fight, but determining a root cause to a common cause variation is not one of them. 





Saturday, July 23, 2022

Unlock the Secrets of SMS

 Unlock the Secrets of SMS

By OffRoadPilots

Secrets of the SMS are not all positive secrets but are also pitfalls to watch for and secretly hidden in processes. On the surface a safety management system (SMS) in aviation is a perfect system to avoid or eliminate accidents. When SMS in aviation was first sold to the aviation industry, it was sold as a tool, if an operator followed the rules, to reduce number of accidents. The sales philosophy was that if an operator didn’t have any major accidents, they would for sure have one in the future if they did not implement the safety management system. Their sales pitch intentions were honorable, and the regulator firmly believed what they sold to operators. Virtual and fictional accident cost scenarios were developed to prove how beneficial an SMS system would be in the future. The predication was that the cost of implementing and maintaining a safety management system would become less significant and well worth the investment when contrasted with the cost of doing nothing. Every operator, being airline or airports, fell for the sale pitch, until they discovered that accidents and incidents, including regulatory findings, still happened. 

The SMS in itself cannot fail since it paints a true picture of an enterprise. What could fail is accountability by enterprise leaders, managers, and personnel. Safety in aviation was in the past built on failures, and failures, or accidents, were expected to occur so that new safety improvements could be put in place. Continuous improvement to safety were designed and implemented after failures and major accidents. What a functional SMS does, is to move these failures from physical harm and accidents to virtual failures on the drawing board. When drawing board tests fail, the aviation industry saves the world from a whole lot of grief. SMS does not prevent aviation accidents, it just moves accidents from operations to the drawing board. A secret of the SMS is that flaws discovered in the design or application process may be assigned an opinion to minimize the finding and design a short-cut in the process to bypass the failure.  

The safety management system has generated vast gap between design and operations. This is not due to the design of the SMS itself but is due to output expectations and application in the organizational hierarchy. When the SMS is viewed as a tool to interfere with operations to ensure safety, it is brought down from the oversight level, and quality assurance, to the operational level where it does not belong. A system that is implemented where it does not belong is a failed system by the untrained eye. While it appears that the SMS failed, it is not the system that failed, but the implementation process. There is a time and place for everything. This statement is crucial for a safety management system to survive, and it is vital for the success of an SMS enterprise that an accountable executive comprehend time and place in processes. A secret of the SMS is that it paints a true picture of an organization, and when it is brought down to an operational level, it paints a picture of failed management as opposed to a failed SMS system. An SMS at the incorrect level is when findings are prescriptive and assigned to deviations in process outcome rather than to the process itself. 

An SMS integrated at the operations level is recognized by the strain it places on operations to behave in a manner incompatible with the operations itself. A practical example is the flight operational quality assurance system, or FOQA, that most airlines have integrated into their operations. One event trigger may be that an aircraft does not bank at an angle greater than 30 degrees in flight, and when it does, the captain is assigned a red flag and becomes a higher risk to the operations. The two options available in a strong crosswind when turning a visual approach base to final, may require a 35-degree bank to remain on the approach. However, due to the red-flagged policy, a captain may chose to remain at 30 degrees of bank and overshoot the localizer. If the bank is 35 degrees or greater, the captain will at a minimum be questioned and flagged. When placed at the incorrect level in the organizational hierarchy, the system does not fulfil its expectations for improvement to perfectionism in flying. A secret of the SMS when management fails a captain, is the system has identified operational management complacency who opted to comply with a faulty arbitrary rule rather then make operational decisions based on aeronautical science and aerodynamics, which deals with the motion of air and the way that it interacts with objects in motion, such as an aircraft. Attempting to achieve perfectionism in aviation is in itself a hazard to aviation safety.  

A safety management system is in principle a simple tool to provide for understanding and engaging in safe working practices. A safety management system defines what hazards exist in aviation, being airports or airlines, and is established as an oversight tool to identify if operational processes are in control to assess hazards with a reliable track record to cause an incident or accident. The weather is a factor with major impact on aviation safety. Weather is not just hazardous weather, but also a factor in achieving safety in operations. Rightfully so, icing and strong winds, are often associated with catastrophic accidents. However, by comprehending that these hazards are common cause variations, and will always be a part of weather systems processes, aircraft manufacturer, airport operators and airlines has a golden opportunity to place a safety management system where it belongs, at the organizational level of the accountable executive, and applied as a daily quality control and oversight tool. As a reminder, the role of an accountable executive to be responsible for operations or activities authorized under the certificate and accountable on behalf of the certificate holder, or board of directors, for meeting the requirements of all applicable regulations. 


An SMS system is designed to evaluate process expectations in operations. An aircraft on approach may experience a steady crosswind, but instantly, at the same time as the aircraft touches down, the wind velocity suddenly increases to triple strength and the aircraft crashes. A well-designed SMS system is designed to capture a common cause variation, such as a steady wind suddenly turns into a special cause variation and triple increase in speed. An airport applying their SMS, a special cause variation, such as approaching extreme winds, may be identified at an earlier point than what currently is the common process, and be tracked over an extended distance prior to reaching the runway. Accidents occur when an aircraft and a special cause variation converge at the fork-in-the-road. An aircraft is operating in a 3D environment and measured in time (hours-minutes-seconds), space (geographical location) and compass (direction). When a special cause variation, also measured in 3D, and an aircraft converges anywhere in a 3D environment, is when accidents occur. Another example of a common cause variation is snow removal in Canada. An airport operator is not required to publish in the aeronautical publications that they operate with a winter operations plan, since it is assumed, due to a common cause variation, that all airport operators will have a winter and snow removal plan. A special cause variation occurs when snow accumulation is extremely low. Parked machinery becomes fragile to the environment and professional skills are forgotten. This requires airport operators to substitute actual snow removal activities with training of their crews. A secret of the SMS is that it uncovers special cause variations of hazards within a process. 


The true secret of an SMS is that the system comes with the capability to find a needle in the haystack when applied at the correct level in the hierarchy.  




Saturday, July 9, 2022

Unintended Consequences of Training

 Unintended Consequences of Training

By OffRoadPilots

The law of unintended consequences is when a planned strategy fails. Sometimes an unintended consequence is winning the jackpot and mostly celebrated as flukes, but when a tragedy strikes, it is bad luck or murphy’s law. 

Training is to perform in harmony

The Safety Management System (SMS) regulations requires that there is a process in place for ensuring that personnel are trained and competent to perform their duties, that there are training requirements for the person managing the safety management system and for personnel assigned duties under the safety management system, and a method to determine the adequacy of training required. These training requirements are required for all personnel, including the Accountable Executive (AE). 


Conventional wisdom is that the only two requirements, roles, responsibilities, or duties for the AE is to support the SMS with human and financial resources. An SMS is ineffective and without an excuse if an AE remains untrained to comprehend their responsibility for operations or activities authorized under the certificate and accountable on behalf of the certificate holder for meeting the requirements of the regulations.


Training of the AE becomes a vital task for the SMS to be effective. An effective system is a system that is successful in producing a desired or intended result or outcome, and when the AE remains untrained, the intended result is not produced. In larger organizations, the AE, who also in most cases is the President and CEO, may receive limited training in lieu of relying on a third-party confidential adviser to the AE, in the same manner as the organization rely on accountants, lawyers or janitorial services for effectiveness. With no minimum personnel requirement to operate with an SMS, the AE of a small organization may be the same person who is managing the SMS. However, in larger organization, and when relying on a confidential adviser to the AE, the responsibility and accountability of the accountable executive are not affected by the appointment of a person to manage the safety management system. 


No person within an SMS enterprise is required to hold an “SMS license” to qualify for their positions under the SMS. A pilot needs to hold a pilot’s license, a mechanic needs to hold a mechanic’s license, with the only exception that an airport manager (APM) is not required to hold an APM license. Licenses are governed by standards that a person must meet to qualify for the license held, and to maintain the license. Requirement for SMS training is determined by the SMS manager, who establishes training requirements for the person managing the safety management system and for personnel assigned duties under the safety management system. The accountable executive approves by their responsibility for meeting the requirements of the regulations their own third-party training supplier, or internal training personnel. 


There are several purposes for training, some of which are to conform to regulatory compliance, it is to ensure indoctrination training, it is to learn new skills, it is refresher training, it is specialty training, or targeted training. Training takes form of theoretical training in a classroom setting, and as practical on-the-job (OJT) training, and concludes with a written, or practical competency test. A test also serves several purposes. One purpose is simply to pass the test. This is often accomplished by answering correctly one of multiple answers. A multiple-choice test is mere a test-taking skill, since there is no oversight of what process the candidate applied to answer questions correctly. Generally speaking, there are five methods, or processes to answer a multiple-choice test correctly. One method is by comprehending the subject, while another method is trained capability to select the correct answer by taking practice-tests with same or similar scenarios prior to the final test. Other methods are to answer correctly by elimination, answer correctly by keywords or answer correctly by multiple test-tries. Unless the subject comprehension method is applied, it is impossible to determine the adequacy of the training required as it relates to the candidate’s retention of SMS technical knowledge and subject matter. A practical test to verify quality of the OJT is not subject to the candidate’s test taking method but is subject to the examiner’s opinions. Both theoretical and practical tests have flaws, and both are unreliable as the only means to assess a candidate’s skills and the instructor’s ability to convey information to instill learning.

Unintended consequences occurs when human factors become unacceptable

Training of personnel is a specialty skill, it is a learned skill and it is an ongoing development skill. When it comes to using an untrained instructor to train other personnel, the instructor may resist to be moved out of their comfort zone and unable to train the new person to the expected comprehension level. peaking in front of a group of people is also one of the biggest fear a person has. An exceptional skilled and dependable person may not always be the best choice as the instructor to train new personnel, since their tasks in the past had been on their own development and improvement, and not on improving someone else. For a person with exceptional skills and knowledge, it may also become frustrating to accept that others still have a distance to go before they have reached the same level of ambition to achieve.


Another potential issue with assigning training tasks to a person who does not hold a position to train as a regular trainer is that there is often not enough time to do so adequately. In preparation for training an instructor needs to do research, design a training schedule, and develop target specific training to conform to an SMS enterprise’s safety policy and training objectives. There are SMS enterprises, both large and small, that believe training is busy-time, or waste of time since their personnel was already trained. In addition, refresher training that is not a part of a regulatory requirement may discourage and not allowed during regular working hours. When an SMS enterprise, or a person in a leadership position does not seek or take advantage of all training opportunities available to their personnel, an employee’s skills become stale.


Training in form of trivia may be just as effective than mandated, scheduled or required training. Trivia training does not include a competency test but is a self-evaluation of skills. Learning is a process to improve a just culture and does not necessarily need to be of technical knowledge or competency skill. Several years ago, when it was allowed to smoke in the airplane, a young flight instructor did the instructor flight test with an inspector who would smoke during the flight test. 

Later that day, the new instructor learned that the smoking was a distraction tool to learn how an instructor would respond to non-standard issues, or a special-cause variation. In addition, the final determination if the new instructor was fit, was for the flight test examiner to place the airplane in an inverted spin to learn how the candidate would react to a situation that a student could easily put an airplane into. These two tests were not a part of the flight test curriculum but was a part of the whole picture to assess if a new instructor was ready or not to take on students, and as an oversight system to assess reactions to a special cause variation.  


Unexpected consequences of training occurs when training is viewed as having reached the final qualification standard, it is when oversight becomes incidental to an activity, rather than viewed as a tool to accept imperfection in human behavior.



Saturday, June 25, 2022

Unintended Consequences of Hazard Identification

 Unintended Consequences of Hazard Identification

By OffRoadPilots

An SMS enterprise is required to operate with a process to identifying hazards to aviation safety. Defining hazards to aviation safety is subjective and based on prior experiences, guidance, or fear of failure. When there are none, or very few, hazards in the hazard register, the regulator view this as a nonconforming to a regulatory requirement to identify hazards. A limited hazard register is a red flag to the regulator who then will issue findings to operators. An experienced and high time pilot may view a gravel-runway as a non-hazardous condition, while a low time pilot with, or a pilot without gravel-runway experience rates gravel-runway as a hazardous condition. Both pilots view the same scenario, at the same location, at the same time and with the same meteorological conditions, but experience, guidance and fear of failure leads to two different conclusions. One accepts the condition as hazardous, while the other rejects the conditions as a hazard to aviation safety. However, there are several examples in flying that highly experienced bush-pilots operates with a lower risk level bar than new and inexperienced bush-pilots. 

There is a difference between observing for hazards and actively searching for hazards.

In addition to tangible hazards there are abstract hazards. An example of an abstract hazard is time pressure for on-time departures. Abstract hazard conditions are higher risk levels than tangible hazards, since their outcome cannot be predicted, they cannot be measured, or produce the same outcome each time. A common cause explanation to overlook abstract hazards, such as fatigue or time pressure, is to “get the job done”. When there is a conflict between abstract hazards and tangible hazards, the tangible hazard takes precedence. Red flags are more likely to be attached to personnel who reports abstract hazards than personnel who reports tangible hazards. These types of organizations operate with a systemic fear of failure culture. 


An SMS enterprise is required to operate with a proactive process or system that provides for the capture of information identified as hazards and other data relevant to SMS and develops a hazard register. A hazard register are list items of conditions that could cause occurrences, and it is also a list of hazards derived from past occurrences. Hazards should be assessed and mitigated through safety oversight, training and awareness, and the use of a flight data monitoring system. Performing a proactive assessment within a daily quality control system, and a review of SMS database is necessary to verify the rate of occurrences. An SMS enterprise who indicates that they do not have hazards to report should demonstrate how they have reached this conclusion. 


A hazard register contains two distinct different types of hazards, which are assumed hazards and experienced hazards. These different types of hazards should be separated into different hazard registers to analyze the rate of hazards from occurrences and the rate of assumed hazards occurring. 


A third variant of hazard identification is the planned self-evaluation and actively searching for hazard. Requiring pilots and airport workers to actively search for hazards is a distraction and take away time from their roles and responsibilities leading to unintended consequences. There is a difference between observing for hazards while flying and actively searching for hazards. Most everyone has experienced how a new vehicle changes alertness and observations. When a certain make and color of vehicle is purchased, the same vehicles and colors that were not noticeable before, now attracts attention. These vehicles were still within sight before but were not noticed since they were irrelevant to the operator. There is a universal principle called the Law of Attraction, which says that you attract into your life people, ideas, and resources in harmony with your dominant thoughts. Other ideas and resources become irrelevant and not noticeable. The fact is that humans are living magnets, like iron filings are attracted to a magnet, human nature, or human factors, is to attract the people and professions that are in harmony with your current level of knowledge, wisdom, and experience.

A tangible hazard is comprehended, while an abstract hazard is interpreted.

Awareness is a key element for a successful flight and successful airside maintenance. Human factors is to understanding the effect of why a task is required and the effect of how distraction deviates attention from a priority task. When a flight crew's attention is diverted from the task of flying, the chance of error increases. Over the years there have been dozens of air carrier accidents that occurred when the crew diverted attention from the task at hand and became occupied with items totally unrelated to flying. An example is the Everglade crash in 1972 when three green lights failed to illuminate gear down and locked. The crew conducted a fact-finding task to find a solution. While they were focused on the gear-lights, they did not realize that the airplane was continuing to descend, causing the left engine to strike the ground then the aircraft crashed. The flight crew were actively searching for what hazard had caused the lights not to illuminate. 


When an SMS enterprise expects pilots and airport workers to report hazards, the effect of human factors is to focus on finding a hazard and then focus on the immediate threat. The pilot of a small single engine aircraft taxiing at night may be blinded by the taxi lights of an approaching heavy aircraft, causing the small aircraft to taxi across taxiway islands. Hazards, if they are factual or virtual, have a distractive effect on human behavior. When flight crew and airside workers feel obligated to identify unknown hazards, it is unknown to an SMS enterprise how their attention to hazards distract their attentions from current assigned priority tasks.  


The requirement to actively search for hazards is also a regulatory non-conforming behavior. A regulatory requirement for operations involving taxi, takeoff, landing, and all other flight operations conducted below 10,000 feet MSL is that no flight crewmember may engage in, nor may any pilot in command permit, any activity during a critical phase of flight which could distract any flight crewmember from the performance of his or her duties or which could interfere in any way with the proper conduct of those duties. Activities such as eating meals, engaging in nonessential conversations within the cockpit and nonessential communications between the cabin and cockpit crews, and reading publications not related to the proper conduct of the flight are not required for the safe operation of the aircraft. Actively searching for hazards during critical phase of flight is a violation of the regulatory requirement to maintain a sterile cockpit. Unintended consequences to require active hazard identification is regulatory non-compliance and an induced risk level. 


A review of the effect of non-compliance with the sterile cockpit principle finds that 48% were altitude deviations, 14% were course deviations, 14% were runway transgressions, 14% were general distractions with no specific adverse consequences, 8% involved takeoffs or landings without clearance, and 2% involved near mid-air collisions due to inattention and distractions. 


A key to good Human Factors practice is awareness. It is not enough for pilots and airside workers to know what can affect them, It is also necessary for them to be aware that they are in a position to be affected. As an example, knowing that fatigue affects performance is not useful unless pilots realize that they are fatigued. Realizing fatigue is applicable to all professions, not only pilots. In the old days of long-haul trucking, before automatic transmission, drivers realized that they were fatigued when shifting gears became difficult. In aviation, a pilot realized fatigue by altitude or heading deviations. Automation in aviation has reduced the ability to recognize fatigue, without applying an SMS safety case to operational hours. Regulated flight and duty times does not ensure fatigue compliance since the regulation is not broad enough to cover every aspect of fatigue. When the regulation is incomplete, it is the role and responsibility of an SMS enterprise to add additional layers to identify fatigue. A fear of failure culture marks a red flag to pilots reporting fatigue prior to the end of regulatory flight and duty day, or airside worker reporting fatigue prior to end of their shift.  





Saturday, June 11, 2022

The Successful AE

The Successful AE

By OffRoadPilots

A successful Accountable Executive (AE) is a person who fully comprehend their Safety Management System (SMS). The successful AE is result oriented and focuses on leadership motivation. The AE set clear goals and provide personnel with their empowerment and tools needed to achieve success. The successful AE is a motivational leader inspiring personnel with directions to work toward goals, and successfully complete one goal at a time. A goal without directions is not a goal but a wish, or a dream. Just as a successful CEO is surrounded by highly qualified personnel to guide them with business transactions, a successful AE accepts the confidential adviser as their go-to person to maintain processes that conform to regulatory requirements.    

During phase one, the SMS knowledge was limited, and no questions were asked.

A safety management system is an evolving system through three phases. A successful AE is in the third phase of their SMS evolution. Evey SMS enterprise go through the same three phases before the accountable executive becomes a successful SMS leader. Achieving success in the third phase is not the completion of an SMS system but it is the beginning of comprehensive application of the safety management system. Canada was the first ICAO state to regulate the safety management system and there was a struggle for operators throughout the four implementation phases. The expectation that an AE was only responsible for their financial and human resources was the wrong turn at the fork-in-the-road and the root cause for the ongoing SMS struggle. Throughout the four implementation phases the regulator misled operators by acting as consultants and they were extremely generously with opinion-based SMS guidance to both airport and airline operators. 


The first phase of SMS extends from the implementation phase to the first audit. During the first SMS phase the AE complies with implementation directions and outcome expectations without hesitation, or concerns. The initial phase-in process of the SMS was a learning process with an objective to establish a successful SMS. Every person in the organization at this stage were learning about their roles and responsibilities and were applying tasks without justifications, or reasons for the task. The general guidance at that time was that an SMS was a tool to reduce incidents and accidents. Those safety visions were quicky shattered as there were no evidence that SMS had reduced the number, or severity of incidents, or improved safety at all. Airlines without a fatal incident for over 30 years, experienced their first fatal accident as an SMS enterprise. 


The AE, as well as other personnel began to question the purpose and effectiveness of their SMS. Their SMS manuals included safety policies, reporting systems, hazard identification systems, investigation systems, root cause analyses, safety data systems, corrective action processes, monitoring the concerns of the civil aviation industry, and determining the adequacy of training, but without any significant effect on the outcome. Operators began to question why the global aviation Industry, being airlines or airports, needed a safety management system (SMS) today, when they were safe yesterday without an SMS. Without any guidance material of how to reach these goals, airport and airline developed their own systems, with different processes, to reach the same expected outcome. It became more complicated a successful AE, when the regulator took the position that the solution to conform to regulatory compliance was to implement electronic data collection tools, with checkboxes for result completion. The SMS had deviated from its purpose and turned onto a path where completing checkboxes for individual results became the primary task, as opposed to the task to analyse processes for regulatory compliance. This became evident in a survey published in the JDA Journal, April 13, 2017, where the vast majority of oversight inspectors view themselves as having better knowledge of airline and airport operations than the operator themselves, and that they are better qualified than operators to fix safety problems before they become accidents or incidents.  

There is a process for everything.

The second phase of a successful AE is the reactive phase of a safety management system. In the reactive phase, there is no daily quality control, errors and findings are accepted as a normal part of the processes, daily performance tasks are not assigned links to regulatory compliance and the accountable executive is struggling to maintain regulatory oversight and compliance in their operations. The reactive process in phase two was different than the reactive process during the initial SMS phase-in processes. An SMS enterprise may establish a proactive process by including a daily inspection at airports, or a pre-flight inspection for airlines, but during this second phase of SMS, established proactive processes became inactive and transformed into reactive processes. While it is true that these processes discovered findings and trigger repairs, they did not extend beyond the repair itself to become an integrated part of a daily quality control system and system corrections. When FOD was found on the runway, it was removed, or when a damage was found to an airplane, the airplane was grounded, and the damage repaired. These repairs were the initial part of a reactive process, but without a link to an action item beyond the repair itself, they were only reactive processes, and events repeated themselves. An action item is different than a root cause analysis, in that the link to a regulatory component becomes the proactive element of the process. In phase two of a successful AE, they relied on the opinion of external auditors, and the AE’s goal was to become a platinum-members of the auditor’s safety-club. The scenario of an AE in phase two plays out in the global airline industry today where there is a shortage of flight crew and more tickets sold to passengers than airlines capacity. 


During the second phase of SMS, it is also common is to assume compliance by reaction, or by performing regulated operational tasks, while non-regulated operational tasks were excluded. With non-regulated tasks excluded, an SMS enterprise became in non-compliances with the SMS regulations. A successful AE in phase two excluded specific tasks that were not included as regulatory tasks to be performed. What the AE was missing, was that the time for an operator to define and design operational tasks is when the tasks are not included in the regulations as regulatory tasks. The AE also assumed during phase two that completing regulatory operational processes automatically conform to regulatory requirements. This assumption was false and was not followed up with data to support their opinion. Some accountable executives carried this believe to the extreme, where their certificates were threatened. It was not until the certificate was threatened that the successful AE realized that the only way forward is to implement a daily quality control and a regulatory oversight plan.  


When the successful AE entered into the third phase of SMS, they accepted their accountability that they have several more tasks and responsibilities to comply with than only human and financial resources. At this time the successful AE understood that their roles and responsibilities were much more than just human and financial recourses. In addition, their responsibilities were to scale and adapt their SMS to size, nature and complexity of the operations, activities, hazards, risks associated with the operations and daily quality control for their triennial audits. In the third phase of a successful accountable executive, operational processes were linked to regulatory requirements, and one task was linked to several regulations or standards as a tool to scale and adapt to size and complexity. Airport operations is a relatively small-scale operation in aviation compared to airlines. However, airports provide essential services to the aviation industry for successful flights and customer satisfaction. An airport AE must have comprehensive knowledge of airport operations, they must have general knowledge of airline operations and be familiar with air navigation services. A successful AE has accepted that operational tasks for airports or airlines are many and is more than a full-time job. There are several standards they must ensure compliance with, in addition to many regulatory requirements. Scaling the operations and SMS down to size and complexity is not to exclude unimportant regulations, but to assign multiple regulatory requirements to one single operational task. A critical task for the successful AE is to conform to SMS regulations by ongoing research and development. 

A successful AE knows the path through the SMS maze.

The first task for a successful AE in the third phase is to review and amend their current safety management system manual. When their initial manuals were built, SMS knowledge was limited and data available how to apply processes to human behaviors were inadequate. Quality control and quality assurance had been applied to material strength and material fatigue for decades and the same approach was now applied to the SMS. Over time both airports and airlines found that using this same approach was not complete or effective. Their initial SMS manuals were correctly designed and approved by the regulator based on what was known at that time. Over time SMS evolved to include several unknown factors and changes to SMS became inevitable. The successful AE understands that SMS process applied to mechanical breakdown, material fatigue or occurrences are different than processes required when the human factors system breaks down. The hazard pyramid becomes inverted in a human factor system, since there is a learning factors involved, which is not available to mechanical breakdown, material fatigue or occurrence likelihood. For each vivid event a person is exposed to, that person learns to avoid incidents and near-misses. Exposure to vivid events is crucial to safety in aviation and any pilot who grew up in a protected environment with little or no exposures to vivid events, has lost the value of these experiences. 


Roles and responsibilities for a successful AE is oversight, while roles and responsibilities for the person managing the SMS is operations. The successful AE has comprehensive knowledge of each statement in their safety policy to deliberate and speak on the policy in a complete matter. A successful AE has established a comprehensive goal setting program that includes a process to complete one goal by applying the 14-days goal setting process. A successful AE has researched and developed processes to identify hazards. These are not only limited to hazards discovered by the AE or other personnel, but researched hazards, hazards from targeted inspections and hazards identified by in the regular data collection processes. Hazard identification is ongoing and monitored. A successful AE is responsible for oversight of training and that the person managing the SMS is completing training on schedule and on-demand as required. Training is both formal and informal and is ongoing and a part of a daily self-development process. Most importantly, a successful AE is able to deliberate on why operations are safe most of the time. 


A successful AE applies a proven statistical control process to analyze how processes conform to regulatory requirement. An SMS manual contains all safety management system processes and a process for personnel to be aware of their responsibilities. In phase one and two, the SMS manual was often handed over to personnel and they were expected to do self-study and learn on their own. In phase three of a successful AE, the AE has established a system where daily on-the-job tasks are targeted for personnel to maintain awareness of their responsibilities. A successful AE operate with a quality assurance program, which includes a daily quality control system as a prerequisite and process for their triennial audits. 


A major change for a successful AE is to include in both airport and airline operations any additional requirements for the safety management system. This includes unregulated tasks. As an example, a pilot is required to ensure that an aerodrome is suitable for the intended operation. An aerodrome operator is responsible for compliance with their published services. During the pre-SMS era, an aerodrome operator could publish a runway surface condition NOTAM without any further responsibility. With the global reporting format requirement and SMS regulation, an aerodrome operator at a certified airport, must ensure that the airport maintain compliance with airport standards for each arrival and departure. It is no longer acceptable to publish a NOTAM only. In addition to the NOTAM, the aerodrome operator must do something to ensure compliance, which is achieved by a simple risk analysis or a risk assessment for comprehensive tasks.  


An airport operator is required to complete an Aircraft Movement Surface Condition Report during their published hours of operations and at least every 8 hours, or when there are operational changes. A change in wind direction would trigger a new report, since a new runway is now active. Monitoring the weather is a responsibility of the successful AE, while the person managing the SMS implement project the plans assigned by the AE. A daily quality control system includes several tasks to be completed hourly, daily, weekly, monthly annually or on-demand as required. 


An addition change for the AE in their third phase of the SMS, is to develop internal Operations Plans as their long-term corrective action plans, and to monitor the concerns of the civil aviation industry in respect of safety and their perceived effect on the holder of the airport certificate. The requirement list for a successful AE could continue for several pages with line-item tasks to conform to regulatory requirements.  


There is no magic wand out there to make anyone a successful accountable executive for an airport or airline. Electronic data collection tools and cloudbased SMS are great and necessary tools, but they are not the solutions to become a successful AE. 





When Safety Gets Involved

  When Safety Gets Involved By OffRoadPilots S afety has been involved in aviation since the first flight in 1903 and since then safety resu...