Tuesday, November 16, 2021

How to Audit SMS

How to Audit SMS
By Catalina9

Conventional wisdom of how to audit the Safety Management System (SMS) is to generate an audit checklist based on regulatory requirements for an SMS, and develop expectations, or processes, in a checklist form to determine level of regulatory compliance. There are several itemized expectations for an SMS enterprise to audit every single aspect of operations for compliance. Auditing by expectations does not paint a true picture of an SMS enterprise level of compliance since an expectation audit does not audit for reliability. 

Research and development is the responsibility of an AE.
An airline or airport may be required to comply with hundreds of regulations in addition to just as many operational standards. One regulation may be compliant by applying several different operational methods, or expectations, which may be interpreted differently by inspectors, auditors or organizational management. When expectations are applied to an SMS audit, all operators are grouped into one expectation and that one-fits-all. Auditing by expectations is a hazard in itself, since an SMS enterprise may change their operational behavior to please the inspector’s or auditor’s checkbox, rather than trusting their own operational judgement. Auditing by expectation is also an avenue to group safety with ratings. A high rating number becomes equal to a high, or superior, level of safety. As an operational oversight system SMS paints a picture of results, or process outputs, and not of a predetermined input. A shopping list contains expectations or inputs, and when used correctly each item is checked off, but the condition, output, or quality of each item is unknown until after the shopping is done.  

The first level of audit of an SMS enterprise is to audit for scalability, or size and complexity. There is a regulatory requirement that a safety management system shall be adapted to the size, nature and complexity of the operations, activities, hazards and risks associated with the operations. Humans are great at making simple tasks complex, or even unmanageable. An unmanageable SMS is a system where hazards to operations are unknown. In an unmanageable SMS, or where an SMS is scaled beyond their operational needs, operations tend to drift towards informal, and simplified processes. An SMS workload is not the SMS itself, but research and develop to scale down systems to size and complexity for regulatory compliance, for safety in operations compliance, for compliance with operational needs and compliance with the SMS policy. An SMS system should be scaled to a level where it can be explained in just a few words. If an SMS enterprise is unable to explain how to maintain regulatory compliance and safety in operations, don’t expect the regulator to explain it for you.

A public speaker is a highly regarded expert.
 A speaker at an aviation safety conference made a statement that the regulator has decided to only issue findings against regulatory non-compliances and no longer issue findings to an SMS enterprise for non-compliance with their own internal manuals. That the regulator no longer plans to issue findings to an internal manual is a step in the right direction. When a finding is made to non-conformance with an internal manual an operator has two corrective action plan (CAP) options. The first is to make a change to the manual, or the second option to make a change to the process, or how things are done. Either way, the regulator must approve the CAP by directing what the manual text must read or direct the operator to what specific process they must implement. When the regulator mandates, or locks-in text or processes, they are interfering with the operators sole responsibilities pursuant to the regulations to operate with an SMS that is scaled to size and complexity. An benefit to an SMS enterprise when the regulator only issue finding to regulatory non-compliance is that they now have an opportunity to self-correct their own manuals or ineffective processes.

An accountable executive (AE) is responsible for operations authorized under the certificate and accountable on behalf of the mayor, council, airport authority, CEO, corporation or business owner for meeting the requirements of the regulations. In the regulations it states that an appointed AE must have control over human and financial resources. In the past, this regulation was interpreted by regulatory oversight that their only responsibilities was to apply cash to safety and hire personnel to do the jobs. As long as an AE could answer yes to these two questions, they passed their part of the audit. What was overlooked by the inspectors or auditors, was that an AE was not only responsible for cash and personnel, but also responsible for meeting all the other requirements under the regulations. When the regulator no longer issues findings for compliance with the SMS manual itself the manual or processes becomes much more flexible to change, and both airlines and airport operators having an opportunity to perform a true audit of their SMS enterprise. 

The second part of an audit is to audit for outputs, or results. Inputs for these audits are the daily, hourly, or frequently assigned operational tasks. Inputs are how the job is done and what tools are used to support these operational tasks. As an oversight system an SMS enterprise documents the results as they are completed, or at the time of their transactions. Just as upon completion of the shopping list, an itemized receipts and cash exchanged is documented at the time of transaction. Counting the cash is the first step in a quality control system for an upcoming financial audit. Counting outputs and results of an assigned task within an SMS world is a control system for a safety audit. In a financial audit, the auditors do not audit against expectations, how an organization plans to do their inputs, or if they are compliant with their expected inputs. In a financial audit the end result is audited by confirming receipts and financial entries. In a safety audit, the same process is followed by auditing the end results, or outputs, and confirmed by receipts, or data, and entries into the SMS system. An airline or airport conducts daily quality control, regular surveillance of their systems by random sampling and classifies their data to a level of security to preserve its integrity. The audit of an SMS then based on results and not based on virtual, or opinion-based expectations. SMS is to build a portfolio of safety.   




Monday, November 1, 2021

The Swiss Cheese

 The Swiss Cheese

By Catalina9

The other day when I was on my way to the store to buy swiss cheese and it was raining. I had opened my umbrella inside, walk under a ladder and a black cat crossed in front of me by the time I got to my car. My day was off to an unpredictable day. I purchased a block of swiss cheese and a package of sliced. I could not see the swiss cheese holes in the block, but I could see them in the sliced cheese, and all the holes were lined up. An unavoidable incident seems to be on the march in my direction today. I had opened an umbrella inside, walked under a ladder, black cat crossed in front of me and now all the holes in the swiss cheese lined up. And to make things worse, I embrace the principle that more is less and less is more. 

Umbrellas are attainable and measurable goals to be used for
a purpose.
An effective Safety Management System (SMS) is expected to run smoothly, and that safety will come by itself if we just do the right tings. The right thing is to find the holes in the swiss cheese and to stop the flow of accidents by plugging or diverting holes. If we make safety objectives and goals, we will be safe, or if we just remain vigilant, observant and follow the rules, we will also be safe. Accidents are built from a blueprint for a system to fulfil an undesired purpose, or aim, and the swiss cheese analogy is an imaginary description to simplify how integrated micro-systems builds accidents.

They key to a successful SMS is to accept that there are micro-systems within larger systems. These micro-systems are defined as at random, since there is no obvious logic to how they form or are placed within its own system. The definition of at random in the Marriam-Webster dictionary is without definite aim, direction, rule, or method, and lacking a definite plan, purpose, or pattern. Applying these micro-systems as random and unpredictable is how they must be applied within an SMS enterprise.  

A latter is a tool to reach new goals, so don’t walk
under it.
The swiss cheese principle is an exceptional good description of at random, or of how accidents are built and the many interactions of events that must take place to build up to the accident itself. However, this principle is only effective as a reactive tool for analysis after an accident, since when arriving at one hole, there is no road map or directions as what turn to take next to avoid lining up another swiss cheese hole. The swiss cheese analysis is non-directional, it is operating within a dark space and each hole in the cheese are individually and specifically placed within its own micro-system and without connections to current events. Holes in the swiss cheese may appear to be randomly placed, but they are systematically placed within its own micro-system produced by carbon dioxide. Each hole in the swiss cheese is a result of a cause which creates the effect. The cause is its own system within the swiss cheese creating these pockets of gas. From outside the swiss cheese, these holes may appear to pop-up randomly, while within the dark spaces of the micro-system itself their location placing becomes predictable

Conventional wisdom is that more is less, and less is more. Professional organizations are rigidly applying this principle in their decision-making process. When applied correctly, simplifying processes is a tool to achieve more. However, simplifying processes does not include a reduction in level of service, or removal of regulatory compliance processes. When more is less, and less is more, there is much more work, research, design, and project planning needed to produce a simplified system output on the front line.  

Looking for the black cat is active hazard identification
Safety in aviation is beyond being a miracle, a matter of luck or dreams come true. Everything happens for a reason, good or bad, positive, or negative. Accepting that at random are micro-systems affecting your goals, and that this system appears as at random is vital to the goal achievement process. If at random is without definite aim, direction, rule, or method, and lacking a definite plan, purpose, or pattern, then accidents are meaningless. A meaningless event has no purpose or reason. An accident is emotionally meaningless since there is no reason or purpose for people to be harmed or loss of life due to unexpected events. However, when applying meaningless, or without definite aim in an SMS organization it becomes impossible to establish cause and integrated factors of occurrences and unexpected events. That everything happens for a reason does not imply that events magically occur, is a statement that there are micro-systems affecting operations which cannot be determined, recorded, or predicted. In an SMS world, these systems are also defined as special cause variations.

A Regulator is responsible for the development and regulation of aeronautics and the supervision of all matters connected with aeronautics. When a new regulation comes into force, an airport or airline operator only have one choice to continue operations, which is to maintain compliance with the new regulation. Public opinions, political environment and aviation incidents are all triggers for new regulations. Over time these regulations add up to an overwhelming task for both airlines and airports. In addition, the regulations require an SMS enterprise to run a safety management system that is adapted to the size, nature and complexity of the operations, activities, hazards, and risks associated with the operations. More regulation and a scaled down SMS system are two opposing regulatory requirements.  

Scaling down an SMS enterprise is not to remove or decline specific regulations, but to combine operational tasks applicable to each regulatory requirement. Scaling down is to make your job as the Accountable Executive userfriendly and manageable for the SMS Manager. When regulations are performance based, an operator is obligated to demonstrate how their activities conform to the regulations. Demonstrating compliance is more than demonstrating compliance with one regulation, but to demonstrate how each task maintain compliance, and how any of these separate tasks does not interfere or causing non-compliance with other regulations.

The swiss cheese principle is a valuable analogy to describe actions, reactions and results of a micro-hazard travelling through the cheese and setting the main system up for failure by travelling through each hole in the swiss cheese. However, if an SMS enterprise establish a safety goal to avoid the swiss cheese holes and objectives are to navigate safely around the holes, they are doing the right thing, but operating with unmeasurable goals since the distance and directions to the holes are not measurable.  


Applying the principle that less is more and more is less gives the same output as the swiss cheese principle. Both principles come with a valuable application, but it is impossible to establish measurable goals from these principles. On the other hand, opening an umbrella inside, walking under a ladder or the black cat crossing, are all events that can be used to establish measurable goals. Find the umbrella, ladder, and black cat within your SMS enterprise micro-systems to build a portfolio of safety. 


Sunday, October 17, 2021

When SMS Becomes Inactive

When SMS Becomes Inactive 
By Catalina9

A Safety Management System (SMS) that is inactive will leave a void for an uncontrollable system to take its place. An SMS includes a variety of tasks and some of them are a safety policy, a process for setting goals, measuring the attainment of those goals, hazards and for evaluating and managing the associated risks, a process for personnel to be trained and competent, a process for internal reporting, a process for analyzing of hazards, incidents and accidents and for corrective action plans, an SMS manual, distribution of the SMS manual, a quality assurance program, periodic reviews or audits, developing safety cases and any additional regulatory requirements. An SMS is a comprehensive system, which must be scaled to size and complexity to conform to regulatory compliance. The scale down requirement is a process to Smarten Up SMS.

Smarten Up SMS is to avoid going to court.

Smarten Up SMS is not targeted to one area of the aviation industry, such as airports, but is a tool that can be applied to any specific regulatory requirement. Smarten Up SMS is therefore applicable specific to an enterprise’s operations certificate or regulatory compliance requirements. Simplification of the SMS is not to remove or ignore regulatory requirements, but to combine regulations into normal daily operational tasks. It is nothing but hard work to do research and development as a prerequisite for a successful SMS and then apply correct regulation to all activities.

A Safety Management System regulation is not directly applicable to non-SMS operators, but safety in operations comes with expectations that there are some sort of standards, processes, and systems in place to ensure an acceptable level of safety. Without standards, safety becomes opinion based and applied differently to the same scenarios.  When opinions are applied to safety, an airport, airline, or any other air operator have surrendered all their internal safety control to somebody else. “If you don't design Your Amazing Airport plan, chances are you'll fall into someone else's plan. And guess what they have planned for you? Not much.”  A voluntary compliance with the Safety Management System regulations is an acceptable process to maintain control of operations without relying on opinions to implement corrective action plans. Globally, the aviation industry is moving in a direction of a rating level system, where audit compliance and customer service becomes rating targets published. Just as a rating system is applied to all aspects of social media, it will also apply to internal safety levels, or safety cultures in aerodrome operators, airlines, flight schools, aerial applicators, or any areas of the aviation industry. Major and large organizations are already individually applying their own safety culture assessment of vendors, contractors, or service suppliers and basing their non-data assessment to level of services requested.   


In a healthy and functioning Safety Management System, data collection is a fundamental tool as a prerequisite for analysis and evaluation of corrective action plans. A second fundamental principle of a healthy SMS is incremental safety improvements, or continuous safety improvements. Safety in operations is not to make major changes, but to make small adjustments, or almost unnoticeable changes. SMS is to build a portfolio of safety. A regulatory requirement is to operate with a quality assurance program and include a process for quality assurance that includes periodic audits of activities and audits for cause, or on-demand audits. A third fundamental principle of a healthy Safety Management System is for an enterprise to capture data that supports adjustments. Since it is impossible to foresee future events, or when an event will occur, enterprise must maintain a daily quality control system. Depending on size and complexity of operations, several tailored, individual, or operational specific daily quality control systems may be needed. 


An Enterprise runs a business with an accountant, a financial manager, a chief executive officer, an office administrator, or any other position that helps promote the business for a higher return on investment. SMS is a businesslike approach to safety where the SMS Manager has a responsibility to monitor and evaluate results, which requires a daily journey log of activities affecting operational safety. An enterprise would not in a million years think about coming into a financial audit without being prepared for the audit and without showing records of how they prepared themselves daily for compliance. But, when it comes to airports or airlines, they enter into an SMS audit without having prepared one single item. With this approach many operators failed their third-party rating audits and regulatory inspections. When management comes unprepared for an audit or oversight inspection, their Safety Management System has become inactive, and an uncontrolled system will fill this void. 

A healthy SMS has fulfilled its daily quota.

A healthy Safety Management System is prepared for the approaching rating trend, where a rating becomes the determining factor to be awarded contracts or public confidence of an operational safety culture. They come prepared by the Accountable Executive (AE) being responsible for meeting the requirements of the regulations on behalf of an airport authority, city or town council, the mayor, or the CEO of an airline. This responsibility includes research and development, design, implementation, and oversight of a quality control system. The responsibility for an AE goes far beyond having control over financial and human resources. An AE is responsible to maintain regulatory compliance, which is to conduct ongoing audits, analysis of audits, corrective action plans (CAP) of findings, and monitor drift. In a prepared enterprise the SMS Manager is responsible for management of the SMS systems that is put in place by the Accountable Executive and implement all assigned tasks by their roles and responsibilities. When ratings are approach from within the organization, there is a functioning and healthy SMS. When an SMS is approached to please the rating or make changes due to demands from a customer or auditor, their SMS has become inactive, and the uncontrolled system will fill that void.

Monitoring the aviation industry is an enormous task and a regulatory requirement the AE must comply with. Weather is the one single most important factors impacting the aviation industry, being airlines, air operators or aerodromes. There is not much one can do about the weather, but the actions taken, or CAPs applied (e.g. timely snow removal, de-icing, low visibility etc.) is crucial for successful operations. The Cranbrook BC crash on February 11, 1978, during a snowstorm, is an example of how lessons learned were about improving clear and precise communication. 

The tasks an AE has is to find all pieces and  analyze them for applicability

The following are examples of some of the tasks an airport AE has to maintain regulatory compliance. These tasks includes monitoring the aviation industry, monitor drift and for the AE to maintain a quality control system including public weather, METAR/TAF, GFA, ICING, flight conditions, field image, radar, local live and forecasted surface winds, sunrise and sunset for day or night operations, or plan of construction operations, monitoring enroute overhead flights (e.g. medical emergencies), a toolbox with links to frequently used documents and forms, AMSCR records, CADORS records, CADORS airfield tenants, procedures for the exchange of information in respect of hazards, incidents and accidents among the operators of aircraft and the provider of air traffic services at the airport and the airport operator), daily inspection records, active NOTAM, historical NOTAM, proposed and new regulations monitored weekly, airside operations plans tailored to airside operations, tenants safety concerns and comments, the public concerns and comments, regulatory inspections, planned, open or closed, calendar with current events, NOTAM Manual, AIM Manual, aeronautical obstructions assessments, TP312E 5Th training, airside training, airport operations training, monthly newsletter, monthly SMS posts, SMS performance monthly, monitoring the aviation industry, airport surveillance of airside activities for safety and regulatory compliance, bird and wildlife reporting and handling, airport emergency plan and any other management or operational subject an airline, air operator, airport operator, aerodrome operator, flight school or aerial applicator requests to be added.            

An inactive SMS is not an SMS that is inoperative, but an SMS  where there is dereliction of duty for complete regulatory compliance. Their task is so enormous that it is impossible to run a healthy SMS without a confidential adviser to the AE. The duty of a confidential adviser to the accountable executive, is to act in the best interest of the accountable executive and to fill the void of an inactive SMS.



Thursday, September 30, 2021

Smarten Up SMS

 Smarten Up SMS

By Catalina9

We don’t manage risks. We lead personnel, manage equipment, and validate operational design for improved performance above the safety risk level bar. A businesslike approach to safety is to lead the Safety management system in the direction of your visions, goals, and services. Running SMS like a businesslike approach to safety is to Smarten Up SMS. Smarten up SMS is not to ignore or take away regulatory requirements, or jeopardize safety in operations, but it is to make the Safety management system a userfriendly application for the Accountable Executive, SMS Managers, and all other personnel. Smarten Up SMS is applicable to both SMS-operators and non-SMS operators since it is a tool to apply safety in operations.

Smarten Up SMS is a choice at the fork in the road
Smarten Up SMS is based on the regulations that a safety management system shall be adapted to the size, nature and complexity of the operations, activities, hazards, and risks associated with the operation. A Safety management system that is too complex for operations, does not conform to regulatory requirements. The goal of Smarten Up SMS is to operate with a daily quality control program for compliance with the regulations and a prerequisite for a quality assurance program. The objective of Smarten Up SMS is to maintain ongoing regulatory compliance and safety in operations.

There are three parts to a Safety Management System. The first part is for the accountable executive to be responsible for meeting the requirements of the regulations on behalf of the airport authority, city, or town council, the mayor and city administrator, the aerodrome, the airline, aerial applicator or flight training unit. This responsibility includes research and development and the implementation of a daily quality control program.

The second part is for the SMS manager to be responsible for management of the SMS systems and implement plans researched, developed, and designed by the accountable executive. The SMS manager implement a reporting system to ensure the timely collection of information related to hazards, incidents and accidents that may adversely affect safety, identify hazards and carry out risk management analyses of those hazards, investigate, analyze and identify the cause of all hazards, incidents and accidents. The SMS manager also implement an electronic safety data collection system and an electronic analysis system to monitor and analyze trends in hazards, incidents, and accidents. Analyze trends in hazards is different than analyze trends of hazards. Trends of hazards is an enumeration of hazards identified, while trends in hazards are to first identify the effect a hazard has on operations. This can be achieved by defining safety critical areas and safety critical functions in operations. If, over a period of 30 days, 100 highway cones were observed on an airport ramp, there are 100 hazards identified, or one trend of hazards over that period. When applying trends in hazard these highway cones become multiple trends, since the trends may be obstructions to aircraft, obstructing the view, or distractions to pedestrians, vehicles, or aircraft operations. An SMS manager must monitor and evaluate the results of corrective actions, monitor the concerns of the civil aviation industry in respect of safety and their perceived effect on safety, and determine the adequacy of the training required for all personnel. 

Smarten Up SMS is to observe.

The third part of a safety management system is for all operational personnel to take part in the SMS, where operations are observed, reports are submitted, and assigned corrective actions are implemented. 

A daily quality control program is based on a simple principle that if the regulations are not broad enough to capture all aspects of their operation, the operator is responsible for safety in operations and must add additional safety levels to ensure an acceptable level of safety. The principle of Smarten Up SMS is to operate with a userfriendly system for the end-user, places a high workload on the accountable executive to conduct comprehensive research and development.  

The SMS regulations is a helpful tool for operators to document and establish processes that works. SMS is an oversight regulation and is therefore applicable to all aspects, or regulatory requirements of all airport or airline operations. As an example: A daily inspection at an airport is not a regulatory requirement but becomes a tool under the SMS regulation to comply with airport standards. An aerodrome operator, aerial applicator, flight school or airline are all required to comply with their own parts of the regulations and must have tools in place for compliance. Even though the SMS regulations is not applicable to all of these operations, it is a helpful tool to apply to ensure compliance with their specific applicable regulations. 

An operator may voluntarily use the SMS tools as their process control for compliance. Since the SMS tool are already available, and operators have access to use the systems, there is no need to begin new research and development to design a system to implement in their own operations.

It is vital for success for airports and airlines operations that they have a third party to represent their interest at audits, inspections, or onsite regulatory oversight activities. Corrective action plans (CAP), including research, development and presentation are extremely labor intensive and costly for both large and small operators. Develop and design CAP takes away time for safety in operation.

Smarten Up SMS is when nobody is in the office, but where everyone is away working.

The aviation industry has already moved into a rating level system, where audit compliance and customer service become your rating targets published. Just as a rating system is applied to all aspects of social media, it is also applied to aerodrome operators, airlines, flight schools or aerial applicators. Smarten Up SMS is not about what your SMS is, or who you are, but about who you must become.


Monday, September 20, 2021

SMS Authority

 SMS Authority

By Catalina9

A Safety Management System plays a role in the organizational charts for both airport and airlines, but without overriding any other regulatory requirements the SMS is an administrative tool rather than a safety improvement tool. Since the SMS being a businesslike approach to safety, poor decision makings are allowed, and losses are acceptable. In addition to other regulations, the regulator must verify that airports and airlines comply with all regulations and not just the SMS regulations. This could create conflicts between the SMS regulations and operational regulations. 

It is a lonely road for an AE to find hidden SMS facts.

The two avenues of a Safety Management System are the regulatory and operations avenues. The regulatory avenue includes oversight, policies, systems, research, development, design, compliance, project solutions leadership motivation, quality control, audits, and quality assurance. The operations side of the SMS are processes, procedures, implementation and maintenance, training, data collection, analyses, review, and communication. Oversight is by the Accountable Executive (AE) and operations is by the SMS Manager. 

The two regulatory requirements to act as the AE are that they have control of financial and human resources that are necessary operations. These requirements are different than roles and responsibilities of an AE, since they are only the authority to act as Accountable Executive. Their roles and responsibilities are defined in the regulations as to be accountable on behalf of an airport authority, a mayor, a city council, a corporation, a business, or a person for meeting the requirements of the regulations. Depending on size and complexity of an airport or airline, an Accountable Executive is responsible for between 250-500 regulations. This responsibility is much greater than the asserted responsibility over financial and human resources.  


The roles and responsibilities of an SMS Manager are operational in nature. Their responsibilities under the regulations are defined as being responsible for implementation of a reporting system to ensure the timely collection of information related to hazards, incidents and accidents that may adversely affect safety. Timely collection may be different today than yesterday and may look very different tomorrow. When SMS was first invented, timely delivery was by fax. If someone sends a fax today, their report might not arrive on the SMS Manager’s desk. 


Another responsibility is to identify hazards and carry out risk analyses of the hazards. This responsibility is so huge that it is almost impossible to comprehend. Identification of hazards are not defined in the regulations as an opinion, but actually of factual hazards. A hazard identified one day is still a hazard the next day. When hazards are identified an SMS Manager has a responsibility to investigate, analyze and identify the root cause of all hazards, incidents and accidents identified. The regulatory requirement is not to identify the root cause of selective hazards, but to identify the root cause of all hazards. 


An effective SMS needs a safety data system to be implemented by electronic or other means. This is another responsibility of the SMS Manager. When this requirement was first implemented a paperformat safety data system was acceptable, but as the SMS evolved it became unmanageable as a paperformat system and electronic databases were used. Over time this system also became obsolete since electronic spreadsheets could be manipulated or corrupted by adding or removing data. There are several SMS cloudbased services available, the comprehensive task is to select one that do not demand control over your Safety Management System. There are only a handful cloudbased data collection tools that let you maintain full control over your own SMS.  


This leads us to the next responsibility is that the SMS Manger implements a safety data system to monitor and analyze trends. Monitoring is to maintain regular surveillance over events, and to do this at uniform intervals. Monitoring events does do very little to improve safety. After data is collected it is turned into information to be absorbed by one, or all, of the five senses. When absorbed, information turns into knowledge, which is used to analyze for trends. When trends are known, the SMS Manager has a tool to comprehend interconnected links. This tool is also available to the SMS Manager as a tool to monitor and evaluate the results of corrective actions implemented from the analysis. 

Concerns of the aviation industry may vary with experience.

The most comprehensive responsibility that an SMS Manager has is to monitor the concerns of the civil aviation industry in respect of safety and their perceived effect on an airport or airline. There are several responsibilities applied to this regulatory requirement. The first task is to decide what to monitor, another task is to decide when to monitor, with a third task where to monitor, e.g. locally or globally, the next task is define in details why to monitor, in addition to the regulatory requirement, and who should monitor. Monitoring might not be done by the SMS Manager, but could be assigned to dispatch, flight following or airside maintainer. The final task is to decide how to monitor the aviation industry. 

Other responsibility an SMS Manger has is to determine the adequacy of the training required by the SMS Manager and for personnel assigned duties under the safety management system. A person with any responsibility for an aircraft operating airside at an airport or a person with airside responsibilities are personnel assigned duties under the SMS. This includes both the Accountable Executive and SMS Manger in addition to other workers with roles and responsibilities for the safe operations of an aircraft or airport. 

With all these SMS responsibilities both airline operations, or airside regulations will overrule SMS proactive actions. A requirement at an airport is to maintain obstacle free zones for approach surfaces and transitional surfaces. When an SMS identified that tall trees or construction cranes are almost penetrating these surfaces and should be removed as a precautionary action, the overall decisions in the past were that since these obstructions legally conform, they must not be removed or restricted. The same scenario could be applied to a damaged, but legally conforming engine, a stress-damaged wing that is legally conforming, or the tailstrike damage to Air China 601 accident. If SMS is given its intended regulatory powers by an airline or airport will be documented in how recovery in aviation after a pandemic is given accountability to legally conforming concerns. Both pilots and maintenance crew are experiencing the old effect of being “bushed”.  As an old bush-pilot, I've seen people get "bushed" living in the middle of nowhere for months and they would do unthinkable things. What the global aviation industry must comprehend is that pilots and mechanics are being “bushed” by quarantine and other enforced pandemic demands. Since the regulations is not broad enough to include, or cover this aspect of aviation safety, it becomes the responsibility of the airlines and airports to ensure that SMS is allowed to function as intended and capture every “almost” in aviation. 



Monday, September 6, 2021



By Catalina9

Exposure in the Safety Management System is an integrated part of a risk assessment and risk analysis. A risk assessment involves several steps and forms the backbone of an overall risk oversight plan. Included in a risk assessment is one or several risk analyses to determine the defining characteristics of each hazard and to assign risk level scores based on the analysis. Key components of a risk analysis are likelihood, severity and exposure. Likelihood is a definition of times between intervals of an active hazard, severity is a defined outcome of the occurrence, and exposure is the variable, defined as common cause variation or special cause variation and a assigned a function, or weight score, between 0 to 1. If the exposure is zero, the hazard does not exist or has been eliminated. When the exposure is one, the impact of a hazard is inevitable.

When common cause variations are treated as special cause variations, the risk analysis has taken the wrong turn at the fork in the road. Common cause variations are integrated in a process, they are necessary for the process and the process would fail if one or more common cause variations were eliminated. An example of common cause variation is ice in clouds and thunderstorms. For ice to form on an aircraft in flight, the air must be cold and contain moisture. Icing conditions frequently occur when moist air is forced upward. As the air rises, it expands and cools. If the air cools to the saturation point, where the temperature equals the dew point, the moisture will condense into clouds or precipitation. For ice to form there must be clouds or precipitation and icing can be most intense near the cloud tops, where the amount of liquid water is often greatest. This part of the cloud has the greatest amount of lifting, cooling, and condensation. Encountering inflight icing in clouds is therefore a common cause variation, while non inflight icing in clouds is a special cause variation.

When applying exposure in a risk analysis the task is to analyse in 3D and measured
in time (hours-minutes-seconds), space (geographical location) and compass (direction). A 3D analysis is to analyse a moving object within the tube itself, rather than from behind, below, above, beside or in front of a moving object. A 3D analysis is the expected view as observed by the pilot at a specific moment in time, location, and direction.

Exposure paints a picture of the past to plan for the future.
The first step when analyzing exposure is to determine if the variation is a common cause variation or a special cause variation. When traveling to or from work, people conduct a mental exposure analysis by leaving at a certain time to avoid the heaviest traffic. In aviation common cause variation analyses are also conducted for arrivals at major airports or during special events. Comprehension of systems is therefore vital to correctly identify the true variation and develop the proper corrective action plan. If encountering inflight icing in clouds was assigned as a special cause variation with a root cause analysis, the analysis would be derailed from the beginning. The analysis could easily take a turn to explain that icing in clouds were not in the forecast. While this might be true, does not make it a special cause variation, since icing in clouds is to be expected anytime an aircraft is flying above freezing level. 

If the freezing level was lower than forecasted still makes it a common cause variation, since this is what the freezing levels do every day. The forecasted freezing level is nothing else but a risk assessed model of what altitude the level might be in the future. Pilots and dispatches often blindfolded accept icing and freezing level computer models, which then could be mistaken for a special cause variation. Level of exposure changes with time, location, and direction of an aircraft. An aircraft on the ground has a zero-exposure level to inflight icing. The exposure level begins when the reach the rotation speed. Inflight icing could be from ice accumulated on the ground and the exposure level for inflight icing is therefore 1,or 100% likelihood, or probability, that the ice will affect aircraft performance. 

One reason for ground de-icing and anti-icing is to reduce the exposure level of inflight icing to an acceptable level and defined as holdover time. Research of anti-ice fluids has determined that the fluid remains effective for a short period of time and when an aircraft is airborne prior to the time expires, the exposure probability, or likelihood, to inflight icing is inconceivable, or times between intervals are imaginary, theoretical, virtual, or fictional.

After it has been determined that a variation is a common cause, the next step is to analyse how the hazard could be exposed, or how the hazard could affect operations. If the hazard is icing in cloud, the analysis shows a likelihood of 1 that flight into known icing will expose the aircraft to inflight icing. The analysis is both a part of the pre-flight planning and inflight operational observations. The severity of icing is determined by several conditions, but for the purpose of icing when entering clouds at a flight level above freezing level, the likelihood of exposure is methodical, planned and dependable, without defining the operational system or processes involved. When analysing flight crew, aircraft and expected level of icing severity, available operational systems play a role. Encountering icing may vary from a level of informational, which is a severity level that is not compatible with another fact or claim of the hazard, to catastrophic which is a severity level where functions, movements, or operations cease to exist, or it could be any level between these two extreme severity levels. Exposure level in SMS is a pre-flight, or pre-task operational tool with actions defined in applicable safety cases.

Special cause variation Beatty NV 1981-03-18
The third step and an analysis of level of exposure to a special cause variation is a totally different approach, since a
special cause variation is unexpected, it is an abnormal condition and a variation that is irrelevant for the process to function as expected. A special cause variation could be a
malfunctioning ITT or Inter Turbine Temperature during takeoff. Special cause variations are excluded from pre-flight planning since they are items covered by other levels of protections. When using the ITT example above, aircraft engines are regularly inspected and found acceptable, or it is removed from the aircraft if unacceptable. When the pilot takes off, the engine is expected to perform as it should without malfunctioning. However, a principle in aviation is to expect the best but to be prepared for the worst. Preparing for the worst at every takeoff is not exposure to an engine failure or other system failures but is a part of an ongoing recurrent training program. Below is an example of how a malfunctioning ITT is identified in a control chart and when this is identified a root cause analysis must be performed. Normally the ITT is running 680°, but one day it was 681°.

This variation did not trigger an incident or ITT exceedance, but it is a variation that is not common within the system itself and must be investigated with a root cause analysis. Exposure levels triggers two actions: The first action is to prepare for common cause variations and the second action is to conduct a root cause analysis of a special cause variation.


Sunday, August 22, 2021

Scale Down for Compliance

Scale Down for Compliance

By Catalina9

Scale Down for Compliance

An airport operator has several responsibilities when it comes to the activation of an airport emergency plan, activities during the emergency and post emergency activities. Airport Emergency Plan compliance is a comprehensive task which at first glance seems impossible to comprehend and achieve.

Airport emergency planning is the process of preparing an airport to cope with an emergency occurring at the airport or in its vicinity. The object of the airport emergency planning is to minimize the effects of an emergency, particularly in respect of saving lives and maintaining aircraft operations. The airport emergency plan sets forth the procedures for coordinating the response of different airport agencies and other community agencies in the surrounding community that could be of assistance in responding to the emergency. The basic needs and concepts of emergency planning and exercises are command, communicate and coordinate.

An airport operator has a responsibility to identify organizations at the airport and community organizations that are capable of aiding during an emergency at the airport or in its vicinity. Telephone numbers and other contact information for each organization are listed in the airport emergency plan and the type of assistance each organization can provide is also listed.

An airport operator has a responsibility to identify any other resources available at the airport and in the surrounding communities for use during an emergency, or in recovery operations and provide their telephone numbers and other contact information.

An airport operator has a responsibility to describe lines of authority for each emergency and the relationships between the organizations and how interactions between these organizations are coordinated, and coordination within each of these organizations.

An airport operator has a responsibility to identify supervisors and describe the responsibilities for each emergency.

An airport operator has a responsibility to specify the positions occupied by airport personnel who will respond to an emergency and describe their specific emergency response duties.

An airport operator has a responsibility to identify the on-scene controller and describe the person’s emergency response duties.

An airport operator has a responsibility to provide authorization for a person to act as an on-scene controller or a supervisor if they are not airport personnel.

An airport operator has a responsibility to set out the criteria to be used for positioning the on-scene controller within visual range of an emergency scene.

An airport operator has a responsibility to set out the measures to be taken to make the on-scene controller easily identifiable at all times by all persons responding to an emergency.

An airport operator has a responsibility to describe the procedure for transferring control to the on-scene controller if initial on-scene control was assumed by a person from a responding organization, e.g. fire, ambulance or police.

An airport operator has a responsibility to describe any training and qualifications required for the on-scene controller and other airport personnel identified in the emergency plan.

An airport operator has a responsibility to describe the method for recording any training provided to the on-scene controller and airport personnel.

An airport operator has a responsibility to describe the communication procedures and specify the radio frequencies to be used to link the airport operator with the on- scene controller, and to link the airport operator with the providers of ground traffic control services and air traffic control services.

An airport operator has a responsibility to describe the communication procedures allowing the on-scene controller to communicate with the organizations identified in the emergency plan.

An airport operator has a responsibility to identify the alerting procedures that activate the emergency plan, establish the necessary level of response, allow immediate communication with the organizations identified in the emergency plan in accordance with the required level of response, confirm the dispatch of each responding organization, establish the use of standard terminology in communications, and establish the use of the appropriate radio frequencies as set out in the emergency plan.

An airport operator has a responsibility to specify the airport communication equipment testing procedures, a schedule for the testing, and the method of keeping records of the tests.

An airport operator has a responsibility to specify the location of the emergency coordination center used to provide support to the on-scene controller when ARFF is on the field.

An airport operator has a responsibility to describe the measures for dealing with adverse climatic conditions and darkness for each potential emergency.

An airport operator has a responsibility to describe the procedures to assist persons who have been evacuated if their safety is threatened or airside operations are affected.

An airport operator has a responsibility to describe the procedures respecting the review and confirmation of emergency status reports, coordination with the coroner and the investigator designated by the Transportation Safety Board of Canada regarding the accident site conditions, disabled aircraft removal, airside inspection results, accident or incident site conditions, and air traffic services and NOTAM coordination to permit the return of the airport to operational status after an emergency situation.

An airport operator has a responsibility to describe the procedures for controlling vehicular flow during an emergency to ensure the safety of vehicles, aircraft and persons.

An airport operator has a responsibility to specify the procedures for issuing a NOTAM in the event of an emergency affecting the critical category for fire fighting if ARFF are available on the field, or changes or restrictions in facilities or services at the airport during and after an emergency.

An airport operator has a responsibility to describe the procedures for preserving evidence as it relates to aircraft or aircraft part removal, and the site of the accident or incident in accordance with the Canadian Transportation Accident Investigation and Safety Board Act.

An airport operator has a responsibility to describe the procedures to be followed, after any exercise, or the activation of the plan, a post-emergency debriefing session with all participating organizations, the recording of the minutes of the debriefing session, an evaluation of the effectiveness of the emergency plan to identify deficiencies, changes, if any, to be made in the emergency plan, and partial testing subsequent to the modification of an airport emergency plan.

An airport operator has a responsibility to describe the process for an annual review and update of the emergency plan, describe the administrative procedure for the distribution of copies of an updated version of the emergency plan to the airport personnel who require them and to the community organizations identified in the plan, and describe the procedures to assist in locating an aircraft when the airport receives notification that an ELT has been activated.

An airport operator includes in the airport emergency plan a copy of signed agreements between the airport operator and community organizations that provide emergency response services to the airport and an airport grid map.

A Safety Management System (SMS) is a process oversight system of all areas of airport operations. The challenge with an Airport Emergency Plan (AEP) is not all required responsibilities, and a conglomerate of interactions, but that the AEP must be scaled down to size and complexity of the airport. Unless the AEP is scaled, the airport operator is in non- compliance with a regulatory requirement that a safety management system is adapted to the size, nature and complexity of the operations, activities, hazards and risks associated with the operations. The key to success is to scale down to a common denominator with combined tasks.


How to Audit SMS

How to Audit SMS By Catalina9 C onventional wisdom of how to audit the Safety Management System (SMS) is to generate an audit checklist base...