Monday, July 26, 2021

$ Money Talks $


By Catalina9

One could define risk management as the identification, analysis and elimination of hazards, as well as of the residual risks that threaten the viability of an enterprise. The discussion of whether it is possible or practical to eliminate hazards is ongoing, with opposing views. Airports and airlines accept the inherent risks in aviation every time there is a movement on the field or in aeronavigation. On the other hand, both regulators and professional auditors expect corrective action plans in which an operator makes changes to ensure that an occurrence will never happen again. While it is unreasonable to expect the complete elimination of risk in aviation, it is also unreasonable to expect that all risks are acceptable. It is a fine line to balance between which risks to eliminate and which risks to accept. Risk acceptance, or elimination, is a 3D identification process measured in time (speed), space (location), and compass (direction). When 3D thinking is introduced, a future scenario, or exposure level, can be designed. Risk mitigation then becomes exposure-level mitigation and not the mitigation of the hazard itself. This does not imply that the future can be predicted, but it implies that data, information, knowledge, and comprehension are vital steps to predict hazards that affect operational processes. Exposure-level mitigation is currently a major part of risk mitigation, e.g., airside markings, markers, signs or lighting, or aeronavigation flow into congested airspace and for gate assignments.

Risks in aviation are the common cause variations, which are variations within a process that are required for the process to function as intended. An example of a common cause variation is runway friction. Without runway friction, landings and takeoffs would not be possible. For an air operator, runway friction becomes a special cause variation with rain, snow or slush. Special cause variations are mitigated to an acceptable exposure level. The difference between a risk and a hazard is that a hazard is one item and the effect it has on safety, while the risk is a conglomerate of hazard probabilities in a 3D scenario with a combined effect on safety.

Let’s take a moment and analyze the probability of a midair disaster involving two aircraft departing 350 NM apart and travelling to two different destinations in non-congested airspace. If a risk assessment of a midair collision were done prior to departure, the assumption is that both assessments would accept the risk and define it as green. In this first risk assessment, the planned departure times and destinations of the other aircraft were unknown. An inherent risk in aviation, or common cause variation, is that the 3D positions of other aircraft flying in accordance with the visual flight rules (VFR) are unknown. In an instrument flight rules (IFR) environment, the positions of other aircraft, or their estimated 3D positions, are known and mitigated; the exposure level is mitigated to an acceptable level. In a VFR operational environment, the exposure level is unknown until communication between pilots, or visual contact, has been established.

Safety in aviation is the strategic game of moving hazards.
Two aircraft may be on a collision course without knowing of each other. Depending on aircraft design, an approaching aircraft may be in a blind spot for several minutes, as it was for flight 498. An exposure level may last for several minutes, or only for a split second. When the 3D location is unknown, the exposure level is unknown, even if two aircraft are on a certain collision course. In 2012 two aircraft departed 350 NM apart for different destinations and crashed midair. A 3D location could have been calculated if their altitude, track and groundspeed were known. However, flying VFR and relying on visual or audio cues is an inherent risk, or a common cause variation, in aviation. A common cause variation transforms into a special cause variation when one or more of the other systems are malfunctioning. The investigating authority identified a weakness of the see-and-avoid system for VFR flights. A secondary malfunction may have been in the position reporting system when departing an altitude, or in communicating the intended VFR approach procedure.
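The 3D-location calculation mentioned above can be sketched in a few lines. This is a minimal flat-earth approximation, not a navigation-grade computation: positions are in nautical miles on a local grid, tracks are degrees true, and the aircraft figures below are invented for illustration.

```python
from math import sin, cos, radians, sqrt

def velocity(track_deg, gs_kt):
    """Convert track (degrees true) and groundspeed (kt) to x/y components (kt)."""
    return (gs_kt * sin(radians(track_deg)), gs_kt * cos(radians(track_deg)))

def closest_approach(p1, v1, p2, v2):
    """Time (hours) and distance (NM) of closest approach for two aircraft
    with positions p (x, y in NM) and velocities v (x, y in kt)."""
    dx, dy = p2[0] - p1[0], p2[1] - p1[1]
    dvx, dvy = v2[0] - v1[0], v2[1] - v1[1]
    dv2 = dvx * dvx + dvy * dvy
    if dv2 == 0:  # identical velocities: separation never changes
        return 0.0, sqrt(dx * dx + dy * dy)
    t = max(0.0, -(dx * dvx + dy * dvy) / dv2)  # clamp: past approaches don't count
    cx, cy = dx + dvx * t, dy + dvy * t
    return t, sqrt(cx * cx + cy * cy)

# Hypothetical example: two aircraft 100 NM apart, head-on at 120 kt each.
t, d = closest_approach((0, 0), velocity(90, 120), (100, 0), velocity(270, 120))
```

With altitude, track and groundspeed known for both aircraft, this kind of projection is exactly what turns an unknown VFR exposure level into a calculable one.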

The safety cycle in aviation is safety, operations, and accounting. When a student pilot takes off for their first solo flight, their primary concern is safety and that their first landing will be a safe landing. Their general flying skills, or the cost of the airplane, become secondary to safety. When safety is achieved and the student pilot is proficient in landing, they focus on cross-country skills and flights beyond sight of the airport. More time accumulated equals more money spent. Eventually, money becomes the governing factor of flying.


The principle, or cycle, of safety, operations and accounting is a cycle that airlines and airports go through at regular intervals. When first starting up, an airline's primary concern is safety, including new startups of low-cost carriers. Without safety processes in place, they would not qualify for the operations certificate. When SMS became a regulatory mandate, airlines and airports went overboard to ensure safety compliance. As they move forward, customer service is added to safety in operations, but eventually their capacity maxes out and cost becomes the determining factor. A regional airline spent more than $750,000.00 within a short time to ensure safety compliance. Eventually the accounting department focuses on cash spent on safety and demands reductions in spending. At first this seems reasonable and acceptable, but over time this drift eliminates critical tasks and moves the operation closer to the fine line between safety and incidents. Several years ago, a regional operator who had not experienced a fatal accident in 35 years had their first fatal accident because they relied on prior years' track records, which had included safety processes. With a good track record, it made sense to accounting to reduce cash spent on safety investments. Fail to plan equals plan to fail.

Safety in aviation is not about which accidents or incidents did not occur, but about what the cash return on safety investment is. In general terms, return on investment is the additional revenue, or cash, generated. The return on investment in aviation safety is the reduction of cash spent on safety, or negative cash generated. The return on investment of SMS is not the savings from a reduction of accidents or incidents, but the cash revenue generated by in-control processes and organizationally based safety investment decisions. A CEO of a company works with cash daily, and a reduction of a quantity is less significant than a higher cash value of the organization. For an airline or airport with 500,000 annual movements or cycles, a reduction of annual incidents from 1,500 to 1,200 is less significant to the CEO and the Board than a reduction in cash spending of $1,080,000.
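The arithmetic behind the incident-versus-cash framing above is worth making explicit. The figures are the ones used in the text; the average cost per incident is an assumption chosen so the numbers reconcile, not a published industry value.

```python
# Hypothetical figures: incidents fall from 1,500 to 1,200 per year.
# The $3,600 average cost per incident is an assumed value, chosen here
# only to show how the $1,080,000 cash figure can be reconciled.
incidents_before = 1_500
incidents_after = 1_200
avg_cost_per_incident = 3_600  # assumed, illustrative only

cash_saved = (incidents_before - incidents_after) * avg_cost_per_incident
print(f"Annual cash saved: ${cash_saved:,}")
```

Framed this way, the same safety result can be reported to the Board as cash generated rather than incidents avoided.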

When the reduction of cash spent on incidents has a positive impact on the bottom line, the old-fashioned cycle of safety may be broken, and continuous safety improvements become an available option to the processes. Money talks, and when safety is the profit generator, it makes sense to invest in safety.


Friday, July 9, 2021

Make An Effective Root Cause Analysis


By Catalina9

Within an aviation safety management system, a root cause analysis should be conducted of special cause variations which caused an incident. The two types of variations are common cause variations and special cause variations. A common cause variation exists within the system itself as an inherent risk and is to be mitigated by applying a risk analysis of a probability exposure level upon arrival at a location, direction, or time. Bird migration and seasonal airframe icing are examples of common cause variations. Special cause variations do not exist within the process itself but are interruptions to a process by external forces. Birds or wildlife on the runway, or an icy runway, are special cause variations, since they are beyond airport certification requirements: the airport operator is expected to maintain a bird- and wildlife-free runway environment and a contamination-free movement area. However, for an airport operator, both bird and wildlife activity and ice contamination are common cause variations, to which they should apply an expected exposure level upon arrival of an aircraft.

The two most common root cause analysis processes are the 5-Whys and the fishbone. The fishbone analysis is a visual analysis, while the 5-Whys is a matrix. The preferred method is defined in the enterprise’s SMS manual. The root cause output, or corrective actions required, will vary with the type of analysis used and the subjectivity of the person conducting the analysis. The first step in a root cause analysis is to determine if a root cause is required and why it is required. A risk level matrix should identify when a root cause is needed. A root cause analysis should be conducted for special cause variations; however, the risk level of a special cause should be the determining factor for the analysis. For a risk matrix to be both objective and effective, it must define the immediate reaction upon notification, identify when a root cause analysis is needed, and define both the risk levels at which an investigation is required and the acceptable risk level at which an investigation is conducted.
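The 5-Whys process can be sketched as a simple chain: each answer becomes the subject of the next "why", funnelling toward a candidate root cause. The runway-excursion chain below is a hypothetical example for illustration, not a real investigation.

```python
def five_whys(finding, answers):
    """Pair each successive 'why' with its answer; the last answer in the
    chain is the candidate root cause."""
    chain = []
    subject = finding
    for answer in answers:
        chain.append((f"Why: {subject}", answer))
        subject = answer  # the answer becomes the next question's subject
    return chain

# Hypothetical chain for a runway-excursion finding.
chain = five_whys(
    "Aircraft exited the runway surface",
    ["Braking action was poor",
     "Runway contamination was not reported",
     "The friction test was skipped",
     "The shift checklist omitted the test",
     "The checklist was not updated after a procedure change"],
)
candidate_root_cause = chain[-1][1]
```

Note how the chain ends at something that *was* done (an outdated checklist was used), consistent with the principle later in this post that a root cause is assigned to what was done, not to what was not done.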

When conducting a root cause analysis there are four factors to be considered. The first is human factors, the second is supervision factors, the third is organizational factors and the fourth is environmental factors. Environmental factors are categorized into three sub-factors: climate (comfort), design (workstation) and culture (expectations). Culture is different from organizational factors in that its expectations are applied to time, location, or direction. Example: a client expects a task to be completed at a specific time, at an expected location, with a direction of movement after the task is completed. Organizational factors are how the organizational policies are commitments to the internal organization in an enterprise, and the accountable executive’s commitment.

There is only one root cause,
but several options for selection
A principle of the safety management system is continuous, or incremental, safety improvements, and an accurate root cause sets the stage for moving safety forward. The very first step in a root cause analysis is to identify the correct finding. This might be a regulatory non-compliance finding, an internal policy finding, or a process finding. The root cause analysis for a regulatory non-compliance finding is an analysis of how a regulation was missed, or how an enterprise drifted away from the regulatory requirement. An example of regulatory non-compliance is when an enterprise drifts away from making personnel aware of their responsibilities within a safety management system. The root cause is then applied to the accountable executive level, who is responsible for operations or activities authorized under the certificate and accountable for meeting the regulatory requirements. The root cause for an internal policy finding is when the safety policy becomes incidental and reactive to events and occurrences, rather than a forward-looking policy, organizational guidance material for operational policies and processes, and a road map with a vision of an end result. A sign of a safety policy in distress, or a system in distress, is when policy changes are driven by past events, opinions, or social media triggers, rather than future expectations. An internal policy root cause is applied to the management level in an enterprise. The most common root cause analysis is a process finding root cause. This root cause analysis is applied to the operational level. An example could be a runway excursion. With a runway excursion, both the airport and the airline are required to conduct a root cause analysis of their processes.
The root cause is your compass.

A root cause analysis backtracks the process from the point of impact to a point where a different action may have caused a different outcome. A five-column root cause matrix should be applied to the analysis. The justification for a five-column analysis is to populate the root cause matrix with multiple scenario questions rather than one scenario that funnels into a root cause answer. The beauty of a five-column root cause analysis is that answers from any of the columns may be applied to the final root cause, and if it is later determined to be an incorrect root cause, the answers to the new root cause analysis are already populated in the matrix. When the root cause is assigned, it should be stated in one sentence only. It is easy to fall into the trap of assigning the root cause to what was not done. However, since time did not stop and something was done, the root cause must be assigned to what was done prior to the occurrence. An example of an ineffective root cause would be that the pilot did not conduct a weight and balance prior to takeoff. In the old days of flying, the weight and balance of a float plane was analyzed by the depth and balance of the floats. Airplanes flew without incidents for years using this method. For several years, standard weights were applied to personnel and luggage. Applying the standard weight process is similar to applying the float analysis process. Aircraft flew without incidents for years applying guesstimates of weight rather than actual weight. At the end of the day, the fuel burn became the tool to confirm whether a correct or incorrect weight was applied. That a weight and balance was not done is not the root cause. The root cause could be one or a combination of human factors, organizational factors, supervision factors or environmental factors. The next step in a root cause analysis is to analyze these factors and assign a weight score to the root cause factor.

A weight score is applied to human factors, organizational factors, supervision factors and environmental factors by asking the 5-W’s + How.  Examples of considerations are shown below.
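The weight-scoring step can be tabulated as below. This is a hedged sketch: the 0–3 scale per question, and the sample scores, are invented for illustration; an enterprise's own SMS manual would define the actual scale and considerations.

```python
# Assumed scheme: each of the 5-Ws + How is scored 0-3 per factor,
# and the factor with the highest total carries the root cause.
FACTORS = ["human", "supervision", "organizational", "environmental"]
QUESTIONS = ["what", "when", "where", "who", "why", "how"]

def weight_score(answers):
    """answers: {factor: {question: score 0-3}} -> total score per factor."""
    return {f: sum(answers.get(f, {}).get(q, 0) for q in QUESTIONS)
            for f in FACTORS}

# Hypothetical scores from a completed analysis.
scores = weight_score({
    "human":          {"what": 2, "why": 3, "how": 1},
    "supervision":    {"who": 1},
    "organizational": {"why": 2},
    "environmental":  {"where": 1},
})
root_cause_factor = max(scores, key=scores.get)  # highest-weighted factor
```

The output of a scheme like this is a single dominant factor, which keeps the root cause statement to the one sentence the text calls for.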

When the root cause has been decided, but prior to the implementation phase of the corrective action plan (CAP), apply a link to the safety policy via objectives and goals through a process design flowchart of the expected outcome. This flowchart is your monitoring and follow-up document of the CAP for each step defined in the process.


Monday, June 28, 2021

Illegal Activity, Negligence or Wilful Misconduct


By Catalina9

The Safety Management System (SMS) Safety Policy is the platform on which the SMS is built. The policy is built on an idea, a vision, and expectations of future achievements. A policy is a course or principle of action adopted or proposed by a government, party, business, or individual. An SMS policy follows these same principles and remains in force until the idea, vision, or expectations change. It is crucial to the success and integrity of a Safety Management System that the Safety Policy is designed to serve the major definite purpose of an enterprise. There is one quality which one must possess to win, and that is definiteness of purpose: the knowledge of what one wants, and a burning desire to possess it. A major definite purpose is the core purpose for the existence of an organization, and the hub where goals, objectives and processes are developed and designed. The more you think about the purpose of your SMS Policy, and how to achieve it, the more you attract people, opportunities, ideas, and resources that help you move more rapidly toward your goal.

Negligence is drift, or abandonment, and invisible in the daily operations.
A requirement of a safety policy is that it includes an anonymous reporting policy, a non-punitive reporting policy and a confidential reporting policy. A purpose of these reporting systems is to preserve the integrity of the Safety Policy. A non-punitive reporting policy is a commitment by the Accountable Executive (AE) to the event itself, and to personnel who were involved in an event, that punitive actions are off the table. During the pre-SMS days, punitive actions were applied depending on the severity of the outcome, prior history and expected reoccurrence. Punitive actions were subjective, biased and based on one person’s opinion. A pilot who was involved in an incident expected to be terminated on the spot. There was an expectation by air operators that a commercial pilot should have the knowledge and experience to get the job done. Back then, when the weather was low, the expectation was to go and take a look: if you see the runway, land, but if you don’t, try again. A young pilot did just that and flew an approach to zero visibility, landed, and kept the job. Today, in an SMS world, a pre-takeoff hazard report could have been submitted and the flight cancelled. Then there are other examples, such as a pilot who was terminated so that the operator would look good for their clients, after an aircraft on fire was recovered with the first officer frozen on the controls. Punitive actions were an integrated part of a system to improve pilot skills and remove the bad apples. In a non-punitive reporting system, the report may go to those who need to know and to those who should know, and a summary of events is also disseminated throughout the organization for information purposes.

A confidential reporting system is when the report only goes to the persons who need to know, or to a director level within the organization. At the director level, the report may go to others than those who need to know, but the report is still confidential to the director level. The purpose of a confidential reporting system is that the reporting process is within a controlled system and that the contributor has confidence that the report is not shared outside of the director level, or those who need to know. A contributor of a confidential report may allow for the report to be shared within the organization, or may also contribute to the SMS with videos and clarification of how an incident happened.

A non-punitive policy is the most often applied policy, since it is applied to every single SMS report received as a commitment to the contributor by the AE. There is an ongoing discussion in the aviation industry about what makes a non-punitive policy effective. One opinion is to view it from a contributor’s point of view as a job performance assessment, where an incident becomes a learning tool for continuous safety improvements. This is defined in a statement of the conditions under which immunity from disciplinary action will be granted. Another opinion is to view it from an enterprise’s point of view, where the policy is only applied if an incident does not trigger litigation or legal action against the worker or enterprise, and defined in a statement that the non-punitive policy is not applied if a worker was involved in illegal activity, negligence or wilful misconduct.

These two opposing regulatory requirements support the same common goal, which is safety in aviation, but they are opposing views. They are opposing views since one requires definitions of unacceptable behaviors, while the other requires definitions of acceptable behaviors. There is a fine line, and often an invisible line, to balance between accepting an event under the non-punitive policy and excluding the event from the policy.

Non-punitive policy is a tool for continuous learning.

The foundation of a Safety Management System is a just culture. In a just culture there is trust, learning, accountability and information sharing. A just culture is one where there are justifications for actions or reactions. For an enterprise to apply one or the other definition to their non-punitive policy, a safety case, or change management case, must be conducted with a risk assessment of their justifications for the application of either of these two definitions. Both unacceptable behaviors, when punitive actions are necessary, and acceptable behaviors, when immunity will be granted, must be defined pre-event in the Safety Policy, with detailed definitions and publication of the five W’s and How in their SMS Manual. The five W’s and How are to define the What, When, Where, Why, Who and How of both illegal activity, negligence or wilful misconduct, and of when immunity from disciplinary action will be granted.

There is no expectation that an enterprise retains workers who show behaviors of illegal activity, negligence or wilful misconduct. These behaviors could cause the destruction of a successful business. However, SMS is a job-performance review, not a legal-activity review. When an SMS policy states that illegal activity, negligence or wilful misconduct are unacceptable, everything else becomes acceptable. Until the level of these behaviors is reached, the AE makes a commitment to the worker to continue to work. In addition, in an enterprise that allows for any behavior except illegal activity, negligence or wilful misconduct, there is no room for training or continuous safety improvements. On the other hand, in an organization that defines the conditions under which immunity from disciplinary action will be granted, a defined list of job-performance safety-critical areas can be applied. It is crucial for an enterprise to comprehend that even if punitive actions are accepted, there is no regulatory requirement that they must be applied. However, when applied, they must be applied systematically, or evenly, to all workers, including senior management. The very first case pursuant to the SMS policy applying punitive action sets the bar for all future punitive actions.

When conducting a safety case for which definition to apply to a safety policy, the case must focus on how the policy affects the future of operations and, more importantly, how the policy affects an expanding business. A short-term non-punitive policy applied to a single-pilot, single-engine operator, or a small regional airport, may restrict the operator from expanding into multi-crew and multi-engine aircraft, or restrict an airport from expanding to multiple runways and international traffic. A safety case applies the 5-Ws and How to processes rather than to the issue. As an example, the What question could be asked as: What is illegal activity, negligence or wilful misconduct, or What is the process to establish the baseline for illegal activity, negligence or wilful misconduct? Asking a process question does not eliminate the fact that these behaviors must be clearly defined in the SMS manual.

Both scenarios require comprehensive pre-defined and published definitions. A concept of the SMS is to pre-define and clearly spell out job-performance expectations. When job-performance expectations are undefined until they reach the level of illegal activity, negligence or wilful misconduct, the line at which these levels are reached must be clearly defined. Generally speaking, illegal activity is an act committed in violation of law where the consequence of conviction by a court is punishment, especially where the punishment is a serious one such as imprisonment. A definition of negligence is failure to use reasonable care, resulting in damage or injury to another, and a definition of wilful misconduct is any act, omission or failure to act (whether sole, joint or concurrent) by a person that was intended to cause harmful consequences to the safety or property of another person. In addition to general definitions, each sub-definition must be clearly defined. When job-performance expectations are defined under which immunity from disciplinary actions will be granted, these expectations must be clearly defined. They are defined as Safety Critical Areas with a subcategory of Safety Critical Functions. A comprehensive list could include more than 500 events to consider.

An airport or airline operator must apply the regulatory requirement applicable to their operations. Within a just culture, or a non-punitive environment, there must be justification for pre-defined actions or reactions. The four principles within a just culture are trust, learning, accountability and information sharing. As long as an operator is governed by these principles, they may apply any non-punitive policy tailored to the needs of their operations.


Monday, June 14, 2021

How To Do A Risk Analysis


By Catalina9

There is a difference between a risk analysis and a risk assessment. A risk assessment involves several steps and forms the platform of an overall risk management plan. A risk analysis is one of those steps: it defines a characteristic of each risk level and assigns a weight score as a part of the risk assessment. Generally speaking, a risk assessment includes identifying the issues that contribute to risk, analyzing their significance, identifying options to manage, or maintain oversight of, the risk, determining which option is likely to be the best fit for the size and complexity of an organization, and assigning recommendations to decision-makers. A risk assessment also includes one or multiple risk analyses for both pre-mitigation and post-mitigation risk. A risk analysis is one single justification task of likelihood and severity of a hazard, communicated as a risk level, and it may be a standalone document or a supporting document in a risk assessment.

There are several guidance materials available on how to do a risk analysis, which come with different designs. A risk analysis may focus on the likelihood of a hazard, or it may focus on the severity of a hazard as the determining factor. The combination of likelihood and severity is communicated as a risk level. A common risk analysis tool is the risk matrix, which assigns a reaction to the risk by colors. Red is normally an unacceptable risk level, while yellow may be acceptable with mitigation and green is acceptable without a reaction to the hazard. In a risk matrix, likelihood and severity are assigned classification letters and numbers. A low number could be assigned a high severity or a low severity depending on how the risk matrix is designed. The same is true for the likelihood level, where the letter “A” could be a high or a low likelihood depending on the matrix design.
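A letter/number risk matrix of the kind described above can be sketched in code. As the text notes, whether "A" means high or low likelihood depends on the matrix design; in this sketch "A" is assumed to be the highest likelihood and 1 the highest severity, and the color thresholds are invented for illustration.

```python
# Assumed design: "A" = highest likelihood, 1 = highest severity.
LIKELIHOOD = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1}
SEVERITY   = {1: 5, 2: 4, 3: 3, 4: 2, 5: 1}

def risk_level(likelihood_letter, severity_number):
    """Combine likelihood and severity into a color band.
    Thresholds are illustrative, not from any regulatory matrix."""
    score = LIKELIHOOD[likelihood_letter] * SEVERITY[severity_number]
    if score >= 15:
        return "red"      # unacceptable
    if score >= 6:
        return "yellow"   # acceptable with mitigation
    return "green"        # acceptable without a reaction to the hazard
```

For example, `risk_level("A", 1)` (highest likelihood, highest severity) lands in red, while `risk_level("E", 5)` lands in green, matching the color convention described in the paragraph above.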

A current risk analysis level.

Level of exposure is a third component of a risk analysis, and to simplify the risk analysis it is normally assigned an exposure level of 1. An assigned exposure level would be between 0 and 1, or 0% to 100% certainty. With the exposure level assigned as 1, the certainty is definite, and the hazard has appeared. As an example, birds are a hazard to aviation. The exposure level to birds for an aircraft on an approach in January is quite different from that for an aircraft on an approach to the same runway in May. Due to a common cause variation, the migratory bird season increases bird activity during spring and fall months at airports. During the migratory season an airport may apply multiple mitigation processes by ATIS notification, ATC direct notification or means to scare the birds away from the airport. Birds are attracted to food sources, and the black runway surface is an attraction for insects, which in turn attract birds. An exposure level for bird activities, without affecting flight operations, may be between 0.1 and 0.9, or up to 90%. An operator may decide to cancel a flight with an exposure level at 90%. However, this is an extreme operational decision, since passengers and freight are dependent on the airline in support of their own integrity and on-time commitments. Most often a scheduled or on-demand flight would continue as planned and rely on other aircraft or the airport to scare birds away from the approach or departure ends. By eliminating the exposure criterion and applying an exposure level of 1, a hazard, or risk level, for each segment of the flight may be applied. Another common cause variation is thunderstorms, with an expectation that they are mitigated at the time of exposure.
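The exposure-level weighting described above can be folded into a risk score as a simple multiplication. This is a hedged sketch using the seasonal bird example; the likelihood and severity numbers are invented for illustration.

```python
def exposure_adjusted_risk(likelihood, severity, exposure=1.0):
    """Weight a likelihood x severity score by exposure (0.0-1.0).
    exposure = 1.0 means the hazard is definitely present."""
    assert 0.0 <= exposure <= 1.0, "exposure must be a probability"
    return likelihood * severity * exposure

# Hypothetical numbers: same bird hazard, different seasonal exposure.
january = exposure_adjusted_risk(likelihood=4, severity=4, exposure=0.1)
may     = exposure_adjusted_risk(likelihood=4, severity=4, exposure=0.9)
```

The same hazard produces a much lower weighted score in January than in May, which is exactly why assigning exposure = 1 (hazard definitely present) simplifies the analysis to a per-segment worst case.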

When conducting a risk analysis, one of the most important factors is to reduce subjective, wishful, biased, or opinion-based inputs. A common cause variation of a risk analysis is the individual assumptions, which do not make it a faulty risk analysis, but an analysis with justification of assumptions, or individual variations. One descriptor of a risk assessment is “Possible”, with a definition that it is possible to occur at least once a year. When a risk analysis is conducted of the hazard of bush flying, or of flying into one of the most congested airports in the world, the likelihood of occurrence would not reach the level of “Possible”, since human behavior is to take the path of least resistance. A likelihood of “Possible” would increase the workload dramatically, and it could also restrict business, or flights, into areas of a high profit margin. If this is a new route or area of operations, the justification is based on a wish or opinion and might not be a true picture of the hazard. However, if the risk analysis justification is based on prior years’ documented records, the risk analysis is based on data and paints a true picture. There is no one-size-fits-all answer in a risk assessment, and there are no correct or incorrect answers, since it is the operator who accepts or rejects the risk. While this is true, it is also the customer who accepts or rejects the risk of using the services provided by one or the other air carrier.

One of the principles of a Safety Management System is to operate within a Just Culture. A Just Culture is a culture where there are justifications for actions, both proactive and reactive. A risk analysis is just as much a part of justification as any other area of Just Culture operations. After a risk analysis, both likelihood and severity are processed through a justification process. The platform to build on for likelihood justification is time between intervals. The first level is when times between intervals are imaginary, theoretical, virtual, or fictional. This is a level with no data available, and it is unreasonable to expect the likelihood to occur. An example would be the likelihood of a meteor landing in your back yard. The second level is when times between intervals are beyond factors applied for calculation of problem-solving in operations. At this level, the likelihood cannot be reasonably calculated; it is just as impossible as reaching the last digit of pi. The third level is when times between intervals are separated by breaks, or spaced greater than normal operations could foresee.

In a justification culture there is a justification why the scale is not balanced.
Number four is when times between intervals are without definite aim, direction, rule, or method. Incidents happen, but they are random and unpredictable. Level five is when times between intervals are indefinable. This is when it is impossible to predict an incident, but most likely one or more will occur during an established timeframe. Level six is when times between intervals are inconsistent. This is when incidents occur regularly, but they are not consistent with expectations. Level seven is when times between intervals are protracted and infrequent; events may last longer than expected, but the frequency is relatively low. Level eight of the likelihood scale is the foothills of a systemic likelihood, when times between intervals are reliable and dependable. Levels nine and ten are the systemic levels, when times between intervals are short, constant and dependable, or methodical, planned and dependable, without defining the operational system or processes involved.
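The ten likelihood-justification levels can be condensed into a lookup table. The descriptions below are paraphrased from the text; turning them into a table is an illustrative convenience, not a published standard.

```python
# Ten likelihood-justification levels, paraphrased from the text above.
LIKELIHOOD_LEVELS = {
    1:  "intervals imaginary/theoretical; no data available",
    2:  "intervals beyond what operational calculation can reach",
    3:  "intervals separated by breaks greater than operations foresee",
    4:  "intervals without definite aim, direction, rule, or method (random)",
    5:  "intervals indefinable, but events likely within a timeframe",
    6:  "intervals inconsistent with expectations",
    7:  "intervals protracted and infrequent",
    8:  "intervals reliable and dependable (foothills of systemic)",
    9:  "intervals short, constant and dependable (systemic)",
    10: "intervals methodical, planned and dependable (systemic)",
}

def justify_likelihood(level):
    """Return the interval-based justification for a likelihood level 1-10."""
    return LIKELIHOOD_LEVELS[level]
```

A table like this makes the justification step auditable: each likelihood claim in a risk analysis points to one named interval pattern rather than an opinion.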

After the likelihood level is justified, the justification process continues to the severity level. There are also ten severity levels, which are independent of the likelihood levels. The platform for classification of the severity levels is a platform of expectations. Building on the platform, level one is a severity that is not compatible with any other fact or claim about the hazard. Level two is a severity with insignificant consequences, and level three a severity inferior in importance, size, or degree. Level four is a severity that would attract attention to an operational process, cause operational inconvenience, or cause unscheduled events. Level five is a severity large in extent or degree, and level six a severity involving an industry-standard defined risk, or a risk significant in size, amount, or degree. Level seven is a severity having an influence or effect of a noticeably or measurably large amount, caused by something other than mere chance or ignorance. Level eight is the foothills of the catastrophic levels, a severity having the influence or effect of irrevocable harm, damage, or loss. Severity levels nine and ten are the catastrophic levels: a severity marking a turning point, with an abrupt change approaching a state of crisis and sufficient in size to sustain a chain reaction of undesirable events, occurrences, incidents, accidents, or disasters; and a severity where functions, movements, or operations cease to exist.
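The severity scale can be sketched the same way and, as one possible convention that is assumed here rather than stated in the text, a likelihood level and a severity level can be combined into a single index for ranking risks.

```python
# Hypothetical sketch: ten severity levels paraphrased from the text,
# plus one possible (assumed) way to combine likelihood and severity
# into a ranking index. The combination rule is an illustration only.
SEVERITY_LEVELS = {
    1: "not compatible with other facts or claims about the hazard",
    2: "insignificant consequences",
    3: "inferior in importance, size, or degree",
    4: "attracts attention, inconvenience, unscheduled events",
    5: "large in extent or degree",
    6: "industry-standard defined risk",
    7: "noticeably or measurably large effect, not mere chance",
    8: "irrevocable harm, damage, or loss (foothills of catastrophic)",
    9: "crisis-level, sustains a chain reaction (catastrophic)",
    10: "functions, movements, or operations cease (catastrophic)",
}

def risk_index(likelihood: int, severity: int) -> int:
    """Combine 1-10 likelihood and severity into a 1-100 ranking index.

    A simple product is assumed here; an operator's SMS would define
    its own justified combination rule.
    """
    for value in (likelihood, severity):
        if not 1 <= value <= 10:
            raise ValueError("levels must be 1-10")
    return likelihood * severity
```

The point of keeping the two scales independent, as the text requires, is that a high index can come from either a frequent minor hazard or a rare catastrophic one, and the justification record should show which.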

With a justification risk analysis, the first action is defined based on the risk level. At risk level one, the initial task is to communicate. Level two is to communicate – monitor. Level three is to communicate – monitor – pause. Level four is to communicate – monitor – pause – suspend. And level five is to communicate – monitor – pause – suspend – cease. The beauty of a justification-based risk analysis is that after corrective action is implemented, and during the follow-up process, the tasks are completed in reverse order until the risk reaches the communicate task level.
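The five-step ladder and its reverse-order walk back during follow-up can be sketched as follows. This is a minimal illustration; how a completed risk analysis maps onto the five levels is whatever the operator's SMS defines.

```python
# The five escalating tasks from the text, in cumulative order.
ACTION_LADDER = ["communicate", "monitor", "pause", "suspend", "cease"]

def tasks_for_level(risk_level: int) -> list[str]:
    """Return the cumulative task list for risk levels 1-5."""
    if not 1 <= risk_level <= 5:
        raise ValueError("risk level must be 1-5")
    return ACTION_LADDER[:risk_level]

def follow_up(risk_level: int) -> list[list[str]]:
    """After corrective action, walk the ladder back in reverse order,
    one step at a time, until only the communicate task remains."""
    return [ACTION_LADDER[:n] for n in range(risk_level, 0, -1)]
```

For a level-three risk, `tasks_for_level(3)` yields communicate – monitor – pause, and `follow_up(3)` steps back down until the risk is at the communicate task level.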


Tuesday, June 1, 2021

What To Expect From An Audit

By Catalina9 

What we expect of an audit is an unbiased and neutral report of the facts.

Everyone in the aviation industry needs to do audits for one reason or another. Audits might be done for regulatory compliance, for compliance with the enterprise’s safety policy, as a contract compliance agreement, at a customer’s request as a satisfaction evaluation, or after a major occurrence. An airport client must feel assured that operating out of one specific airport does not cause interruptions to passengers due to inadequate maintenance of nav-aids, visual aids, markings, runways, taxiways, or aprons, and that there are no surprises for aircraft, crew, or passengers.

Include in your SMS manual that audit results are not automatically implemented
An airline or charter operator most often carefully researches new airports it is planning to operate out of, and when there is a tie between two or more airports, the one with the best customer service wins the draw. A passenger on an airliner must feel assured that the flight will be occurrence-free, and a shipper of goods must trust the carrier to ensure that the goods arrive at the destination airport in the same condition they were in when first shipped. There are a million considerations and reasons why audits are needed. Since there are several reasons for audits, there are also several expectations of the outcome of an audit. What these expectations are depends on which side of the audit you are on and the scope of the audit.

Let’s take a few minutes and reflect on three different types of audits: the Regulatory compliance audit, the Safety Policy compliance audit, and the Customer Satisfaction compliance audit.

The Regulatory compliance audit is a static audit, where no movements or processes are required for the audit. When an operator’s certificate is issued to an airline, there are zero movements required for that certificate to be issued. However, there are conditions for operations attached to the certificate, which become the scope of regulatory audits. These conditions are management personnel, maintenance personnel, and flight crew. All these positions for an air carrier are certificated positions, and each person must comply with the roles, responsibilities, and privileges of their licenses for the operating certificate to remain valid. For a new certificate holder, at the time the first aircraft leaves the gate for a flight, there is an expectation of an audit that pre-departure regulatory requirements are met and that all regulatory requirements are met at the closing of the flight upon arrival at the destination. When an audit of an airline is carried out, the first step is to review the operations manuals for regulatory compliance. At the time of issuance of the certificate they were compliant, but over time amendments are added and new regulatory requirements are implemented. One major implementation example is the Safety Management System (SMS), which had an enormous impact on airlines. Their compliance requirements went from a “job well done” to who did the job and how they did it. After manuals are reviewed, operational records are reviewed for compliance. Records from the very first flight, or the first flight since the last audit, to the most current records are reviewed. Regulatory compliance audits are audits of pre-flight compliance, in-flight compliance, and post-flight compliance. Training records, operations records, maintenance records, and crew license records are all audited and assigned a compliance or non-compliance grade. The expectation of a regulatory audit is that every item audited is linked to a regulatory requirement.

A Safety Policy compliance audit is an audit of an enterprise’s Safety Management System. The audit process is the same as for a regulatory compliance audit, with the difference that the audit becomes a job-performance audit. A job-performance audit is about what the task was, when the task was performed, where in the operations the task was assigned, who did the task, why the task was necessary, and how these tasks were performed. The “how” audit is an overarching audit for the other five questions: what, when, where, who, and why. A safety policy audit must answer how a decision was reached for each one of the five questions. E.g., how was a decision reached to select an airplane and crew, how was the timeline for crew-pairing selected, what were the criteria for destinations, how was it decided who makes the final decision, and why was this person selected?

A safety policy to be “safe” is a policy with undefined destinations
A safety policy audit is the most comprehensive audit, since it involves all aspects of operations, each person in those operations, and a complete timeline of those operations. An inflight example of a safety policy audit is the process for preparing for an emergency upon arrival. A person seated in the emergency exit row is, prior to takeoff, asked if they are willing and able to assist the flight crew with opening the emergency exit. During the flight, alcohol is also served to that person, who could be intoxicated upon arrival as a temporary crew member with limited duties. A safety policy audit conducts interviews of operational personnel, crew members, and maintenance personnel. During these interviews, an auditor may discover that intoxicated personnel are expected to be frontline crew members during an emergency. For each task required by regulatory requirements, the same audit process is applied. Just one simple task may take hours to complete, and it becomes a resource impossibility and impracticality to conduct SMS audits of 100% of the requirements, 100% of the personnel, and 100% of the times. An SMS audit must therefore apply random sampling and statistical process control (SPC) for a confidence level analysis. The industry standard is a 95% confidence level for each element of an SMS to be present for an acceptable audit result.
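The sampling side of this can be sketched with the standard sample-size formula for estimating a proportion. The formula is general statistics, not something taken from the text; z = 1.96 corresponds to a 95% confidence level.

```python
import math

def audit_sample_size(margin_of_error: float = 0.05,
                      expected_proportion: float = 0.5,
                      z: float = 1.96) -> int:
    """Sample size for estimating a compliance proportion.

    Uses n = z^2 * p * (1 - p) / e^2, rounded up. p = 0.5 is the
    conservative (worst-case) assumption when the true compliance
    rate is unknown."""
    n = (z ** 2) * expected_proportion * (1 - expected_proportion) / (margin_of_error ** 2)
    return math.ceil(n)
```

With a 5% margin of error this gives 385 records to sample, which is why an SMS audit samples records and applies SPC rather than reviewing 100% of requirements, personnel, and times.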

A customer satisfaction compliance audit is the simplest audit of all. A customer satisfaction audit is audited against opinions, or industry standard expectations. A customer may conduct an audit as an opinion of regulatory compliance, as an opinion of safety policy compliance, or as an opinion of conforming to industry expectations. Customer satisfaction auditors are not required to be technical experts in regulatory interpretation, operational experts, or experts in airport operations, but they are experts in providing opinions of their observations based on their operational experience in aviation. A customer satisfaction audit does not issue findings, since the auditor is unqualified to issue findings against regulatory requirements or operational recommendations. They issue opinions and suggestions for operational changes or implementations as viewed from a customer’s point of view and on behalf of a customer. An operator, whether airline or airport, decides whether to implement these changes and assesses how these changes could affect its operations. The criterion for change may be based solely on a customer’s wish, public opinion, or social media trends. An enterprise without a clause in its SMS manual that findings from any type of audit must first be assessed by the enterprise before being accepted or rejected for implementation may be compelled to make changes without knowing the effect.

An auditor has no responsibility for any occurrences an operator may experience in its operations after implementing audit recommendations. A newly implemented regulatory requirement may affect operational safety, a safety policy recommendation may affect safety, and the implementation of a customer suggestion may affect safety in operations. In any case, after an audit an operator, whether airline or airport, must conduct a safety case, or change management assessment, prior to implementation of changes to evaluate the risk impact on its operations. Since there is an inherent hazard in aviation from the time an aircraft is moving under its own power, an operator must monitor what direction the implementation of audit suggestions or requirements is taking and, from that assessment, continue the course or make operational changes to avoid or eliminate hazards on the horizon.



Monday, May 17, 2021

Training Works


By Catalina9

When applying the fact that training is associated with Human Performance, ongoing training becomes a tool to capture process deviations from performance parameters. Deviations from performance parameters are not a lack of knowledge; it is a human factor to take the path of least resistance and to deviate for effectiveness to reach a common goal. Most standardized processes are arbitrarily chosen based on opinions. This does not make a process wrong, bad, incorrect, or dangerous; it is just the fact that someone established the process based on their experience and personal view of what made sense to them. From these processes, rules and job performance expectations are derived to establish the lowest bar acceptable in aviation safety. One example of a new rule implemented after an accident is the sterile cockpit rule. This rule was implemented after a notable accident in which an airliner, with the flight crew engaged in non-essential conversation, crashed just short of the runway while conducting an instrument approach in dense fog. Training is a tool to assess the effectiveness of standardized procedures, capture deviations, and excel in performance above the lowest acceptable safety bar.

Training is time sensitive
Training is to prepare the Safety Management System (SMS) for tomorrow, which will be different from what it is today. A future SMS enters into a commitment agreement with the flying public, the regulator, airports, and airlines to accept nothing less than excellence in operational processes. Excellence is not to be perfect and operate in a virtual, or fantasy, world. Excellence is incremental improvement of safety processes. SMS is not to show that we always get everything right, but to show that we can build a portfolio of safety even when we get it wrong. An SMS operating at its full potential takes a businesslike approach to safety, where losses are accounted for and profits are rewarded.

SMS as we know it is taking a new course in a professional SMS management direction. Just as an organization relies on lawyers and accountants, organizations have come to a point where they need to rely on SMS experts to oversee, administer, and manage their SMS. It is no longer enough to run an SMS organization because the SMS Manager wants to be safe. SMS has become more complex and needs to be managed by professional SMS experts. COVID-19 was the catalyst that moved SMS at rocket speed in a new direction. In the blink of an eye, the world changed from virtual fun and games to a virtual corporate culture as its businesslike-approach platform.

One component that is critical for a successful SMS is training the Accountable Executive (AE) to comprehend SMS as a businesslike approach and, most important, to understand that the AE title does not qualify a person as a professional SMS expert. The regulations state that no person is to be appointed as the AE unless they have control of the financial and human resources that are necessary for the activities and operations authorized under the certificate. The brilliance of this regulation is that an AE is an SMS team member within the organization, responsible for operations and accountable on behalf of the enterprise for meeting the requirements. This requirement does not make the AE the sole expert but leaves the door wide open for an AE to be surrounded by experts at any level in the organization. As the final authority, as opposed to the final decision-maker, the AE can with confidence sign off on the SMS for regulatory compliance and safety in operations. Just as the CEO of an enterprise signs off on legal and tax documents, the AE’s role is to sign off on SMS documents. SMS is the overarching umbrella, or the hub of a wheel, where the processes lead a path of safety improvements.

Conventional wisdom is that training is required because of regulatory requirements, and that someone who does the same tasks daily should know how to do them without requiring training. Nothing could be farther from the facts than that this is the only reason for training. There are several elements to the training process, one of which is refresher training of personnel who do the same task daily. Refresher training has two main goals: 1) evaluate a skill; and 2) evaluate drift within an organization. Short-term corrective actions are applied to skill-test training findings, i.e., additional training of personnel who failed, while policy changes are applied to organizational drift findings. Under the old way of SMS training, if several pilots failed their missed approach task during training, each person who failed would receive additional training until they successfully passed the missed approach task once. In the new SMS era, training of each pilot continues until their success becomes persistent. In addition, the missed approach training program is reviewed for drift, or what the expected outcome would be based on the missed approach training process. If the outcome of a process deviates from the expectation of outcome, drift is discovered and a change in training policy is required.
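The two refresher-training goals, skill evaluation and drift evaluation, can be sketched as follows. This is a hypothetical illustration; the required success streak, expected pass rate, and tolerance are assumed values, not figures from the text.

```python
def skill_passed(results: list[bool], required_streak: int = 3) -> bool:
    """New-era skill check: success must be persistent, i.e. the most
    recent `required_streak` attempts were all passes (streak length
    is an assumption for illustration)."""
    return len(results) >= required_streak and all(results[-required_streak:])

def drift_detected(passes: int, attempts: int,
                   expected_pass_rate: float = 0.95,
                   tolerance: float = 0.05) -> bool:
    """Organizational drift check: flag when the observed pass rate
    deviates from the expected outcome by more than the tolerance."""
    observed = passes / attempts
    return abs(observed - expected_pass_rate) > tolerance
```

A failed `skill_passed` check drives the short-term corrective action (more training for that individual), while a `drift_detected` result across the whole pilot group points at the training program itself and triggers a policy review.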

Training is to train for resilience.
Training serves several other functions, and one of them is to train for what is not expected to happen. It makes sense that glider pilots are trained to make an off-airport landing on every flight. Even though a glider Captain does not have engine power available, they manage their energy in flight: a glider can speed up or slow down by applying spoilers and speed brakes. Glider training benefited the Captain of the Gimli Glider several years later. In 1983 a Boeing 767 was gliding from FL410 after fuel starvation. When fueling the aircraft, the fuel quantity had been calculated in pounds when it should have been calculated in kilograms, with the effect that the 767’s fuel load was roughly half the required load. The fueling process had drifted away from the expected outcome, or what number was expected when the aircraft was fully fueled. Resources from the Captain’s glider training kicked in, and the crew successfully landed at a decommissioned airstrip. The same principle is true for the Hudson River landing in 2009. Resources from the Captain’s prior decision-making training kicked in and assisted in a successful outcome. Just a few weeks ago, a glider landed in a lake after the tow-airplane lost power shortly after takeoff. All of these are events that were not expected to happen, and they show that training works when unexpected events occur. Missed approach training, glider training, decision-making process training, or any other training is training for resilience, with an expectation that resources become available when they are needed.
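The Gimli fuel error can be reproduced arithmetically. The figures below are the approximate, widely reported values from public accounts of the 1983 incident, used here only to illustrate how a single unit error compounds through a calculation.

```python
# Approximate public-account figures for the 1983 Gimli Glider fueling.
LB_PER_LITRE = 1.77       # conversion factor actually used (pounds per litre)
KG_PER_LITRE = 0.803      # conversion factor that should have been used
FUEL_ONBOARD_L = 7682     # dripstick reading before fueling (litres)
FUEL_REQUIRED_KG = 22300  # fuel required for the flight (kilograms)

# Litres were multiplied by lb/L, but the result was read as kilograms.
indicated_kg = FUEL_ONBOARD_L * LB_PER_LITRE           # really pounds
uplift_l = (FUEL_REQUIRED_KG - indicated_kg) / LB_PER_LITRE

# Actual mass on board after fueling, converted correctly.
actual_kg = (FUEL_ONBOARD_L + uplift_l) * KG_PER_LITRE
fraction_of_required = actual_kg / FUEL_REQUIRED_KG    # roughly 0.45
```

Every intermediate number looked plausible to the people checking it, which is exactly the kind of drift from expected outcome that refresher training and process review are meant to catch.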

Training works when a candidate learns that they are consistently capable of completing a task successfully. Under the old SMS, a task completed once was all that was required, while in the new era of SMS, training is the success of completing a task over and over again. SMS training is to build confidence as a resilience tool for when things go wrong and unexpected resources must become available to a person. Resilience training also includes training the Accountable Executive to comprehend the SMS without being overwhelmed by details.



Monday, May 3, 2021

Teamwork Simplified


By Catalina9

In aviation, for both airlines and airports, teamwork is the foundation for an organization to function within a Safety Management System (SMS). A common expectation is that everyone must unconditionally “take one for the team” for the team to win or succeed. When someone “takes one for the team”, they are expected to willingly undertake an unpleasant task or make a personal sacrifice for the collective benefit of their friends or colleagues. Should someone reject the notion that it is moral or necessary for them to sacrifice their emotions, they will more than likely be kicked off the team.

A scale is balanced by the SMS policy.
Conventional wisdom is that there is “no I in team”. This is as far from the facts as it could be. There will always be an “I” in a team. The “I” could be there by position of authority, by vocabulary, by technical expertise, or simply by reputation within the organization. Until the Safety Management System came along, it was the “I” in the team who had control over the masses. They would use the “safety card” and imply that anyone who opposed their opinion of safety was against safety and should be silenced in the conversation. Playing the “safety card” is when someone makes references to safety as a tool to further their opinions and gain control of the conversation. An operational plan in aviation is called a safety management system for that exact reason. A safety management system in aviation is not about safety, but about process design, management, and oversight. The outcome of these SMS tasks is expected to reduce, or even eliminate, unexpected events, and therefore we are safe.

In 1912 an unsinkable ship left on a journey across the North Atlantic. A few years earlier, Captain Smith’s own words were: “When anyone asks me how I can best describe my experiences of nearly forty years at sea, I merely say uneventful. I have never been in an accident of any sort worth speaking about.... I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort.” Everyone’s opinion was correct, in that the Titanic could not sink, since the experts who designed it said so, and everyone was in the good hands of Captain Smith. As we all know, the Titanic went down, but not because someone failed to complete a task; the system worked the way it was designed to work. NOTE: The system didn’t work as expected, but as designed. The team who designed the ship and the operational processes were in agreement and could therefore not be wrong. A safety statement in advertising is there to persuade the team that a million people cannot be wrong. Any person who does not accept this statement is shunned or rejected by the group. In the pre-SMS days, a team was a group of experts where the person with the best vocabulary or the most authority made an opinion-based decision and called it a team decision.

Behind every door is a virtual reality attendee with facts to be discovered.
Over time, virtual reality meetings and conferences have become the acceptable platform for meetings. Just a few months ago virtual meetings were infrequent and used as a last resort, but that changed very quickly. From small organizations to international-level conferences, meetings are today conducted via virtual attendance. The aviation industry also adapted quickly to this platform, where attendees are now placed in separate rooms or even separate locations across the globe. The transition from old-fashioned meetings to virtual attendance just happened, without conducting a safety case or change management analysis. Just as the Titanic was unsinkable, transitioning to virtual attendance was to be a flawless transition.

An analysis of the transition to virtual attendance shows that teamwork has become much more team-platform oriented and has reduced the “I” in the team. Attendees now have an opportunity to raise their concerns, opinions, or suggestions because of their physical distance from the other team members. There is also an opportunity for everyone to make their voice heard by anonymous submissions. Virtual attendance has opened a new door to the Safety Management System, where facts are forced to be analyzed rather than someone needing to “take one for the team”. In a virtual conference environment, the only option other than accepting inputs from everyone on the team is to end the meeting. This unexpected change in personal involvement is a positive change for the aviation industry and hazard identification.

An opportunity is delivered on a blank sheet of paper.
An enterprise operating within an SMS world is required to implement a non-punitive policy, or a policy that differences of opinion cannot be punished. Since the beginning of SMS, in 2006, when Canada became the first country to implement SMS regulations, a non-punitive policy was expected to be applied to airline and airport operations for hazard and incident reporting. This policy often came with a caveat that it would not be applied to illegal activity, negligence, or wilful misconduct. The intent, or expectation, of the non-punitive policy was to protect a person involved in, or observing, unexpected events of job performance. A non-punitive policy is integrated in the safety policy on which the SMS system is based. The non-punitive policy was not considered to apply to meetings or teamwork, since it was a flight crewmember or airside worker who would fail their tasks, and not the management who designed the systems.

In a regulatory world, the Safety Management System is applicable to an air operator certificate and an airport certificate. Any person without a role or responsibility in the operations or management of these certificates may be excluded from the non-punitive policy. E.g., someone maintaining offices may be excluded, while someone maintaining an aircraft, or the airfield, must be included. The Accountable Executive, CEO, or President is included, all management levels are included, and all operational and support levels are included in the non-punitive policy. However, senior management was excluded from the caveat that the non-punitive policy would not be applied to illegal activity, negligence, or wilful misconduct.

The “I” in team still exists within an SMS system and cannot be removed or ignored. The “I” in team is the SMS policy, the SMS non-punitive policy, objectives, goals, and parameters. Virtual reality attendance meetings have improved the opportunity for attendees to assign data, information, knowledge and their comprehension of systems to policies and objectives and bypass the gatekeeper’s opinion. Virtual attendance has placed the “I” in team where it should be, which is in the Safety Policy Team. When the Safety Policy is the focus of the discussion, teamwork is simplified.      

