Saturday, May 14, 2022

Why Long-Term CAPs Crash

 Why Long-Term CAPs Crash

By OffRoadPilots

When the Safety Management System (SMS) regulations came into force, there were little or no guidance material available to design useful long-term corrective actions to findings. Long-term corrective actions were defined by how long time it would take to implement. While short-term corrective actions also were defined by time between design and implementation, short-term corrective action did not change with the SMS, since the fix or repair required to return to normal operations was already in place. If an aircraft engine failed, the short-term corrective action was to change out the engine with an engine that had not failed yet. 

Paved roads are a long-term CAPs. No need to change the road after an accident.

A long-term corrective action is a system level change and there are seven levels to a long-term corrective action. The first level is discovery, either by hazard identification, audit finding, or an unplanned event occurrence. The second level is the immediate corrective action, which is an immediate reaction to a hazard, finding or event to establish a degree of supervision and operational management. The third level is the short-term corrective action, or the repair to return to normal operations. The fourth level is the root cause analysis, which is new with the introduction of SMS. The fifth level, and another new element of the safety management system is the long-term corrective action, or the system repair by continuous, or continual changes. For the purpose of a safety management system, continuous is a change to the current system, while continual change is a change of the system itself. A continuous change could be to move from hand-written paper copies to typewriter copies, while a continual change would be to change the system from a paper-document system to an electronic system. At this time in the process, it is unknown if a change implemented is an improvement or deterioration of a system. The sixth and crucial to success of the SMS is to define what the expected outcome of a long-term system change is. The seventh level of a corrective action plan is the analysis of expected outcomes and to compare expectations with actual outcome. Root cause analysis and long-term corrective action are not new to the aviation industry but became new as additional elements for operators to consider since prior to SMS they were only considered by accident investigators and regulators. 

All parts, or systems, of a car is not changed out if one of the systems fails.

Systems are inter-dependent processes to achieve a defined result which comprises of policies, processes, procedures, and acceptable work practices. A system is the cause or expected outcome and conditions are the tasks requirements triggered by the system design. A system could be the document and records system, where an expected outcome is to generate data for an SMS enterprise to design, develop and implement action plans. A process is to define the 5-W’s + How (What, When, Where, Who (position), Why and How) to compete a task. A process could be to collect data for flight planning. A procedure are the tasks, sequence and timing of steps required to complete a process. A procedure could be the specific tasks, sequence, and timing of steps to control an engine failure. Acceptable work practices are practices accepted by an SMS enterprise since it is impossible to have procedure for everything. An acceptable work practice could be a person’s operational judgement decision such as to land an aircraft or initiate a go-around.  


Long-Term corrective actions are highly influenced by the Accountable Executive (AE) and their opinion of the best approach to achieve their goals. The position of an AE is often the CEO of the company, who has a successful track record in business administration, but without being a data analytical expert is still the final decision maker for safety in operations. 


April 28 was World Day for Safety and Health at Work, recognized around the world to draw attention to the estimated 317 million accidents that take place on the job each year across all industries. A common safety statement is to keep safety above all as the priority, meaning that an AE will never sacrifice safety for any other purpose. This is a well intended statement, but without safety analytical expertise the statement falls apart when it continues to read that a safety approach is common sense and simple by never sacrifice safety rules or policies and procedures for any other goal, always adhere to rules, policies, and best practices for ensuring quality service, and report any incidences that negatively impact the safety of team members. If safety was common sense and as simple as to adhere to rules and policies, there would not be any incidents to report. Pilots of the 1957 Grand Canyon crash followed the rules. 


Long-term CAPs go wrong because they are not long-term CAPs. They are corrective action plans which takes a long time to complete, but the effect of the CAP is still a short fix, or repair. Long-term CAPs are system CAPs. Systems are not as complicated as we often make them and by making it complicated CAPs often go wrong. The regulator has shown a trend that they do not comprehend long-term system CAPs. This became evident to an operator, who submitted a comprehensive long-term CAP for regulatory findings. The regulator rejected the CAP with the reasoning that it was too comprehensive, that it was complex, and it was detailed, and it was irrelevant to the regulator that the outcome was a simple system long-term CAP. The regulator’s long-term CAP form is no larger than a 3x6 index card. It takes more time to plan a project than it takes to build it. Designing long-term CAPs are operational project plans. 

Long-term CAP is incremental improvements within a system

 A long-term corrective action plan is to provide long-term solutions to correct problems in the system that led to the unexpected event. An unreasonable expectation is that a long-term CAP ensures that this type of event will never happen again. There are no unreasonable expectations or goals, there are only unreasonable timelines. With an exception for the same event to never happen again, the timeline of “never” is an infinite timeline. An expectation of “never” is an unreasonable timeline, since an event which has occurred, will occur again at a later date. History repeat itself. An unreasonable timeline is a reason why a CAP goes wrong. A second unreasonable expectation in a long-term CAP is that all contributing causes and associated systems are corrected. An associated system in a birdstrike event, includes birds. Some of the birds have a system they call the migratory bird seasons. This is a common cause variation system, which is a requirement for their system to work, and it is impossible for anyone to correct that system. An unreasonable expectation is a second reason why a CAP goes wrong. When task with these two requirements to ensure that an event will never happen again and an expectation to change a common cause variation, the trap operators fall into, both airlines and airports, large and small, is to design their CAP to include these items for one reason only, which is to complete the checkbox task to conform to an expectation of what it takes for regulatory compliance. Since regulatory compliance is when operations is in a static state of operations, it is possible to comply by ensuring there are no aircraft movements. However, this is not how the real world works and the purpose of an airport is aircraft movements. When movements are happening, that’s when the regulatory compliance gap comes into play. 


Long-term CAPs is not to do root cause analysis and make changes to operations so that an unexpected event never happens again. Making long-term CAP project plans is to design, develop, and operate with safety cases and internal operations plans. When you have these plans in place, the only change, or long-term CAP that is needed, is to make short-term changes to the plans for incremental safety improvements. Take a minute an assess a gravel runway. There are still airports out there that offer gravel runway services only. An airport operator makes a safety case for a gravel runway. Based on the safety case they make a gravel operations plan. Their long-term CAP is now the operations plan itself. In the plan they grade the runway once a month. Then one day there is a runway excursion because of the large ruts in the runway. Their long-term CAP fix is now in their operations plan and the fix is to change grading of the runway to every two weeks and after heavy rain. This is literally how simple a long-term CAP is when an operator comes prepared for it with safety cases and operations plans. The reason for long-term CAP crashes is because they are designed to crash.




Sunday, May 1, 2022

The Unintended Consequences of a Non-Punitive SMS Policy

 The Unintended Consequences of a Non-Punitive SMS Policy

By OffRoadPilots

An SMS enterprise is required to implement a non-punitive reporting policy. The intent of this policy is that more incident reports or near misses will be submitted to management when there is a policy in place that a contributor will not be reprimanded, fired, criminally charged, or other punitive actions, such as a reduction in pay or benefits, will be taken against them. An implied benefit from a non-punitive reporting system is that an operator, being airline or airport, will learn from the content of these reports and implement changes to operations as needed for safety improvements. 

A non-punitive policy that needs to be decoded is not a policy.

An objective of a non-punitive SMS policy is to support the overarching SMS policy goals of an SMS enterprise. Examples of an SMS policy goals are to have a goal-setting process in place, processes for live hazard identification, reporting and corrective actions, processes to train personnel, a process to operate with a daily quality control program as a prerequisite for their quality assurance program, processes for conducting periodic audits of the safety management system, or a non-punitive reporting policy. Conventional wisdom is that the non-punitive reporting policy is the only element of an SMS policy that ensures reporting disclosure of all near misses, incidents, or hazards. When an SMS enterprise is relying on their non-punitive reporting policy as their only tool for sole-source reporting, they are taking the SMS down the wrong path. Sole-source reporting is reporting of an event that otherwise would be unknow to the operator since no other person had knowledge of the event to report it. A sole-source report could be an IFR altitude deviation in uncontrolled airspace, or operational deviations out of a remote airport without air traffic services.  


Negative thinking generates an incorrect root cause.

A non-punitive reporting policy is a crucial tool for an SMS enterprise, but it is not, and cannot be the only tool for sole-source reporting. If there is no benefit for the contributor to report, the intervals between receiving reports are imaginary, theoretical, virtual, or fictional when solely based on a non-punitive policy. There is no benefit for a contributor to report an undetected event that was corrected. Individuals reporting more reports than other is actually a red-flag and does not contribute to safety but is a contributor for suspicions. Suspicion or qualification assumptions is a hazard to incremental safety improvements. A negative mind, such as suspicion, attracts negative behaviors. Negative thoughts are the greatest resource for destroying success. The greatest enemies to success are negative thoughts of all kinds. They hold you down, tire you out, and take away all your joy in life. From the beginning of time, negative thoughts have done more harm to individuals and societies than all the plagues of history. One of the most important goals is to remove all negative thinking about operational personnel. A non-punitive reporting process foster negative thinking in an organization. Some of the causes for negative thinking are rationalization, which causes automatic negative thoughts. When you rationalize, you attempt to give a socially acceptable explanation for an otherwise socially unacceptable act. Rationalization is to explain away or put a favorable light on something that you have done that you feel bad or unhappy about. Rationalization cast yourself in the roles of the victim, and you mark the other person or organization into the oppressor.


Negative thinking applies to all organizational structures and to small and large organizations. When information is analyzed by emotions rather than data analyzed within a statistical process control system, the findings will lead to an incorrect conclusion. When incorrect conclusions are applied to incremental safety improvements, safety improvements become random. Relying on an SMS manager’s random skills for safety improvements is a hazard in itself. As an example, when analyzing the root cause for aircraft wing strikes while towing between a sample of operators, negative thinking affects the root cause finding. In this example, a graph shows one operator with several more wing strikes than another operator and another operator shows several more days without a towing strike than the rest of the group. When analyzed in the negative thinking mode, the root cause is to enforce towing policies for operators with higher towing strike events and fewer days since a strike occurred. When analyzed as data and applying an SPC analysis, the processes between operators are in-control. Negative thinking applied an enforcement root cause, while an SPC analysis shows in-control processes. After it was concluded that the right thing was to enforce towing policies, one operator in the group asked what the other operator without strikes did correctly. When asked, the answer was: “We don’t tow, since we don’t have hangars to move aircraft in and out of”. 

Sometime ago, several news papers published a report that a stash of cocaine was found by a maintenance worker in the plane's avionics bay. The flight crew reported to the authorities that they found illegal drugs on the plane, and then they were detained and arrested by the local authorities for possession of illegal drugs. The flight crew reported in good-faith and under the assurance of the company’s non-punitive policy their findings to the authorities. Their reporting of a finding caused them to be arrested. 


When SMS was implemented as a regulatory requirement several years ago, the regulator acted as a consultant and advised operators to write a non-punitive policy to include conditions under which punitive disciplinary action would be considered, e.g., illegal activity, negligence or wilful misconduct. Transporting illegal drugs in aircraft is an illegal activity, it is negligence, and it is wilful misconduct, so the non-punitive policy does not apply to the flight crew. Some might say that the crew did not know about the drugs. However, the expectation applied to a non-punitive policy did not include to have knowledge of, as a condition for the policy to be applied. The non-punitive policy failed this flight crew considerably. When implementing the SMS recommendations, operators did not include in the non-punitive policy that the policy is only applicable in a jurisdiction where the policy is accepted, or by international agreements. In addition, the regulation itself was not applied to the non-punitive policy. The regulation sates in part: “…including the conditions under which immunity from disciplinary action will be granted…”   The regulation states that immunity is not granted unless specifically granted by the operator. When SMS is elevated to a level without accountability by the operator, and to a level where a person acting in good faith when reporting is punished, there is no just-culture in operations. Without just-culture there is no safety management system. 


The unintended consequence of a non-punitive policy is to foster negative thinking, and the promise to grant immunity in other jurisdiction than of the SMS enterprise. 





Monday, April 18, 2022

SMS Goalsetting Strategies

 SMS Goalsetting Strategies

By OffRoadPilots

A successful safety management system (SMS) includes strategy solutions for setting goals for the safe operations of an aircraft or airport, and for members of an SMS Enterprise to be involved in an ongoing development of the safety management system itself. 

Traditionally, in an organization, all positions are established by authority of command, decision-making authority, and signatory authority. An organizational chart of a traditional organization takes the form of a pyramid, where the president, CEO of the corporation, or the board, has final authority. From the top-level in the pyramid, at the CEO level, the pyramid continues upwards, spreads outwards and takes on the shape of an inverted pyramid to reach as many customers as possible. People who are working within this type of traditional organizational structure have little or no impact on decisions made by the CEO.

In this type of highly successful and accepted organizational structure, a conflict arises between the concept and principles of members of an SMS Enterprise, and their position in the traditional business hierarchy. Either a change of culture to the current established business structure is required to conform to SMS, or the culture of an SMS Enterprise is required to change to conform to the current organizational structure. Establishing an SMS with a business-like approach to safety does not imply that the hierarchy of a business is copied and applied to an SMS Enterprise, but rather that a systematic businesslike approach is applied to the SMS. 

There are no qualifications or training requirements for a person to accept the position as an accountable executive (AE) at an airport or airline. By the position a CEO holds in the organizational hierarchy, that person qualifies by default as the AE. Qualifications for the AE to be accountable on behalf of the certificate holder for meeting the requirements of the regulations are assumed to be acceptable by their CEO position in the organizational hierarchy. A condition for a person to accept the position as an accountable executive is that they have control of the financial and human resources that are necessary for operations authorized under the certificate. Maintaining daily regulatory compliance is not a condition, but a qualification, experience level requirement and a team assembly skill. While the condition for an AE is that the person has control of the financial and human resources that are necessary for operations authorized under the certificate, their priority is to maintain regulatory compliance. These two opposing requirements is a hazard to a safety management system since they are opposing forces where one is a responsibility, and the other is a condition.

A condition is an appearance. E.g., the condition of the front tire does not look good. The condition of accountable executive is the appearance of cash to allocate to the safety management system. Cash in itself does not promote SMS or aviation safety. It is the responsibility, action, or task applied that counts. Conventional wisdom is that cash will lead to safety improvements or a support tool to the SMS. However, without goalsetting strategies improvements, goals are not goals, but only wishes or dreams without any safety improvements. 

A responsibility is forward-looking accountability, it is to plan, it is to initiate actions and comply with follow-up actions. An accountable executive with a responsibility to maintain compliance with the regulations involve, not only one, but several task over the course of a day. Daily tasks are not randomly picked tasks but are planned and analyzed for compliance tasks. 

An SMS manual is the process manual, or the manual where it is described, or depicted in flowcharts how things are done in the organization. Every process in an SMS manual answers the 5-W’s + How questions. The questions are about what the process is, when the process is executed, where it is executed, who does it, which is to answer who is the position, and not a name who the person is, why is the process applied and how is it done. These questions are then applied to line-items required tasks, where one task may complete a compliance requirement with multiple regulations. The role of an AE is also to analyze how these processes within an SMS Enterprise supports data, information, knowledge, comprehension, information sharing, trust, learning and accountability. The responsibility of an accountable executive is an oversight responsibility and research, planning, design and development responsibility. 

With a daily quality control program in place, the task for the AE becomes to assign daily variables to common cause or special cause variables. The role of an AE is not to make the final safety decisions, since an AE, in most cases, is a businessperson and not a safety management system expert. Safety is not to apply common sense, but to apply pre-defined processes and pre-defined expectations, or outcome, of those processes. If we don’t know what to expect, the outcomes are only wishes and dreams. 

Following the accountable executive selection flow chart, a person is excluded from selection if they do not have control over human and financial resources. The intent of the requirement is therefore to select an AE with an operating budget to support regular operations for an airport or airline. By this definition the SMS did not change pre-SMS operational practices, where a person, possible director of flight operations, had funding for hiring, training and daily operational tasks. Large purchases, investments or emergency cash would still be allocated by the board of directors or the sole proprietor owner of a business.

When an accountable executive has established all operational tasks required for compliance, their priority is to establish a goalsetting strategy. Goalsetting within an SMS Enterprise does not follow the business approach organizational chart, where each level of management has veto authority. All members of an SMS Enterprise are on the same playing field. The accountable executive is the manager of the team with the authority to establish what direction to move. An AE establishes the policy or their vision of what the future should look like. If this scenario was applied to a baseball game, such as the Oakland Athletics 2002 season, the vision would be to assemble a competitive team. A goal for each game would be to win by one single point, with objectives for each player to act out their assigned responsibilities. Based on a vision to establish a competitive team the AE establishes a goalsetting project plan clearly defining goals which are supportive of the policy. SMS in aviation requires a competitive attitude and a strategy to win every game, or every daily quality control task. This is one reason why it is critical for a successful SMS to select an accountable executive who is determined to meet the requirements of the regulations. Each time a regulation is met, is when a player gets on base. An SMS Enterprise who gets on base regularly, or completes the daily quality control task regularly, has a winning team. A successful SMS cannot be run without a statistical process control (SPC) system to analyze where different strategies need to be applied.

The goalsetting strategy is not for the AE to accept all SMS goals presented or desired by a member. The goalsetting strategy is to assemble a team of players, or members, who accept their responsibilities within an SMS Enterprise to help the AE to meet the requirements of the regulations. 



Monday, April 4, 2022

The Seven Lines of Defence Of An SMS

 The Seven Lines of Defence Of An SMS

By OffRoadPilots

A Safety Management System (SMS) must be effective to conform to the regulatory performance requirements to have in place a process for reviewing the safety management system to determine its effectiveness. A general definition of effective is a process that is successful in producing a desired or intended result or fulfilling a specified function. SMS is a simple concept to operate within a just culture where there is trust, learning, accountability, and information sharing, while determining effectiveness of the system includes several tasks and processes to capture data relevant to effectiveness. SMS in itself cannot fail since it paints a true image of the enterprise. What can fail is trust, learning, accountability, and information sharing to operate within a just culture. As with any effective system, unless there are lines of defence in place, the system is not an effective system. There are seven lines of defence in an effective safety management system. It is difficult to detect failures or errors when aircraft and airport operations were safe prior to implementation of the SMS. Aviation was actually said to be the safest mode of transportation with acceptable levels of accidents with fatalities. Since then, SMS was implemented by a regulatory requirement, but no changes were made to operations, since it was safe in the first place. 


In a business organization the lines of defence follow the same lines as their hierarchy pyramid, or organizational chart. In this type of organizational structure, it is expected that persons on the bottom of the chart make several mistakes, it is also expected that their managers catch some of their mistakes and that the middle managers catch more mistakes. At the top of the pyramid is the hero who catches all other mistakes. Then, just to be sure that all mistakes are captured, caught, or identified, they bring in a third-party auditor, or the regulator comes for an inspection and issue findings. Civil aviation inspectors with a delegation of authority from the Minister are the only persons who have the authority to issue regulatory findings. Everything else are opinions and observations. 

Lines of defence are within the system itself

There are seven lines of defence within the SMS system itself and each defence system are performed daily. A principal role of an accountable executive (AE) is to be responsible for operations under the certificate and accountable on behalf of the certificate holder for meeting the requirements of these regulations. Their roles go far beyond having control of human and financial resources, which is only a condition for acceptance and not an operational requirement. Their operational requirement is to ensure that every process within the SMS enterprise conforms to regulatory compliance. Lines of defence within an SMS are the regulatory conformance level of any operational tasks in an airline or airport operations. These lines are not governed by the organizational hierarchy to catch errors or mistakes, but within a balanced system each spoke in a wheel are the lines of defence. Data is an external source, it is neutral, it is not biased, it has no agenda, and it flows into an SMS enterprise minute by minute. This data may not be observed, captured, or analysed, but it is still flowing into the SMS system as an unnoticeable background application. Data captured by an SMS enterprise is processed into information, which is the foundation of their lines of defence are building on.


Data is entering the safety management system via the information entrance. This is the only external gate to and from the outside world. Data may be flowing within the SMS enterprise, but it has no consequences or usage until it is captured and processed into information. Data is often associated with hazards but does not exclusively equal hazards. Conventional wisdom of an effective SMS is that there are processes in place to capture hazards. A component of an SMS is that an enterprise has a process for identifying hazards to aviation safety and for evaluating and managing the associated risks. While it is true that an unidentified hazard is a risk and a potential trigger for an incident, it is also true that by focusing on hazards only, other elements of data is floating by undetected. Another component of an SMS is to monitor results, or drift, of corrective actions. Recognizing drift is only possible when data of actual result or output is compared to the expectation of a corrective action. Capturing data of how a job is expected to be performed is a critical skill when observing processes for drift. 

The answers to safety are within the numbers of PI

Information comes in different shapes and forms but needs to be recorded to be useful to an SMS system. An example could be an odor which is processed to information by the sese of smell and indicating a fire. This data needs to be documented and submitted to the SMS as a hazard or incident report. Information is received by the five human senses, taste, sight, touch, smell, and sound. Data may come in the form of a taste or smell if fuel is spilled. It comes as a touch when an item is dropped on a foot, or as a sound when an item is dropped. Data also comes as sounds during training, conferences, or telephone calls. Data comes as sight when observing a hazard, a text document, flight operations, or watching a video. Most of the data does not arrive as a text in written format, but as an observation and informal delivery. Information is the first line of defence since it opens the floodgates to design and development. 


Information is processed to knowledge. With knowledge millions of opportunities comes alive. Knowledge is both theoretical and practical of how data may affect an event or causing an occurrence. Knowledge is also a prerequisite to perform tasks. Both a pilot and aircraft mechanic need to have aircraft knowledge. While it is different knowledge required, their task, or job performance is critically dependent on their knowledge. Knowledge is also power. In a conventional organizational hierarchy knowledge at lower levels may be viewed as a threat to the higher levels. When knowledge is in the spokes of a wheel, it flows independently of the organizational structure. Knowledge is the second line of defence since it is a prerequisite for the other lines of defense. 


With knowledge a person has a tool to comprehend systems and processes. Not only individual systems, but integration and interaction between related and unrelated systems. Comprehension is a 3D environment and measured in time (speed), space (location), and compass (direction). Comprehension is not to predict the future, but to have the ability to place yourself in the moment prior to an incident and to view the future without applying the known outcome. Comprehension is a line of defence since it recognizes process deviations, or processes predisposed to incidents. 


Data, information, knowledge, and comprehension are prerequisites for information sharing, which is an additional line of defence. Another component of the SMS is that there are processes for sharing information in respect of hazards, incidents and accidents among aircraft operators and an airport operator. Information shared is not assumptions or unverified, but information comprehended by the person sharing it. As example, it is difficult for a non-SMS person to share SMS information, and it is difficult for a non-pilot, or non-mechanic to share aircraft information. Information sharing may flow on the wheel to any of the other lines of defence. 


With data, information, knowledge, comprehension, and information sharing it is possible to gain a persons’ trust. Without trust there is no just-culture or a safety management system. Trust is an assured reliance and repetitious acceptance behavior when an event could cause retaliation against a person. Trust is not just to apply a non-punitive policy but is also a behavior to unconditionally accept facts and outcome. Trust is also a line of defence. Without trust an SMS enterprise is relying on threats to learn what they want to learn, and not what they must learn. 

The line of defence of learning is an incomprehensible component in an organization where learning is viewed as a tool to acquire knowledge. There are still aviation operators who are viewing learning, training, courses, and seminar as busy time, or as an excuse to be recused from the job. Learning is as much of a job performance as the job-task itself. As a line of defence, learning is a component to capture deviations and alternations.


Forward-looking accountability is not to know the outcome but to apply a behavior

Accountability as a line of defence is a forward-looking accountability. When a person is held accountable it implies that the person intentionally committed a behavior leading to an unpleasant outcome or result. Accountability within an SMS is forward-looking accountability when a person is accountable to the future of their job performance, their training and expectation of outcome. Accountability is not to foresee the future or avoid errors, but it is to perform job-tasks to the skill of training and expectations. If an expectation is established beyond a skill requirement, accountability is to inform that there is a link between training and job performance expectations. As the wheel comes together with seven spokes of lines of defence and each line links to the rim, these lines of defence flow along the rim in any direction, and to and from the SMS enterprise hub. 


Remember; If you don't design your own line of defence plan, chances are you'll fall into someone else's plan. And guess what they have planned for you? Not much.



Wednesday, March 30, 2022

When does a “mistake” become CRIMINAL?

 When does a “mistake” become CRIMINAL?

By Dennis Taboada, M.eng.,CQE,CQM

This past week a jury convicted a former Nashville nurse of reckless homicide and impaired adult abuse  after she was accused of inadvertently injecting a patient with a deadly dose of a paralyzing drug. RaDonda Vaught, 38, was indicted in 2019 on two charges – reckless homicide and impaired adult abuse – in the death of Charlene Murphey at Vanderbilt University Medical Center.Murphey, 75, died on Dec. 27, 2017, after being injected with the wrong drug. This was a terrible tragedy and certainly there is plenty of blame to go around. 

Former Nurse RaDonda Vaught

When does a “mistake” become CRIMINAL?

Of course there needs to be reparations for the family involved. I support the right to sue for “malpractice.” The nurse in this case did not try to hide or cover-up what she did. I guess we need to define what a “Mistake” or “Error” is. According to Merriam-Webster Dictionary: a wrong action or statement proceeding from faulty judgment, inadequate knowledge, or inattention.” According to Atlanta Attorney Alex Freeman, “The difference between a mistake and a criminal act is “WILFUL INTENT.”  If there is no “wilful intent” then there is no crime, but there are legal liabilities. According to an NPR article While Vaught's defense acknowledged the tragic nature of Murphey's death, her attorneys argued that her mistake was not a conscious, criminal act of homicide.

"What struck me most about RaDonda Vaught's interviews was not her honest recitation of the facts ... but her genuine worry and concern about Charlene Murphey and concern for her family," defense attorney Peter Strianse said during the defense's closing statement Thursday. "She was not thinking about herself."

 In a Safety Management System, SMS, we have an important element called NON PUNITIVE REPORTING. What does Non-Punitive reporting mean? In order to continuously improve, we need to know what is happening in our “SYSTEM.” The good and the bad. If we punish someone for “self reporting” and error or mistake they made, we create an environment where people are “Fearful” to report any incidents or hazards. It is bad enough for employees to receive administrative discipline, but when you cross the line to “criminal” you now create a very Toxic environment. I would add that this criminal threat to employees would lead to a much more dangerous environment because nurses/doctors will NOT act in situations that may save a person’s life in fear of being arrested.

What makes this case even more ominous is the fact that there was no autopsy performed. so there was no objective proof that the drug mistake was the cause of death. My question here is this: 

What happened in the “SYSTEM” to cause this accident?

The "SYSTEM" Forces as defined by Dr. W. Edwards Deming

Dr. W. Edwards Deming, “The system is responsible for the outcomes. NOT the people.”  Why did nurse RaDonda make this mistake? Let’s look at the Deming “system” forces that may have affected her judgement.  Machines, Material, Methods, People, Environment. There may not be machines involved, but the Material: Was it properly labeled? Was it identified properly to the patient? Methods: Is there a procedure in place for administering medication? Was the procedure followed? People: How many people did this medication pass through? Why didn’t others catch this mistake? Was there proper training given to administer drugs? Environment: Is the nurse working in a pressured environment? Is the Management supportive or toxic? We must examine the “System!” If the nurse is held criminally liable, why is not the management held criminally liable as well?


Janie Harvey Garner, Founder of "Show me Your Stethoscope"

Janie Harvey Garner, the founder of Show Me Your Stethoscope, a nursing group on Facebook with more than 600,000 members, worries the conviction will have a chilling effect on nurses disclosing their own errors or near errors, which could have a detrimental effect on the quality of patient care. "Health care just changed forever," she said after the verdict. "You can no longer trust people to tell the truth because they will be incriminating themselves."


Certainly, nurses and others in the medical and pharmaceutical professions are going to think twice about reporting any mistakes or errors. Many will now refuse to make decisions without some sort of legal personal liability waiver. Before this ruling, Nurses would fall under the malpractice umbrella of the hospital or doctor. Yes there certainly need to be lawsuits. There needs to be a system to compensate the injured. This is the purpose of malpractice insurance. What is criminal prosecutions going to do to patient care?  Will criminalizing mistakes improve the Patient Process? As a society, we are driving in Fear to our medical workers. How can they work with this “gavel” hanging over their heads?  Yes, mistakes are going to happen! We need to learn from these mistakes and not merely BLAME the person. Management is responsible for the medical System and should be constantly evaluating processes to look for variations that may get out-of-control. By blaming the person, we let the same broken system continue and  most certainly contribute to future tragedies.  

Dennis Taboada, M.eng.,CQE,CQM

Note: Janie Harvey Garner is the sister-in-law of Dennis Taboada, author. 

Monday, March 21, 2022

Your SMS Conversion Rate

Your SMS Conversion Rate

By OffRoadPilots

Within the world of a Safety Management System (SMS) the task is to identify desired outcomes in operations for both airlines and airport operators. The SMS regulations are performance based, and in a performance-based environment it is crucial to success that goal strategies are researched, designed, developed, and carried out. SMS are building blocks of data, information, knowledge, comprehension, triggers, tasks, oversight, and monitoring. What makes SMS different than tangible project, such as an apartment complex, is that the building blocks within a safety management system are abstract without tangible or physical dimensions. Without physical or measurable limits or perimeters, it becomes a difficult task to assess performance value of the SMS itself.  

Performance is a system in harmony with itself.
Elements of a safety management system are performance goals and a means of measuring attainment of those goals and processes to develop and maintain performance parameters that are linked to goals and objectives. Parameters are defined differently if applied in a technical environment, to mathematics, or statistics. However, its common core is that a parameter is any characteristic that can help in defining or classifying a particular system. Parameters within an SMS are characteristics classifying each sub-system within the SMS itself. Parameters are also different from perimeters. A perimeter establishes a physical boundary which a system must remain within. Going back to the apartment complex, these buildings must remain within established boundaries. Look at parameters as challenges and perimeters as task. A parameter establishes opportunities, challenges, or objectives, while perimeters within an SMS system are task performed to move in a desired direction.  


It is just as important to know what parameters are not, as it is to know what parameters are. At an airport a parameter is not the number of runway edge lights failures in a year, or the number of safety discussions held with airport tenants. For an airline, a parameter is not how many runway excursions they had, or the number of flat tires upon landing in a year. The reason these are not parameters is that they are applicable to operational tasks, or objectives, such as maintenance or training, and are not applied to operational challenges, or goals, such as an established quality assurance program. A parameter applied to these conditions would be a daily quality control program with a defined purpose to monitor the daily operations of both acceptable and unacceptable performance. A parameter does not assess for unacceptable performance only, but for the whole system itself. On the other hand, a perimeter assesses only for unacceptable performance when a system exceeds beyond its physical limits, or perimeter, and reports only when a runway edge light is burned out.    

Performance of a timepiece without parameters are unidentifiable events.

Parameters are pre-defined within the operational management of an SMS system. A safety management system has process in place to develop and maintain performance parameters that are linked to goals and objectives, which forms the basis for a performance analysis. This analysis in not how many failures there were over a period of time, but how well, or poorly, they system itself performed. In aviation weather is what has the most impact on operational reliability. 

There are operational performance reasons why METARs are published hourly and TAFs are published several times per day. For an airport operator these weather parameters affect their level of success to in operational performance. An airport cannot do anything about the weather, but their response, or reaction to the reports and events are critical to their success. An airport’s pre-defined performance parameter, or challenge or goal during a heavy snowstorm could be established within their quality assurance program for the airport to maintain operational status. Other airport operations parameters could be to maintain a FOD-free runway prior to each arrival and departure, or maintain runway markings to maintain ongoing compliance with the standards, or runway edge lights to meet illumination and operational standards. These parameters, challenges, or goals for an airport operator triggers objectives to execute tasks, or defined perimeters of what, when where, who, why and how to collect data and establish records for an analysis of performance parameters. 


A requirement of the quality assurance program is to include a process for periodic reviews or audits of the activities and reviews or audits, for cause, of those activities. The beautify of a quality assurance program is that after a comprehensive line-item audit, an SMS enterprise has a wealth of information to use in their strategic planning of goals with associated objectives and processes. 


Parameters within an SMS is to assess how an SMS performs as data collection tool, information development system, conveyor of knowledge, and as an overall system comprehension platform. SMS parameters is to measure the value of what percentage of personnel buy-in, or unconditionally accept and support the SMS as their environmental culture. While it is true that parameters are numerical values, they are not values of failures, or occurrences, but numerical values of what percentage level an SMS has the capability to identify prospects, or challenges and the conversion rate needed to master these challenges.  




Friday, March 18, 2022

Is Aviation Risk Assessment really “VooDoo?”

Is Aviation Risk Assessment really “VooDoo?”

By Dennis Taboada, M.eng.,CQE,CQM

Coming from a strictly Quality Assurance, QA, background, both education and vocation, I have been engrained with the concept of “OBJECTIVITY!” All analysis and action must be based on DATA and ACCEPT/REJECT criteria. When I was first introduced to the process of Risk Assessment, RA, using a risk matrix, my reaction was, “Are you kidding me?”  The Risk Assessment was mostly based on OPINION and SUBJECTIVITY of the team conducting the Risk Assessment session.  The result of the Risk Assessment was a numerical RISK RATING based on the OPINION of a safety committee. Depending on the composition of the Risk TEAM, the Risk Rating can change to meet the objective of the company. I say that this process itself is a “RISK” to SAFETY!  Hey, at least the process is using the QA concept of  TEAMING!  

Risk Assessments are Subjective

In 2003, Sol and I were contracted by NASA at Kennedy Space Center to Design, Develop and Deploy Quality Assurance Training for all NASA Safety and Mission Assurance personnel. This was the first time I was introduced to the NASA Goddard Risk Program. 

Dennis and Sol Taboada Contracted by NASA at Kennedy Space Center

The NASA Goddard Space Flight Center (GSFC) Risk Assessment Tool is based on the Quality Assurance concept known a Failure Mode, Effects, and Critical Analysis, (FMECA).  FMECA was originally developed in the 1940s by the U.S military, which published MIL–P–1629 in 1949. By the early 1960s, contractors for the U.S. National Aeronautics and Space Administration (NASA) were using variations of FMECA under its Risk Assessment Program.

When Sol and I were first contracted by Transport Canada to help design and develop QA training for the CAR 107 Safety Management System, SMS, deployment to 705 carriers, I mentioned FMECA as a more “objective” means of risk analysis.  The idea was promptly rejected, why?  I touched upon the “3rd Rail” of risk in Aviation:  MONEY!  The Goddard Risk Matrix includes “cost” and “scheduling” as factors!  No way could cost be considered as part of “SAFETY” in aviation! 

Another division of the Quality Assurance science is something called, “Cost of Quality.”  That was a misnomer because the actual process determines the cost of “NON-QUALITY.”  Why can’t we have the “COST OF NON-SAFETY” in SMS?  This is a discussion for future articles. 

Is it possible to use the FMECA concepts to help “Objectivize” Risk Assessment even without cost factors? The answer is YES! We can use the actuarial Failure rate formula:

lambda = ln( 1 – pf )/- time

Where lambda represents the density of occurrences within a time interval, as modelled by the Poisson distribution. We can us lambda as “Failure Rate.” 

Where is our DATA for calculation coming from?

In Aviation Risk Management, we are required to have a “HAZARD REGISTER” in which we categorize the Hazards and Incidents. By simple modification of the Hazard Register categorization cells to include a probability calculation, we can now obtain objective probability numbers that can be introduced into our every day Risk Assessments through a modified Risk Matrix. Let’s face it, We use the Risk Matrix to create our Safety Risk Profile that drive our Safety Goals and Objectives.  Then why can’t we use the Hazard Registry to provide Quantifiable information for our Risk Matrix? At least this would make the PROBABILTY side of the RISK MATRIX more OBJECTIVE. The SEVERITY side can also use the “MODE” and “EFFECT” components of the FMECA to quantify the “Effects” of an incident or hazard based on history. 

Yes I know this is going to raise questions in the AVIATION Safety world! Why can’t we bring together the science of Quality Assurance into the world of Safety Management Systems to provide better “Processes” that can actually make Aviation Safer and more efficient? Without the Voodoo!

Dennis Taboada, M.eng.,CQE,CQM

For more information:  Request Training from 


Why Long-Term CAPs Crash

  Why Long-Term CAPs Crash By OffRoadPilots W hen the Safety Management System (SMS) regulations came into force, there were little or no gu...