Fond Du Lac

Fond Du Lac

By Catalina9

This post is about the ATR-42 crash at Fond Du Lac. There are several lessons to learn from this incident, while on the other hand it is easy to overlook what we can learn by denial that this could never happen to us. TSB report was released October 28, 2021.

After accident investigations TSB issue recommendations to TC to implement new or change current regulations. A recommendation from this incident is for TC to require all commercial aviation operators in Canada to implement a formal safety management system. 

TSB report reads: “When the flight crew and dispatcher held a briefing for the day’s flights, they became aware of forecast icing along the route of flight. Although both the flight crew and the dispatcher were aware of the forecast ground icing, the decision was made to continue with the day’s planned route to several remote airports that had insufficient de-icing facilities.”

 

A Safety Management System (SMS) is an oversight system of the operations itself. An effective oversight system includes a daily quality control system. There are several parts to an SMS, but the two key parts to operations are daily quality control and monitoring of quality assurance. Airport operations and flight operations traditionally has been separated as two independent operations which one does not affect the other. With SMS this changed that if a regulation it not broad enough to capture a hazard, then the operator is responsible to mitigate the hazard. One of the SMS regulations reads that an SMS Enterprise needs a process for identifying hazards to aviation safety and for evaluating and managing the associated risks. Sometimes it is just as important to know what the regulations does not read. This regulation does not read that an airport or airline must identify their own hazards. It simply reads that they need a process to identify hazards to aviation safety. Under the SMS regulations it is just as incumbent on the airport operator as the airline to ensure that de-icing equipment is in place since it has to do with safety for the flying public and safety at the airport. The TSB report addresses remote Canadian Airports and there are remote airports that provide de-icing services and a vehicle with hot de-icing fluid. De-icing fluid is a service for sale, just as they sell fuel and other services. TSB recommendation is that the Department of Transport collaborate with air operators and airport authorities to identify locations where there is inadequate de-icing and anti-icing equipment and take urgent action to ensure that the proper equipment is available to reduce the likelihood of aircraft taking off with contaminated critical surfaces.

Another part of the regulation reads that no person shall conduct or attempt to conduct a take-off in an aircraft that has frost, ice or snow adhering to any of its critical surfaces. A daily quality control system has a responsibility to capture the daily weather forecast and other weather-related reports, images or videos as a prerequisite for their quality assurance system. An airline may be operating with a dispatch system, flight following system or a pilot self-dispatch system. Whatever level of operational oversight system that is in place, any weather report must trigger a reaction. 

The reaction could be to do nothing, but needs to be documented and justified why nothing, or no reaction is required. An SMS Manger, or Safety Director, at an airport is responsible under the regulations to implement a reporting system to ensure the timely collection of information related to hazards, incidents and accidents that may adversely affect safety. This regulation is applicable under the airport regulations. An aircraft taking off, or attempting a takeoff with contaminated surfaces, is just as much of a hazard to the airport as an airport vehicle on the runway with an aircraft on approach. It is the responsibility of the airport to collect data about this hazard. As the final authority for an airport or airline SMS Enterprise, the accountable executive is to be responsible for operations or activities authorized under the certificate and accountable for meeting the requirements of the regulations. This includes justification to the regulator why or why not certain processes must be included or removed. 

On March 10, 1989 Air Ontario 1363 crashed shortly after takeoff due to ice contamination. The Final Report reads: “Modern air transportation is a complex enterprise. Similarly complex are the causes of aircraft accidents. Previous aircraft accident investigations have demonstrated that an accident or serious incident is not normally the result of a single cause, but rather the cumulative result of oversights, shortcuts, and miscues which, considered in isolation, might have had minimal causal significance. A properly functioning air transportation system with appropriate standards operates as an ongoing check against the circumstances that can give rise to an accident. It became clear from the evidence that, when one or more of the components in the system breaks down, the probability of an accident or serious incident is increased. The accident at Dryden on March 10, 1989, was not the result of one cause but of a combination of several related factors. Had the system operated effectively, each of the factors might have been identified and corrected before it took on significance. It will be shown that this accident was the result of a failure in the air transportation system.” 

Almost 30 years later the aviation industry as a hole are still struggling with broken systems learned from the Dryden accident. In 1989 the Safety Management System in aviation did not exists as a regulatory oversight. When there is not a formal SMS system in place, it becomes impossible to identify how there was a gap in the system causing the incident. The Dryden report identified intelligently and clearly that “an accident or serious incident is not normally the result of a single cause, but rather the cumulative result of oversights, shortcuts, and miscues which, considered in isolation, might have had minimal causal significance.”  At that time airlines managed safety by a simple principle of ensuring superior customer service to ensure the safe arrival at intended destination. With the implementation of SMS, the SMS system itself was expected to ensure safety in operations. A Safety Management System cannot fail since it paints a picture of the operations itself. What can malfunction within an SMS is a system to recognize processes which does not serve its purpose. This does not only apply to de-icing of aircraft prior to takeoff, but also includes the collection of hazards affecting aviation safety which goes beyond operational control or take on a role when the regulation itself is not board enough to include all future hazards to be identified. 

It is true that SMS is about aviation processes. However, the authority, or to which level safety is paramount, rests with one person only. This person is not always the accountable executive, but the person who within an organization has the power of authority. This person be a part of the organization itself but could also be a third-party person. This person may have other interests in mind than safety in operations since past records demonstrate a safe tracking record.  Everyone believe they are the key piece to keep aviation safe, but it is the person who demonstrates the best vocabulary who wins the deal.  

 

Drift in aviation is what a pilot from the days of NDB navigation understands. An NDB used for navigation always took the aircraft to its destination, but often by drift and correction to make it there safely. In the early days of an NDB they were broadcasting in morse codes to identify quadrants. Later an ADF with a needle pointing in its direction were installed in an aircraft. Great progress was made in air navigation. Also, an AM radio frequency could be used as a means of long-range navigation and was easily picked up 3-400 miles away. When navigating to an NDB, drift went undetected unless the pilot could comprehend the different systems and how one system affected the other. A sea captain navigating by lighthouses also comprehended drift in navigation, how to recognize drift and how to apply inputs for change. Both the Dryden and Fond Du Lac accidents were products of drift and the inability to recognize the drift itself. Drift is simply said how we do things. Drift is only recognized when there is an identified path to follow. At both Dryden and Fond Du Lac, the identified path to follow was an expectation to arrive at on time at the next destination. If the KWINK principle had been applied the captain would not have attempted the takeoff. KWINK is Knowing-What-I-Now-Know.

 

The KWINK system is a system to recognize drift, just as with navigating to an NDB, the pilot needs to correct their drift by doubling their correction track to take the most direct route. KWINK is for airline and airport operators to leap into the future and review their operational decisions. Taking a leap into the future is to review records and data from the past and apply to the next immediate task.   

 

 

Catalina9

How to Audit SMS

How to Audit SMS

By Catalina9

Conventional wisdom of how to audit the Safety Management System (SMS) is to generate an audit checklist based on regulatory requirements for an SMS, and develop expectations, or processes, in a checklist form to determine level of regulatory compliance. There are several itemized expectations for an SMS enterprise to audit every single aspect of operations for compliance. Auditing by expectations does not paint a true picture of an SMS enterprise level of compliance since an expectation audit does not audit for reliability. 

Research and development is the responsibility of an AE.

An airline or airport may be required to comply with hundreds of regulations in addition to just as many operational standards. One regulation may be compliant by applying several different operational methods, or expectations, which may be interpreted differently by inspectors, auditors or organizational management. When expectations are applied to an SMS audit, all operators are grouped into one expectation and that one-fits-all. Auditing by expectations is a hazard in itself, since an SMS enterprise may change their operational behavior to please the inspector’s or auditor’s checkbox, rather than trusting their own operational judgement. Auditing by expectation is also an avenue to group safety with ratings. A high rating number becomes equal to a high, or superior, level of safety. As an operational oversight system SMS paints a picture of results, or process outputs, and not of a predetermined input. A shopping list contains expectations or inputs, and when used correctly each item is checked off, but the condition, output, or quality of each item is unknown until after the shopping is done.  

The first level of audit of an SMS enterprise is to audit for scalability, or size and complexity. There is a regulatory requirement that a safety management system shall be adapted to the size, nature and complexity of the operations, activities, hazards and risks associated with the operations. Humans are great at making simple tasks complex, or even unmanageable. An unmanageable SMS is a system where hazards to operations are unknown. In an unmanageable SMS, or where an SMS is scaled beyond their operational needs, operations tend to drift towards informal, and simplified processes. An SMS workload is not the SMS itself, but research and develop to scale down systems to size and complexity for regulatory compliance, for safety in operations compliance, for compliance with operational needs and compliance with the SMS policy. An SMS system should be scaled to a level where it can be explained in just a few words. If an SMS enterprise is unable to explain how to maintain regulatory compliance and safety in operations, don’t expect the regulator to explain it for you.

A public speaker is a highly regarded expert.

 A speaker at an aviation safety conference made a statement that the regulator has decided to only issue findings against regulatory non-compliances and no longer issue findings to an SMS enterprise for non-compliance with their own internal manuals. That the regulator no longer plans to issue findings to an internal manual is a step in the right direction. When a finding is made to non-conformance with an internal manual an operator has two corrective action plan (CAP) options. The first is to make a change to the manual, or the second option to make a change to the process, or how things are done. Either way, the regulator must approve the CAP by directing what the manual text must read or direct the operator to what specific process they must implement. When the regulator mandates, or locks-in text or processes, they are interfering with the operators sole responsibilities pursuant to the regulations to operate with an SMS that is scaled to size and complexity. An benefit to an SMS enterprise when the regulator only issue finding to regulatory non-compliance is that they now have an opportunity to self-correct their own manuals or ineffective processes.
 

An accountable executive (AE) is responsible for operations authorized under the certificate and accountable on behalf of the mayor, council, airport authority, CEO, corporation or business owner for meeting the requirements of the regulations. In the regulations it states that an appointed AE must have control over human and financial resources. In the past, this regulation was interpreted by regulatory oversight that their only responsibilities was to apply cash to safety and hire personnel to do the jobs. As long as an AE could answer yes to these two questions, they passed their part of the audit. What was overlooked by the inspectors or auditors, was that an AE was not only responsible for cash and personnel, but also responsible for meeting all the other requirements under the regulations. When the regulator no longer issues findings for compliance with the SMS manual itself the manual or processes becomes much more flexible to change, and both airlines and airport operators having an opportunity to perform a true audit of their SMS enterprise. 

The second part of an audit is to audit for outputs, or results. Inputs for these audits are the daily, hourly, or frequently assigned operational tasks. Inputs are how the job is done and what tools are used to support these operational tasks. As an oversight system an SMS enterprise documents the results as they are completed, or at the time of their transactions. Just as upon completion of the shopping list, an itemized receipts and cash exchanged is documented at the time of transaction. Counting the cash is the first step in a quality control system for an upcoming financial audit. Counting outputs and results of an assigned task within an SMS world is a control system for a safety audit. In a financial audit, the auditors do not audit against expectations, how an organization plans to do their inputs, or if they are compliant with their expected inputs. In a financial audit the end result is audited by confirming receipts and financial entries. In a safety audit, the same process is followed by auditing the end results, or outputs, and confirmed by receipts, or data, and entries into the SMS system. An airline or airport conducts daily quality control, regular surveillance of their systems by random sampling and classifies their data to a level of security to preserve its integrity. The audit of an SMS then based on results and not based on virtual, or opinion-based expectations. SMS is to build a portfolio of safety.   

 

 

Catalina9

The Swiss Cheese

 The Swiss Cheese

By Catalina9

The other day when I was on my way to the store to buy swiss cheese and it was raining. I had opened my umbrella inside, walk under a ladder and a black cat crossed in front of me by the time I got to my car. My day was off to an unpredictable day. I purchased a block of swiss cheese and a package of sliced. I could not see the swiss cheese holes in the block, but I could see them in the sliced cheese, and all the holes were lined up. An unavoidable incident seems to be on the march in my direction today. I had opened an umbrella inside, walked under a ladder, black cat crossed in front of me and now all the holes in the swiss cheese lined up. And to make things worse, I embrace the principle that more is less and less is more. 

Umbrellas are attainable and measurable goals to be used for
a purpose.

An effective Safety Management System (SMS) is expected to run smoothly, and that safety will come by itself if we just do the right tings. The right thing is to find the holes in the swiss cheese and to stop the flow of accidents by plugging or diverting holes. If we make safety objectives and goals, we will be safe, or if we just remain vigilant, observant and follow the rules, we will also be safe. Accidents are built from a blueprint for a system to fulfil an undesired purpose, or aim, and the swiss cheese analogy is an imaginary description to simplify how integrated micro-systems builds accidents.

They key to a successful SMS is to accept that there are micro-systems within larger systems. These micro-systems are defined as at random, since there is no obvious logic to how they form or are placed within its own system. The definition of at random in the Marriam-Webster dictionary is without definite aim, direction, rule, or method, and lacking a definite plan, purpose, or pattern. Applying these micro-systems as random and unpredictable is how they must be applied within an SMS enterprise.  

A latter is a tool to reach new goals, so don’t walk
under it.

The swiss cheese principle is an exceptional good description of at random, or of how accidents are built and the many interactions of events that must take place to build up to the accident itself. However, this principle is only effective as a reactive tool for analysis after an accident, since when arriving at one hole, there is no road map or directions as what turn to take next to avoid lining up another swiss cheese hole. The swiss cheese analysis is non-directional, it is operating within a dark space and each hole in the cheese are individually and specifically placed within its own micro-system and without connections to current events. Holes in the swiss cheese may appear to be randomly placed, but they are systematically placed within its own micro-system produced by carbon dioxide. Each hole in the swiss cheese is a result of a cause which creates the effect. The cause is its own system within the swiss cheese creating these pockets of gas. From outside the swiss cheese, these holes may appear to pop-up randomly, while within the dark spaces of the micro-system itself their location placing becomes predictable

Conventional wisdom is that more is less, and less is more. Professional organizations are rigidly applying this principle in their decision-making process. When applied correctly, simplifying processes is a tool to achieve more. However, simplifying processes does not include a reduction in level of service, or removal of regulatory compliance processes. When more is less, and less is more, there is much more work, research, design, and project planning needed to produce a simplified system output on the front line.  

Looking for the black cat is active hazard identification

Safety in aviation is beyond being a miracle, a matter of luck or dreams come true. Everything happens for a reason, good or bad, positive, or negative. Accepting that at random are micro-systems affecting your goals, and that this system appears as at random is vital to the goal achievement process. If at random is without definite aim, direction, rule, or method, and lacking a definite plan, purpose, or pattern, then accidents are meaningless. A meaningless event has no purpose or reason. An accident is emotionally meaningless since there is no reason or purpose for people to be harmed or loss of life due to unexpected events. However, when applying meaningless, or without definite aim in an SMS organization it becomes impossible to establish cause and integrated factors of occurrences and unexpected events. That everything happens for a reason does not imply that events magically occur, is a statement that there are micro-systems affecting operations which cannot be determined, recorded, or predicted. In an SMS world, these systems are also defined as special cause variations.

A Regulator is responsible for the development and regulation of aeronautics and the supervision of all matters connected with aeronautics. When a new regulation comes into force, an airport or airline operator only have one choice to continue operations, which is to maintain compliance with the new regulation. Public opinions, political environment and aviation incidents are all triggers for new regulations. Over time these regulations add up to an overwhelming task for both airlines and airports. In addition, the regulations require an SMS enterprise to run a safety management system that is adapted to the size, nature and complexity of the operations, activities, hazards, and risks associated with the operations. More regulation and a scaled down SMS system are two opposing regulatory requirements.  

Scaling down an SMS enterprise is not to remove or decline specific regulations, but to combine operational tasks applicable to each regulatory requirement. Scaling down is to make your job as the Accountable Executive userfriendly and manageable for the SMS Manager. When regulations are performance based, an operator is obligated to demonstrate how their activities conform to the regulations. Demonstrating compliance is more than demonstrating compliance with one regulation, but to demonstrate how each task maintain compliance, and how any of these separate tasks does not interfere or causing non-compliance with other regulations.

The swiss cheese principle is a valuable analogy to describe actions, reactions and results of a micro-hazard travelling through the cheese and setting the main system up for failure by travelling through each hole in the swiss cheese. However, if an SMS enterprise establish a safety goal to avoid the swiss cheese holes and objectives are to navigate safely around the holes, they are doing the right thing, but operating with unmeasurable goals since the distance and directions to the holes are not measurable.  

 

Applying the principle that less is more and more is less gives the same output as the swiss cheese principle. Both principles come with a valuable application, but it is impossible to establish measurable goals from these principles. On the other hand, opening an umbrella inside, walking under a ladder or the black cat crossing, are all events that can be used to establish measurable goals. Find the umbrella, ladder, and black cat within your SMS enterprise micro-systems to build a portfolio of safety. 

Catalina9