The Seven Lines of Defence Of An SMS
A Safety Management System (SMS) must be effective to conform to the regulatory performance requirements to have in place a process for reviewing the safety management system to determine its effectiveness. A general definition of effective is a process that is successful in producing a desired or intended result or fulfilling a specified function. SMS is a simple concept to operate within a just culture where there is trust, learning, accountability, and information sharing, while determining effectiveness of the system includes several tasks and processes to capture data relevant to effectiveness. SMS in itself cannot fail since it paints a true image of the enterprise. What can fail is trust, learning, accountability, and information sharing to operate within a just culture. As with any effective system, unless there are lines of defence in place, the system is not an effective system. There are seven lines of defence in an effective safety management system. It is difficult to detect failures or errors when aircraft and airport operations were safe prior to implementation of the SMS. Aviation was actually said to be the safest mode of transportation with acceptable levels of accidents with fatalities. Since then, SMS was implemented by a regulatory requirement, but no changes were made to operations, since it was safe in the first place.
In a business organization the lines of defence follow the same lines as their hierarchy pyramid, or organizational chart. In this type of organizational structure, it is expected that persons on the bottom of the chart make several mistakes, it is also expected that their managers catch some of their mistakes and that the middle managers catch more mistakes. At the top of the pyramid is the hero who catches all other mistakes. Then, just to be sure that all mistakes are captured, caught, or identified, they bring in a third-party auditor, or the regulator comes for an inspection and issue findings. Civil aviation inspectors with a delegation of authority from the Minister are the only persons who have the authority to issue regulatory findings. Everything else are opinions and observations.
|Lines of defence are within the system itself|
There are seven lines of defence within the SMS system itself and each defence system are performed daily. A principal role of an accountable executive (AE) is to be responsible for operations under the certificate and accountable on behalf of the certificate holder for meeting the requirements of these regulations. Their roles go far beyond having control of human and financial resources, which is only a condition for acceptance and not an operational requirement. Their operational requirement is to ensure that every process within the SMS enterprise conforms to regulatory compliance. Lines of defence within an SMS are the regulatory conformance level of any operational tasks in an airline or airport operations. These lines are not governed by the organizational hierarchy to catch errors or mistakes, but within a balanced system each spoke in a wheel are the lines of defence. Data is an external source, it is neutral, it is not biased, it has no agenda, and it flows into an SMS enterprise minute by minute. This data may not be observed, captured, or analysed, but it is still flowing into the SMS system as an unnoticeable background application. Data captured by an SMS enterprise is processed into information, which is the foundation of their lines of defence are building on.
Data is entering the safety management system via the information entrance. This is the only external gate to and from the outside world. Data may be flowing within the SMS enterprise, but it has no consequences or usage until it is captured and processed into information. Data is often associated with hazards but does not exclusively equal hazards. Conventional wisdom of an effective SMS is that there are processes in place to capture hazards. A component of an SMS is that an enterprise has a process for identifying hazards to aviation safety and for evaluating and managing the associated risks. While it is true that an unidentified hazard is a risk and a potential trigger for an incident, it is also true that by focusing on hazards only, other elements of data is floating by undetected. Another component of an SMS is to monitor results, or drift, of corrective actions. Recognizing drift is only possible when data of actual result or output is compared to the expectation of a corrective action. Capturing data of how a job is expected to be performed is a critical skill when observing processes for drift.
The answers to safety are within the numbers of PI
Information comes in different shapes and forms but needs to be recorded to be useful to an SMS system. An example could be an odor which is processed to information by the sese of smell and indicating a fire. This data needs to be documented and submitted to the SMS as a hazard or incident report. Information is received by the five human senses, taste, sight, touch, smell, and sound. Data may come in the form of a taste or smell if fuel is spilled. It comes as a touch when an item is dropped on a foot, or as a sound when an item is dropped. Data also comes as sounds during training, conferences, or telephone calls. Data comes as sight when observing a hazard, a text document, flight operations, or watching a video. Most of the data does not arrive as a text in written format, but as an observation and informal delivery. Information is the first line of defence since it opens the floodgates to design and development.
Information is processed to knowledge. With knowledge millions of opportunities comes alive. Knowledge is both theoretical and practical of how data may affect an event or causing an occurrence. Knowledge is also a prerequisite to perform tasks. Both a pilot and aircraft mechanic need to have aircraft knowledge. While it is different knowledge required, their task, or job performance is critically dependent on their knowledge. Knowledge is also power. In a conventional organizational hierarchy knowledge at lower levels may be viewed as a threat to the higher levels. When knowledge is in the spokes of a wheel, it flows independently of the organizational structure. Knowledge is the second line of defence since it is a prerequisite for the other lines of defense.
With knowledge a person has a tool to comprehend systems and processes. Not only individual systems, but integration and interaction between related and unrelated systems. Comprehension is a 3D environment and measured in time (speed), space (location), and compass (direction). Comprehension is not to predict the future, but to have the ability to place yourself in the moment prior to an incident and to view the future without applying the known outcome. Comprehension is a line of defence since it recognizes process deviations, or processes predisposed to incidents.
Data, information, knowledge, and comprehension are prerequisites for information sharing, which is an additional line of defence. Another component of the SMS is that there are processes for sharing information in respect of hazards, incidents and accidents among aircraft operators and an airport operator. Information shared is not assumptions or unverified, but information comprehended by the person sharing it. As example, it is difficult for a non-SMS person to share SMS information, and it is difficult for a non-pilot, or non-mechanic to share aircraft information. Information sharing may flow on the wheel to any of the other lines of defence.
With data, information, knowledge, comprehension, and information sharing it is possible to gain a persons’ trust. Without trust there is no just-culture or a safety management system. Trust is an assured reliance and repetitious acceptance behavior when an event could cause retaliation against a person. Trust is not just to apply a non-punitive policy but is also a behavior to unconditionally accept facts and outcome. Trust is also a line of defence. Without trust an SMS enterprise is relying on threats to learn what they want to learn, and not what they must learn.
The line of defence of learning is an incomprehensible component in an organization where learning is viewed as a tool to acquire knowledge. There are still aviation operators who are viewing learning, training, courses, and seminar as busy time, or as an excuse to be recused from the job. Learning is as much of a job performance as the job-task itself. As a line of defence, learning is a component to capture deviations and alternations.
Forward-looking accountability is not to know the outcome but to apply a behavior
Accountability as a line of defence is a forward-looking accountability. When a person is held accountable it implies that the person intentionally committed a behavior leading to an unpleasant outcome or result. Accountability within an SMS is forward-looking accountability when a person is accountable to the future of their job performance, their training and expectation of outcome. Accountability is not to foresee the future or avoid errors, but it is to perform job-tasks to the skill of training and expectations. If an expectation is established beyond a skill requirement, accountability is to inform that there is a link between training and job performance expectations. As the wheel comes together with seven spokes of lines of defence and each line links to the rim, these lines of defence flow along the rim in any direction, and to and from the SMS enterprise hub.
Remember; If you don't design your own line of defence plan, chances are you'll fall into someone else's plan. And guess what they have planned for you? Not much.