Saturday, November 26, 2022

Accepting or Rejecting Risks

 Accepting or Rejecting Risks

By OffRoadPilots

Accepting or rejecting risks is a fundamental principle in a successful safety management system (SMS). A person managing the safety management system is expected to maintain a process for identifying hazards to aviation safety and for evaluating and managing the associated risks and ensuring that personnel are trained and competent to perform their duties as they apply to the safety management system. This includes training for both the accountable executive and SMS manager, in addition to other airport and airline operations personnel.


A level of risk is an inherent element of aviation safety and there are several types of risks to consider when accepting or rejecting risks. One type of risk may take precedence over another type even if it is not directly associated with operations. Risk control strategies are beyond accepting or rejecting a risk, it is to justify control actions based on defined criteria. There are five categories of risks. The total risk is the sum of identified and unidentified risks. Identified risks are risks which has been determined through various analysis techniques. A task for the SMS manger is to identify all possible risks. Unidentified risks are risk not yet identified. Some unidentified risks are identified by occurrences, and some risk will never be known. Unacceptable risks are risks that are beyond a limit to what is acceptable to an SMS enterprise. Unacceptable risks may be controlled or eliminated. Acceptable risks are identified risks that is allowed by the SMS enterprise to persist without further engineering actions. Residual risks are the left-over risks after all other options has been fully explored. The residual risk is the sum of acceptable risks and unidentified risks and integrated in airport or airline operations. 

 

Conventional wisdom is that the safety management system is about safety, while the fact is that the SMS is about processes, and how things are done. The expected output of these processes is to eliminate harm and create prosperity. When decisions are based on emotional safety principles, rather than data points of facts, the end result may change risk levels to unknown risk level, or unmanageable risk levels.


The AE is the final decisionmaker to accept or reject risks, system analyses or predictive SMS operations plans. Accepting or rejecting risk is not an authority to deviate from any of safety risk management (SRM) processed, or to base accepting or rejecting on common sense and prior practices. In the past, several practices which were acceptable for an airport operator are unacceptable today within an SMS environment. Airport operators has a responsibility for their airport operations to be compatible with aircraft operations, which is the purpose of an airport. In the past, a NOTAM that a runway was covered with ice or snow contaminants were a sufficient action. However, today within an SMS-world, an airport operator must comply with the airport standards, which includes a friction index requirement, or close the runway. An AE may be the final authority, but when risk acceptances are based on prior practices, both safety in operations, and certificate compliance are jeopardized. Risk acceptance based on prior practices, with the justification that it was done before without incidents doesn’t hold water. In addition, data from prior practices applied to hazard classifications and risks may be outdated. 

 

An easy trap for an AE to fall into is to believe that they have the authority to change a risk level by the stroke of a pen. Nothing can be further from the truth. When an AE wishes to change a risk level, they must follow established processes for root cause analysis, risk assessment and system analysis, which include a signature page that they rejected a risk level advise from the SMS manager. In most organizations, an AE is the President of the company and the business management expert. An AE is not the data analysis expert but is still the person with final authority to change a risk level. Should an AE reject a recommended risk level, operations affected by the hazard in question is paused until an acceptable risk decision is made. On the other hand, an accountable executive has the prerogative to manipulate risk decisions after reviewing other apparent risks, or identified residual risks, and combined exceeds the effect of proposed risk control. 


The role of an SMS manager is not to lower a risk level due to pressure, but to assess mitigation options for assigned risk level, and options for processes to conform to regulatory requirements and acceptable to the AE. A trap for an SMS manager to fall into, is to change the risk level to the demand of an accountable executive. When an SMS manager is a non-employee at a remote location, temptations to manipulate risk levels are reduced. In a just culture there is no personal liability associated with the position of an AE as this individual represents the certificate holder. The certificate holder retains all liability for non-compliance with the regulations. It is crucial to the success of an SMS that an AE works within the just-culture principles of trust, learning, accountability and information sharing when considering recommended risks controls. 

 

A purpose of regulations is to establish operational limits acceptable to the interest of public safety as determined by the regulatory authority. Public safety may be a floating object and change with circumstances. In the aviation industry this became evident during the pandemic period, where regulatory aviation limits were changed to justify the cause of a greater threat to public safety. This makes risk control measures only applicable under the regulatory jurisdiction. Unless there are international agreements, a just culture, or non-punitive policy is not applicable beyond the regulatory jurisdiction. For airlines, an acceptable risk control within its own borders my be acceptable, while the same risk control internationally may be rejected, or in worst case a criminal action. A recent event occurred when a charter flight crew discovered an indication in the cockpit that something was wrong in the avionics bay. During an inspection of the bay, a duffel bags with illegal substances were discovered, and the flight crew reported this to the authorities. Since the crew was outside of the jurisdiction of their safety management system they were detained for seven months.

 

Accepting or rejecting risks is therefore more than just organizational related, it is also related to areas of operations, wherever that might take you. A principle of a successful SMS is that hazards are locally identified.  

 

 

OffRoadPilots




Saturday, November 12, 2022

Predictive SMS

Predictive SMS

By OffRoadPilots 

Predictive SMS methods are applied research to entail the development of an expanded and well-organized safety database, as well as the use of predictive, or forecasting methods to identify potential and emerging hazards, trends and behaviour patterns. Using data analysis and predictive methods to identify latent hazards is a tool to prevent future adverse events in operations of any organization. SMS has generated wide support in the aviation community as an effective approach that can deliver real safety and financial benefits. SMS integrates safety concepts into repeatable, proactive processes in a single system. The structure of SMS provides organizations greater insight into their operational environment, including their reactive phase, proactive phase, and predictive phase. A prerequisite for a fully operational predictive safety management system are system analyses. 

 

There are several purposes to operate with a predictive safety management system, and one of these are to move special cause variations into common cause variation for specific operators and locations. A predictive analysis is forecasted expectations as opposed to special cause variations, where expectations are unknown. A predictive analysis is also different from a proactive approach, since the proactive approach is to assume potential hazards, and predictive approach is to analyze known hazards as facts. It is impossible to predict when a hazard will affect operations and cause an occurrence, but it is possible to predict that a hazard will appear in operations within a pre-established time, location, and direction. A predictive SMS does not predict accidents, incidents, or events since the affect of latent hazards are only available with reactive analyses. A predictive safety management system operates within a 3D system and in a virtual moment of the flight, taxi, vehicle operations or other movements. A 3D identification process is measured in time (speed), space (location), and compass (direction). When 3D thinking is applied in a safety management system, future scenarios can be designed with a defined exposure level to predictive hazards.

 

 

Root cause analyses of hazards for specific phase of operations and locations have already been conduced and accepted when operating with a predictive safety management. There is a requirement for the person managing the SMS to analyze and identify the cause or probable cause of all hazards, but this requirement does not extend to identify the cause of every hazard, or the same hazard multiple times. The cause of a hazard needs to be identified once, with subsequent same hazard classification numbers to be monitored in a control chart for pattern and frequency. Note that a predictive SMS is applicable to hazards of same classification number, and not of hazards with similar classifications. A successful SMS operates with a hazard classification system of safety critical areas and safety critical functions within identified areas. 

 

Analyzing birdstrike data in a predictive SMS generates control charts for reliability pattern and frequency. The outcome of this experiment unfolded as the post was written. Data applied in this scenario are from publicly available data for a specific airport between 2010 and 2022. Adding bird observations by airport personnel, tenants or users would enhance the analysis and improve predictive SMS operations. Data are reactive facts, since there are no expected, or assumed data applied in a predictive SMS analysis. 

 

The X-mR control chart is used with variables data - data that can be "measured" like time, density, weight, conversion, etc.  Like all control charts, the X-mR monitors variation over time.  The X-mR chart will tell if your process is in control (only common causes of variation present) or if there are special causes of variation.  You use the X-mR chart when you have only one data point to represent the situation at a given time.  For example, suppose your company is tracking accounts receivable each month.  You have limited data - one data point a month.  You can use the X-mR in these situations.  You plot the monthly result on the X chart.  You plot the moving range between consecutive months on the mR (for moving range) chart.” -SPCforexcel.com

 

An X-mR variable chart detects special cause variations. The X-mR chart below shows five spikes of special cause variations, or an out-of-control process, between 2010 and 2022. When a special cause variation is identified requires an SMS enterprise to conduct a full-scale Root Cause Analysis. 




When analyzing the out-of-control points, it is noticeable that they occurred during the summer seasons, with the last spike in 2017. What steps the airport took to eliminate special cause variations in 2018 is unknown. Since the main migratory bird routes through the area did not change overnight in 2018, it is assumed that the airport operator implemented changes. If operating with a proactive SMS, an operator would need to conduct a root cause analysis, system analysis and applied a predictive SMS approach to migratory bird behavior. With a predictive SMS approach to   migratory bird travel, systems may be put in place to direct the birds locally away from airport approaches. This particular airport is previously known for changing local bird travel routes by applying the principles of landuse in vicinity of airport, to divert, or eliminate bird activites. Such activities include diverting travel to and from landfills, water reservoirs, or removal of cereal crops in the area. Previous research has identified that bugs are attracted to the blacktop runway surfaces, which again attracts birds. Without any out-of-control points since 2018, it is assumed that a predictive SMS approached fulfilled its expectations.


A Pareto chart is a data-based approach to determine what the major problem or cause is.  All companies have lots and lots of problems on which to work.  There is not enough time in our day to work on everything.  The Pareto chart gives us a way to determine which problem to work on first – where we will get the most return for our investment.  And the Pareto chart is also a great communication technique as we shall see.

Vilfredo Pareto, an Italian economist, developed the Pareto chart in the late 1800s.  He discovered that 80% of Italy’s wealth was held by 20% of the people.  This has become known as the 80/20 rule or the Pareto principle.  It is at the heart of the Pareto chart.  The 80/20 rule applies in many places – 20% of our customers are responsible for 80% of the customer complaints; 20% of the workforce account for 80% of employee issues.  The Pareto chart is one method of separating that 20% - the vital few – from the 80% - the trivial many.  This allows us to focus our time, energy, and resources where we will get the most return for our investment.”

 – SPCforexcel.com


A pareto chart detects the frequency of hazard classifications. When frequencies are identified, an SMS enterprise may prioritize action plans for classifications with the highest frequencies. In a normal distribution, 20% of events are the cause of 80% of all hazards. 



This pareto chart identifies the months of July, August and September as the months when 73% of hazards are occurring during 25% of the months. For the airport operator, these three months now becomes the target focus area to manage bird activities. For airlines operating out of the airport, these three months become the target focus area for their predictive SMS. However, before jumping to a conclusion to apply these analyses to their predictive SMS, airline operators should approach the airport operator for detailed information about actions applied in their bird and wildlife control program. If no actions were taken by the airport operator, then other factors would have affected the bird activity process to reduce birdstrikes.  

 

In a search it was learned that the airport had implemented corrective actions, and revealed that in 2018 the airport implemented a new bird control system. Here is an excerpt of the news article (redacted): “The airport is pleased to welcome (company) to the airport. The company brings a specialty Falconry Bird Control Program to the airport which augments the airport’s existing wildlife management program. The company provides a service with trained falcons and other species of birds of prey to manage issues that are caused by wild birds in commercial and industrial environments. Bird control falconry is one of the only target specific methods of control which has the minimum impact of the environment and other non-evasive species within it.”

 

With the new bird control system, a new control chart analysis from 2018 was conducted that produced a similar special cause variation result. 




Migratory bird routes are common cause variations in the bird movement process. Their travel in the vicinity of airports or using airport lands as their feeding grounds is integrated into their process. The same birds come back year after year. For an airline or airport operator, this bird activity becomes a special cause variation when affecting the planned air travel or airport operations, since it is not an integrated part of their operations. When a common cause variation is manipulated, or controlled, the outcome may deviate from statistical expectations. As noted in this experiment, when the bird activity process is controlled by falconry, both the reliability pattern and frequency were slightly altered. 

 

The responsibility for improving a process in statistical control lies with management, while front-line personnel may have excellent suggestions on how to do this. Improving a process that is in control may mean changing the average or reducing variation. It is a never-ending process. The system must be changed to improve the process. From the birds’ point of view, their process may now be out-of-control, since a common cause variation was manipulated. The bird control system at this airport changed and monitoring the effect of implemented action verified that the birdstrike counts went down. This is a classical example of how simple, but effective, the concept of a safety management system is. 



With this new information an airline or airport has an opportunity to apply a predictive SMS to their operations. It is not the birdstrike that is predictive, but the bird activity. A root cause analysis can only be conducted of a hazard that the operator has control over, both control over data required for the analysis and control over the corrective action plan. In the bird experiment example, an airline operator has control over publicly available birdstrike data, and they have control over aircraft operations. A root cause analysis may have identified the migratory bird season as a root cause and their control measure may have been to accept the risk, reduce flights to this airport to mitigate aircraft damages, or pause operations during the hours when birds are present. Since an airline is in the business of generating money, it is impractical to reduce, or close down flights due to bird activities. Their own birdstrike data becomes their preferred tool to assess the likelihood and severity in their operations. At this particular airport, with approximately 1.3 mill movements and 5.2 birdstrikes annually, or one birdstrikes per 250,000 movements, any reasonable SMS manager would accept the risk. Zero birdstrike is an unacceptable goal. Both the airport and airline conducted their root cause analyses, their system analyses and is now ready to operate with a predictive SMS. At this particular airport, they continue to track the counts of birds, and birdstrikes, but a root cause analysis is not needed since it is already done for this hazard classification. 

 

A trap that is easy to fall into, when birdstrike numbers, or any hazards are low, is to reduce or eliminate current mitigation processes. The return of investment (ROI) in an SMS is inverted, with relatively higher investment and fewer occurrences returned. Most often justification for changing the mitigation process is due to cost and the low number of hazards. A Canadian airport voluntarily gave up their airport certificate a while ago since that allowed them to change their mitigation processes and eliminate their safety management system. Just this month they experienced what this trap could cause, by operating without an SMS, which also includes a plan of construction operations. “A privately registered Cessna P210N from (airport) to (airport) was taxiing on the hangar line and fell into an unmarked 3-foot wide strip where the pavement was taken away. The front wheel fell 4 to 5 inches into the construction area. There was propeller damage and engine damage to the aircraft.”

 

 

 

OffRoadPilots

Line-Item Audits

  Line-Item Audits By OffRoadPilots A irports and airlines are required to conduct a triennial audit of the entire quality assurance program...