Santa’s System Analysis

Santa’s System Analysis

By OffRoadPilots

Since Santa implemented the Streamlined Mission Service (SMS) 10 years ago, hisSMS system has evolved into a business of its own, and a business system within the Streamlined Mission Service system. Santa runs his operations as a non- profit organization. This is not a charity organization, but a not-for-profit enterprise, with Santa who is the AE, Mrs. Santa who is HR Director, the Elf Superintendent, the Elf Director of Reindeer Operations, and the Elf Director of Airfield Management as the Board of Directors. The purpose of Santa’s operation is to deliver, without profit, gifts to billions of people once a year during a 24-hour period. The task in itself is simple, since delivery methods remains the same for centuries. However, task to deliver within a 24-hour period has become more strenuous

The first time Santa delivered gifts was in the year 872, when he helped a king of the Arctic to convince farmers, laborers, ship builders, accountants, lawyers, and risk management officers to join the king as one nation. Santa used his gifted talent as a used-sleigh salesman to give out gifts to everyone who agreed. Since this gift-giving process went so smooth, and the reindeers loved it, Santa decided to give gifts to all the nations on the day of the Arctic mid-winter fest when the sun is returning to the region again, the earth is coming back to life, and continuous darkness must give way to daylight. Santa did not plan much for this, since travel and giving gifts were common sense tasks. He gathered up all the nine reindeers he had in the safety corral, where they were protected from hazards. These nine reindeers were carefully selected from the prime of the best reindeer-stock in the mountains. The reindeers were used as helpers for the 2-day build-up of the mid-winter fest and the return of the sun, and the 7-day cleanup after the fest. This was not a rowdy and wild fest, but the cleanup needed to take 7-days as a part of a tradition only.

At the next winter-fest in 873, Santa departed with gifts that him and Mrs. Santa had prepared. The nine reindeers were happy to go and was looking forward to seeing other parts of the flat-shaped earth. Santa and the reindeers had been up in the air before, and when climbing to 3,000 feet above ground, they could easily see the end of the world. Santa didn’t think this would take much time or presents and departed on a full moon morning and bright stars. These were the modern times, and there was nothing that was not known to be bright and intelligent people at this time. On the first takeoff one of the reindeers failed and stumbled after a famous wolf crossed the runway, and the reindeer got one of the runway edge lights stuck in his nose. The nose turned red, Santa named the reindeer Rudolph, after the famous wolf, and put Rudolph at the front for safety, since the nose was red.

Santa travelled from home to home and landed on the rooftops. They didn’t have chimneys back then, but there was a hole at the gable end for smoke to escape from the living areas. This was a convention place to drop the gifts, and if Santa had to, he could use a rope to slide down into their living room.

Every delivery went well, until Santa ran out of gifts. Santa had travelled for hundreds of miles but did not make it to the earth’s end yet. There were still yard lights as far as the eye could see. Santa was disappointed but had to turn around before the reindeers ran out of energy. Safety back at Santa’s yard, he sat down and wondered what went wrong since he couldn’t deliver to every single home.

Over the next few months Santa analyzed the system to learn what went wrong. He researched famous scholars about the flat earth and reindeer energy consumption. After reading and learning more about the earth, Santa came to realize that the earth is round like the sun and the moon. Also, Santa found out that the reindeer need solid food on their travel and cannot make the full trip by using power from the windturbine installed under the sleigh to supply water when they stop on the rooftops. Santa completed his system analysis for the next trip. The system analysis included the reindeer feeding system, the power generating system, and the earth-shape system. The reindeer feeding system was made automated and powered by the power generator to supply solid and liquid food to the reindeer. The windturbine was placed on top of the sleigh since it was damaged by rooftop landings when installed below. The power generator system added two backup windturbines to ensure power supplies for the whole trip. While Santa had problems defining, or changing the earth’s shape, he discovered that he could draw a map of the earth on a round rock and use the rock as his GPS (Grand Path System).

New inventions had come on the market since last year, and now, in the year 874, everything that was needed to be known about global travel was known. Santa had no worries since the experts had given him expert’s advice for every possible scenario and ensured his safety. After several hours of travel Santa was surprised that the sun did not set. Where he came from the sun did not rise all day, but here it was just the opposite. The sun did not set during the night. This reminded Santa of home and how the summer night are long and bright. Santa used an old wheel with six spokes to calculate his travel distance. Santa called his device every 6 balcony (E6B), since he needed to recalculate his route after six rooftop landings. To his surprise, he now was at the bottom of the round rock. Santa continued his deliveries, and he did not look back. The reindeer followed the direction from Rudolph, and the red nose pointed in a straight-ahead direction. After severalmore hours, Santa began to recognize places on the ground, and soon he found his landing airstrip. Santa was surprised to learn that he could make it home without turning around. When he told this to the experts, they expelled him from the toy factory since this could not be true. The earth was flat, and anyone who went of the edge never came back. Santa was more eager now than ever to continue his journey and deliver toys to everyone. Just a few days later Santa and Mrs. Santa started their own toyshop with help from all the elves in the area. Their future looked promising.

By now Santa realized that another system analysis needed to be done, since more systems were added, and he was planning for additional changes for the next toy delivery season. This time Santa included his own experts to do a system analysis. Mrs. Santa as the Director of Financial and Human Resources has roles and responsibilities to ensure that their processes from material to finish product were stable and userfriendly, and the system analysis expert for theses areas. Santa as the Accountable Elf (AE) has responsibility for human factors, organizational factors, supervision factors and environmental factors. In the system analysis Santa used the SHELL model, which stands for self-awareness, health-awareness, encroaching-awareness, limbo-awareness, and lane-awareness. sub-factors of environmental factors are designed environment, user friendly environment, design and layout, accessibility, tasks-flow, social environment, distancing, experiences, culture, language, climate, geo location, weather, temperature, methods, machines, manpower, materials, and measurements. Santa’s areas of expertise are applied in a system analysis of these mentioned factors. The Elf Superintendent brought her skills and expertise to the system analysis for Airfield maintenance, construction, and movements. The Elf Director of Reindeer Operations was responsible for all areas of operations, and to bring her expertise skills to the table for the system analysis. The Elf Director of Airfield Management brought his skills to the system analysis for safety, processes, and operation plans management to the system analysis. Santa was satisfied that this year, in year 875 and the year of major constructions, production and delivery of toys around the world would be a success. As the preparation continued, Santa was ready at the mid-winter fest to head out on his delivery adventure. This time he headed south until the sun did not set, and then northbound until the sun did not rise. By repeating this 24 times, he covered every single home and person all over the globe in a 24-hour period, and all children around the world was as happy as ever.

Santa, with approval by Mrs. Santa, made continuous improvements to production and deliveries, and continued support to the reindeer with helpful navigation aids, food delivery, and Santa also included a rest period for two of the reindeer at a time. With the annual new and improved processes, two of the reindeer were able to take a rest period without affecting the delivery process.

As homes were improved, the chimney became an obstacle. Santa noticed one year, in 1346, that some homes had build chimneys. At first Santa did not know but learned the hard way when the reindeer crashed into one. After the first incident Santa started to track every home with a chimney and documented this in the Chimney Tracking program. Since Santa had helped out the king in 872, he continued to report to the new kings of the Arctic. In 1537 a king who spoke a different language took over, and at first it was difficult for Santa to understand. Mrs. Santa developed a communication process in addition to the text and spoken word, to include colors and images. This was very helpful, and over time Santa also learned the new language.

Over the years there were ongoing improvements. Just as the chimney improvement, these improvements became a hazard for Santa and his deliveries. One year, one of the homeowners had placed a large evergreen tree inside their house. When Santa

dropped down the chimney and rolled into the living room, he rolled over the tree, and it fell over. All decorations broke, and everyone, including the children, woke up and ran to rescue. Santa made note of this and learned from his experience. Santa also notified the reindeers that there were trees inside some of these homes, which could cause more chimney smoke when branches and wood from the trees were burned on the fire. Santa tracked and documented every home with a tree and recorded it in the Tree Tracking system. Santa realized that system analyses also were useful in predicting hazards and avoid incidents when travelling. In 1814 Santa reported to a new king, who spoke his old language. Santa modified the written text in his messages so that elves and homeowners could understand the message. Santa documented and defined the text in the Write and Talk Tracking system.

Over the years Santa conducted several system analyses. A new invention on December 17, 1903, caught Santa by a surprise when another object, and Santa was not sure what it was, approach him in the air when travelling to a different district for

deliveries. Even if Santa was not sure of what the object was, him and Mrs. Santa conducted a system analysis of the event and implemented it in the safety manual for the annual toy-run. Santa did not mention this to anyone else, or to the king, since he had concerns that it could create to punitive actions to damage Santa’s reputation.

One day, a scientist invented an ultra-resilient strain of wheat that would grow food in places where food did not grow before. This also helped out Santa with feeding the reindeer while on the road, since he did not need to do as many detours to fill up the food supplies in the sleigh. In addition, since more food became available, Santa could carry a lighter weight of food, which made the job

easier for the reindeer. This worked out so well for Santa that Mrs. Santa awarded the scientist in 1970 the highest medal of honor since the new ultra-resilient strain of wheat helped to make peace between people. Santa, Mrs. Santa, and the elves were all happy to meet the scientist, visit with him and give him a hug and thank you for his hard work over many years.

Over centuries, decades and years, there were many challenges to overcome for Santa, and over time he made improvements to increase production, and improve delivery processes to ensure timely deliveries within a 24-hour period. For any changes that were made, minor or major, Santa and Mrs. Santa conducted their system analyses to be prepared for the known and unknown hazards awaiting Santa on his journey.

OffRoadPilots

What A Healthy SMS Looks Like

 What A Healthy SMS Looks Like

By OffRoadPilots

After several years of operating with a safety management system (SMS), an SMS enterprise should be operating with zero regulatory findings. The accountable executive (AE) should have full control over the path their SMS has taken in the past and established a vision in their SMS policy of what to expect in the future. The are three regulatory compliance principles for a successful safety management system. The accountable executive is responsible for compliance with all regulations, the certificate holder (CH) is responsible for the quality assurance program (QAP), the person managing the safety management system (SMS manager) is responsible for monitoring concerns that the aviation industry has about your airport. A healthy SMS includes a risk management officer (RMO) position. Risk management is what makes a safety management system a healthy SMS within a fluid environment and ever-changing priorities.

The duties of a risk management officer are often assigned to an SMS manager when the CH appoints a person to managing their SMS. The person managing the safety management system shall identify hazards and carry out risk management analyses of those hazards. Other duties assigned to an SMS manager are to maintain a reporting system, investigate, analyze and identify the cause or probable cause of all hazards, incidents and accidents, maintain a safety data system, by either electronic or other means, to monitor and analyze trends in hazards, incidents and accidents, monitor and evaluate the results of corrective actions with respect to hazards, incidents and accidents, monitor the concerns of the civil aviation industry in respect of safety and their perceived effect on the your airport, and determine the adequacy of the training required. These responsibilities which are assigned by the regulations to an SMS manager are extremely labor intensive, research intensive, data collection intensive and comprehension intensive. There are not enough hours in a 24-hour day for one person to comply with these requirements in addition to carry out daily risk management analyses.

If anyone for a minute thought that risk management analyses are not a daily and ongoing tasks, an SMS is not only rolling downhill, but it is also rolling down a path to operational failure. SMS itself cannot fail since all it does is to paint a true picture of a failed operation, but operations can fail by ignoring SMS drift and trends. Just as investments professionals must assess the risk daily, an airline and airport operator must also assess their risks daily.

Conventional wisdom is that airlines and airports only need to assess the risks for accidents that already have happened. This is also a misconception, but it does not imply that it is wrong or incorrect. When SMS first was introduced, there were little to no information or literature available of what an aviation safety management system actually is. Airlines and airports required to implement SMS continued the path they were on, which was to react reactively to incidents and accidents. SMS was not fully understood at that time. Common phrase was that safety is common sense, knowing that common sense had produced accidents since the beginning of time on December 17, 1903.

Some time ago, I received a practice SMS report, and this is what the report said:

“On 17 DEC 1903 two unlicensed pilots, Orville and Wilbur Wright, made 4 unauthorized flights in an unregistered aircraft. They departed and arrived without

communicating with air traffic control or utilizing local CTAF. Their airplane, which had not received its annual inspection by a licensed Aircraft Mechanic, was damaged during their last flight. They failed to report the incident to the TC and TSB, neither of which had been invented yet. Corrective Action: Recommend TC to be invented immediately, and Wilbur and Orville Wright's pilot certificates to be issued then revoked.”

In the Safety oversight component, the reactive reporting process was the first

operational task for airlines and airports. This task was fully understood, since

reactive reporting with corrective actions was how safety was managed prior to a

regulated implemented SMS. There were several other options available on how to

initiate the regulated SMS process, and the consensus was to begin with the

reactive reporting process.

When operating with a reactive process system, an incident or accident must first

happen before it is reported and analyzed by applying statistic process control

(SPC). The first step to report an accident was familiar to operators, but the

challenge came when the analytical process took place. In the pre-SMS days, the

broken piece was fixed, forgotten about, and nobody conducted process analysis.

Special cause variation for root cause analysis was unknown, and most operators

could not identify the difference between common cause variations and special

cause variations. SMS was implemented with several other new definitions and

tasks in the reactive system, which immediately caused confrontations. Since the

SMS regulations are performance based, the golden rule is that if the regulation

does not specifically state what needs to be done, that is the exact reason why an

airline or airport operator must do what it takes to meet the intent of the

regulations. A common phrase with the SMS implementation was that “the

regulations does not say that.”

The next step of the safety oversight element was to phase-in the proactive

process. There was still a confusion among airlines and airport operators, including

the Regulator, of what defined an SMS process. Since the phase-in was a proactive

task, the consensus became to identify hazards and do something about that

hazard before it became a bigger problem or would lead to an incident. Operators

dangled carrots, or bribes, for employees to report hazards. Whoever reported the

most hazard in a month would receive a gift. Gifts, or bribes, when initiating a

process to learn the process itself is acceptable, but within a fully operational SMS,

bribes, or carrots do not paint a true picture of the health of an SMS.

The Heinrich Pyramid, or the Heinrich Law, was used as justification to action to

prevent minor hazards immediately, since they would, unquestionable, lead to

accidents. Heinrich's law is based on probability and assumes that the number of

accidents is inversely proportional to the severity of those accidents. It leads to the

conclusion that minimizing the number of minor incidents will lead to a reduction

in major accidents, which is not necessarily the case. In a workplace, for every

accident that causes a major injury, there are 29 accidents that cause minor

injuries and 300 accidents that cause no injuries. Hinrich Law is applicable to an

overcontrolled environment with common cause variations only, and where

special cause variations are excluded. Eventually, several airline and airport

operators put the Heinrich Law aside and referenced this principle as guidance and

instruction material only, rather than a law written in stone.

After the reactive and proactive process systems were phased-in, the next step in

the SMS was to implement investigation and analysis. The first constraint for this

phase-in period was to determine what to investigate and a consensus made sense

to investigate accidents and incidents. After all, this is what TSB did, so operators

assumed they were expected to do the same. Accidents and incident investigated

by operators were not limited to the severity of the outcome, but anything that

failed were placed in the investigation hat. Upon completion of an investigation an

operations bulletin was issued for personnel to read and accept, and after just a

few months, the paper clipboard was overloaded with bulletins. An airport would

conduct a root cause analysis and investigate a burnt-out runway edge light, and

airline would do the same for a burnt-out aircraft taxi light. During the phase-in

period SMS personnel had limited training to comprehend the safety management

system. Investigations and analysis of incidents that were done at that time were

not the wrong thing to do, since it was common sense based on their current

knowledge. Investigating the outcome itself was the incorrect thing to do. The

difference between doing the wrong thing and the incorrect thing, is that doing the

wrong thing is to do a task against better knowledge, and doing the incorrect thing

is the lack of knowledge of what needs to be done. As the SMS learning level

progressed, it became clear that the investigation was not to investigate the

outcome, but to investigate the hazard and how a hazard was carried forward in

the operational process.

The final step in the 4-year

phase-in period was to

implement the quality

assurance program and

assess the effectiveness of

SMS. The struggle with this

phase-in period was to

determine what makes an

effective SMS. Conventional

wisdom was that operating

with zero accidents or

incidents was the prime key-

performance indicator, and the SMS performance level was assessed to the

number of incidents during an established time period. This is still an ongoing

assessment process used to establish an effective SMS. Effectiveness is analyzed in

graph-charts and run-charts, where a downwards trends are good, and upward

trends are bad. Applying this process provides some useful information, but the

analysis is based on opinions and emotions. When opinions and emotions are the

foundation for analyses, the trap to fall into is overcontrolling of processes. When

there is overcontrolling of processes, the ops-bulletin clipboard gets filled up faster

than the paper can be printed. An invaluable tool to operate with a paper-format

SMS is that process overcontrol can easily be identified by viewing the number of

paper files. When operating with a flawed system, e.g. flying an airplane without

required maintenance, by random chance that flight will be successful and safe. If

a pilot on a precision approach misread the approach chart minimums, e.g. a flawed training system, and lands in zero-zero, the odds by random chance is that

the flight will be successful. The moral of the story is that lack of accidents is not a

key performance indicator (KPI) of how effective an SMS is.

The most critical task and difficult task in assessing the effectiveness of a safety

management system is to rate, or classify processes to different risk levels, safety

critical areas and safety critical functions within these areas. From a non-analytical

point of view, all processes in flying must be assessed as high-risk levels since there

are always possibilities for an element to cause an accident. Operating with

possibilities is an emotional assessment of effectiveness. There is no evidence that

missing one or all items on a landing checklist will cause an accident. The

effectiveness of a safety management system cannot be determined without

applying statistical process control since it must be assessed by probabilities, as

opposed to possibilities.

The quality assurance program is a component of the safety management system

and is therefore an integrated part of an SMS in the same manner as the safety

polity, processes for setting goals, measuring the attainment of goals, hazard

identification, training, reporting system, process manual, communication to

personnel, periodic review of the SMS and review for cause are integrated

components of the SMS.

A regulatory requirement of a safety management system is to conduct an audit of

the entire quality assurance program carried out every three years. During the 4th

year phase-in period, the struggle with this requirement was to identify what the

quality assurance program actually was and what it should look like. Since the

quality assurance program is a component of the SMS system, it must be treated

the same way as a safety policy, goalsetting processes, or reporting processes.

Since none of these components include specific text on what an airline or airport

must include to meet the performance requirement, an airline or airport must

design their own quality assurance program tailored specifically to their

operations. One vital component, and prerequisite of a healthy quality assurance

program is an operational daily quality control system. This system is not included

in the text of the regulations but is a component of the overarching quality

assurance system. With the daily quality control program implemented, and just as

any small or large grocery store counts the cash at the end of the day, an SMS

enterprise must count their daily quality control processes daily. When the quality

control system is counted, an audit of the quality assurance program is possible,

and the checkboxes may be downgraded to be incidental to the daily quality

control.

Over a period of four years,

both airlines and airport had

been operating with an SMS

without knowing or

comprehending its definite

purpose. This also caused

conflicts and struggles

within the industry to define

the SMS path of how to apply 

this to operations. A consensus for a solution was to ensure that all required

checkboxes were completed, and the aviation SMS quality assurance program built

its platform on this principle. The checkbox syndrome is still the basis of SMS

performance and effectiveness and has become so powerful that it was also

implemented in the initial pilot training programs. Checkboxes are necessary for a

healthy SMS, but when checkboxes become the primary task, the accountable

executive takes their SMS down the wrong path. As I learned from a

groundbreaking woman in aviation, who also become one of the first female pilots

hired by a major airline, that completing all checkboxes have become a more

important task than the actual individual flight training.

Operating with a healthy SMS is a simple task when all the groundwork is

completed. A healthy SMS does not interfere or affect roles, responsibilities or

assigned tasks that an airline or airport has assigned to a consultant, director of

operations, airside crew, airport manager, SMS manager, airfield maintainers,

airside operations personnel, or cloudbased SMS resources systems. A healthy SMS

is scaled to the size and complexity of operations by assigning multiple regulatory

requirements to one task and operating with a regulatory element of the SMS and

an operational element of the SMS separately, but with both integrated in the SMS

analysis.

The single most significant role for a healthy SMS to accept that the accountable

executive is the person who is responsible for complying with the regulatory

requirement to be responsible for operations, and to be accountable on behalf of

the certificate holder for meeting the requirements of the regulations. A healthy

SMS looks like an organization where major factors affecting operations are

monitored daily. A healthy SMS collects data from multiple different sources, such

as web cameras, internal and external reports, and publicly available flight critical

observations and predictions. A healthy SMS operates with an Above the Fold

system, where factors that the risk management officer has assessed as

operational priority risk levels for that day are placed above the fold,

communicated to the AE, and monitored by the SMS manager.

A healthy SMS is when an accountable executive accepts that a healthy SMS is a

maturity system.

OffRoadPilots

The Devil Is In The Details

 The Devil Is In The Details

By OffRoadPilots

The Titanic disaster was caused by a detail in the watertight compartment design flaw that the walls separating the bulkheads extended only a few feet above the water line, so water could pour from one compartment into another, especially if the ship began to list or pitch forward.

The Alexander Kielland disaster was caused by a fatigue crack in one of its six bracings, which connected the collapsed D-leg to the rest of the rig. This was traced to a small 6mm fillet weld which joined a non-load-bearing flange plate to this D-6 bracing.

The Sioux City IA air disaster was cause by a catastrophic failure of its tail-mounted engine due to an unnoticed manufacturing defect in the engine's fan disk, which resulted in the loss of many flight controls. None of these details were identified as issues of any concerns, but they caused some of the most horrific and catastrophic historical events within their own areas of history. Titanic was built to be unsinkable, a deep-sea diver once said to me that there were terrible working conditions for underwater welders, and it was known ten years prior to the disk failures that these disks had flaws and could fail.

Details may be known by management, but are often dismissed, they are brushed aside as being unimportant, or seen as irrelevant to the issue. Details are not only important in operations, but also for regulatory and standard compliance.

both airlines and airports have to maintain compliance with a comprehensive safety management system (SMS). I concept, an SMS is simple but unless details are identified within a system analysis, the system becomes complex and often unmanageable. A manageable SMS is based on daily quality control, established processes and each operational task is linked to multiple compliance requirements. When processes are established, an SMS has been simplified and manageable, with the primary tasks to monitor for deviations from assigned path. The more details paid attention to in an SMS make the SMS simpler and easier to use. When details are known, it is easy to see where the pieces fit into the whole picture, as opposed to fit a large piece into a detailed issue. When SMS is forced, it makes it difficult and complex to apply in operations. A symptom of an SMS that is too complex or unmanageable for operations, is therefore when SMS is overloaded, or overcontrolled, and safety information is a tool to justify its existence.

Paying attention to details is a regulatory requirement for a certificate holder to adapt their safety management system to the size, nature and complexity of the operations, activities, hazards, and risks associated with the operations. Adapting to size and complexity requires detailed knowledge of their operations. When an operator only has a high- level knowledge and overview of their systems does not allow for a

certificate holder to apply operational targeted processes that suits their size of operations. A certificate holder is required to appoint an accountable executive (AE) to be responsible for operations or activities authorized under the certificate and accountable on their behalf of the certificate holder for meeting the requirements of the regulations. This requirement does not imply that an AE only need to be familiar, or only have partial knowledge of the regulations, but is a requirement for the AE to have detailed knowledge of regulations to detect deviations from established paths and non-conforming processes. Conventional wisdom is that an AE only need to be responsible for financial and human resources, which is a job description of their position, while the knowledge of regulations is the requirements for accepting the role. SMS is a businesslike approach to safety, and no business owners, corporate directors or airport authority would hire an accountant or lawyer who have limited knowledge of regulatory requirements and their areas of responsibilities. However, they continue to hire accountable executives who do not have the knowledge base to fulfil their obligations to the regulations.

Obligations of an airport operator is to review each issue of each aeronautical information publication on receipt and, immediately after a review, notify the Regulator of any inaccurate information. Detailed knowledge of how to obtain a copy of the aeropub is required, detailed knowledge of how often a new revision is issued, and what date it is published is required. They need detailed knowledge of what information pertains to their operations, what action to take in addition to reporting any errors to the Regulator, and how their internal SMS process capture these requirements. An operator must design, develop, and submit to the Regulator an operations plan for airside construction, and operate with airside operations plans for maintenance and repairs. Operations plans must include details of operations for processes to conform to regulatory requirements.

The person managing the safety management system, or SMS manager is required to monitor the concerns of the civil aviation industry in respect of safety and their perceived effect on the certificate holder and determine the adequacy of the training for personnel. In-depth and detailed knowledge of their own operations are required for an SMS manager to monitor the aviation industry in respect to safety and how they view different independent operators. An airport operator who frequently closes their runways due to maintenance and repairs, may be viewed as unsafe since this particular airport does not have project plans in place for airside management and for runways to remain open for business. An airport operator may choose to close a runway between 2AM and 4AM for daily maintenance and inspection, which is different that publish NOTAMS for unexpected maintenance requirements during hours of operations. An SMS manager is required to determine requirement of training, and without the details of expected outcome of the training this function cannot be performed.

Comprehension of details in operations, the text of regulations, and the intent of performance-based regulations are required for an operator to design processes that conform to regulatory requirements.

Generally speaking, a regulation is applicable to any airline or airport, unless there are special provisions for size and complexity. One such regulation is the airport winter maintenance regulations, where the regulation is applicable to airports serving turbojet aircraft, and the other part appliable to airport serving propeller aircraft and on-demand operations only. Winter operations for airports serving propeller aircraft is to consult a representative sample of the air operators that use the airport about the intended level of winter maintenance and the remove sand from movement areas when it is no longer needed. Additional requirements for airports serving turbojet aircraft are that they have a winter operations plan, snow removal priority areas, pre-threshold maximum snow accumulation, use of ice control and chemicals, friction measurement and movement area inspection reports. The detail of this regulatory requirement is not in this regulation itself, but in the requirement for an airport certificate. An applicant for an airport certificate must maintain verification records that they can operate with a safety management system and is requirement for non-certified aerodrome operations prior to the issuance of an airport certificate. When a certified airport operator elects to operate as an airport serving propeller aircraft only, they voluntarily give up their SMS records for operations serving turbojet aircraft. Should an airline operator wish to operate turbojet aircraft out of this airport, they must delay their operations until the airport can verify their capability to operate with an SMS supporting turbojet aircraft. The detail of this requirement is to connect the link between two regulations to conduct a system analysis of future operational restrictions. With the implementation of the safety management system, any operational regulations must be linked to the SMS regulations. This is a detail that an AE must be aware of and able to distinguish between multiple regulations and how they are linked to same SMS regulation.

An airport is required to maintain a runway strip, or an area beyond the side of the pavement of a runway, and beyond both threshold, that are without aeronautical obstructions. This includes natural obstructions and other encroachments such are riverbanks. One airport decided, without consultation, to fill in a riverbend to widen their runway strip.

After the construction application was submitted, the community responded with opposition to this initiative. The airport boundary needed to be expanded by filling in the river and bird wetlands. In practice, this means that birds, wildlife, and plants are forced to leave their habitats. In the application, the airport manager wrote the following: "Regarding natural diversity: The airport does not have the professional expertise to assess any special impacts on natural diversity. Our experience from operating the airports over several years is that there is very limited animal and bird life in that area. We assume that this is due to the presence of the lake on the opposite side of the runway, which has a bustling wildlife and bird activities, and which therefore seems to be more attractive. Nor has any extensive movement of wildlife or birds been observed between this lake and the riverbend, which is probably due to the activity on the runway. In addition, the airport has limited data entries in their bird and wildlife register.” The airport manager states in their application that they do not have the professional expertise to assess impact on bird and wildlife, and due to airport operations, bird and wildlife activities are scared away and therefore does not exist as a justification to stop the construction project. This application is in non-compliance with an SMS to conduct system analysis of projects and comprehend all details included. An accountable executive needs to be able to comprehend the details and impact on the community by reading their own submission. There is also a regulatory requirement for airport extensions to consult with their neighbors, stakeholder, and other interested parties.

When the Regulator conducts an inspection, and since the regulations are performance based, they will inspect what is not written in the text of the regulations. An inspection includes the regulations itself, how it is linked to other regulations, and how an SMS enterprise maintain a path to monitor processes. An AE needs to have knowledge to link for an airport to publish NOTAM (Notice To Air Men, and the new definition is Notice To Air Missions), and for the captain of an aircraft to be able to assess an airport for suitability. The intent of an airport operator, and a certificate requirement, is for an operator to operate an aerodrome as an airport. This requirement implies that the airport meet certification standards 24/7. A published NOTAM does not change that requirement but is a tool for an airport operator to fix or repair an unexpected issue within a short timeframe.

The devil is in these details and other safety or regulatory details. For all practical purposes, what this mean is that an SMS enterprise does not have any justifiable cause to operate outside of the intent of the regulations, or exempting themselves from standards, or their own policies as they please, and most important, it is a responsibility for an accountable executive to know what this entail to ensure ongoing compliance.

OffRoadPilots

SMS Reviews

SMS Reviews

By OffRoadPilots

A role for an accountable executive (AE) are to review their safety management system (SMS) and determine their SMS deviation from its planned course and path. A fully functional SMS cannot fail since it paints a true picture of operations, and any deviations from the path come from operational drift. An SMS enterprise operate with processes for conducting reviews or audits of their safety management system at regular intervals, and reviews or audits for cause or on- demand, of the safety management system when there are planned deviations from their current SMS. In addition to reviews and audits of deviations, an SMS enterprise operates with processes for reviewing the safety management system to determine its effectiveness. The first step to determine an SMS effectiveness is to determine what an effective SMS looks like. 

There are several views of what an effective safety management system should look like, and one effective SMS may be different for one organization to another. Effectiveness also changes with new tools, new inventions, or changes in expectations. A simple example are the changes from a paperformat SMS to electronic SMS and to a live cloudbased and automated SMS. The foundation of an effective safety management system is that the system conforms to regulatory requirements. Regulatory requirements are the foundation for an effective SMS, the foundation for airline or airport operations, and the foundation for issuance of their operating certificates. There are twelve factors of building blocks forming the platform for an effective SMS. A factor is circumstance, fact, or influence that contributes to a result or outcome of the SMS. When one of the blocks drift away, or deviate from its path, there is a change in the effectiveness of an SMS. The twelve building blocks are human factors, organizational factors, supervision factors, environmental factors, trust factors, learning factors, accountability factors, information sharing factors, data factors, information factors, knowledge factors and comprehension factors. When combined in one system, these blocks of interacting systems form the foundation for SMS effectiveness to be built.

Conventional wisdom is that after a goal is established, the next steps in the processes are to wait for the goals to be reached. Goals are not reached by doing nothing but are only reached by hard work. Operating with a safety management system is hard work and it is without a guarantee that this hard work will payoff, or that future accidents are eliminated. SMS is hard work by applying a daily quality control system and monitor processes for drift within its path and deviates outside of its path. Operating with an effective SMS, or a high-performing SMS is also hard work and requires strategic operating processes.

Several items are tools to operate with an effective SMS. A formalized safety policies is the first step to a successful SMS. Effective and regular communication about safety is another sign of a successful SMS. Having safety policies that are frequently communicated and accessible to everyone is important. An accountable executive is the base of support for behavior-based safety and accountability. It is crucial for an effective SMS that habits around safety are established. An SMS enterprise must focus on behavior-based safety, which is a safety methodology that focuses on improving safety through habit creation.

Unsafe behavior, or deviation from processes, are naturally habitual for workers, and they are often unaware of their own unsafe behaviors. Oftentimes, an activity has been done the wrong way for so long that workers do not consider an incorrect behavior in many cases. SMS organizations can create acceptable behavior by forming positive habits while breaking old ones. According to behavioral expert James Clear, it takes 66 days on average to develop a new habit. That means that time must be dedicated to continuous improvement in order to achieve results. The three main triggers to change habits are reminder (the trigger that initiates the behavior), routine (the behavior itself, or action taken), and reward (the benefit gained from doing the behavior). An SMS enterprise with an outstanding safety records has developed a systematic method to measure what is going on throughout their entire operation. It enables them to quickly and easily understand why something went wrong when it does.

The ability to identify high-risk situations quickly and precisely should be on every SMS manager’s and AE’s checklist for safety performance. Leading indicators can provide insight for an SMS enterprise to predict what could happen and take action to avoid accidents or incidents from occurring. SMS enterprise with low injury rates equip their workers for success and they do so through more than just processes and safety management programs. They leverage cutting-edge tools and systems to keep workers prepared and ready to handle whatever they need to. The most impactful safety management system is one that links worker with easy access the information they need and report an issue. SMS enterprises needs SMS managers who recognize the importance of continuous learning and schedule regular learning activities. Learning should be easy, practical and be tailored to expected job performance. Workers that may become leaders also needs to be prepared with tasks, tools, and support to take on leader roles when they are ready. Learning activities for managers, supervisors and workers should instill knowledge of proper practices, develop awareness of how to manage hazards to reduce risks, and gain specialized skills when their specific roles require unique preparations. The foundation of learning is for personnel to know where their comfort zone is, that they must step outside of their comfort zone, and have the tools, skills, and support required to move forward beyond their comfort zone.

Empowering personnel through the safety management system yields tremendous outcomes for an SMS enterprise. Often, the challenge with a safety management system is when focus is on preventing injuries by highlighting how bad things can get and scaring workers straight. Scaring people and information overload does very little to motivate workers to perform better. This results in a fear- based culture rather than one based on success, thus reducing the morale. A successful safety management system consistently promotes proper safety through continuous education, consistent reinforcement, and ongoing improvements.

It is natural to want to get the job finished on schedule, or even ahead of time, but with a “get it done quick” attitude is the focus, there is an increased risk for incidents to happen. Personnel may take shortcuts to “get the job done” and deviate from a specified path. Shortcuts may not be a wrong process to complete the job, but a shortcut is a deviation from a planned process with an acceptable track record. A shortcut is overcontrolling a process and over time, overcontrolling processes may cause other or additional hazards that are unknown and unaccounted for. An accident impacts productivity more than anything in a 

The review of a safety management system is ongoing in the daily quality control system. When it is time for a complete review for effectiveness, all data is already surveyed, determined, collected, recorded, classified, and reported in the safety management system. The final step in assessing the effectiveness of an SMS is to allocate goals to sensitivity levels.

OffRoadPilots

SMS Owners

 SMS Owners

By OffRoadPilots

Two owners of a safety management system (SMS) are flight operations and airport operations. In their own area of operations, they are the hazard owners and hands-on process control managers. With the implementation of SMS operational safety was moved away from the safety manager’s office and to areas of operations where they belong. In addition to social media opinions, there are still aviation managers who believe that a safety manger’s role is to keep everyone safe, it is their role to establish acceptable risk levels, and that it their role to overrule operations mangers and airport mangers if a safety manager decided a decision to be unsafe.

A safety management system is about processes and daily work practices. The final authority for risk acceptance is the accountable executive (AE). It is important to know that an SMS is not the magic wand that prevents future accidents from happening but is a tool to lay out the path for success. The first task on this path is to develop work practices with an output that conforms to regulatory requirements. One daily task may combine compliance with several compliance requirements. Another task is to develop work practices that conforms to safety in operations. Safety in operations is more than preventing accidents, it is also reliability of operational tasks. This could be reliability of the daily inspection at an airport, reliability of developing aside operations plans, or reliability to communicate non-standard airside work practices and decisions in a timely manner to the SMS manager and AE. A healthy SMS is not about prohibition and restraints but is about communication and accountability.

Taking ownership at work is to take initiative and responsibility for success or failure of SMS enterprise. SMS teams needs players willing to step up and take ownership of mistakes or challenges, as opposed to wanting to blame others for any issues. In practice, taking ownership within an SMS system means being proactive, solution-oriented, accountable, and committed to continuous improvement. Anyone who takes on ownership at work are prepared and ready to take on whatever challenges come their way. They have strong problem-solving skills and anticipate problems to prevent them before they happen, rather than waiting for things to go wrong and scrambling to fix them. They are also looking for ways to improve things. They're the ones who come up with new ideas and find creative solutions to complex problems. Workers who take ownership also take responsibility for their own actions. They own their mistakes and take responsibility for their successes. SMS team members don't shy away from accountability, they embrace it. Ownership is key to having a high-performing team. When a worker buys into the SMS, and its vision and they feel that they have a stake in its success, they are more likely to be engaged in their work.

There is a difference between a worker taking initiatives and a worker accepting a risk or developing risk controls outside of their area of responsibility. Accepting or rejecting a risk is the role of an accountable executive. A worker’s initiative is not to make changes that affects operations, but to take initiatives to communicate suggestion, hazards or options with managers and the accountable executive when issues arise. It is also to make initiatives and take actions when there is an apparent threat to personnel, equipment, or structures. Such action could be to initiate a missed approach without being instructed by ATC.

Unknowingly to the flight crew their airliner on final approach was lined up on the taxiway with several sequenced aircraft for departure. The flight crew observed lights, that they thought were aircraft on the runway. They made an inquiry to the tower who informed them that the runway was clear. Within an SMS world, a pilot is allowed to conduct a missed approach even if they are wrong in their assessment of an apparent danger. An airside ground vehicle with a clearance to cross a runway, may decline the clearance if there is something they have concerns about, even if their concern was not an actual issue. Taking initiatives within an SMS enterprise is to take initiative without consideration for punitive actions, or to take initiative for actions that later was shown not to be necessary.

The safety management system was sold as the solution for airlines and airports to identify risks before they become bigger problems, and that the regulations was required as an extra layer of protection to help save lives. When the safety card is played, i.e. that the regulation will “save lives”, is a red flag since their safety statement is without merit for an effective safety management system. It sounds good that SMS will save lives, but accidents have still happened after SMS was implemented. SMS was, and still is, sold as “saving lives” tool. If this statement is true that an SMS actually saves lives, it is not the fault of an SMS operator when there are occurrences.

In 2011 an SMS enterprise crashed an airliner. In this instance their SMS did not prevent the accident from happening. The aircraft was cleared to descend out of controlled airspace for an approach. The crew initiated the pre-descent checklist and the FO contacted the terminal controller and provided an ETA, with their intentions to conduct a Runway 35 approach. The crew then contacted tower controller, who advised them of the altimeter setting, winds, and instructed them to report 10 nm final for Runway 35. The crew asked tower controller for a runway condition report and was advised that the runway was a little wet and that no aircraft had used it during the morning. The crew initiated the in-range checklist, they configured the aircraft for approach and landing, and initiated the landing checklist. At 10 NM final for Runway 35 the captain called for the gear to be lowered and for flaps 15. At this point in the approach, the crew had a lengthy discussion about aircraft navigation. The aircraft flew a controlled flight into terrain about 1 NM east of the runway.

Another incident that an SMS was unable to prevent, was a taxiway overfly at a busy airport. An aircraft was cleared to land on runway 28R but instead lined up with parallel taxiway. Four air carrier airplanes (a Boeing 787, an Airbus A340, another Boeing 787, and a Boeing 737) were on the taxiway sequenced for takeoff. On approach the flight crew contacted ATC with a concern that there were aircraft lights on RWY 28R, and ATC informed them that the runway was clear. The flight crew of one of the sequenced aircraft then informed ATC that the approaching aircraft was “on the taxiway”. The tower controller instructed the incident flight crew to go-around. The approaching airplane descended to an altitude of 100 ft above ground level and overflew the first airplane on the taxiway continued its descent to 60 ft overflying the second airplane on the taxiway before starting to climb.

The flight crewmembers had recent experience flying into this airport at night and were likely expecting the airport to be in its usual configuration, but on the night of the incident, parallel runway 28L was scheduled to be closed. The captain later stated that, as the airplane approached the airport, he thought that he saw runway lights for runway 28L and thus believed that runway 28R was runway 28L and that taxiway C was runway 28R. The captain asked the first officer to contact the controller to confirm that the runway was clear, at which time the first officer looked up. By that point, the airplane was lined up with taxiway C, but the first officer presumed that the airplane was aligned with runway 28R due, in part, to his expectation that the captain would align the airplane with the intended landing runway. Neither flight crewmember recognized that the airplane was not aligned with the intended landing runway until the airplane was over the airport surface, at which time the flight crew initiated a low-altitude go-around.

Both incident airlines were operating with a regulatory conforming safety management system, but their SMS were unable to prevent the incidents. There are several reasons, or justifications, for these occurrences, but one fundamental SMS principle lost in the equation, was for the rightful owner to take ownership of their SMS and do something about it. In the second example, both ATC and one of the sequenced flight crew took ownership and prevented a disastrous outcome. SMS ownership is what made a difference, and SMS ownership is what prevented a major accident. SMS in itself did not prevent any of these occurrences, but taking ownership of progressing events would have made a different outcome.

A successful SMS is built on a foundation that personnel accept their roles as hazard owners. An SMS that does not identify its rightful hazard owners is an ineffective tool. A captain is the final authority and decisionmaker of a flight and this principle must not change. Everyone else need to accept that the captain is the final authority, and that other flight crew members have other ownership roles.

An accountable executive is the owner of regulatory compliance and safety in operations. However, an AE is not the owner of an SMS manager, and when they reject a recommendation from an SMS manger, the AE must take ownership and develop their own action to implement in their safety management system. Just as a CEO of a corporation may reject a recommendation made by an accountant or lawyer, a CEO, or AE may also reject a recommendation by an SMS manger and design their own action plan. Ownership is different than authority. Authority is to make decisions on behalf of someone else, while ownership is applied to a floating task for a person to pick up. Ownership is not an action that someone else need to do but is an action that I need to do at this moment.

An accountable executive is the owner of all hazards, director of flight operations is the owner of all flight hazards, director of maintenance is the owner of all maintenance hazards. In addition to these SMS owners, each person within these departments are the owners of hazards as they are applicable to their job performance expectations.

OffRoadPilots