Saturday, August 5, 2023

Overcontrolling Processes

Overcontrolling Processes

By OffRoadPilots 

Conventional wisdom is that flying must be perfect with procedures detailed to the minute. With the global position system (GPS) airnavigation has become more precise and accurate for aircraft to maintain their tracks. Dead reckoning was the processes used when no navaids were available, or navaids were placed at a distance greater than aircraft reception. Dead reckoning is to determine without the aid of celestial navigation, electronic navigation, or GPS, the position of an aircraft from the desired track to be flown and the distance made from a known starting point. Operating by instrument flight rules (IFR) in uncontrolled airspace using the dead reckoning process created random events of aircraft and aircraft intercepting positions, and near misses.

With GPS and its precise course track, aircraft are now flying at predetermined intercepting positions allowing for predictable near miss positions. These positions are often unknown to pilots, since aircraft track while in uncontrolled airspace is only internally known to that specific flight crew, while other aircraft may be randomly tracking on a collision course with an unknown flight paths to both flight crew. GPS navigation is overcontrolling of the navigation process and other control options must be applied, such as air traffic control (ATC), satellite tracking of aircraft, or other control measures. Implementation of GPS was a corrective action to navigational drift with good intentions for ATC to control aircraft separation. The difference between corrective action and control is that a corrective action is a one-time reaction to correct a segment of a process and designed after an undesired event occurs in an organization, e.g. GPS, while control is ongoing and performed continuously to influence or direct behavior, or to influence course of events, e.g. ATC.

As with any system, it is impossible for a safety management system (SMS) to predict time (speed), space (location), and compass (direction) of an future midair collision. However, with overcontrolling of processes, but one or more control options are excluded from that process, the process itself becomes a higher risk level than what it was prior to overcontrolling. Back in 2012 a midair collision occurred in the middle of nowhere. Both aircraft were on a predetermined track directly to their destination airport. A few minutes takeoff delay by one aircraft would have prevented the collision with current flight conditions that day since their intersecting track would not have intersected at either aircraft time of arrival at that location. GPS tracks predetermined their intersecting positions. Both tracks were overcontrolling a common cause variations by overcontrolling natural drift and heading corrections due to winds.

What was missing here, was ATC with their control option to manage the overcontrolled GPS track. Without GPS precision tracking, common cause variations would have drifted either aircraft off track to intersect at a different location. With only one degree of compass error and assuming no wind corrections, one aircraft would have been 5 NM off track, and the other 2 NM off track. By a random draw and at their known time of departure, the odds, or probability for each aircraft to match each of these conditions, their time within 2.3 seconds, location within 1/8 SM, and track within 1/128 degree to be within approximately 50 feet of each other are inconceivable, and times between intervals are imaginary, theoretical, virtual, or fictional. By random chance these aircraft would not been involved in a midair collision, but with an overcontrolled process, and elimination of one control item, the accident happened. For anyone who has flown aircraft for a few years, it is known that the highest risk of midair was when an aircraft was crossing a ground-based navigation fix. Today, with GPS direct tracks, any GPS geopoint is a ground-based navigation fix.

Human behavior is to overcontrol processes for a perfect result output. A simple example is marketing of new products stating that this product is new and improved, which implies that the prior product was old and inferior. The old and inferior product may have produces satisfactory outputs, but human factors demands overcontrolling and new and improved products. A safety management system is in the same risk category that improvements is necessary to improve safety in aviation. The old saying still holds true within an SMS, “if it ain’t broke, don’t fix it”. There is a very fine line to balance between improving a process and overcontrolling the same process, or implementing a fix to a process that was not broke.

Overcontrolling of processes is an easy trap to fall into for a certificate holder since there are SMS systems and limitations constraints. Every system comes with constraints and limitations, and within an SMS enterprise it is crucial that the person managing their SMS comprehend these constraints and limitations, and consider how overcontrolling affect policies, operational processes, procedures, acceptable work practices and safety cases or system analyses.

Process control is the ability to monitor and adjust a process to give a desired output. It is used in the safety management system to maintain performance expectations and continued safety improvements. An example of process control is to control the temperature in a room by using a heater or cooler and a thermostat as a control tool with display to verify desired temperature. The assumption when using this process control is that goods, vegetables or produce placed in the room will also maintain the same temperature internally as what the room temperature is. When a refrigerator temperature is set to 37° F, it is assumed that everything else placed in that refrigerator also will maintain 37° F.

One of the most difficult task for the person managing a safety management system is to classify hazards by safety critical areas and their safety critical function. A departure is a safety critical area, with several safety critical functions are attached. One of these safety critical functions is rotation where several parameters must have been met for a pilot to initiate the rotation. Some of these parameters are engine performance, aircraft performance and airfield suitability, e.g. runway condition and length. A published suitable runway may not be suitable for take of at the time when an aircraft reaches rotation speed. Rotation is a higher risk level than a clearance from ATC to line up and wait on the runway. Each of these two examples are safety critical areas with attached safety critical function as their classification identification, but one of these classifications is a hazard with a higher risk level. It is this risk level that is a challenge for the SMS manager to assign differently to each safety critical function. Overcontrolling of processes occurs when all safety critical functions and associated classification identification are assigned the same risk level.

Overcontrolling of processes occurs when an occurrence is assigned a possibility to occur, as opposed to a probability level. There are possibilities for events to occur anytime daily, while the probability for events to happen is scaled from 0 to 1. A probability level of zero is justified as inconceivable, and times between intervals are imaginary, theoretical, virtual, or fictional. A probability level of 1 is justified as systematically, and times between intervals are methodical, planned, and dependable, without defining the operational system or processes involved. There is a possibility that an aircraft will experience an engine failure on every departure, but the probability of an engine failure for one departure is highly unlikely. A departure may be assigned a probability level of 0.3 with a justification of remotely, and times between intervals are separated by breaks, or spaced greater than normal operations could foresee. For a probability level to be effective and reliable, it is assigned specifically to the current task at hand and is not assigned to multiple future tasks. An example is that a probability level is assigned to the current departure at a specific airport but is not assigned to other departures at that same airport until an aircraft is released for movement.

An airport operator may assign a safety critical area with a safety critical function to winter operations. Different runways may be assigned a different hazard classification identification, and each runway may be assigned a different risk level. Variables affecting runways are the obvious ice and snow in the winter, but also arrival and departure obstacles and current wind direction and velocity. Wind gusts may not always be detected by weather stations in time to be published and notify pilots on approach or departure. 

An example of an aircraft crash due to this phenomena is that the crosswind 20KTS with gust to 25KTS, but instantly and without warning a crosswind gust went to 48KTS. One runway may also have a different runway condition code than another runway at the same airport. A runway condition code is reported by runway thirds, and each 1/3 may be assigned a different code with an associated risk level. In the aviation industry and applied that a trend equals two events. When two events become a trend, overcontrolling of processes becomes a trap for certificate holders. A second trap for a certificate holder is to incorrectly identify common cause variations as special cause variations or incorrectly identify special cause variations as common cause variations. When a common cause variation is identified as a special cause variation with a root cause analysis is initiated, the root cause will be incorrect since the identified variation is required for the process to function as intended. When assigning a corrective action plan to an incorrect root cause, with the additional control action, a process becomes unstable since the certificate holder now is forcing a required element out of the process. While this is a special cause event for airport operations to experience a wind gust to gust from 25KTS to 48KTS without warnings and without visible thunderstorms, it is outside of the scope for an airport to conduct a root cause analysis since they do not have control over the environment, or the weather system reporting process. Overcontrolling the process could lead to other hazards if the airport frequently is closed due to possibilities of unexpected events.

Over a period of twelve months an airport experienced one runway incursion with an airport vehicle. When a vehicle is obstructing an aircraft for landing or takeoff, is a special cause variation and a root cause analysis is needed. After the root cause is identified a corrective action plan is implemented, and control options are added to operations. One event over twelve months is not a trend, or a pattern. A corrective action could be to install a moving map in the vehicle for the driver to view aircraft movements on the field. It may not be possible to for a driver to see an aircraft if a vehicle is 1-2 miles away. Overcontrolling this process would be to develop a minute by minute procedure for tasks to be completed prior to proceeding to the next segment for a vehicle operator when approaching a runway, which could include hundreds of specific items before entering a runway.

Any of these tasks on their own may be tasks that make sense, but when combined into an overcontrolling process these tasks combined by the number of tasks and the purpose of each task. Overcontrolling a process takes the focus away from the process output itself and move the focus to task compliance. The process output is for the driver to proceed when it has been established that there is not a conflict between an aircraft and vehicle. One vehicle and aircraft incursion over a twelve- month period at an airport with 1 million movements is not a trend and becomes acceptable within a safety management system statistical process control (SPC) analysis. What makes this so very difficult to accept by an airport operator, is that an accepted incursion within an SPC process is incorrectly interpreted as an acceptance of the incursion itself.

Overcontrolling processes is a result of an airport or airline operating a safety management system without a statistical process control system. Without an SPC an operator is missing out at the process level and applies their control to the procedure level, or acceptable work practices level. Overcontrolling a process is to assign unnecessary tasks for a defined expected outcome.

OffRoadPilots




No comments:

Post a Comment

Identify Special Cause Variation

  Identify Special Cause Variation By OffRoadPilots S pecial cause variation, also known as assignable cause variation, refers to variation ...