Aviation Safety Management Systems by cze94904

VIEWS: 35 PAGES: 45

									               Aviation Safety Management Systems


               Tony Cramp
               Senior Advisor (Americas)
               17th May 2005
               Lafayette
File Title




             Shell
6/9/2010




             Aircraft International
                   Underlying Safety Beliefs

•   How many factors need to be removed to prevent the accident?
    Theoretically only one, but with each factor removed the probability for
    an accident is lowered
•   The fundamental requirements for accident prevention are thus (i) the
    ruthless hunting out and elimination (the identification and management)
    of risk factors and (ii) using systems of work that are inherently safe
•   Everyone can contribute to causing an accident, we can also contribute
    to preventing one
•   A fundamental requirement for this is effective collaboration between
    line personnel and ‘management’
•   These are 3rd Generation Safety beliefs
               Safety Paradigms: 3rd Generation

•   Safety is a corporate value. Safety practices consider the organizations
    particular “way of doing business” as well as corporate’s possibilities
    and constraints. What works well for one airline does not necessarily work
    equally well for others.
•   Accidents are caused by systems flaws. The failures observed at the “front
    end” of aviation operations are considered symptoms of deficiencies in the
    architecture of the aviation system.
•   Human error as a symptom. Error is accepted as normal component of human
    performance, unavoidable but manageable. Human error is a clue, which
    indicates where the safety investigation process must begin rather than
    end.
•   Proaction. Attention is focused on the processes incurred by the aviation
    system, regardless of the outcome of these processes.
      Safety Paradigms: 3rd Generation




The finding of ‘human error’ should be the starting point of an
investigation, not its conclusion
                  Defences in Depth

If we have these beliefs then the foundation of a strategy
for preventing accidents would be to introduce controls at
Organizational (Systemic), Team and Personal levels so as
to achieve Organizational defenses in depth:
A Systemic approach to the management of safety:




            Safety Management Systems
                   Safety Management Systems

The formal goals of an SMS are as follows:
•   To produce fully airworthy aircraft, in a safe working environment, that
    are subsequently operated safely
•   To ensure and demonstrate that safety is being managed as formally as any
    other critical business function
•   To ensure and demonstrate that the Organization is ‘responsible’ and
    exercising ‘due care’ (the counter to offence of ‘Corporate Killing’)




                   But what is the bottom line?
                            SMS is Not New!

•   The concept and practice of ‘System Safety’ was first introduced
    consequent to the Apollo 204 pad fire in 1967 and has been embedded in
    engineering ever since.
•   The Basic Principles of ‘System Safety in Engineering’ are:
    •   The assurance of safety is gained through the competence and safety-orientated
        procedures used by each individual engineer, however:
    •   In complex systems it is easy to ‘overlook the wood for the trees’: there
        must be an autonomous, safety oversight process that has the ‘big picture’
        and a ‘watchdog’ function, and:
    •   There must be a system enforcing the effective communication of safety-critical
        information, and:
    •   There must be a ‘Facilitative function’ that ensures hazard identification
        and resolution

•   This engineering / astronautics approach then migrated into the Nuclear,
    Maritime, Rail, Oil/Chemical industries and has shown considerable benefits
               SMS in Aviation: The Challenge


•   Aviation is lagging some 15 years in implementing formal SMS: flight
    operations already heavily regulated and traditional Flight Safety methods
    have a high degree of effectiveness
•   SMS has been developed primarily outside of aviation: past experience
    e.g.CRM and QA, shows that systems from outside are not always introduced
    correctly or tailored correctly to aviation culture
•   Have to get past the SMS language used by other disciplines, mainly the
    ‘speak’ of HSE and Quality Assurance
•   BUT: SMS is rapidly becoming a Regulatory requirement (UK CAA, Transport
    Canada, FAA moving in this direction etc) as well as a Customer
    requirement (Shell, ExxonMobil)
•   The challenge is to take the benefits of SMS distilled to date and adapt
    and apply them to aviation in such a way that SMS is accepted and is
    demonstrated to add value
           SMS Primary Components




Accident cause ⌗ 1.
Inadequate Procedural Baseline
SMS Primary Components




            ①
                            Ops Manual, GMM/MPM,
                            Ramp Procedures, Fuel Quality,
                            OSHA Compliance
   Procedural baseline to
    assure safety in work
          SMS Primary Components

                                    The manual forms a ‘road map’, has an
                                    integrative function and if the SMS Manual
                                    consists of a template of the ‘ideal’
                                    system, then it can be used for both
              ②                     assessment and development purposes
           SMS Manual
                                    SMS Manual can be written bottom- up, or
                                    preferably as a template ‘top-down’,
                                    gives the big-picture, highlights any
                                    major ‘holes’ in SMS Component ⌗1

                                            Any holes?
             ①
   (Full spectrum of policies,
procedures, methods, practices to
     assure safety in work)
            SMS Primary Components




                  X
 Cause ⌗ 1. Inadequate Procedural Baseline



Cause ⌗ 2. Uncontrolled Hazards
         SMS Primary Components



     ③
Safety Management
     Program
                                ②
                             SMS Manual




                               ①
                    Procedural baseline to assure
                           safety in work
Systems are for People?




   “Even the most well-
   considered safety system
   can be wrecked by the
   idiosyncratic behaviour of
   a single individual”
                SMS Component ⌗3: Safety Program Management

1.       Proactive Safety Management

     •     Encouraging and developing Management commitment

     •     Creation of a Safety Culture

     •     Safety structure and resources, committees and meetings

     •     Ongoing hazard identification and management (HEMP)

     •     Safety education (training, information dissemination)

     •     ‘         Watchdog’ function

2.       Reactive Safety Management

     •     Occurrence investigation (‘occurrences’, incidents, accidents)

     •     Data analysis

     •     Continuous learning
 SMS Primary Components



    ③
Safety Program
  Management                        ②
                                  SMS Manual

                   ④
                 Safety Case




                                    ①
                         Procedural baseline to assure
                                safety in work
            SMS Component        ⌗   4: The Safety Case
1.   A Safety Case is a formal, organizational risk management exercise
     conducted proactively (e.g. prior to contract launch), or reactively (e.g.
     to gain control over the risks in current operations)
2.   An aviation ‘Safety Case’ is defined as “The documented description of
     the major hazards that the aircraft operator faces and the means employed
     to control these hazards”
3.   As opposed to the SMS Manual, which gives ‘big picture’ inputs, a Safety
     Case gives detailed inputs into the procedural baseline. It identifies
     individual controls required.
4.   A Safety Case is a specific application of the HEMP
5.   A safety case functions at Management, Supervisor and Line levels: a
     Living document.
             SMS Primary Components



                    X
 Cause ⌗ 1. Inadequate Procedural Baseline



                    X
Cause ⌗ 2. Uncontrolled Risk Factors / Hazards


 Cause ⌗ 3. Failures in Communication
  SMS Primary Components
⑤ SIS


     ③
 Safety Program
   Management                        ②
                                   SMS Manual

                    ④
                  Safety Case




                                     ①
                          Procedural baseline to assure
                                 safety in work
                           Safety Information System

1.     The fifth primary element is the Organization‟s „Safety Information System‟
       (SIS)
2.     Several studies have shown that in the vast majority of (aircraft) accidents
       there was always a piece of information available somewhere that had it been
       in the right place at the right time, the accident might well have been prevented
3.     A SIS may take a variety of forms, from the basic verbal / written
       communication of safety information across the organization to sophisticated
       company „intranets‟.
     Examples:
     Hazard report forms
     Regular safety meetings, with minutes recorded and distributed.
     Company newsletters
     Effective, updated notice boards
     Intranet employee notices
             SMS Primary Components



                    X
 Cause ⌗ 1. Inadequate Procedural Baseline



                    X
Cause ⌗ 2. Uncontrolled Risk Factors / Hazards



                     X
 Cause ⌗ 3. Failures in Communication
                     Next Challenge!


• How to integrate these components:
                          Integrating Principles


1.   After 200 years of industry and 100 years of flight surely there must be a package of
     elements or principles that if applied will give a high level of assurance of safety?
2.   Currently, there is agreement that these elements and principles are best described
     in systems developed by the science of „Quality Assurance‟
3.   The most current definition of an SMS is thus:
•        „A system for the proactive management of safety that is appropriate to the
     Operator‟s size and complexity and integrates operations, maintenance, human
     resources and finance and draws upon quality principles‟
                    SMS Primary Components
                  ⑥ Quality System

⑤ SIS




        ③
 Safety Program                      ②
   Management                    SMS Manual




                       ④
                   Safety Case
                                     ①
                           Procedural baseline to
                                assure safety
                  A Typical Safety-Orientated „Quality‟ System


                                Principles
   Management                    & Policy                   Objectives
     Review
                                 Strategy                   Targets & Plans
    Customer
   Satisfaction                      Plan
                                                                 Standards
Remedial Action                                             Accountability &
                       Feedback   Culture        Do
                                                              Competence
 Investigation                      Check                      Product
  & Follow-up                                                Management
          COMMUNICATION Assessment
Incident Reporting    Risk
                                                            Hazard
   Monitoring                      Audit
                                                           Management
                                  Review
SHELL „Model‟ HSSE-MS Elements
SMS Summary



                     ⑥ Quality System

  ⑤ SIS




          ③
   Safety Program                          ②
    Management                                             See „Model Manual‟
                                      SMS Manual
                                                           33 Sub-Elements
                         ④
                    Safety Case

                                           ①
                                  Procedural baseline to
                                      assure safety
                                                               SMS Booklet
                                The Safety Case
1. A Safety Case is a formal, organizational risk management exercise conducted
   proactively (e.g. prior to contract launch), or reactively (e.g. to gain control over the
   risks in current operations)
2. An aviation „Safety Case‟ is defined as “The documented description of the major
   hazards that the aircraft operator faces and the means employed to control these
   hazards”
3. As opposed to the SMS Manual, which gives „big picture‟ inputs, a Safety Case gives
   detailed inputs into the procedural baseline. It identifies individual controls required.
4. A Safety Case is a specific application of the HEMP
5. A safety case functions at Management, Supervisor and Line levels: a Living
   document.
         Hazards, Incidents, Accidents

Byrd‟s Triangle


                           Eliminate hazards and you will
                           eliminate accidents


    1 Accident




   10 Incidents



  600 Hazards
     Hazard Identification: Fundamental Requirements


1.    The fundamental requirements for effective hazard identification are:
      »    To get past perceptions and to quantify wherever possible
      »    To tap into the vast reservoir of knowledge that exists within Aviation and
           other complex industries
      »    To „think outside the box‟
      »    Be paranoid: believe everything and believe nothing: continually test for the
           truth
                       Which hazards?


                         Type specific
                           Hazards

                                                  Major
                                                 Aviation     Aviation
                       Company Specific
                                                  Safety      Safety
                          Hazards
Generic Aviation                                 Hazards      Case
Safety Hazards
                   +                        =
                       Operation Specific                     Workplace
Generic HSE                Hazards              Significant   Safety
Hazards                                         Workplace     Procedures
                                                 Hazards      (Defined in
                           Location                           HSE-MS)
                           Specific
                           Hazards
    Primary Sources for Identifying Hazards

Safety Critical   External             Internal   Formal
 Processes        Sources              Sources    Hazard
                                                  Models




                     Hazard Register
                                                               Hazard and Effects Register
Note:          Use this control sheet, one for each hazardous event, to summarise the key information of the worked Hazardous Event normally held electronically in full
               detail in an Excel Document

1. Hazard      and Description :                                                         2. Hazard Reference :

Prepared by:                             Custodian:                          Authorized by:                           Rev No:                      Date
3. Status of the hazardous event at the time of the risk assessment:                     4. Activities in which the Hazardous Event may occur:
                                                                                         4.1
                                                                                         4.2
                                                                                         4.3




5. Remedial Actions Raised
a.
b.
c.
d.
e.
f.
6. Hazardous Event:                                                                      7.   Location:
8. Threats and Threat controls, 9. Escalations and escalation controls, 10. Recovery from Hazardous Event, 11. Escalation and Escalation controls –
See appropriate Excel document. Document Reference No :

12.Risk                 People                             Environment                   Asset                          Reputation
Assessment
13. Consequence associated with hazard release:                                          14. Mitigation from consequences :

15. Accountable Line Management Sign-off having accepted current status:

Line Department:                                   Name:                                           Signature :                        15. Date :
                     Risk Analysis Process

– When identified and objectively analyzed, each hazard shall be
  subjected to a risk analysis. This shall accomplished by using a risk
  matrix of a format commonly found in the industry
– The matrix is self-explanatory and even though some of the aspects
  may well be subjective, it at least allows the partial quantification of risk
  factors.
– The hazards are then ranked in terms of the rating obtained by use of
  the matrix
– In terms of the Shell model, all hazards ranked as „intolerable‟ shall be
  subjected to a „bow-tie‟ analysis.
The Risk Grading (Threat Analysis) Matrix
The ‘Bow-Tie’ Process
                            The Bow-Tie Process

For those hazards assessed as being „Intolerable‟, develop „controls in depth‟ as
      follows:
1.   Identify the Threats that might release the hazard
2.   Identify Controls to contain the Threats
3.   Identify factors that could prevent the Controls from being effective: Escalation
     Factors
4.   Develop controls to contain the Escalation Factors: Escalation Controls
5.   The hazard is released, but it‟s consequence has not yet occurred: what controls
     make detection and recovery possible: Recovery Measures
6.   Identify Escalation Factors hampering detection and recovery
7.   Identify a final layer of Escalation Controls
8.   Identify measures to mitigate the effects of the Consequence
             HAZARD
             THREAT
            CONTROL
           ESCALATION
            CONTROL
THE
BOW-        Hazardous
             Event
TIE
            RECOVERY
           ESCALATION
            CONTROL
          CONSEQUENCE
       MITIGATION MEASURES
                           TIGER                     Hazard
                 Cage Door Locking System            Threat
               Twin Locks & Warning Lights           Control
               Unserviceable Warning System         Escalation
                   Records & Maintenance             Control

                                             Tiger out of
THE BOW-TIE                                    the Cage


               Shoot Tiger, or drive back in cage     Recovery
              Miss Tiger, or Tiger Evades Keeper      Escalation
                      Competent Keepers                Control
                      Tiger Bites Keeper             Consequence
              Effective Emergency Response Plan       Mitigation
                          PEOPLE                    Hazard
                Errors, Mistakes, Violations        Threat
              Competence, Procedures, Systems       Control
                   Non Compliant Pactice           Escalation
                 Monitoring and Feedback            Control

                                               Human Error
                                            Inappropriate pilot
THE BOW-TIE                                    control input


              Make corrective control selection    Recovery
               Input can not be made it time       Escalation
                 Competence & Awareness             Control
                      Aircraft Crashes            Consequence
               Effective Emergency Response        Mitigation
Percentage of Accidents Reported in NASA Study Preventable by
Individual Mitigation Measures
              Late FAR 29/Enhanced Handling

                  FFS Training + CRM/LOFT

                               OC/QA/SMS
   Measures




                                HUMS/VHM
                                                                                Seven Key
                              HOMP/FOQA                                         Initiative
                                                                                s
                             Perf Class 1/2e

                             EGPWS/TCAS

                   Tail Rotor Impact Warning              Requires development work

                                               0.0    5.0 10.0 15.0 20.0 25.0 30.0 35.0
                                                     Percentage acidents prevented
                                                               Hazard and Effects Register
Note:          Use this control sheet, one for each hazardous event, to summarise the key information of the worked Hazardous Event normally held electronically in full
               detail in an Excel Document

1. Hazard      and Description :                                                         2. Hazard Reference :

Prepared by:                             Custodian:                          Authorized by:                           Rev No:                      Date
3. Status of the hazardous event at the time of the risk assessment:                     4. Activities in which the Hazardous Event may occur:
                                                                                         4.1
                                                                                         4.2
                                                                                         4.3




5. Remedial Actions Raised
a.
b.
c.
d.
e.
f.
6. Hazardous Event:                                                                      7.   Location:
8. Threats and Threat controls, 9. Escalations and escalation controls, 10. Recovery from Hazardous Event, 11. Escalation and Escalation controls –
See appropriate Excel document. Document Reference No :

12.Risk                 People                             Environment                   Asset                          Reputation
Assessment
13. Consequence associated with hazard release:                                          14. Mitigation from consequences :

15. Accountable Line Management Sign-off having accepted current status:

Line Department:                                   Name:                                           Signature :                        15. Date :
                      So What is an SMS?
1.   An SMS is a suite of standards, policies, procedures, practices etc that
     will assure the safe and effective execution of work (‘Quantitative’
     Quality elements)

2.   An SMS contains a structure for dynamic and flexible identification and
     control of risk to ALARP (‘Quantitative’ procedures and methods for the
     proactive management of safety: safety cases). This includes the
     requirement for a Safety Information System.

3.   An SMS requires the application of Human Factors: communication,
     leadership and followership, conflict management, cultural aspects,
     motivation & commitment (‘Qualitative’ elements)

4.   An SMS should encompass flight safety, ramp and maintenance safety,
     industrial (workplace) safety, occupational health, environmental
     protection and security

5.   An SMS Manual should give the ‘big picture’ regarding safety management
     in the organization
                     Conclusion


• SMS is not a magic bullet: it is a set of tools and
  guidelines that if tailored to the Organization and
  diligently applied so that the probability of an
  accident will be reduced to a level that is as low as
  is reasonably practicable (ALARP)
• Apply these tools and guidelines and you will have
  done all that can be reasonably expected of you as
  aviation professionals and as a ‘responsible
  operator’
                                      QUESTIONS
File Title




             Shell
6/9/2010




             Aircraft International

								
To top