Friday, May 19, 2017

Communicating or Transmitting SMS

There is an expectation that for an SMS program to conform to regulatory compliance the enterprise must have in place a process for safety authorities, responsibilities and accountabilities are transmitted to all personnel. If this process is not in place the enterprise a non-compliance System Finding under Canadian Aviation Regulation (CARs) 107.02 may be issued to the operator.  CARs 107.02 is system compliance regulation, or a design regulations for a regulatory compliant Safety Management System. When the design of the SMS is regulatory compliant, then the processes executing the SMS design must also conform to regulatory compliance. In other words, these two compliance components are the design component and the operations component.  For operators in Canada the design requirements are found in CARs 107.02, for both airlines and airports. The operations requirements are found in CARs 705.151 and CARs 302.500 respectively.

The manufacturing of this chain complies with the requirement to produce a chain.
When job descriptions are transmitted to personnel, in accordance with this expectation, the message may or may not reach the intended personnel. Transmitting is a one-way communication and it does not specific direct the communication to the intended recipient. If the communication only reach a recipient who is in a non-management position, this information may be overwhelming since it does not conform to the expectation of the person’s job description. Or, if the information transmitted reach senior management only, their response may be incorrect for their job performance expectations. This expectation that “Safety Authorities, Responsibilities And Accountabilities Are Transmitted To All Personnel” may be compliant to the expectation itself and also compliant with the regulatory requirements under operations. However, by following the “letter of the sentence” only there are other SMS required tasks that are missed and not being performed to acceptable levels. Since the interpretation of information became a conflict with the position of the intended audience there is a failure of the system.

The process in this example is functioning as expected, but the response to communication was in conflict to the job position established in the organization chart. The effect caused by lack of response was not just that the information was transmitted to incorrect positions and the job not done, but also that by not performing as the expectation intended, other parts of the SMS was crumbling and the system itself did not function.

Destroying a process could crumble a system.
It doesn’t matter how strong and well maintained 99 links in a chain are when there is one link that breaks. When the link is broken, there is a broken process somewhere that must be identified. Repairing the process by replacing the old chain with a new chain may not necessary work well, since this does not consider the process. It could be that this link in the chain was being grinded now and then by a grinding tool required for the process to function. Replacing the old with a new is an assumption that there is a manufacturing flaw without analyzing the operational processes. Then the next time it happens everybody is just as surprised as the 10 previous times. Often, the next step is to change chain manufacturer, or fire a person who authorized the supplier.

By not conforming to the intent of this expectation that “Safety Authorities, Responsibilities And Accountabilities Are Transmitted To All Personnel”, the system itself may fail and everyone is as surprised as the first time when it failed.


Friday, May 5, 2017

Risk Management Differently

This is a blog with no relevance to any opinions, facts, research or science, but a trivial blog written for continuous improvement in safety by thinking beyond the horizons and outside the box. For continuous safety improvement to be effective thinking outside the box is vital for the collection of unbiased data and then bring this data back in the box to be analyzed for safety improvements. We don’t manage risks; we lead personnel, manage equipment and validate operational design for improved performance above the bar of acceptable risk level.

Improvements begins outside the box.
Risk level analysis is traditionally established by applying likelihood, severity and exposure. In a risk level analysis, the exposure is always equal 1 for the hazard to become a risk to aviation safety. Without exposure, there is no risk. Birds is a hazard to aviation safety. However, birds that are 100 miles away from the flight path are not a risk to aviation, but still classified as a hazard to aviation. Traditionally these risk levels are color coded, where green is acceptable, yellow acceptable with mitigation and red is not acceptable. There is often little or no scientific data behind these risk levels except for aircraft performance. Human factors, organizational factors, supervision factors and environmental factors are not included in these risk assessments. Human factors may affect the risk level differently one day than another day. Human factor, or the interaction between software, hardware, environment and crew and other human interactions are vital to aviation safety.

There are two elements to human performance: 1) technical knowledge and 2) technical skills. Knowledge is the theory of operations, while skills is the operations itself. At the initial licensing of a pilot, the candidate first must pass a knowledge test, and then a practical flight test. Without passing at an acceptable risk level, a pilot license cannot be issued. As the pilot is employed, this concept of refreshing both technical knowledge and technical skills becomes a concept of operational performance.

Normally a person’s retention of learning decreases with time when learning is not applied to operations. Much of the theoretical learning is not applied daily in the job, but occasionally with the use of checklist. The highest percentage-loss occurs in the first days and weeks after the leaning is completed and somewhat levels off after that. Since the learning is being applied in their skills performance by flying an aircraft daily, there is additional learning occurring on the job and their performance level of technical skills are improving in the days and weeks after the learning.

One enterprise was expecting their pilots to retain a 100% knowledge level one year after the training and would initiate the refresher course with the knowledge test and expect all candidates to be as proficient in knowledge as they were 365 days ago.  Since pilots only applied part of their knowledge regularly in the day to day job and learning was not encouraged, most of what was learned had been forgotten in 365 days. Since their jobs were dependent on passing the knowledge test, the candidates would do their own and personal refresher course the last 2-3 weeks prior to the official refresher course. When the test was take all candidates passed and the enterprise could proudly check off the box that their pilots had retained 100% knowledge in 365 days.

When assessing risk levels differently an enterprise would assess performance based on a pilot’s retention of knowledge and skills. Let’s assume the learning retention loss of knowledge is 20% per day for the first 84 days and from then on, the retention loss is 2% per day to 365 days. At the end of a year the total knowledge retention is 20%, or in other words, if the pilot took the test without studying after 365 days, it would be expected that the test result would be 20% of last result.

Their technical skills retention for pilots are not reduced after learning, but their performance is getting better since they are applying their skill in their day to day job and additionally being exposed to known and unknown hazards regularly. At the end of 365 days the pilot retention levels are 180% of what it was after the previous flight test.

When applying this data as a combined retention level factor of knowledge and skills, the pilots are performing at their 100% level after 365 days. After 5 years in the same job they are performing above their 100% initial level.

Performance factor most critical days are days 60-80.
The traditional risk level model is based on aircraft performance and pilots are expected to perform at their 100% performance level in both technical knowledge and skills. In addition, the traditional risk level matrix does only apply recommendations to accepted risk or rejected risk. A different risk matrix is to apply an action to the colors which are based on likelihood and severity. These actions are to communicate (green), monitor (yellow), pause (blue), suspend (orange) or cease (red) operations. Risk levels orange and red are applicable to aircraft performance where pilot qualifications does not impact aircraft performance limitations. When overlaying the knowledge, skills and performance factor graphs onto the risk matrix, the lowest level of performance represents knowledge, the highest skills and the middle is their performance level. A performance level should be above the monitoring (yellow) level for quality assurance of flight operations.


Thursday, April 20, 2017

The SMS Manager

The person managing the operation of the SMS fulfils the required job functions and responsibilities to meet regulatory requirements. An effective Safety Management System is lead by a person who is technically qualified and understand the interaction of all systems. An airline and airport are to ensure that the person who occupy the position as SMS Manger is qualified to lead and manage for regulatory compliance. The regulations for an SMS manager is written with ambiguity, or written for being open to more than one interpretation. This is how a performance based regulation is written to allow for the application of size and complexity to conform to regulatory compliance in operation. Since there is no establish standards the enterprise must first establish their standards, or expectations and then the qualifications requirement for that position before the effective date of their SMS.
Ambiguity is in the design.
If the qualifications for an SMS manager is not established, or an unqualified person is placed in the position as SMS manager, there is no certainty within the enterprise that their SMS is a businesslike approach to safety with the SMS as an additional layer of safety.

One of the items an SMS manager is expected to lead and manage is to establish and maintain a reporting system to ensure the timely collection of information related to hazards, incidents and accidents that may adversely affect safety. An SMS manager with technical knowledge and intelligence of the specifics of operations may know and understand the effect of unsafe conditions also needs to be qualified to develop a reporting system to ensure timely collection of information. It is the task of the enterprise to ensure that the person in the SMS manager position has these skills required to develop and maintain a system. Without these skills applied to an SMS manager, an enterprise may slowly drift away from the regulatory performance requirements.

Another skill required is to identify hazards and carry out risk management analyses of those hazards. A safety risk management of hazards is to apply likelihood and severity of a hazard as it applies to the operations of an airport or airline. If there is no exposure to the hazard there is no risk involved. In my many years of analyzing Safety Management Systems I have heard the opinion from regulators that a pilot is exposed to an engine failure for each takeoff and the reasoning for this is that an engine failure could happen, and that the pre-take off briefing includes the actions in the event of an engine failure. This is true, that an engine failure is a hazard, but it is not true that a pilot is exposed to an engine failure at each takeoff. The exposure determines the risk and if not exposed to the hazard there is no risk. The preparation for an engine failure is a corrective action plan to action the risk if exposed.

As the root cause analysist, the SMS manager is defining time and location of the fork in the road.
Other skills required by an SMS manager are skills to investigate, analyze and identify the root cause or probable cause of all hazards, incidents and accidents, to monitor and analyze trends in hazards, incidents and accidents, to monitor and evaluate the results of corrective actions with respect to hazards, incidents and accidents, to monitor the concerns of the civil aviation industry in respect of safety and their perceived effect on the holder of an airline or airport certificate; and determine the adequacy of the training required to comply with regulatory requirements.
When the person managing the operation of the SMS fulfils the required job functions and responsibilities established by the policies, standards and job performance expectations the enterprise has established a foundation for an effective SMS with tailored job functions to one specific enterprise and not intended for duplication.


Sunday, April 9, 2017

The Value of Safety

The last blog touched the value of safety and ROI on safety. There are several safety articles written about the return on investment of a Safety Management System with a return between 100 % and 600 %. All these ROIs are based on future predictions of a reduction in major accidents, operational incidents and hazards by applying the SMS tool. When applying an estimate of lack of future losses, the ROI does not represent the true value of safety, but a virtual value of safety. Virtual cash or virtual ROI is not an actual return based on facts or data, but an opinion and projection of a planned SMS. The value of safety is not the lack of accidents or incidents, but the total revenue generated by operations. SMS is a businesslike approach to safety and the value of safety should be applied in that manner.

Process Applications Are Limited To Technical Capability.
An investment in an airline or airport is the total cash invested in the operations. The return on this investment is based on several factors which at the end produces a profit or loss. A safety management system is neutral in producing profit of loss since it’s a system that does not produce or consume events and occurrences. A functional SMS is the financial comptroller of safety and a quality assurance program. In business, a comptroller is a management level position responsible for supervising the quality of accounting and financial reporting of an organization. As a businesslike approach to safety, SMS is responsible for supervising the quality of safety.  A financial commitment or investment affects all aspects of the organization. An investment in an aircraft or new runway affects other areas such as maintenance, customer service and training. Depending on how this single investment is promoted, marketed and managed may increase the overall ROI of the organization, or may incur a major loss. An aircraft or runway in itself is profit or loss neutral. It is the management of operations that generate a profit of loss. SMS is in this same manner accident or incident neutral, but affects outcomes based on how the SMS tool is applied. It is the application of SMS as a tool to manage and lead operations which generate the profit, losses, incidents or accidents.

Return on Investment of SMS is not the savings by a reduction of accidents or incidents, but the return of cash revenue generated by in-control processes and organizational based safety investment decisions. When purchasing an aircraft, the operator is basing their judgement on what safety-nets the manufacturer has implemented. When building a new runway the airport is basing their judgement on safety-nets applied by the construction company.  When customers decide to purchase a ticket, or an airline decide to operate out of a specific airport, their decision to purchase is based on what safety-nets and assurance, or process controls of these safety-nets the airline or airport have in place. Safety management, or leadership in process management, is the overarching tool in decision making and therefore the only profit generator in an organization.

Comfort on an airplane is important, but if there is an apparent lack of safety then other carriers are chosen. This is the same with an airport; if the runway is marginal short for operations then the airlines chose other less convenient airports of operations. Safety is therefore the only profit generator and when applied in a businesslike approach to safety the ROI is the cash returned in operations, and not the absence of accidents.

ROI projections may apply the cost of accidents, but it is not the true ROI. The true ROI is the SMS decisions that went into the process of purchasing a new aircraft, or extending a runway which contributed to the ROI and is the ROI of safety. As an ROI projection the value of safety may be applied as $1.00 per second of time spent on task as the investment, and the actual $1.00 per second spent on task as revenue. Since both airplanes and runways are ROI neutral, it’s the Safety Management System decisions that produced the ROI, or the profit of loss result. There is no single operation within aviation that does not assess for safety and the impact safety has on profit. Not as an impact of reduction in incidents or accidents, but on customer confidence level of operations.

SPCforExcel   Out of Control Tests.
Without SMS there is zero confidence level of operational safety. Operators without an SMS may believe that they have a 100% confidence level of safety. However, when mathematically calculated their confidence level of safety is 0% since there is zero data to justify their statement. With an SMS in place the operational confidence level of safety is at least 95% even if wishful thinking is for safety to be 100%. The other unaccountable 5% of confidence levels are so remote that times between intervals of one occurrence is imaginary, theoretical, virtual, or fictional.

A Safety Management System is the Constitution of an organization and the tool for operations within a just culture and accountability where the ROI is the fraction of out of control testes. Processes within the Safety Management System are analyzed in a Statistical Process Control (SPC) system with multiple test for out of control processes. Each one of these tests are assigned a weight and applied to the ROI. Without data the value of safety and ROI is just an assessment of opinions.


Thursday, March 23, 2017

A Qualified Person Runs The SMS

When an airport operator or an air operator appoints a qualified person as the Accountable Executive, the options are wide open to appoint anyone in the organization who they see qualified to be responsible for operations or activities authorized under the certificate and to be accountable on
The AE is a position without performance requirements.
behalf of the operator for meeting the requirements of the regulations. The requirement to qualify as the AE is a person who has demonstrated control of the financial and human resources that are necessary for the activities and operations authorized under the certificate. This is a broad description of qualifications, but becomes limited to organizational structure of authority.

The appointment of an airport AE compared to an air operator AE is slightly different, since an airport certificate is issued to a land-surveyed area, while an air operator certificate is issued to an individual or a corporate body. An AE for an airport is responsible to the land-surveyed area, while the AE for an air operator is responsible to the board of directors. However, as operators both AEs are responsible on behalf of the certificate holder for meeting the requirements of the regulations, which one of them are the Safety Management System regulations.

An Accountable Executive requirement could also be a matter of identifying a person who leads the necessary cultural change of Just Culture and Quality Assurance Culture and how services are provided with safety assurance to the general public. Without an SMS there is no safety assurance.

Run the SMS as a businesslike approach to safety.
Aviation Safety Management System is the NextGen of aviation safety, where a cultural change is inevitable for an SMS leader to be successful. Culture change does not happen overnight, but over a lengthy period of time. For a Just Culture to develop, each individual in an organization must be acceptable to these changes. The Just Culture and Quality Assurance Cutlers are developed within an organization by personnel consuming data, applied learning to data for processing into information, engage their information in operational processes with an output of knowledge and by assessing this output and comprehend the systems involved in a change of culture. This change is culture is the Return on Investment (ROI)

SMS is a businesslike approach to safety, where ROI is vital to success. When a certificate holder is applying this businesslike approach to safety and appoints a qualified person as the Accountable Executive, the requirement of demonstrating control over human and financial resources is incidental to the ROI. When applying this concept the NextGen of Accountable Executive Leaders in Aviation SMS are born.  


Saturday, March 11, 2017

AE Demonstrating Control Of Financial And Human Resources

In an SMS world the leader of the SMS program is the Accountable Executive, or the AE, who is playing the role as a sponsor of a specific project. A sponsor is a person who provides funding necessary, or a percentage of a project or activity carried out by someone else. A sponsor does not have direct inputs on the activities in the project, but can affect management decisions by withdrawing the sponsorship or increase their funding of both financial and human resources. Upon
Comprehension of the SMS is what defines human and financial resources.
the completion of the project there is no impact on the sponsor, other than the reputation of the project, or activity that was sponsored. It works the same way in aviation, being an airline or an airport, as long as the Accountable Executive can document their role as the sponsor of the project by the control of financial and human resources; the only repercussion to the operations is their pride and reputation from devastating audit findings.
It is assumed that the more funding and personnel that is assigned to a project, the more successful and safe the project will be. This wrongful assumption is supported by a requirement that a person, or position, is not designated as the role of the AE unless they have control of the financial and human resources that are necessary for the activities and operations authorized under the aviation certificate. With this requirement, an operator may be hesitant to restrict, or reject funding or personnel to the operations when the safety–card is applied.

There is no enforcement available when the AE restricts, reject or withdraw funding from an SMS program. The regulatory requirements is not directly linked to the funding itself, but to the result, or output of the Safety Management System. If an increase in funding from the sponsor, or AE, of an airline or airport as the only means to safety solutions would reduce the risk level, then it would be redundant, excessive, or even an injustice to the public to operate with a Safety Management System.

Under an SMS there is a requirement that the AE has control of financial and human recourses. Unless the operation is a sole proprietor or a corporation with 51% shares, there is no person who singlehandedly has control over these financial and human resources. With a requirement that the AE
Safety and SMS in aviation is not a contrast in colors, but shades of variables.
must demonstrate control of these resources, this demonstration task becomes to demonstrate by the quality of the safety management system itself. If the AE, as the sponsor of the program, is on a path to success or in a downward losing spiral the resources are available tools, but not the strategic solution to safety. The more resources that are inputted on the controls of an airplane in a spiral do not eliminate the spiral, but is assisting the spiral in an increasingly downward trend. For an airplane to exit a spiral it takes leadership, management, system understanding and application of resources to knowledge from data collected. Financial and human resources in aviation safety, or with an SMS, are not the solutions, but variables within the processes which are harnessed by their role within one system, for the total system to produce the desired, or planned, outcome.

An Accountable Executive who is defining the quality of an SMS system by human and financial resources only may not contribute to the safe operations of an airport or aircraft, while an Accountable Executive who is a leader within an SMS system applying strategic safety solutions is on a path of continuous safe operations.


Friday, February 24, 2017

Defined Roles For The Accountable Executive

A system without defined roles has little or no chance to function as intended. Lets for a minute look at a None Destructive Testing system, or NDT. NDT is a system to detect “undetectable” flaws in a material, or if production process produces output of flaws in the material. There are different independent system within an NDT system and none of these systems are compatible to interact with any of the other systems. The major NDT inspection systems are X-ray inspection, ultrasound inspection, magnetic particle Inspection and fluorescent penetrant inspection.

A system of defined roles within a process.
The system of X-ray inspection is applied to inspect for flaws within a material to relatively fine and defined resolutions.  Ultrasound is also applied to inspect for flaws within a material, but to a relatively course and undefined resolutions. Magnetic particle inspection is applied to both internal and external material flaws discovery. The NDT inspection system applied for external inspection of flaws is the fluorescent penetrant inspection. Within an NDT system all these independent systems function to produce an outcome of an effective system that will function as it was designed to function. None of these methods of NDT inspections are inferior to one or the other, they are just a part of one total system to manage, or lead processes to produce a flawless output.

Within an SMS system the functions of each system, or defined roles are hidden within human factors. In contradiction to mechanical systems, human factors include unpredictable variations. These variations are harnessed by defining roles for each person within an SMS system.

The accountable executive has certain defined roles which the AE must perform for the total system to function, without expectations that another person will pick up where the AE did not fulfil the role. The role of an accountable executive is to fuel the SMS system with safety. An effective AE is involved strategically rather than operationally for the SMS system to have an anchor point within the organization.

Without defining the roles or to assume a person should know better is often how unsuccessful businesses are operating. The definition of those systems is for a person to apply variations and pick up the slack as they see fit. Within an NDT world of systems, this would compare to placing an
Fill in the blanc and play that role.
aircraft jet-engine disk in the dark room for fluorescent penetrant inspection and expect an x-ray image to be produced by that process. The only way, and the process of which flaws in the jet-engine disk is discovered is to apply the fluorescent penetrant inspection as the process was intended.

An accountable executive has defined roles for one reason only, and that if for the SMS system to be effective where processes are producing outputs of what the processes were designed for. This does not imply that the processes should not, or does not identify flaws within the activities, but rather confirm that the processes of an effective SMS system identify both normal variations and special cause variations. In an NDT world, a jet-engine disk could be acceptable without flaws, or the process, when applied correctly, could identify an unlikely flaw in the material.