Monday, May 30, 2016

Risk Assessments And Exposure

Risk assessments are tools to prioritize risks and assign risk values to specific events. Higher risk values have a greater safety impact on operations and affect operational processes more immediately than lower risk factors. A high number means an immediate shutdown, while a low number means that no action is required. A risk is an active condition that, if left alone without mitigation or removal, will cause harm to person or property.

Aircraft parts are manufactured and tested to perform within parameters.
The risk value number is a factor derived from a risk matrix with assigned categories of probability, severity and exposure. It is calculated by the formula probability x severity x exposure = risk factor. Risk factors are assigned numbers for acceptance, mitigation, or non-acceptance, and are colored green, yellow and red respectively. A risk is not a latent hazard, but an active condition at the time and location where it intercepts an airport, or an aircraft in flight or taxiing.

At one end of the spectrum there are visual clues of exposure to hazards. Some of these hazards are birds and freezing rain. Birds are a hazard, but do not become a risk until there is an intersecting path between birds and aircraft. Freezing rain is another identified hazard, but does not become a risk until it is in the path of a flying aircraft, or falling at the airport. When exposures are applied to birds and freezing rain, these risks compute to a higher risk value number and are mitigated, or avoided. An aircraft is only exposed to birds, or freezing rain, when these hazards are on an intersecting path with the aircraft, and an airport is only exposed when birds are at the airport, or freezing rain is falling. At any other time, birds and freezing rain are not risks, but identified hazards.

At the other end of the spectrum there are no visual clues, but assumed exposures to risks. These risks are more difficult to assess, since they contain probability hazards that are not active events affecting an airport or aircraft. These hazards are not to be ignored, but are to be assessed differently than visual-clue risks in the exposure part of a risk assessment.

Pilots train extensively to manage engine failures at rotation, climb-out, departure, approach, or in-flight. The reasoning for training is that there is a virtual reality of probability that a modern aircraft engine could fail during any of these phases of flight. When an aircraft is setting thrust for take-off, neither the aircraft nor the pilots are exposed to an active risk of an engine failure. They are only exposed to the hazard within the system for an engine failure. If airlines are applying an engine failure exposure factor to take-off and departure, they are incorrectly assigning a risk, or an active hazard, to the initial phase of flight. Aircraft and pilots are only exposed to an engine failure at the time and location where the engine operating system is intercepted by an external event. Just as with birds and freezing rain, there is no exposure until the hazard becomes an active event. If there is a possibility of an aircraft engine failure, the principle of Zero Tolerance to Compromise Aviation Safety is jeopardized. When aviation safety is compromised, the flight cannot continue.

In a virtual reality world anything can happen, any scenario can be introduced and any outcome is possible. During the first 100 years of aviation, when data were limited and SMS was not included in planning, engines quit, wings fell off and preventable accidents happened. Aviation today is totally changed: data is analyzed, proactive measures are taken, processes are assigned confidence levels, and mathematical equations and statistical process control are the foundation for safety assessment. From the manufacturing of an engine, NDT testing of parts and installation on the aircraft to flight operations, every step has multiple quality control and safeguarding processes, including quality assurance and quality assurance of the QA program itself. The aviation industry is moving into a new era of safety, from doubting the production quality to the reality where it is inconceivable that an engine will fail. With this in mind, when an aircraft sits at the threshold and sets take-off thrust, there is a 100% confidence level that the engines will function as designed. There are other external and accountable events causing engines to fail.

Justification of exposure affects the outcome of a risk assessment.

When applying engine failure to a take-off exposure, risk management is incorrectly making assumptions that engines fail without pre-existing conditions being present, or that incomprehensible hazards intercepted the engine at the time of take-off, or that the failure was caused by an unforeseen event. With the millions of safety processes included in manufacturing, training and operations, an engine does not just fail on its own.


Sunday, May 22, 2016

Non-Punitive Policy Is Enterprise Accountability

An applicant for, or an operator of, an airport or airline certificate is required to have in place a non-punitive policy for reporting of hazards, incidents, or accidents, which is one of the elements of a Safety Management System (SMS). A non-punitive policy is a policy for an airport or airline to allow for the free flow of reports in a Just Culture and the collection of data within the organization. In a Just Culture environment, a contributor need not fear repercussions from supervisors, managers or other personnel for reporting. A non-punitive policy is not a get-out-of-jail-free card, but a policy of organizational accountability.

A non-punitive policy must be understood. 
A non-punitive policy is a policy for the internal reporting of hazards, incidents and accidents, including the conditions under which immunity from disciplinary action will be granted. The fundamental principle of a non-punitive policy is that it is unconditional, with “no strings attached”, and with pre-established conditions for when immunity from disciplinary action is granted.
It may be tempting to simplify a non-punitive policy and apply conditions when immunity is not granted. Some of these conditions could be illegal activity, negligence or willful misconduct.

When applying these conditions, a fundamental principle of accountability in a Safety Management System is jeopardized. These are conditions which place the burden of proof on the last link in the chain of events without considering human factors, organizational factors, environmental factors and supervision factors.

In most judicial systems illegal activity is an act committed in violation of law where the consequence of conviction by a court is punishment, and where the punishment could be as serious as imprisonment. An illegal activity is not a fact until convicted by a court. The basic principle is innocent until proven guilty. It is therefore impossible to apply illegal activity to job performance evaluation and make it a condition of a non-punitive policy.

Negligence is failure to take proper care in doing something. When applying this as a condition of a non-punitive policy, it becomes a decision by a supervisor who was not present at the time of the incident or accident. The supervisor was not in the moment of events and was not included in the ongoing decision-making process at the time. Applying negligence as a condition to a non-punitive policy places the burden of proof on the person involved without considering human factors, organizational factors, environmental factors and supervision factors.

Any act, or failure to act, by a person that was intended to cause harmful consequences to the safety or property of another person is willful misconduct. When assessing for willful misconduct, an evaluation of the mindset at the time of the event is required, based on supporting data collected. Applying willful misconduct as a condition to a non-punitive policy places the burden of proof on the person involved without considering human factors, organizational factors, environmental factors and supervision factors.

An enterprise has established a maze of options when applying illegal activity, negligence or willful misconduct.

A non-punitive policy is only credible, without bias and with organizational accountability, when it includes pre-established conditions for when immunity from disciplinary action is granted. These conditions are based on job performance criteria, job descriptions with associated tasks and the intent of job performance outcome. When organizational accountability, personal accountability and the principle that mistakes are not accepted are applied to a non-punitive policy, the policy considers human factors, organizational factors, environmental factors and supervision factors to ensure correct training and competence.


Monday, May 9, 2016

When Safety Policy Is A Regulatory Requirement

Canadian Aviation Regulations (CARs) require the Safety Management System (SMS) for airports and airlines to have a safety policy in place for regulatory compliance to operate under CARs 302 or 705. This safety policy sets targets for objectives and goals to conform to regulatory requirements. CARs are performance-based regulations, where results of operational processes are the determining factors for compliance.

There are two parts to Safety Management System CARs compliance. One is the design of regulatory compliance, or layout of the plans, while the other is the operational processes for regulatory compliance, or layout for expected outputs. Regulatory compliance is documented in a manual with descriptions of requirements, and operational process regulatory compliance is a description of how an airport or airline plans to execute operations and collect data.

Operational safety policies come in any form and shape.

Transport Canada developed a set of expectations for regulatory compliance. These expectations, while falling short in some areas, are guidance for developing regulatory compliant documents, or manuals. Regulatory compliance is simple, since it happens in a static environment without operational interaction or movements. On the other hand, operational process compliance is complex, since there are millions of variables, both internal and external, which affect the outcome of processes. Regulatory process compliance becomes available only after review of data collection, or in other words, after the fact. It is not possible to predict the future with processes for compliance, and the data therefore has to speak for itself. However, regulatory compliance, or the layout of the plan, is future-predictable.

CARs 107.02 is applicable to both an applicant for and a holder of an airport or airline certificate. The certificate is an authority to operate, and without a certificate there are no operations taking place. An applicant is not authorized to operate, while an operator is. The fact that an operator has an authority to operate does not make 107.02 applicable to operational processes.

CARs 107.03 is applicable to both airports and airlines and requires them to have in place a safety policy on which the system is based. As long as the safety policy is in place there is regulatory compliance. There is no requirement for operations to take place for this safety policy to be regulatory compliant.

The operational processes for regulatory compliance are governed by 302.502 for airports and 705.152 for airlines. A safety policy for airports under 302.502 and airlines under 705.152 has actions involved, which are that the accountable executive has approved and communicated the safety policy to all personnel. Further, no matter how many operational errors, or findings, there are under 302.502 or 705.152, these findings do not change applicability to become findings under Canadian Aviation Regulations 107.02.

That findings under 302.502 or 705.152 do not convert to 107.02 findings can be explained simply by comparing aviation to highway travel. Generally speaking, there are two important regulatory requirements to operate a highway, which are markings and signs. Markings and signs are planned, developed and installed prior to highway operations. It is known, or predicted, where these signs and markings will be when the highway is completed. These markings and signs are the highway’s safety policy, with maximum speed established on a sign or marking that clearly identifies the limits.

Speed bugs for operational compliance.
As the highway opens and becomes operational, the users must have processes in place to stay within the markings and conform to regulatory compliance of the signs. If the sign is a maximum speed sign, operators, or drivers, must have in place processes to stay at or below this speed limit. These processes could be application of cruise control, manual speed control, a speedometer, or manipulation of a manual gear shift. How the result is achieved is irrelevant to conforming to regulatory compliance, as long as the processes produce the desired results.

After data is collected, results are analyzed and assessed for operational compliance. If the majority of drivers violate the speed limit, does that affect the system of how markings and signs are planned, developed and installed?

Non-conforming highway users are not charged, or made subject to findings, under the system of planning, developing and installing markings and signs, but under the operational component of maximum speed limits. This could be compared to airports and airlines, where CARs 302.502 or 705.152 operational findings remain operational findings and do not convert to CARs 107.02 system findings.


Remote Management of a Safety Management System

A Safety Management System (SMS) may be managed from a remote location, by a Strategy Process Solutions (SPS). There are two components to a Remote Management System. One is the SMS, which is an onsite process verification of how the job is done, while the other is the SPS, which is the strategy of planning and implementing design processes that conform to regulatory compliance and organizational objectives and goals.

Runway management is dependent on type of operations.

It is of vital importance to manage processes, both for regulatory compliance and safe operation, as a tool to evaluate how effective job-performance descriptions are. During prior years without SMS the confidence level of how well processes were functioning was in all cases zero. There were no methods or tools available to assess how well the systems worked. There were no data collected to measure the confidence level of any processes, or to give guidance on potentially malfunctioning processes. It was assumed that it worked well as long as there were no accidents. However, after every major accident a lesson-learned statement was issued to explain the lack of known process effectiveness.

At an airport, runway inspections are conducted regularly throughout the day, depending on the size and complexity of the airport. Managing these inspections is operational management and must be an onsite activity. Management of the processes themselves is data collection and can be administered from a remote site. The processes include established timelines, a check list, runway items to be checked and other critical safety conditions. This process would require all areas to be checked and reported as acceptable or non-acceptable, or with variances in between. Since there is a set timeline, or a goal for the process to be executed, there is an open loop to be closed with the submission of a report within a few minutes after the inspection is done. At the conclusion of submitting the report, there is data available for management to process for the effectiveness of the Strategic Process System. Other options for runway inspection processes could be the use of drones, flying the approach checking for obstacles and flying the runway checking for Foreign Object Debris (FOD), or satellite sweeps of the approach and runway.
SMS is an onsite process verification of how the job is done. 
Data and results of these inspections are irrelevant to the confidence level of how effective the inspection processes themselves are. If the goal is that a runway and approach are swept for obstacle and FOD status prior to every flight, and the process is actually conducted prior to each flight, then the process is functioning within the expected confidence level. The process of managing obstacles or FOD is an operational SMS process. Operational status of runways is an onsite management process, where data is collected to establish the effectiveness of processes for safe flight operations. Data from onsite processes are applied to the operational aviation Safety Management System of the runways.

Remote Management of a Safety Management System requires a remote Strategic Process System, combined with an onsite aviation Safety Management System.