On July 7, 2017 Air Canada 759 lined up the approach for landing on Taxiway Charlie at SFO. This scenario of parameters was set up for the worse accident in the history of aviation. Based on this incident, does the argument hold water that a Safety Management System makes flying safer? Aviation safety is determined by several factors, where one factor to make flying safer is how well an enterprise is applying SMS as an additional layer of safety in support of their safety processes. An enterprise that supports bureaucratic processes or processes that are designed to support the organization are check-box syndrome processes. These processes only have one goal, which is to control, but not manage, the operational Safety Management System. In the public opinion, the blame-factor may be assigned to the Safety Management System requirement itself. However, the Safety Management System itself is fail-free system and telling a story of safety performance. Since it is a parallel system to the operational safety systems, SMS is collecting samples of data to be applied to processes as an additional layer of safety. SMS is a system which regularly checks in with the operations for a snapshot.
What is SMS?
SMS is the “ugly duckling” in safety that is to blame when things go wrong. When expectations,
which are only opinions, are developed as guidance material under an SMS and applied as prescriptive regulations, then safety operating processes are set up for failure. With this approach an SMS is not given the authority, accountability or opportunity to function within a just culture, where there is trust, learning, accountability and information sharing. When expectations are applied as prescriptive regulatory requirement the first task of SMS becomes to ensure that the check-boxes are correctly checked and completed. In a bureaucratic organization and operating with in compliance with the check-box syndrome, any reference to operational safety is determined by the status of their check-boxes. SMS is not to count the checked boxes, but it is hard work to make operational processes safer today then what they were yesterday.
What SMS Is Not
SMS is not the magic wand of miracles for accidents never to happen again and SMS is not a system where prescriptive expectations are applied as regulations. SMS is not a one-fit-all model and SMS is not a model where everything is acceptable. SMS is not emotions or opinions based and SMS is not where processes must conform to SMS design. SMS is not a system of perfect people or a system within a perfect virtual world. SMS is not the trial and error system and SMS is not a system with an end or beginning. SMS is not to roll the dice for an answer, but it’s to drop the marbles to see where they scatter.
There are a lot of things that SMS is not, but all of these things what SMS is not, are what SMS has become.
SMS Has Become A Conglomerate Of Opinions
SMS has become a conglomerate of opinions by the virtue of good intent to make flying safer. However, good intent and opinion have turned out to be the “killer-bee” of aviation safety. SMS has become so very complex that very few can explain why certain processes are applied or corrective actions are applied. Often these changes are made since the regulator is macro managing portions, or all of an enterprise. When a regulatory finding is given to an emergency response plan full-scale test because the test discovered deficiencies, then the SMS did not fail but was successful by the discovery of faulty processes. In an attempt to establish the utopia of safety, SMS has become a system where everything is defined as a safety issue and to the degree where safety itself has become virtual facts. Operational size and complexity is forgotten and Safety Critical Areas and Safety Critical Functions have no meaning.
Safety Critical Areas And Safety Critical Functions
An enterprise is failing their SMS unless their SMS includes Safety Critical Areas and Safety Critical
Functions. Anything else by to operate with an SMS for the purpose of improving safety is to support the red-tape of a bureaucratic enterprise where the processes are designed to support their design and not their operations.
Defining Safety Critical Areas and Safety Critical Functions is to place weight on areas of operations and functions within these areas. Not all areas of aviation are safety critical. In an organization where there are no safety critical areas or functions, the decision making process is simple, but without accountability. A Safety Critical Area could be night approaches, with a Safety Critical Functions being approaches to SFO or YCB at midnight during the month of July. An approach to SFO may be safety critical function, while an approach to YCB in the High Arctic may not be safety critical. On the other hand,
an approach into YCB on a January day at noon might be a safety critical function. When all areas of aviation are assigned the same key or same weight to safety critical areas and functions, it becomes impossible to target areas for learning and training purposes. Safety now has become wishful thinking of a utopia of aviation where accidents never will happen again. Only when it is understood that an accident could happen in the future is when the SMS tools are ready to be applied to the operational level.
A vital question to ask for continuous safety is: Does Transport Canada accepts anything less from an Enterprise but that all areas are safety critical areas and all functions are safety critical functions? If they expect that all areas and functions of aviation must be equal safety critical it becomes a conflicting task for the operator to operate with an effective SMS. In a bureaucratic organization it is preferred that everything and everyone are equal.
An enterprise operating SMS without safety critical areas and functions are spinning their wheels. SMS is the NextGen of aviation safety where processes, or “how we normally do things”, are analyzed for variables and to what risk-level these variables are affecting operations.
Does One Incident Qualify As System Failure?
Yes, it does when criteria are met and based on guidance supported by Transport Canada, it does.
This practice has been established by awarding Enterprises system failure findings for one single failure to meet an expectation. System failures are any findings under CARs 107.02. Based on this one incident, since AC 759 approach most likely did not meet the expectation; qualify as an organizational system failure. However, coming to a conclusion that one irregularity is a system failure is rush to judgement unless that one irregularity is a function of time and comprehension. Often TC inspectors are rushing to judgement when issuing a system finding for one non-compliance with one expectation. Transport Canada inspectors may have good intentions when applying expectations as system failures, but have departed from the concept of SMS and further departed from the basic of their initial SMS training when SMS first became a regulatory requirement.
Transport Canada SMS Survey
In a survey published din the JDA Journal, April 13, 2017, the vast majority of Transport Canada Inspectors view themselves as having better knowledge of airline operations than the operator themselves have and that TC inspectors are better qualified than the operator by fixing safety problems before they become accidents or incidents. Further, this survey identified correctly that SMS is to transfers responsibility for setting acceptable risk levels and monitoring safety performance is the responsibility of the operator themselves. This is a vital and valid point to improve safety in aviation since the system under SMS is operational based and not bureaucratic based for Transport Canada to accept the risk. SMS is the NextGen of aviation safety where the regulator is removed from operations. Another point in this survey is that 81 percent of inspectors surveyed predicted a major aviation accident soon. Nobody can predict a major aviation accident, not even a TC inspector. This survey reveals the bias of inspectors towards Canadian aviation operators and the inspector’s utopia view that they know best. Transport Canada Inspectors have yet to show any data collaborating SMS-failure statements over the last ten years. This survey was published as “A Learning Lesson For FAA”.
SMS Did Not Fail
SMS did not fail AC 759 on the approach to 28R at SFO. It was the operational practices, or how the flight normally is done that failed AC 759. If there was none, two or five aircraft on Taxiway Charlie is relevant to the potential catastrophic outcome, but irrelevant to the SMS processes. Since the quality of processes are unknown until the final output is known, it becomes vital to safety that the progress of operational safety processes allows for ongoing risk assessment and decision making by flight crew. Quality Assurance is a result of variations in quality output by the same process.
Does SMS Make Flying Safer?
Yes, SMS makes flying safer and the SFO incident does not make flying any less safe. Safety
management systems help companies identify safety risks before they become bigger problems. If one company ignores their own SMS tools available and the help SMS offers makes that one company less safe than if they had elected to apply their tools and predict the safety risk level of identified hazards. Flying doesn’t become less safe, or have a reduction in safety without SMS, but an organization without SMS lacks the opportunity for continuous safety improvements by applying SMS concept and principles. Over time an enterprise that is “listening to their SMS” is gaining grounds in safety and become safer in operations than non-SMS, or the “ignore-SMS” organizations.
Additional Layer and Parallel Approach
SMS is an additional layer of safety and parallel approach to operational processes. SMS does not make it safe or unsafe to fly, but SMS provides data, which is processed into information and then applied as knowledge and comprehension for safer operational practices. It is when this data has reached the level of comprehension that it can be integrated into a policy, design of processes and improvement of safety. In an SMS world it is still the flight crew, maintenance personnel, ground crew and the enterprise’s management that makes a difference in continuous safety improvement or continuous decline. However, SMS is an invaluable tool that some are overlooking but they are still expecting miracles from SMS. In addition, a contributing cause factor to the SFO incident is that
airports are outdated by its 1903 design without adapting to size, complexity and traffic volume.
AC759 Cleared To Land RWY 28R
Aviation Safety must always be viewed from the public’s point of view, which is an expectation of a pleasant experience and no incidents between boarding the airplane and deplaning at destination. For some passengers it might be comforting to know that Air Canada 759 did not end in a disaster, while for others this might be a horrified experience when learning about this incident to a point where they will never travel on an airplane again. Either way, the public is expecting quality performance of aircraft and flight crew. The flight crew of AC 759 on short final realized that something was wrong, but expected someone else, in this case the Tower Controller, to make a decision for them of what to do. This principle of avoiding safety actions is outside the parameters of an effective SMS system.