Sunday, September 24, 2017

The Safety Card

The Safety Card is played when data does not support an opinion of a decision maker or when safety is not comprehended. The Safety Card is when safety becomes the driving force of operations without considering Residual Risk, which is the remaining risk level that exists after all selected risk control techniques have been implemented or without considering the Substitute Risk, which is the safety risk level that exists of new hazards identified by the introduction of a risk control. The Safety Card is played when safety is not defined, measured or when operational pressure is applied from a third party or social media.

The Safety Card is effective when applied to one event only.
After major aircraft accidents, there is a public outcry, and rightfully so, for airlines to improve safety.  The aviation authorities are scrambling to make new rules to protect the flying public and everyone is alleging that flying is safer than driving a vehicle. Ever since the first flight new rules and regulations have been put in place to improve safety and make flying the utopia of safe travel. But it’s not certain that more regulations make flying safer.

A quote from Transport Canada:
"Traditionally, in rail and in other safety-critical industries, safety had been pursued through compliance with prescriptive rules and regulations. In the 1990s, however, advancements in safety research demonstrated that organizations could be compliant with prescriptive regulations, yet still be unsafe. More specifically, compliance did not necessarily mean effectively managing risks."
Leonardo da Vinci was a pioneer in aviation and 400 years ahead of his time. Below are two of his quotes: “For once you have tasted flight you will walk the earth with your eyes turned skywards, for there you have been and there you will long to return.”, and “Anyone who conducts an argument by appealing to authority is not using his intelligence; he is just using his memory.

When combining these quotes, they become a description of aviation safety and the Safety Management System as we know it. Regulatory compliance is not safety risk assessments and it takes intelligence to assess risks, manage, lead and continuous improve aviation safety. Regulatory compliance is to rely on memory, while intelligence to lead with operational safety processes and the ability to learn or understand or to deal with new or trying situations. When applying memory to SMS the task of memorizing regulations does not challenge operations or assessing risks, while applying intelligence, or human factors, operations are challenged and safety risk levels are assigned.

Customer Satisfaction is loyalty, safety and accountability to the flying public
SMS is data collection and to learn and understand what story the data is telling. Aviation safety is to apply data collected, which is the product of elements with a purpose to generate information, acquire knowledge and develop comprehension for training, competencies and communication within a Safety Promotion System. The public opinion of aviation safety is based on emotions of the outcome of the flight and not on input processes. This is how it must be addressed by the public, who should not have to analyze any data to raise their voice and opinion of safety when flying. An airline only has one option when it comes to manage safety in flying, which is to view their operations from the point of view of a passenger and the public opinion. An effective SMS is where the safety policy and primary objective is to provide a high-quality level of customer service and apply this as a tool for excellence in level of safety. It is impossible to provide a high-quality level of customer service without excellence in operations of a safety management system.

When applying this concept of a customer satisfaction based approach to safety there could be a conflict between the quality-level accepted by a customer and operational control. Opinions based demands from third-parties, customers, social media or an aviation authority could develop unintended hazards and affect safety decisions. Several years ago, and long before SMS became regulated, or accepted as a value-added level of safety in aviation, an operator developed a customer satisfaction based safety management system. The concept of this system was to measure the level of safety from the point of view of customer satisfaction and apply data-based decision tools to operational control. This system functioned for several years until it was decided to apply safety as the primary driving force into operations. While customer satisfaction could be measured, analysed and defined, the concept of safety could not easily be defined or comprehended. The Safety Card was applied equally to all aspects of operations without defining safety critical areas to measure. This opinion based decision to change a word from “customer” to “safety” caused a drift in operational control and drift of processes effectiveness. Introducing the word “safety” to operations does not improve safety unless decisions are based on factual data.

CatalinaNJB

Friday, September 8, 2017

Risk Matrix Differently

Traditionally the risk matrix in aviation is a method to assess a safety risk level and a decision tool to reject or accept that risk level on its own merits. If the risk matrix is in the green area the risk is accepted and if the risk in the red area, it’s not accepted. When the risk matrix is in the yellow area, then something must be done to move the risk to an acceptable green level area. The risk matrix is applied to aircraft performance criteria or airport physical characteristics and the decision is a go or no-go decision. The traditional risk matrix does not guide the decision towards the next process, but ends the decision-making process by rejecting or accepting the risk. The decision-making tool of a risk matrix may be red, green and yellow, but the process itself is just black and white.

A risk assessment is not always perfect.
As the name suggests, the risk matrix is a tool to develop a vision of the risk level, based on certain established criteria. These criteria are generally defined as Likelihood, Severity and assumed Exposure.
Without exposure to the risk there is no likelihood that the risk is affecting safety and the severity is eliminated. The exposure level is assumed to be one (1) at the time when likelihood and severity becomes a factor. An airplane sitting on the runway ready for takeoff is not exposed to an engine failure after takeoff at that time and location, but is systematically preparing for the reaction to an engine failure after takeoff if the exposure becomes a factor. When the flight crews are reviewing their departure emergency procedures they are making an assessment of the likelihood of exposure for that particular flight and a decision to reject or accept the risk level before initiating the takeoff roll. At the time of initiating the takeoff roll the flight crew has accepted that the likelihood for exposure to an engine failure is zero. The crew have just made a go or no-go decision, or a green or red decision and it has become a black and white process. If the risk level process was true, there would never be an engine failure after takeoff.
However, since airplanes still have engine failures after takeoff the assessment of placing the likelihood of exposure into the green box, this risk level acceptance is false.

The different levels in the risk matrix are the likelihood levels and the severity levels. The FAA has defined these levels for application of aviation safety risk levels.

Likelihood Levels
Likelihood is placed into five categories of likelihood with a definition for each category. Likelihood level A is category frequent and defined as expected to occur routinely. Level B is category probable and defined as expected to occur often. Level C is category remote and defined as expected to occur infrequently. Level D is category extremely remote and defined as expected to occur rarely. The last likelihood level is level E, and category extremely improbable and defined as to be so unlikely that it is not expected to occur, but it is not impossible.

Severity Levels
Severity is placed into five categories of severity with a definition for each category. Severity level 5 is category minimal and defined as negligible safety effects. Level 4 is minor and defined as physical discomfort to persons, slight damage to aircraft. Level 3 is major and defined as physical distress or injuries to persons, substantial damage to aircraft. Level 2 is hazardous and defined as multiple serious injuries; fatal injury to a relatively small number of persons (one or two); or a hull loss without fatalities. The last severity level is level 1 catastrophic and defined as multiple fatalities (or fatality to all on board) usually with the loss of aircraft.

Traditional Risk Matrix with unconditional decisions.
Risk Matrix
When an operator unconditionally accepts these acceptable and green risk matrix levels, they accepts the risk that there will be multiple serious injuries; fatal injury to a relatively small number of persons (one or two); or a hull loss without fatalities. The definition extremely improbable is not only applicable to the opinion of likelihood, but also applicable to the process itself and the collection of data. Since the assessment of likelihood is a subjective opinion and not based on data analysis, the definition itself of being extremely improbable is false.
Extremely improbable is only true as a probability analysis based on data but not as a definition of a subjective likelihood level. For the definition, extremely improbable to be true it becomes necessary to conduct a comprehensive research of all operations globally for that type of aircraft since the first flight of that aircraft. The likelihood of extreme improbable is only true for the first flight of that aircraft type. If there was only one malfunction of that type, the definition becomes invalid. However, that an operator still accepts the risk level is an operational decision based on their safety operational confidence level. A confidence level above zero is only possible by operating with an SMS and applying SPC. Everything else is an opinion level.

Risk Matrix Differently Tool
An effective risk matrix should include more than unconditional rejections or acceptance of a risk, and should guide the operator towards further actions. This risk matrix is similar to the above risk matrix, but it is different because it provides an answer of action before rejecting or accepting the risk.

The likelihood levels based on research and data collected and defined by times between event intervals. If an operator does not have data to support a likelihood analysis, other data may be available to borrow from similar operators, from NTSB sites, TSB sites, ICAO sites or other global Civil Authority sites. This likelihood level analysis is not specific to an analysis of one operator, but to all operations with same type of airplanes. It becomes specific to the operator when enough data is collected to conduct a true analysis. E.g. when data is collected for
5 years and the operations is continuing with the same processes a prediction for the next 5 years becomes available. However, when there are changes to the operations or processes, data collected does no longer represent the prediction. One cannot predict the future unless variables are eliminated, but one can accept the risk level based on a true safety operational confidence level. An operator who has a true confidence level of 95% that their operations is failure-free for the purpose of safety is a higher confidence level and safer operations than an opinion based 100% confidence level.

A different Risk Matrix with action.
A different risk matrix tool guides the operator to an action. This action could be to Communicate the issue, Monitor the issue, Pause operations, Suspend Operations or Cease Operations. Before and judgement and decision for rejection or acceptance are made, this risk matrix has guided the operations to an action.

A risk level to Communicate is green, and acceptable. But it is not unconditionally accepted, it is communicated within the organization and to affected personnel. The operations does not have to be interrupted, but an issue, or hazard is being discovered and communicated.
The next level is to Monitor the issue. This does not imply to skip the Communication, but it is to monitor and communicate.
The next level is to Pause. A pause could be for an hour, or a day, depending on the hazard. This Pause level gives the operator an opportunity to assess both aircraft performance, or airport capability and the capability of flight crew. A Suspend level is to stop activities while a comprehensive assessment of risk level and mitigation is conducted. The final level is the Cease level, and this is a level where the risk is transferred. None of these safety risk levels are unconditionally rejected or accepted, or stand-alone risk levels. When a risk level of Cease is defined, the operator is continuing to assess the Suspend, Pause, Monitor and Communicate levels.

The Risk Matrix Differently is a tool to apply SMS principles of continuous or continual improvements without getting locked into rejecting or accepting a risk level.



CatalinaNJB