1-4 Safety Management Manual (SMM)

decision is taken, the SMS implementation should be monitored as part of the SSP. Before requiring SMS, States are asked to consider whether:

a) there are any other viable options for achieving the desired improvement in safety performance; and
b) sufficient resources are available for the State and industry sector to implement and monitor the SMS. In particular, consideration needs to be given to the possible impact on staffing and the potential challenge of acquiring and integrating the necessary skills and knowledge.

1.2.2.2 Each State should consider the acceptable level of safety performance (ALoSP) across their industry and institute an SMS applicability scheme that is most likely to achieve their State’s safety objectives, noting that the SMS applicability scheme applied will likely evolve in continual alignment with the State’s ALoSP.

1.2.3 Safety management responsibility

No provision of Annex 19 is intended to transfer to the State the responsibilities of the aviation service provider or operator. States possess many tools to manage safety within their system. As part of its SSP, each State should consider the best options for the oversight of aviation activities that may not fall within current ICAO Annexes or that of new or emerging activities.

1.2.4 Applicability for State-owned or military service providers

1.2.4.1 In some States, the service provider function is provided by the State civil service or military. Some civilian service providers provide contracted services to the military, and some military organizations provide civilian service. Regardless of the arrangement, the service provider providing the civilian service in the State should be required to address all the applicable ICAO SARPs, including the Annex 19 SMS requirements without regard to the specific nature of such organization.
The State or service provider’s system description should have regard for the functions of these organizations and their relationship to each other. The accountable executive of the service provider, whether civil or military, should be capable of explaining the arrangements and how safety risks are managed. Put simply, service providers should manage safety regardless of the organizational arrangements.

1.2.4.2 Where the State operates as a service provider there should be a clear separation between its functions as the service provider and that of the State regulatory authority. This is accomplished by having clearly defined roles and responsibilities for State authority and service provider personnel to avoid any conflicts of interest.

1.2.5 Occupational safety, health and environment versus aviation safety

Occupational safety, health and environment (OSHE) (also referred to as occupational health and safety (OHS) or workplace health and safety (WHS)) is a field concerned with the safety, health, and welfare of people at work. The primary difference between aviation safety management and OSHE systems is the intent. In many States employers have a legal duty to take reasonable care of the health and safety of their employees. The intention of OSHE programmes is to meet the legal and ethical obligations of employers by fostering a safe and healthy work environment. These issues are normally addressed under a different government body from the one that handles aviation matters. As such, Annex 19, Chapter 2, Applicability, intentionally focuses on “safety management functions related to, or in direct support of, the safe operation of aircraft”.

Chapter 1. Introduction 1-5

1.3 IMPLEMENTING SAFETY MANAGEMENT

1.3.1 Establishing a solid foundation is essential to achieving effective safety management implementation.
The following aspects should be addressed as the first steps in implementing SSP or SMS requirements:

• Senior management commitment: It is essential that senior management of all State aviation agencies is committed to effective safety management implementation.
• Compliance with prescriptive requirements: The State should ensure that a mature safety oversight system is in place for the licensing, certification and approval of individuals and organizations performing aviation activities in their State, including qualified technical personnel. Service providers should ensure that they have processes in place to ensure continued compliance with the established prescriptive requirements.
• Enforcement regime: The State should establish an enforcement policy and frameworks to enable parties to manage and resolve deviations and minor violations.
• Safety information protection: It is essential that States put in place a protective legal framework to ensure the continued availability of safety data and safety information.

1.3.2 System description

The system description is a summary of the organization’s (State or service provider) processes, activities and interfaces that need to be assessed for hazard identification and safety risk assessment that is covered by their safety system. It describes the aviation system, within which the organization functions, and the various entities and authorities involved. It includes interfaces within the organization, as well as interfaces with external organizations that contribute to the safe delivery of services. The system description provides a starting point to implement the SSP/SMS. More information on the system description for States and service providers may be found in Chapters 8 and 9, respectively.

1.3.3 Interfaces

1.3.3.1 When States and service providers are considering implementing safety management it is important to consider the safety risks induced by interfacing entities. Interfaces can be internal (e.g.
between operations and maintenance, or finance, human resources or legal departments), or they can be external (e.g. other State, service providers or contracted services). States and service providers have greater control over any related safety risks when interfaces are identified and managed. Interfaces are defined as part of the system description.

Interface safety impact assessment

1.3.3.2 Once a State or service provider has identified its interfaces, the safety risk posed by each interface is assessed using the organization’s existing safety risk assessment processes (see Chapter 2 for details). Based on the safety risks identified, the State or service provider may consider working with other organizations to determine an appropriate safety risk control strategy. Organizations working collaboratively may be able to identify more interface hazards; assessing any related safety risks and determining mutually appropriate controls. Collaboration is highly desirable because the safety risk perception may vary between organizations.

1.3.3.3 It is also important to recognize that each organization involved is responsible for identifying and managing any identified hazards that affect its organization. The criticality of the interface may differ for each organization. Each organization might reasonably apply different safety risk classifications and have different safety risk priorities (in terms of safety performance, resources, time).

Monitoring and management of interfaces

1.3.3.4 States and service providers are responsible for ongoing monitoring and management of their interfaces to ensure the safe provision of services. An effective approach to interface SRM is to establish formal agreements between interfacing organizations with clearly defined monitoring and management responsibilities.
Documenting and sharing all interface safety issues, safety reports and lessons learned, as well as safety risks between interfacing organizations will ensure clear understanding. Sharing enables transfer of knowledge and working practices that could improve the safety effectiveness of each organization.

1.3.4 Implementation planning

1.3.4.1 Performing a gap analysis before embarking on the implementation of SSP/SMS will allow an organization to identify the gap between the current organizational structures and processes, and those required for effective SSP or SMS operation. For SSP, it is important to include a review of the Universal Safety Oversight Audit Programme (USOAP) protocol questions which are considered as the foundation of the SSP.

1.3.4.2 The SSP or SMS implementation plan is, as the name implies, a plan for SSP/SMS implementation. It provides a clear description of the resources, tasks and processes required, and an indicative timing and sequencing of key tasks and responsibilities. More information on the implementation of safety management for States and service providers may be found in Chapters 8 and 9, respectively.

Maturity assessment

1.3.4.3 Soon after the key components and elements of the SSP or SMS are implemented, periodic assessments should be conducted to monitor how effectively it is working. As the system matures, the organization should seek assurance that it is operating as intended and is effective at achieving its stated safety objectives and targets. Safety management takes time to mature and the aim should be to maintain or continuously improve the safety performance of the organization.

1.3.5 Size and complexity considerations

1.3.5.1 Each State and each service provider is different. SSPs and SMSs are designed to be tailored to meet the specific needs of each State or service provider. All components and all elements of SSP/SMS are interconnected and interdependent, and necessary to function effectively.
Although it is tempting, it is important that SSP and SMS requirements are not only implemented in a prescriptive manner as this may defeat the purpose; that is, to complement the traditional prescriptive requirements with a performance-based approach.

1.3.5.2 The programme/system is designed to deliver the desired outcomes for each organization without undue burden. SSP and SMS, well implemented, are intended to complement and enhance the organization’s existing systems and processes. Effective safety management will be achieved through thoughtful planning and implementation ensuring each requirement is addressed in ways that fit the organization’s culture and operating environment. More information on what to consider when implementing SSP/SMS for States and service providers may be found in Chapters 8 and 9, respectively.

1.3.6 Integrating the basic elements

It is important to note that all systems are composed of three basic elements: people; processes; and technology. Safety management is no exception. When establishing or maintaining the different processes, activities and functions, all States and service providers should ensure they have considered the intention of each requirement and, most importantly, how they will work together to enable the organization to meet its safety objectives. Each of these elements of safety management, and the interrelationships, will be covered throughout this manual.

1.4 INTEGRATED RISK MANAGEMENT

1.4.1 The aviation system as a whole comprises many and different functional systems such as finance, environment, safety and security. The latter being the two primary operational domains of the greater aviation system. As concepts they share important features as they are all concerned with the risk of events with consequence of various magnitudes. Nevertheless, they differ in the important element of intent. Security is concerned with malicious, intentional acts to disrupt the performance of a system.
Safety focuses on the negative impact to the concerned systems’ performance caused by unintended consequences of a combination of factors.

1.4.2 In the operational context, all of the functional systems produce some sort of risk that needs to be appropriately managed to lessen any adverse consequence. Traditionally, each system has developed sector specific risk management frameworks and practices designed to address the distinct characteristics of each system. Most of those risk management practices include comprehensive analysis on intra-system consequences, often referred to as the management of unintended consequences. Another aspect is inter-system consequences resulting from system specific risk management processes. This relates to the fact that an effective risk management strategy of one specific sector can have an adverse impact on another operational sector of aviation. In aviation, the most often emphasized inter-system dependence is the safety/security dilemma. Effective security measures may have negative impacts on safety, and vice versa. Safety and security domains may differ in the element of underlying intent, but they converge in their common goal to protect people and assets (e.g. addressing cyber threats and risks requires coordination across the aviation safety and security domains). In some cases the management of their inherent risk may affect the other domain in unforeseen ways, such as in the following examples:

• reinforced cockpit doors necessitated due to security risks may have safety implications on the operation of an aircraft;
• restrictions on the carriage of personal electronic devices in the cabin may displace the security risk from the cabin to the cargo hold leading to heightened safety risk; and
• change of routes to avoid flying over conflict zones may result in congested air corridors that pose a safety issue.

1.4.3 Successful risk management in aviation should aim for overall risk reduction in the system, including all of the involved functional systems. This process requires the analytical assessment of the whole system at the highest level of the appropriate entity (State, regional organizations, service providers). The assessment and integration of functional system needs and interdependence is referred to as integrated risk management (IRM). IRM focuses on the overall risk reduction of the organization. This is achieved through the quantitative and qualitative analysis of both the inherent risks, and the effectiveness and impact of sector-specific risk management processes. IRM has a system wide responsibility to coordinate, harmonize and optimize risk management processes with the single goal of risk reduction. IRM cannot replace the operating specific risk managements of the functional systems, and does not intend to delegate additional duties and responsibilities to them. IRM is a distinct high-level concept to leverage the expert advice of sector specific risk management and provide holistic feedback to achieve the highest level of system performance at a socially acceptable level. More information related to SRM may be found in Chapters 2, 8 (for States) and 9 (for service providers).

Note.— The structure and areas of responsibility of the government within the State may affect oversight of each area. For example, the civil aviation authority (CAA) having responsibility for aviation safety, while the environmental protection agency has responsibility for environmental oversight. Each oversighting entity may have different requirements and methodologies.

Chapter 2

SAFETY MANAGEMENT FUNDAMENTALS

2.1 THE CONCEPT OF SAFETY AND ITS EVOLUTION

2.1.1 This chapter provides an overview of fundamental safety management concepts and practices.
It is important to understand these fundamentals before focusing on the specifics of safety management found in the subsequent chapters.

2.1.2 Within the context of aviation, safety is “the state in which risks associated with aviation activities, related to, or in direct support of the operation of aircraft, are reduced and controlled to an acceptable level”.

2.1.3 Aviation safety is dynamic. New safety hazards and risks continuously emerge and need to be mitigated. As long as safety risks are kept under an appropriate level of control, a system as open and dynamic as aviation can still be kept safe. It is important to note that acceptable safety performance is often defined and influenced by domestic and international norms and culture.

2.1.4 Progress in aviation safety can be described by four approaches, which roughly align with eras of activity. The approaches are listed below and are illustrated in Figure 1.

a) Technical — From the early 1900s until the late 1960s, aviation emerged as a form of mass transportation in which identified safety deficiencies were initially related to technical factors and technological failures. The focus of safety endeavours was therefore placed on the investigation and improvement of technical factors (the aircraft for example). By the 1950s, technological improvements led to a gradual decline in the frequency of accidents, and safety processes were broadened to encompass regulatory compliance and oversight.
b) Human factors — By the early 1970s, the frequency of aviation accidents had significantly declined due to major technological advances and enhancements to safety regulations. Aviation became a safer mode of transportation, and the focus of safety endeavours was extended to include human factors, including such things as the “man/machine interface”. Despite the investment of resources in error mitigation, human factors continue to be cited as a recurring factor in accidents.
Human factors tended to focus on the individual, without fully considering the operational and organizational context. It was not until the early 1990s that it was acknowledged that individuals operate in a complex environment that included multiple factors which could affect behaviour.
c) Organizational — During the mid-1990s, safety began to be viewed from a systemic perspective and began encompassing organizational factors as well as human and technical factors. The notion of an “organizational accident” was introduced. This perspective considered the impact of such things as organizational culture and policies on the effectiveness of safety risk controls. Additionally, routine safety data collection and analysis using reactive and proactive methodologies enabled organizations to monitor known safety risks and detect emerging safety trends. These enhancements provided the learning and foundation which led to the current safety management approach.
d) Total system — From the beginning of the 21st century, many States and service providers had embraced the safety approaches of the past and evolved to a higher level of safety maturity. They have begun implementing SSP or SMSs and are reaping the safety benefits. However, safety systems to date have focused largely on individual safety performance and local control, with minimal regard for the wider context of the total aviation system. This has led to growing recognition of the complexity of the aviation system and the different organizations that all play a part in aviation safety. There are many examples of accidents and incidents showing that the interfaces between organizations have contributed to negative outcomes.

Figure 1.
The evolution of safety

2.1.5 The steady, compounding evolution of safety has led States and service providers to a point where they are giving serious consideration to the interactions and interfaces between the components of the system: people; processes; and technologies. This has led to a greater appreciation for the positive role people play in the system. Safety benefits from collaboration between service providers, and between service providers and States. This perspective has nurtured multiple collaborative initiatives between service providers and an appreciation of the benefits of collaboration when addressing safety issues. The ICAO Runway Safety Programme is a good example.

2.1.6 For the collaborative total system approach to flourish, the interfaces and interactions between the organizations (including States) need to be well understood and managed. States are also beginning to recognize the role the total aviation system approach can play in their SSP development. For example, it helps to manage safety risks which cut across multiple aviation activities.

2.2 HUMANS IN THE SYSTEM

2.2.1 How people think about their responsibilities towards safety and how they interact with others to perform their tasks at work significantly affects their organization’s safety performance. Managing safety needs to address how people contribute, both positively and negatively, to organizational safety. Human factors is about: understanding the ways in which people interact with the world; their capabilities and limitations; and influencing human activity to improve the way people do their work. As a result, the consideration of human factors is an integral part of safety management, necessary to understand, identify and mitigate risks as well as to optimize the human contributions to organizational safety.

2.2.2 The following are key ways in which safety management processes consider human factors:

a) senior management commitment to creating a working environment that optimizes human performance and encourages personnel to actively engage in and contribute to the organization’s safety management processes;
b) responsibilities of personnel with respect to safety management are clarified to ensure common understanding and expectations;
c) personnel are provided with information by the organization that:
   i) describes the expected behaviours in respect to the organizational processes and procedures;
   ii) describes what actions will be taken by the organization in response to individual behaviours;
d) human resourcing levels are monitored and adjusted to ensure there are enough individuals to meet operational demands;
e) policies, processes and procedures are established to encourage safety reporting;
f) safety data and safety information are analysed to allow consideration of those risks related to variable human performance and human limitations, with particular attention to any associated organizational and operational factors;
g) policies, processes and procedures are developed that are clear, concise and workable, with the aim of:
   i) optimizing human performance;
   ii) preventing inadvertent errors;
   iii) reducing the unwanted consequences of variable human performance;
   the effectiveness of these is continually monitored during normal operations;
h) ongoing monitoring of normal operations includes assessment of whether processes and procedures are followed and, when they are not followed, investigations are carried out to determine the cause;
i) safety investigations include the assessment of contributing human factors, examining not only behaviours but reasons for such behaviours (context), with the understanding that in most cases people are doing their best to get the job done;
j) management of change process includes consideration
of the evolving tasks and roles of the human in the system;
k) personnel are trained to ensure they are competent to perform their duties, the effectiveness of training is reviewed and training programmes are adapted to meet changing needs.

2.2.3 The effectiveness of safety management depends largely on the degree of senior support and management commitment to create a working environment that optimizes human performance and encourages personnel to actively engage in and contribute to the organization’s safety management processes.

2.2.4 To address the way that the organization influences human performance there needs to be senior level support to implement effective safety management. This includes management commitment to create the right working environment and the right safety culture to address human factors. This will also influence the attitudes and behaviours of everyone in the organization. More information on safety culture can be found in Chapter 3.

2.2.5 A number of models have been created to support the assessment of human factors on safety performance. The SHELL Model is well known and useful to illustrate the impact and interaction of the different system components on the human, and emphasizes the need to consider human factors as an integrated part of SRM.

2.2.6 Figure 2 illustrates the relationship between the human (at the centre of the model) and workplace components. The SHELL Model contains four satellite components:

a) Software (S): procedures, training, support, etc.;
b) Hardware (H): machines and equipment;
c) Environment (E): the working environment in which the rest of the L-H-S system must function; and
d) Liveware (L): other humans in the workplace.

Figure 2. SHELL Model

2.2.7 Liveware. The critical focus of the model is the humans at the front line of operations, and depicted in the centre of the model.
However, of all the dimensions in the model, this is the one which is least predictable and most susceptible to the effects of internal (hunger, fatigue, motivation, etc.) and external (temperature, light, noise, etc.) influences. Although humans are remarkably adaptable, they are subject to considerable variations in performance. Humans are not standardized to the same degree as hardware, so the edges of this block are not simple and straight. The effects of irregularities at the interfaces between the various SHELL blocks and the central Liveware block should be understood to avoid tensions that may compromise human performance. The jagged edges of the modules represent the imperfect coupling of each module. This is useful in visualizing the following interfaces between the various components of the aviation system:

a) Liveware-Hardware (L-H). The L-H interface refers to the relationship between the human and the physical attributes of equipment, machines and facilities. This considers the ergonomics of operating the equipment by personnel, how safety information is displayed and how switches and operating levers are labelled and operated so they are logical and intuitive to operate.
b) Liveware-Software (L-S). The L-S interface is the relationship between the human and the supporting systems found in the workplace, e.g. regulations, manuals, checklists, publications, processes and procedures, and computer software. It includes such issues as the recency of experience, accuracy, format and presentation, vocabulary, clarity and the use of symbols. L-S considers the processes and procedures - how easy they are to follow and understand.
c) Liveware-Liveware (L-L). The L-L interface is the relationship and interaction between people in their work environment.
Some of these interactions are within the organization (colleagues, supervisors, managers), many are between individuals from different organizations with different roles (air traffic controllers with pilots, pilots with engineers etc.). It considers the importance of communication and interpersonal skills, as well as group dynamics, in determining human performance. The advent of crew resource management and its extension to air traffic services (ATS) and maintenance operations has enabled organizations to consider team performance in the management of errors. Also within the scope of this interface are staff/management relationships and organizational culture.
d) Liveware-Environment (L-E). This interface involves the relationship between the human and the physical environment. This includes things such as temperature, ambient light, noise, vibration and air quality. It also considers the external environmental factors, such as weather, infrastructure and terrain.

2.3 ACCIDENT CAUSATION

2.3.1 The “Swiss-Cheese” (or Reason) Model, developed by Professor James Reason and well known to the aviation industry, illustrates that accidents involve successive breaches of multiple defences. These breaches can be triggered by a number of enabling factors such as equipment failures or operational errors. The Swiss-Cheese Model contends that complex systems such as aviation are extremely well defended by layers of defences (otherwise known as “barriers”). A single-point failure is rarely consequential. Breaches in safety defences can be a delayed consequence of decisions made at the higher levels of the organization, which may remain dormant until their effects or damaging potential are activated by certain operating conditions (known as latent conditions). Under such specific circumstances, human failures (or “active failures”) at the operational level act to breach the final layers of safety defence.
The Reason Model proposes that all accidents include a combination of both active failures and latent conditions.

2.3.2 Active failures are actions or inactions, including errors and rule-breaking that have an immediate adverse effect. They are viewed, with the benefit of hindsight, as unsafe acts. Active failures are associated with front-line personnel (pilots, air traffic controllers, aircraft maintenance engineers, etc.) and may result in a harmful outcome.

2.3.3 Latent conditions can exist in the system well before a damaging outcome. The consequences of latent conditions may remain dormant for a long time. Initially, these latent conditions are not perceived as harmful, but under certain conditions may become clear when the operational level defences are breached. People far removed in time and space from the event can create these conditions. Latent conditions in the system may include those created by the safety culture; equipment choices or procedural design; conflicting organizational goals; defective organizational systems; or management decisions.

2.3.4 The “organizational accident” paradigm assists by identifying these latent conditions on a system-wide basis, rather than through localized efforts, to minimize active failures by individuals. Importantly, latent conditions, when created, had good intentions. Organizational decision makers are often balancing finite resources, and potentially conflicting priorities and costs. The decisions taken by decision makers, made on a daily basis in large organizations, might, in particular circumstances, unintentionally lead to a damaging outcome.

2.3.5 Figure 3 illustrates how the Swiss-Cheese Model assists in understanding the interplay of organizational and managerial factors in accident causation. Multiple defensive layers are built into the aviation system to protect against variations in human performance or decisions at all levels of the organization.
But each layer typically has weaknesses, depicted by the holes in the slices of “Swiss cheese”. Sometimes all of the weaknesses align (represented by the aligned holes) leading to a breach that penetrates all defensive barriers and may result in a catastrophic outcome. The Swiss-Cheese Model represents how latent conditions are ever present within the system and can manifest through local trigger factors.

Figure 3. Concept of accident causation