Shell Aircraft International 5/10/2015 File Title Aviation Safety Management Systems Tony Cramp...

03/26/22 File Title Shell Aircraft International Aviation Safety Management Systems Tony Cramp Senior Advisor (Americas) 17th May 2005 Lafayette


Shell

Aircraft International

Aviation Safety Management Systems

Tony Cramp

Senior Advisor (Americas)

17th May 2005

Lafayette

Underlying Safety Beliefs

• How many factors need to be removed to prevent the accident? Theoretically only one, but with each factor removed the probability for an accident is lowered

• The fundamental requirements for accident prevention are thus (i) the ruthless hunting out and elimination (the identification and management) of risk factors and (ii) using systems of work that are inherently safe

• Everyone can contribute to causing an accident; we can also contribute to preventing one

• A fundamental requirement for this is effective collaboration between line personnel and ‘management’

• These are 3rd Generation Safety beliefs

Safety Paradigms: 3rd Generation

• Safety is a corporate value. Safety practices consider the organization’s particular “way of doing business” as well as corporate possibilities and constraints. What works well for one airline does not necessarily work equally well for others.

• Accidents are caused by systems flaws. The failures observed at the “front end” of aviation operations are considered symptoms of deficiencies in the architecture of the aviation system.

• Human error as a symptom. Error is accepted as a normal component of human performance, unavoidable but manageable. Human error is a clue, which indicates where the safety investigation process must begin rather than end.

• Proaction. Attention is focused on the processes incurred by the aviation system, regardless of the outcome of these processes.

Safety Paradigms: 3rd Generation

The finding of ‘human error’ should be the starting point of an investigation, not its conclusion

Defences in Depth

If we have these beliefs then the foundation of a strategy for preventing accidents would be to introduce controls at Organizational (Systemic), Team and Personal levels so as to achieve Organizational defenses in depth:

A Systemic approach to the management of safety:

Safety Management Systems

Safety Management Systems

The formal goals of an SMS are as follows:

• To produce fully airworthy aircraft, in a safe working environment, that are subsequently operated safely

• To ensure and demonstrate that safety is being managed as formally as any other critical business function

• To ensure and demonstrate that the Organization is ‘responsible’ and exercising ‘due care’ (the counter to the offence of ‘Corporate Killing’)

But what is the bottom line?

SMS is Not New!

• The concept and practice of ‘System Safety’ was first introduced consequent to the Apollo 204 pad fire in 1967 and has been embedded in engineering ever since.

• The Basic Principles of ‘System Safety in Engineering’ are:

• The assurance of safety is gained through the competence and safety-orientated procedures used by each individual engineer, however:

• In complex systems it is easy to ‘overlook the wood for the trees’: there must be an autonomous, safety oversight process that has the ‘big picture’ and a ‘watchdog’ function, and:

• There must be a system enforcing the effective communication of safety-critical information, and:

• There must be a ‘Facilitative function’ that ensures hazard identification and resolution

• This engineering / astronautics approach then migrated into the Nuclear, Maritime, Rail, Oil/Chemical industries and has shown considerable benefits

SMS in Aviation: The Challenge

• Aviation is lagging some 15 years in implementing formal SMS: flight operations are already heavily regulated and traditional Flight Safety methods have a high degree of effectiveness

• SMS has been developed primarily outside of aviation: past experience, e.g. CRM and QA, shows that systems from outside are not always introduced correctly or tailored correctly to aviation culture

• Have to get past the SMS language used by other disciplines, mainly the ‘speak’ of HSE and Quality Assurance

• BUT: SMS is rapidly becoming a Regulatory requirement (UK CAA, Transport Canada, FAA moving in this direction etc) as well as a Customer requirement (Shell, ExxonMobil)

• The challenge is to take the benefits of SMS distilled to date and adapt and apply them to aviation in such a way that SMS is accepted and is demonstrated to add value

SMS Primary Components

Accident cause # 1. Inadequate Procedural Baseline

SMS Primary Components

① Procedural baseline to assure safety in work

Ops Manual, GMM/MPM, Ramp Procedures, Fuel Quality, OSHA Compliance

SMS Primary Components

① (Full spectrum of policies, procedures, methods, practices to assure safety in work)

SMS Manual

SMS Manual can be written bottom-up, or preferably as a template ‘top-down’, gives the big-picture, highlights any major ‘holes’ in SMS Component # 1

Any holes?

The manual forms a ‘road map’, has an integrative function and if the SMS Manual consists of a template of the ‘ideal’ system, then it can be used for both assessment and development purposes

SMS Primary Components

Cause # 1. Inadequate Procedural Baseline

Cause # 2. Uncontrolled Hazards

X

SMS Primary Components

① Procedural baseline to assure safety in work

② SMS Manual

Safety Management Program

Systems are for People?

“Even the most well-considered safety system can be wrecked by the idiosyncratic behaviour of a single individual”

SMS Component # 3: Safety Program Management

1. Proactive Safety Management

• Encouraging and developing Management commitment

• Creation of a Safety Culture

• Safety structure and resources, committees and meetings

• Ongoing hazard identification and management (HEMP)

• Safety education (training, information dissemination)

• ‘Watchdog’ function

2. Reactive Safety Management

• Occurrence investigation (‘occurrences’, incidents, accidents)

• Data analysis

• Continuous learning

SMS Primary Components

① Procedural baseline to assure safety in work

② SMS Manual

③ Safety Program Management

④ Safety Case

SMS Component # 4: The Safety Case

1. A Safety Case is a formal, organizational risk management exercise conducted proactively (e.g. prior to contract launch), or reactively (e.g. to gain control over the risks in current operations)

2. An aviation ‘Safety Case’ is defined as “The documented description of the major hazards that the aircraft operator faces and the means employed to control these hazards”

3. As opposed to the SMS Manual, which gives ‘big picture’ inputs, a Safety Case gives detailed inputs into the procedural baseline. It identifies individual controls required.

4. A Safety Case is a specific application of the HEMP

5. A safety case functions at Management, Supervisor and Line levels: a Living document.

SMS Primary Components

Cause # 1. Inadequate Procedural Baseline

Cause # 2. Uncontrolled Risk Factors / Hazards X

X

Cause # 3. Failures in Communication

SMS Primary Components

① Procedural baseline to assure safety in work

② SMS Manual

③ Safety Program Management

④ Safety Case

⑤ SIS

Safety Information System

1. The fifth primary element is the Organization’s ‘Safety Information System’ (SIS)

2. Several studies have shown that in the vast majority of (aircraft) accidents there was always a piece of information available somewhere that, had it been in the right place at the right time, might well have prevented the accident

3. A SIS may take a variety of forms, from the basic verbal / written communication of safety information across the organization to sophisticated company ‘intranets’.

Examples:

Hazard report forms

Regular safety meetings, with minutes recorded and distributed.

Company newsletters

Effective, updated notice boards

Intranet employee notices

SMS Primary Components

Cause # 1. Inadequate Procedural Baseline

Cause # 2. Uncontrolled Risk Factors / Hazards X

X

Cause # 3. Failures in Communication X

Next Challenge!

• How to integrate these components:

Integrating Principles

1. After 200 years of industry and 100 years of flight surely there must be a package of elements or principles that if applied will give a high level of assurance of safety?

2. Currently, there is agreement that these elements and principles are best described in systems developed by the science of ‘Quality Assurance’

3. The most current definition of an SMS is thus:

• ‘A system for the proactive management of safety that is appropriate to the Operator’s size and complexity and integrates operations, maintenance, human resources and finance and draws upon quality principles’

SMS Primary Components

① Procedural baseline to assure safety

② SMS Manual

③ Safety Program Management

④ Safety Case

⑤ SIS

⑥ Quality System

A Typical Safety-Orientated ‘Quality’ System

[Figure: SHELL ‘Model’ HSSE-MS Elements. Diagram labels: Plan; Do; Check; Feedback; Strategy; Standards; Culture; Communication; Objectives Principles & Policy; Targets & Plans; Accountability & Competence; Product Management; Risk Assessment; Audit Hazard Management; Review; Monitoring; Remedial Action; Incident Reporting; Investigation & Follow-up; Management Review; Customer Satisfaction]

SMS Summary

① Procedural baseline to assure safety

② SMS Manual

③ Safety Program Management

④ Safety Case

⑤ SIS

⑥ Quality System

See ‘Model Manual’

33 Sub-Elements

SMS Booklet


Hazards, Incidents, Accidents

Bird’s Triangle

600 Hazards

10 Incidents

1 Accident

Eliminate hazards and you will eliminate accidents

Hazard Identification: Fundamental Requirements

1. The fundamental requirements for effective hazard identification are:

» To get past perceptions and to quantify wherever possible

» To tap into the vast reservoir of knowledge that exists within Aviation and other complex industries

» To ‘think outside the box’

» Be paranoid: believe everything and believe nothing: continually test for the truth

Type Specific Hazards

Company Specific Hazards

Operation Specific Hazards

+

Generic Aviation Safety Hazards

Generic HSE Hazards

Location Specific Hazards

=

Major Aviation Safety Hazards

Significant Workplace Hazards

Aviation Safety Case

Workplace Safety Procedures (Defined in HSE-MS)

Which hazards?

Primary Sources for Identifying Hazards

Formal Hazard Models

Internal Sources

External Sources

Safety Critical

Processes

Hazard Register

Hazard and Effects Register

Note: Use this control sheet, one for each hazardous event, to summarise the key information of the worked Hazardous Event normally held electronically in full detail in an Excel Document

1. Hazard and Description : 2. Hazard Reference :

Prepared by: Custodian: Authorized by: Rev No: Date

3. Status of the hazardous event at the time of the risk assessment:

4. Activities in which the Hazardous Event may occur: 4.1 4.2 4.3

5. Remedial Actions Raised a. b. c. d. e. f.

6. Hazardous Event: 7. Location:

8. Threats and Threat controls, 9. Escalations and escalation controls, 10. Recovery from Hazardous Event, 11. Escalation and Escalation controls –

See appropriate Excel document. Document Reference No :

12. Risk Assessment

People Environment Asset Reputation

13. Consequence associated with hazard release: 14. Mitigation from consequences :

15. Accountable Line Management Sign-off having accepted current status: Line Department: Name: Signature : 15. Date :

Risk Analysis Process

– When identified and objectively analyzed, each hazard shall be subjected to a risk analysis. This shall be accomplished by using a risk matrix of a format commonly found in the industry

– The matrix is self-explanatory and even though some of the aspects may well be subjective, it at least allows the partial quantification of risk factors.

– The hazards are then ranked in terms of the rating obtained by use of the matrix

– In terms of the Shell model, all hazards ranked as ‘intolerable’ shall be subjected to a ‘bow-tie’ analysis.

The Risk Grading (Threat Analysis) Matrix

The ‘Bow-Tie’ Process

The Bow-Tie Process

For those hazards assessed as being ‘Intolerable’, develop ‘controls in depth’ as follows:

1. Identify the Threats that might release the hazard

2. Identify Controls to contain the Threats

3. Identify factors that could prevent the Controls from being effective: Escalation Factors

4. Develop controls to contain the Escalation Factors: Escalation Controls

5. The hazard is released, but its consequence has not yet occurred: what controls make detection and recovery possible: Recovery Measures

6. Identify Escalation Factors hampering detection and recovery

7. Identify a final layer of Escalation Controls

8. Identify measures to mitigate the effects of the Consequence

The Bow-Tie

[Figure: bow-tie diagram. Labels: Hazard; Threat; Control (three); Escalation (two); Hazardous Event; Recovery; Mitigation Measures; Consequence]

The Bow-Tie

[Figure: bow-tie diagram, tiger example. Legend: Hazard, Threat, Control, Escalation, Control, Recovery, Escalation, Control, Consequence, Mitigation. Labels: TIGER; Tiger out of the Cage; Tiger Bites Keeper; Cage Door Locking System; Twin Locks & Warning Lights; Competent Keepers; Unserviceable Warning System; Records & Maintenance; Shoot Tiger, or drive back in cage; Miss Tiger, or Tiger Evades Keeper; Effective Emergency Response Plan]

The Bow-Tie

[Figure: bow-tie diagram, aircraft example. Legend: Hazard, Threat, Control, Escalation, Control, Recovery, Escalation, Control, Consequence, Mitigation. Labels: PEOPLE; Human Error; Inappropriate pilot control input; Errors, Mistakes, Violations; Competence, Procedures, Systems; Monitoring and Feedback; Competence & Awareness; Non Compliant Practice; Make corrective control selection; Input can not be made in time; Effective Emergency Response; Aircraft Crashes]

[Figure: Percentage of Accidents Reported in NASA Study Preventable by Individual Mitigation Measures. Axes: Measures against Percentage accidents prevented (scale 0.0 to 35.0). Measures: Tail Rotor Impact Warning; EGPWS/TCAS; Perf Class 1/2e; HOMP/FOQA; HUMS/VHM; OC/QA/SMS; FFS Training + CRM/LOFT; Late FAR 29/Enhanced Handling. Annotations: Seven Key Initiatives; Requires development work]


So What is an SMS?

1. An SMS is a suite of standards, policies, procedures, practices etc that will assure the safe and effective execution of work (‘Quantitative’ Quality elements)

2. An SMS contains a structure for dynamic and flexible identification and control of risk to ALARP (‘Quantitative’ procedures and methods for the proactive management of safety: safety cases). This includes the requirement for a Safety Information System.

3. An SMS requires the application of Human Factors: communication, leadership and followership, conflict management, cultural aspects, motivation & commitment (‘Qualitative’ elements)

4. An SMS should encompass flight safety, ramp and maintenance safety, industrial (workplace) safety, occupational health, environmental protection and security

5. An SMS Manual should give the ‘big picture’ regarding safety management in the organization

Conclusion

• SMS is not a magic bullet: it is a set of tools and guidelines that, if tailored to the Organization and diligently applied, will reduce the probability of an accident to a level that is as low as is reasonably practicable (ALARP)

• Apply these tools and guidelines and you will have done all that can be reasonably expected of you as aviation professionals and as a ‘responsible operator’


QUESTIONS