Safety Management System - ICAO

Transcription

SAFETY MANAGEMENT SYSTEM
Mohamed Chakib
Regional Officer, Safety Implementation, International Civil Aviation Organization (ICAO), MID Office
SMS Aerodrome Workshop
Nov 2018, Cairo

Safety Management-Aerodrome
Module 2: Risk Assessment
27 November 2018

INTRODUCTION
- SMS Framework
- Risk Management Principles
HAZARD ANALYSIS
- Objective
- BOW TIE Model
- BOWTIE XP
RISK ASSESSMENT & MITIGATION
- Risk Assessment Matrix
- Inherent & Residual risk
- Decisions on mitigations
DOCUMENTATION
- Hazard Log
CONCLUSIONS

SMS Framework

SSP Framework

Risk Management Process
- HAZARD IDENTIFICATION - WHEN AND WHERE
- HAZARD ANALYSIS - CAUSES AND CONSEQUENCES
- CONSEQUENCES - RISK ANALYSIS: SEVERITY
- LIKELIHOOD - RISK ANALYSIS: FREQUENCY
- TOLERABILITY - RISK ANALYSIS: EVALUATION
- ACTIONS TO TAKE - RISK CONTROL: MITIGATION

Objective
A structured hazard analysis should address these questions:
1. What is the hazard?
2. Which events can produce it?
3. What happens when the hazard is released? How can we reverse the situation?
4. How can the system propagate into an accident?
5. How can we avoid such an adverse outcome?

Hazard Analysis
Bowtie Model

Bowtie Model
[Diagram: BOW TIE. Q1: WHAT IS ...; Q2: CAUSES (SAFETY EVENT 1 to 4); Q3: OUTCOME (CONSEQUENCE 1 to 4); RECOVERY CONTROLS]

Bowtie model with examples

Example
Winter OPS: Airplane wing contamination on the ground
[Bowtie diagram; labels on the slide: Contamination of airframe surface while on ground; Contamination of engine intake on ground; Ground staff de/anti-icing; A/C commences TO with contaminated flying surfaces or engines; Crew perform AFM procedures for engines ice; SOP; RESA; AERP; RTO; LOC-I; Reduced performance; RE]

Bowtie XP: ADREP Taxonomy
- ADREP is the name of a common reporting taxonomy, which is periodically updated by ICAO in cooperation with relevant parties
- ADREP is aimed to achieve international harmonization, and thereby enable the exchange and aggregation of safety occurrences data
- To achieve that goal, safety management software tools need to be compatible with ADREP

Bowtie XP: Components

BOWTIEXP: TOP EVENT
State when control is lost over the hazard
Also known as undesired state or unsafe event:
- The first event in a chain of negative events leading to unwanted consequences
- It is not a catastrophe yet, but now there is exposure to the potential harm of the hazard
- However, it should be possible to bring the situation under control again

BOWTIEXP: SAFETY EVENTS
A possible cause that can release the hazard by producing the top event
Also known as threats, causes or triggering events:
- there can be multiple safety events for one top event
- each safety event represents a single scenario that could independently lead to the top event.
- direct means causally direct (not necessarily in terms of time)

BOWTIEXP: SAFETY EVENTS
A possible cause that can release the hazard by producing the top event
Sufficiency and independency:
- Each safety event (SE) itself should, in theory, be sufficient to directly cause the top event.
- If two SEs need to occur together for them to cause the top event, they need to be reformulated into one independent safety event

BOWTIEXP: CONSEQUENCES
An unwanted event resulting from the release of the hazard
Also known as potential outcomes:
- Consequences are events that are caused by the top event
- What we ultimately want to prevent

BOWTIEXP: CONSEQUENCES
Ultimate Consequences:
- Making consequences specific for a top event will lead to more specific barriers later on, and help to get more out of the bowtie
- Try to classify events based on type of accidents or serious incidents (e.g. according to ICAO ADREP occurrence category taxonomy), including scenario related details and consequences.

BOWTIEXP: BARRIERS
Safety barriers are physical and/or non-physical means planned to prevent, control, or mitigate undesired events or accidents
Also known as controls or mitigations.
There are three different places for barriers:
- Between a safety event and the top event (preventive barriers, also known as proactive barriers)
- Between the top event and a consequence (recovery barriers, also known as reactive or defense barriers)
- Between a barrier and an escalation factor (escalation factor barriers)

BOWTIEXP: BARRIERS
Preventive barriers:
- act against a safety event/top event.
- its effect takes place before the top event has happened (always present on the left side of the bowtie diagram).
- it can follow two strategies:
  - elimination. remove the safety event and make sure that there is nothing (or less) to cause the top event (they should appear to the left of the safety event, but for simplicity purposes they are located to the right)
  - prevention. stop the safety event from becoming a top event, either by blocking the causal effect of the safety event or directly stopping the top event from happening
[Example diagram labels: Wildlife activity; Wildlife radar detection/alert; WHCM-P; Degraded safety margin]

BowtieXP: Recovery Barriers
Aimed at regaining control once it is lost (top event has occurred). They act on the likelihood or severity of a potential consequence through:
- Control: Prevents the consequence from happening
- Mitigation: Does not prevent the consequence from happening, but lessens the severity of the consequence

Bowtie XP: Barriers Type

BowtieXP: Barriers Effectiveness
Barrier effectiveness is a way to assess how well a barrier performs.
- The purpose of rating control effectiveness is to highlight areas of strength and weakness within the bowtie, potentially using this information as a basis for a matrix based risk assessment
- The results are typically displayed according to a color code (e.g. red for poor through to green for good).
- When creating your effectiveness scale, consider the usefulness of allocating “average” as a score

BowtieXP: Barriers criticality
Not all controls will have the same importance with regard to the management of a specific event. Differentiating control significance according to criticality provides benefits such as:
- focusing attention for the purpose of communication to stakeholders.
- highlighting which controls require a greater depth of detail in terms of escalation factor consideration

BowtieXP: Escalation factors
A condition that leads to increased risk by defeating or reducing the effectiveness of a barrier
The following three escalation factor categories can be used:
- Human factors: anything a person does to make a barrier less effective
- Abnormal conditions: anything in the environment that causes a barrier to be put under strain
- Loss of critical services: if a barrier relies on an outside service, losing that service might cause it to lose effectiveness

BowtieXP: Escalation factors barriers
ESCALATION FACTORS BARRIERS: Barrier that manages the conditions which reduce the effectiveness of other barriers
- Escalation factor barriers are the same concept as all the previously discussed barriers, but now they do not prevent/mitigate a top event or consequence from happening, but they prevent a barrier from failing.
- The same principles that apply to normal barriers also apply to escalation factor barriers

Bowtie in simple way during brainstorming sessions

HAZARD: Human Error: Delay pilot recognition of RI by departure pilot because the departure pilot mistakes the incurring aircraft for one safely on the EAT

SAFETY EVENTS
- Flight crew do not comply with procedures
- Ineffective flight crew communications

PREVENTIVE CONTROLS/BARRIERS
- ATCO monitors & solves potential conflict
- CRM
- SOP

UNSAFE (TOP) EVENT
- Conflict between aircraft taking off and aircraft taxiing on the EAT

RECOVERY CONTROLS/BARRIERS
- Compliance with procedures
- AERP

POTENTIAL OUTCOME / ULTIMATE CONSEQUENCES
- High severity of RI on the EAT
- Aircraft/equipment heavy damages, fatalities
- Collision with other aircraft on the EAT

BOWTIE: Added value
Bowtie provides benefits to safety management processes due to:
- Effective, visual depiction of hazard components
- Balanced overview for internal and external stakeholders (including third party risks)
- Increased awareness and understanding of the hazards leading to accident scenarios.
- Best practice guidance material for safety risk management at an operational and regulatory level.
- Identification of critical risk controls and an assessment of their effectiveness

Risk Assessment and Mitigation

Risk Assessment and Mitigation
Risk is the composite of the predicted probability (or likelihood) and severity of each possible consequence.
Risk Probability & Severity
Source: ICAO SMM Doc. 9859 Chp. 5.6
Aviation Risk Management

Risk Assessment
[Diagram: Hazard A with several possible consequences, each with its own Risk, Probability and Severity]

Risk Concept
SAFETY IS ASSOCIATED TO THE CONCEPT OF RISK, DEFINED AS A COMBINATION OF THE ANALYSIS OF TWO TERMS:
AN OBJECTIVE PROCESS THAT ALLOWS FURTHER DECISION MAKING (ACCEPTANCE OR REJECTION)

RISK ASSESSMENT MATRIX
- A risk matrix is just used for ranking events and deciding whether you need to accept the risk or reduce it through mitigations
- Decisions need to be based on an underlying analysis (such as a bowtie diagram) that will tell what will cause the unsafe event and what an organization is already doing to control it.
[Figure: risk matrix with axes Safety Risk Severity and Safety Risk Probability]

RISK ASSESSMENT MATRIX
FAA
The risk matrix may be customized to reflect the context of each service provider, and aviation activities, and may be subject to the agreement with its regulatory authority
Elements to be considered for customization are
Qualitative and quantitative criteria to define:
- Likelihood depending on the availability of the historical data series
- Severity, depending on the nature of the supplied service

SEVERITY (VALUE and SEVERITY, as defined by ICAO SMM (Fig 2.12) and FAA ARP Internal Order 5200.11)

A CATASTROPHIC
  ICAO SMM (Fig 2.12):
  - Equipment destroyed
  - Multiple deaths
  FAA ARP Internal Order 5200.11:
  - Complete loss of aircraft and/or facilities or fatal injury in passenger(s)/worker(s); or
  - Complete unplanned airport closure and destruction of critical facilities; or
  - Airport facilities and equipment destroyed

B HAZARDOUS
  ICAO SMM (Fig 2.12):
  - A large reduction in safety margins, physical distress or a workload such that the operators cannot be relied upon to perform their tasks accurately or completely
  - Serious injury
  - Major equipment damage
  FAA ARP Internal Order 5200.11:
  - Severe damage to aircraft and/or serious injury to passenger(s)/worker(s); or
  - Complete unplanned airport closure, or
  - Major unplanned operations limitations (i.e. runway closure), or
  - Major airport damage to equipment and facilities

C MAJOR
  ICAO SMM (Fig 2.12):
  - A significant reduction in safety margins, a reduction in the ability of the operators to cope with adverse operating conditions as a result of an increase in workload or as a result of conditions impairing their efficiency
  - Serious incident
  - Injury to persons
  FAA ARP Internal Order 5200.11:
  - Major damage to aircraft and/or minor injury to passenger(s)/worker(s), or
  - Major unplanned disruption to airport operations, or
  - Serious incident, or
  - Deduction on the airport’s ability to deal with adverse conditions

D MINOR
  ICAO SMM (Fig 2.12):
  - Nuisance
  - Operating limitations
  - Use of emergency procedures
  - Minor incident
  FAA ARP Internal Order 5200.11:
  - Minimal damage to aircraft or
  - Minor injury to passengers, or
  - Minimal unplanned airport operations limitations (i.e. taxiway closure), or
  - Minor incident involving the use of airport emergency procedures

E NEGLIGIBLE
  ICAO SMM (Fig 2.12):
  - Few consequences
  FAA ARP Internal Order 5200.11:
  - No damage to aircraft but minimal injury or discomfort of little risk to passenger(s) or workers

tremely Remote

- ICAO SMM (Fig 2.11): Almost inconceivable that the event will occur
  FAA ARP Internal Order 5200.11: Expected to occur every 100 years

- ICAO SMM (Fig 2.11): Very unlikely to occur (not known to have occurred)
  FAA ARP Internal Order 5200.11: Expected to occur once every 10-100 years or 25 million departures, whichever occurs sooner

3 REMOTE
  ICAO SMM (Fig 2.11): Unlikely to occur, but possible (has occurred rarely)
  FAA ARP Internal Order 5200.11: Expected to occur about once every year or 2.5 million departures, whichever occurs sooner

4 OCCASIONAL
  ICAO SMM (Fig 2.11): Likely to occur sometimes (has occurred infrequently)
  FAA ARP Internal Order 5200.11: Expected to occur about once every month or 250,000 departures, whichever occurs sooner

5 FREQUENT
  ICAO SMM (Fig 2.11): Likely to occur many times (has occurred frequently)
  FAA ARP Internal Order 5200.11: Expected to occur more than once per week or every 2500 departures, whichever occurs sooner

RISK ASSESSMENT
Safety risk is the projected likelihood and severity of the consequence or outcome from an existing hazard or situation:
- severity is defined as the extent of harm that might reasonably occur as a consequence or outcome of
- consider all possible consequences related to an unsafe condition or object, taking into account the worst foreseeable situation
- probability is defined as the likelihood or frequency that a safety consequence or outcome might occur

INHERENT & RESIDUAL RISK
Two possible types of risk can be estimated during the assessment of a particular system:
- Inherent risk is associated to the worst foreseeable (or credible) situation subject to analysis
- Residual risk that takes into account the effect of the safety actions that could be implemented to improve system's safety performance by bringing down risk to an acceptable level
Decision making at management level
[Figure labels: Inherent risk; Residual risk]
- Barriers have brought the risk down to an acceptable level but
- Additional effort may be required to obtain further risk

Safety risk mitigation strategies
- Safety risk mitigation is often referred to as a safety risk control.
- Safety risks should be managed to an acceptable level by mitigating the safety risk through the application of appropriate safety risk controls.
- This should be balanced against the time, cost and difficulty of taking action to reduce or eliminate the safety risk.
- The level of safety risk can be lowered by reducing the severity of the potential consequences, reducing the likelihood of occurrence or by reducing exposure to that safety risk.
- It is easier and more common to reduce the likelihood than it is to reduce the severity.

Safety risk mitigation strategies
- Avoidance: The operation or activity is cancelled or avoided because the safety risk exceeds the benefits of continuing the activity, thereby eliminating the safety risk entirely.
- Reduction: The frequency of the operation or activity is reduced, or action is taken to reduce the magnitude of the consequences of the safety risk.
- Segregation: Action is taken to isolate the effects of the consequences of the safety risk or build in redundancy to protect against them.

Tolerability
A risk mitigation strategy may include multiple approaches and it is important to consider them to find an optimal solution. Each proposed safety risk mitigation alternative should be examined from the following perspectives (SMM Doc. 9859, 4th Ed.):
- effectiveness: the extent to which the alternatives reduce or eliminate the safety risks can be determined in terms of the technical, training and regulatory defenses that can reduce or eliminate safety risks
- cost-benefit: the extent to which the perceived benefits of the mitigation outweigh the costs
- practicality: the extent to which mitigation can be implemented and how appropriate it is in terms of available technology, financial and administrative resources, legislation and regulations, political will, etc.
- acceptability: the extent to which the alternative is consistent with stakeholder paradigms

Tolerability
A risk mitigation strategy may include multiple approaches and it is important to consider them to find an optimal solution. Each proposed safety risk mitigation alternative should be examined from the following perspectives (SMM Doc. 9859, 4th Ed.):
- enforceability: the extent to which compliance with new rules, regulations or operating procedures can be monitored.
- durability: the extent to which the mitigation will be sustainable and effective
- Residual safety risks. The degree of safety risk that remains subsequent to the implementation of the initial mitigation and which may necessitate additional safety risk control measures
- Unintended consequences. The introduction of new hazards and related safety risks associated with the implementation of any mitigation alternative.
- Time. Time required for the implementation of the safety risk mitigation alternative

[Flowchart; labels on the slide: ... RISK; MITIGATION; ACCEPTABLE RESIDUAL RISK; NO (three branches); CONTINUE OPERATIONS; IDENTIFY AND IMPLEMENT MITIGATIONS; CANCEL OPERATIONS]

SRM Documentation
- Findings/results of each safety risk assessment must be documented.
- Both the results of the assessments and the decisions made when determining if safety assessments are required are documented and kept on file for the life of the proposed change.

Suggested Hazard Worksheet Contents
A Hazard Worksheet contains, at a minimum:
- description of the proposed change
- identified hazards
- estimation of risk
- description of existing and planned mitigation
- description of methodology for tracking hazards and verifying effectiveness of mitigation controls throughout the lifecycle of the system or change
- method for monitoring operational data to ensure hazards are controlled
- identification of the organization responsible for the conduct of the analysis and tracking of the resolution, if any
- a recommendation concerning the implementation decision

Hazard Log
- Each risk mitigation exercise will need to be documented as necessary.
- This may be done on a basic spreadsheet or table for risk mitigation or by risk mitigation software to facilitate the documentation process

SRA Triggers
The Safety Risk Assessment (SRA) is a safety assessment performed by a panel of stakeholders and subject matter experts (SMEs) to analyze a safety issue, run the SRM process to establish risk mitigation actions, and document the process. The SRA is a formal application of the SRM process to study an airport condition, either planned or discovered.
The SRA is triggered by conditions or events at the airport; follows the SRM process in a formal, proactive manner; is facilitated by a person well versed in the SRM process; and provides airport management with actionable knowledge to enhance effective, risk-informed decisions.

Basic Principles
An SRA should be conducted any time the airport determines that a full safety analysis of an airport condition or event is warranted. Three rules of thumb can help in the determination:
- A change in the airport system is pending.
- The allocation of significant airport resources is required
- An undesirable trend in airport safety metrics is revealed
An SRA Trigger is a condition, a system change, or piece of information that prompts management to convene a panel to conduct the full SRM process or an event that automatically requires convening a panel. In most cases, SRA triggers are associated with safety issues that require a multidisciplinary team to perform the SRM process thoroughly.

Common airport SRA triggers
(SRA Trigger, with each Description followed by its Example)

Construction
- Airfield improvement. Example: Runway extension
- Airfield rehabilitation. Example: Resurfacing Taxiway C
- Airfield maintenance (beyond day to day work). Example: Rubber removal
- Construction of tower. Example: Construction of new ATC tower
- Terminal expansion. Example: Additional gates and gate areas
- Landside roadway reconfiguration. Example: Additional lanes into the terminal area
- Parking area modifications or rehab. Example: Parking garage rehab or updating facilities
- Changes in access roads onto airport property. Example: Adding or subtracting lanes and access points

Standard Operating Procedures Changes
- New SOP. Example: SOP for towing aircraft; SOP for mowing grass in safety areas
- Modification to existing SOP. Example: Changes to SOP on snow removal due to new equipment

Airport Organization
- Significant changes to airport organizational structure or key personnel. Example: Rearranging the Department of Operations; creating an SMS Division

Common airport SRA triggers
(SRA Trigger, with each Description followed by its Example)

Safety Reports (Hazardous Condition Reports)
- Safety issues reported by pilots or airport employees (including tenants). Example: Reports of pavement failure, blind spots, or hazardous conditions on the ramp
- Safety issues resulting from daily inspections. Example: FOD generated by poor pavement conditions at the intersection of taxiways
- Accidents and incidents. Example: Surface or ramp accident; birdstrikes

Special Event
- Major sport events. Example: Super Bowl; Olympic Games; Major College Football Game

New Equipment or Software
- New aircraft brought in by a carrier. Example: Starting operation of A380 or B787 aircraft
- New passenger boarding bridge. Example: Installation of new bridges that have different capabilities
- New ramp equipment that requires special consideration. Example: Introduction of towbar less tractor
- Changes to information management systems. Example: Changes to reporting procedures during self inspections

Safety Assurance
- Trends identified from safety performance indicators (e.g. birdstrikes, FOD, etc.). Example: Increase of birdstrikes with damage to aircraft
- Safety audits. Example: Unsatisfactory SMS internal or external audit results

Categories of SRA Triggers
Hazard Reports
Hazard reports at airports are used to describe safety issues (e.g., presence of wildlife, damaged NAVAID, and FOD) identified during routine procedures. The diverse sources may include:
- Daily inspections by airport staff
- PIREPs
- Observations from airfield workers (e.g., Maintenance, ARFF, and FBO)
- Observations from ATCT personnel

Categories of SRA Triggers
Accident and Incident Reports
Accident and incident reports constitute an important category of triggers. In most cases, these reports lead to an accident or incident investigation. The purpose of an investigation is to determine causal and contributing factors to the event so such factors can be prevented or mitigated. Airport staff can augment and complement investigations by performing an SRA and identifying risk mitigation actions and staff responsibilities to reduce the chances of a similar incident or accident.
The most common types of accidents and incidents in this category are:
- Surface incidents/accidents
- Wingtip collisions and incidents
- Runway incursions and excursions
- FOD (damage)
- Wildlife strikes

Categories of SRA Triggers
Trend Analysis
With the implementation of SMS comes the introduction of safety performance indicators. These could be new measures of safety developed to support the SMS and its SRA component. Data for these indicators are collected and trends are followed to determine the need for new actions if an undesirable trend is identified. Examples of indicators in this category are the frequency of wildlife strikes at the airport, the number of FOD incidents in movement areas, or the number of specific incidents on the ramp (e.g., frequency of vehicle/equipment speeding reports).

Categories of SRA Triggers
Major System Changes
Major system changes at the airport are sources of risks. Some typical examples of such changes include:
- Airfield improvements: runway rehabilitation and extension, construction of new taxiway, renovation of terminals
- Operation of a new large aircraft: B747-800, A380
- Changes to airport management: reorganization of Dept. of Operations, new Director at a small airport
- Introduction of new snow control equipment
- Special events: Super Bowl, college football game, air show
- Introduction of new systems: new NAVAID, new IT system for work orders
- Development of new operational or administration procedures
- Financial priority adjustments
- Rapid airport growth: aircraft operations increases, passenger increases

Categories of SRA Triggers
New SOPs
In most cases, the introduction of a new SOP will not represent a major system change. However, SOPs that focus on procedures used in the airfield can substantially affect safety. Conducting an SRA may enhance the safety effect of the changes and enable stakeholders to examine fully how the change affects their operations.

Conducting an SRA
Phases: SRA Preparation; SRA Conduct; SRA Documentation
Activities listed on the slide:
- Introduction; SRM Basics; SRA template and examples; SRA facilitation; Identification of system
- Review documents; Develop SRA plan; Identify panel members; Identify facilitator; Contact stakeholders; Prepare material; Develop preliminary hazard list
- Consolidated info recorded; Prepare report; Submit report for approval

Key points to remember
- Risk assessment based decisions are founded upon:
  - customized risk classification schemes for the provided service or operation
  - an underlying analysis (such as a bowtie diagram) to explore incident/accident causal chains and what organizations are doing to control
- Risk can be expressed as inherent and residual. Both estimations will determine the need for mitigations
- Risk mitigation strategies may include multiple approaches and it is important to consider them to find an optimal solution
- Each risk mitigation exercise needs to be documented as necessary
- SRA triggers need to be conducted thoroughly

THANK YOU!
