SAFETY MANAGEMENT SYSTEM

Mohamed Chakib
Regional Officer, Safety Implementation, SMS Aerodrome
International Civil Aviation Organization (ICAO), MID Office Nov 2018, Cairo
Safety Management-Aerodrome

Module 1: Hazard Identification

27 November 2018 2
 Introduction
Risk Management Principles
HAZARDS
Concept
Definitions
Coding
DETECTION
Types
Sources
Analysis
DOCUMENTATION
Hazard Register
CONCLUSIONS

27 November 2018 3
How will stay in control with (nearly) no accident ?

Safety Barriers: We have to know them, to understand their role, to monitor

Them, “to maintain them”
The questions are: How far they protect us?
How do we know? Can we improve?
Accident

Recovery

27 November 2018 4
What is Risk Management?
 What is Risk Management?

 Safety Risk Management (SRM) is a key component of safety

management and includes hazard identification, safety risk
assessment, safety risk mitigation and risk acceptance.

 SRM is a continuous activity because the aviation system is

constantly changing, new hazards can be introduced and some
hazards and associated safety risks may change over time.

 In addition, the effectiveness of implemented safety risk

mitigation strategies must be monitored to determine if
further action is required
Source: ICAO SMM Doc 9859, 4th ED,
 Safety Risk Management. What Is It? (Continued)

 A fundamental component of the Safety Management

System (SMS). Risk Management serves to focus safety
efforts on those hazards posing the greatest risks.

 Weighs the probability and severity implied by the risk

against the expected gain of taking the risk.

 Facilitates the balancing act between assessed risks and

viable risk mitigation.

Source: ICAO SMM Doc. 9859

 When to Use SRM
1. During initial system and task analysis.
2. For all proposed changes, like new or modified:
 Systems
 Procedures
 Equipment
 Environment

3. When new hazards are discovered during daily

operations or Safety Assurance activities.
SMS Framework

9
SSP Framework

10
 Risk Management Principles

 Every system is inherently safety vulnerable

 System vulnerabilities are described in terms of:
- Hazards
- Consequences
- Risks
 Hazards are system components that can lead to adverse
consequences

 Safety risks are control measurements

27 November 2018 11
Risk Management Process
HAZARD IDENTIFICATION
• WHEN AND WHERE

HAZARD ANALYSIS
• CAUSES AND CONSEQUENCES

CONSEQUENCES
• RISK ANALYSIS: SEVERITY

LIKELIHOOD
• RISK ANALYSIS: FREQUENCY

TOLERABILITY
• RISK ANALYSIS: EVALUATION
ACTIONS TO TAKE
• RISK CONTROL: MITIGATION

27 November 2018 12
 Definitions

System Susceptibility of system to hazards as regards

to its exposure, diminish capacity to resist and/or
Vulnerability Recover from the effect of hazard

Possible result derived from a hazard.

Consequence The hazard capability to produce damage
Is materliazed in one or various consequences

27 November 2018 13
 What is a Hazard?

 A condition or an object with the potential to cause or

contribute to an aircraft incident or accident.

 In aviation, a hazard can be considered as a dormant

potential for harm which is present in one form or
another within the system or its environment. This
potential for harm may appear in different forms, for
example: as a natural condition (e.g. terrain) or
technical status (e.g. runway markings)

Source: ICAO SMM Doc. 9859. 4th ED

 Hazard Identification

 Hazard identification focuses on conditions or objects that

could cause or contribute to the unsafe operation of aircraft

or aviation safety-related equipment, products and services.

 A hazard may involve any situation or condition that has the

potential to cause adverse consequences. The scope for

hazards in aviation is wide.

Source: ICAO SMM Doc. 9859, 4th ED
 Hazard identification and prioritization

 Hazards exist at all levels in the organization

and are detectable through many sources
including reporting systems, inspections,
audits, brainstorming sessions and expert
judgement.

 The goal is to proactively identify hazards

before they lead to accidents, incidents or other
safety-related occurrences.
 Hazard identification and prioritization
The following should be considered when identifying hazards:

 system description;
 design factors, including equipment and task design;
 human performance limitations (e.g. physiological, psychological, physical
and cognitive);
 procedures and operating practices, including documentation and
checklists, and their validation under actual operating conditions;
 communication factors, including media, terminology and language;
 Hazard identification and prioritization
The following should be considered when identifying hazards:

 organizational factors, such as those related to the recruitment,

training and retention of personnel, compatibility of production and
safety goals, allocation of resources, operating pressures and
corporate safety culture;

 factors related to the operational environment (e.g. weather,

ambient noise and vibration, temperature and lighting);
 Hazard identification and prioritization
The following should be considered when identifying hazards:

 regulatory oversight factors, including the applicability and

enforceability of regulations, and the certification of equipment,
personnel and procedures;
 performance monitoring systems that can detect practical drift,
operational deviations or a deterioration of product reliability;
 human-machine interface factors; and
 factors related to the SSP/SMS interfaces with other organizations.
 Methods of Hazard Identification- Reactive

Mandatory Reporting Programs

1. This methodology involves analysis of past outcomes or events. Hazards are

identified through investigation of safety occurrences. Incidents and accidents are
an indication of system deficiencies and therefore can be used to determine which
hazard(s) contributed to the event.

2. These reports and notifications must be reported to the Safety Manager as well for
incorporation into the safety risk management process
Methods of Hazard Identification- Reactive
Voluntary Reporting Programs

1. Employees who work daily in the operational areas of the company are in the best
position to be aware of hazards and incidents.

2. The Voluntary Reporting Program is a confidential program that protects the identity of
the reporter.

3. The Voluntary Reporting Program is a non-punitive program that does not use
the reported information to punish employees, but is instead focused upon
developing process improvements to eliminate the identified hazards or control
the risks associated with the report.
Methods of Hazard Identification- Proactive
Operational Data Analysis

1. This methodology involves collecting safety data of lower consequence events or process
performance and analyzing the safety information or frequency of occurrence to determine
if a hazard could lead to an accident or incident.

2. The safety information for proactive hazard identification primarily comes from flight data
analysis (FDA) programmes, safety reporting systems and the safety assurance function.

3. These sources of operational data help to identify hazards.

4. Do trend analysis: data is monitored and analyzed for trends and other indications of
inherent hazards .
Hazard Propagation

Potential outcome/
Hazard Unsafe ultimate
consequence(s)
Event

27 November 2018 23
Hazard Propagation: Unsafe Event

The stage in the escalation of an

accident scenario where the accident
will occur, unless an active recovery
measure is available and is successfully
used.
(ref: ECAST guidance on hazard
identification)

27 November 2018 24
 Hazard Propagation: Potential Outcome/Ultimate Consequences

Definitions:

 The most credible outcome, ultimate event or accident

 The degree of injuries to personnel, damage to equipment or structures, loss of material,

or reduction of ability to perform a prescribed function arising from an Outcome.
Consequence has a magnitude (ECAST guidance on hazard identification)

27 November 2018 25
 Hazard Propagation: Potential Outcome/Ultimate Consequences

Recommendations:

 Consequences are what we ultimately want to prevent. They can be expressed generically as
losses, damages and/or injuries/fatalities directly. although those descriptions are valid, their
added value is limited.

 Instead we want to know how we got to that generic loss or damage. try to describe events
based in type of accidents or serious incidents including scenario related details

27 November 2018 26
Hazard Propagation- Example

Unsafe Potential
Hazard
Event outcome

27 November 2018 27
Hazard Propagation-Example

Unsafe Potential
Hazard Event outcome

27 November 2018 28
 Definitions
• Commercial Aviation Safety Team (CAST)/International Civil Aviation Organization
(ICAO) Common Taxonomy Team (CICTT): tasked with developing common
taxonomies and definitions for aircraft accident and incident reporting systems.

• ADREP: an occurrence category taxonomy that is part of ICAO’s accident and

incident reporting system. It is a compilation of attributes and the related values that
allow safety trend analysis on these categories.

27 November 2018 29
Hazard Coding: The generic component allows users to capture the nature of a
hazard with a view to aid in identification, analysis, and coding.

HAZARD TAXONOMY
PRECISE DEFINITION CONTEXT

27 November 2018 30
GENERIC TERM: HAZARD TAXONOMY (CICTT)

27 November 2018 31
GENERIC TERM: HAZARD TAXONOMY (CICTT)

Definition

Categories

Usage note

27 November 2018 32
SPECIFIC TERM: PRECISE DEFINITION

Hazard to be linked to a context to enable further processes and better understanding

27 November 2018 33
 Ultimate consequences/potential outcome: ADREP occurrence categories

Recommendation:
To classify operational consequences in terms of ADREP
Aviation occurrence category

LOC-I MAC RI RE RAMP

CFIT
27 November 2018 34
Hazard propagation: Aviation examples

POTENTIAL
HAZARD (GENERIC AND
OUTCOME/ULTIMATE
UNSAFE EVENT
SPECIFIC TERM) CONSEQUENCES

ENV. ADVERSE WEATHER - Runway incursion--

Improper snow removal Pilot misinterprets/Pilot can Aborted landing

process not see the markings

Ground Collision

27 November 2018 35
Hazard Capture

WHERE FROM? WHEN?

27 November 2018 36
 Accident Case
 During take-off, shortly after rotation, crew heard a loud
bang with associated #1Engine EGT, followed by left engine
failure. The #1 engine auto shut down and continued take-
off.

 The flight crew then declared an emergency and cleared for

landing. As the aircraft was over weighted, the rollout after
landing was prolonged causing high brakes temperature.

 Consequently resulted in the aircraft MLG thermal fuses

melted due to the high brakes temperature, and all of the
MLG tires deflated.
It was concluded that:
The shedding of the No.1nose wheel tire tread occurred as a result of tire contacting FOD.
Subsequently the damaged tire debris was ingested by the #1 engine causing engine failure

27 November 2018 38
 Some Hazard Identification and Analysis Tools used by airports
 Observation and reporting
Anyone working at the airport or using airport facilities should be able to report hazards that they see. The process
can be more effective when airport staff has received training on how to identify and report hazards, and a system or
tool is available for reporting, like a hotline or intranet based reporting system.

 Daily Inspection
Daily inspections are effective in identifying airside hazards. The procedure can be more effective if inspectors
have received training to identify types of hazards.

 Functional brainstorming
It consists of gathering a group of people to discuss the issue and identify hazards. A facilitator will make the
process more effective.

 Trend Analysis
Monitoring of safety performance indicators and statistics improves SRM by identifying undesirable trends
associated with certain hazards like birdstrikes, runway incursions, and injuries to personnel.
 Some Hazard Identification and Analysis Tools used by airports

 SRM triggers
Some common safety issues and hazardous situations can signal the need to put the SRM process in
action, or the need to convene a formal SRA.

 Accident and incident investigation

A thorough investigation can discover the causes and contributing factors, particularly those hazards
that are not obvious (for example deficient training), and investigation reports can communicate the
identified hazards to airport decision makers for SRM action.

 Audits
Safety and SMS audits are effective tools to identify hazards that are not obvious. Hidden hazards can
include outdated training, organizational issues, deficient operational processes and procedures.
 Some Hazard Identification and Analysis Tools
 Comparative Safety Assessment (CSA)
– Systematic assessment technique used to support decision-making by assessing and comparing the safety risk of
selected alternatives
 Preliminary Hazard List (PHL)
– Hazard identification tool that provides an initial overview of the potential hazards in the overall flow of the
operation
 Preliminary Hazard Analysis (PHA)
– Initial effort in risk assessment of the selected system
 Operations Analysis Tool
– Provides an itemized sequence of events or a flow diagram depicting the major events of an operation
 “What If” Process Tool
– Identifies hazards by visualizing them
– Asks “what if various failures occurred or problems arose?”
– Designed to capture the expertise of personnel involved in planning or executing an operation in a structured
manner
Hazards identification methodology
STRUCTURED WHAT‐IF TECHNIQUE (SWIFT)

• SWIFT is a facilitated brainstorming group activity It

involves a team of experts guided by a facilitator
• Typically carried out on a higher level system description
• A reduced set of prompts is used to initiate discussion

Hazards are recorded for further treatment

LIST OF PROMPTS (EXAMPLE)

• WHAT IF…?
• COULD SOMEONE…?
• HAS ANYONE EVER…?
27 November 2018 42
Template for What-If hazard analysis-Example
System What if? (1) Answer (2) Likelihood (3) Severity (4) Control Actions
Failure (5)

Fueling Mechanical failure adrift Fuel may spray Improbable Minor Use of locking mechanism
equip. nozzle during fueling out between Inspection and
mating faces maintenance Fueling
adapter on aircraft
designed to prevent back
flow

Human Faulty gauge system or Fuel spills from Remote Major (large Auto shutoff fueling
error human error leads to overfill surge tank vent on quantity of valves
of aircraft tanks the aircraft wing fuel spill) Overfill protection with fuel
onto the ramp sensors in surge tank

Aircraft Aircraft brakes are not Hose may get Improbable Major Operator should detect
equipment applied nor chocks are used ruptured aircraft movement Release
failure and aircraft moves dead man’s control to stop
fuel transfer
Chock aircraft

27 November 2018 43
 Hazard Log/Register Documentation

 A centralized hazard register may be a useful tool that ensures

harmonization and avoids duplication.

 the format may vary from a simple hazard list to a database

relating hazards and mitigations and responsibilities

As a minimum, a hazard register should contain:

• Hazard identification and description
• Risk assessment
• Potential consequences
• Risk controls description (mitigations)
• Allocation of responsibilities for mitigations and Associated
deadlines
• Other

27 November 2018 44
HAZARD LOG/Register (#1)

IDENTIFIED CONSEQUENCE EXISTING RISK FURTHER REVISED RISK ACTIONS

HAZARD MITIGATION MITIGATION (BY AND WHEN)
MEASURES

SEVERITY SEVERITY
LIKELIHOOD LIKELIHOOD
TOLERABILITY TOLERABILITY

27 November 2018 45
HAZARD LOG/Register (#2)
HAZARD TAXONOMY POTENTIAL OUTCOME
OPERATION/SYSTEM HAZARD Nº UNSAFE EVENT
/ ULTIMATE
GENERIC COMPONENT SPECIFIC COMPONENT
CONSEQUENCE

27 November 2018 46
Example
1. Runway End Safety Area (RESA)
2. Departure-End Runway Protection Zone (RPZ)
~1,500 ft
Airport
Terminal
Runway
2.
400-500 ft
Departures 1. (122-152m)

Direction of Runway Operations

Arrivals
~2600 ft (792m)

End-Around Taxiway Options

Nominal distances shown;
actual standards vary
N
Example: Hazards identification in current operations
ENV: w e a t h e r c o n d i t i o n s e x i s t t h a t c a n a f f e c t
GENERIC TERM b raking system d u ring ta ke-off
Te c h : a i r c r a f t e q u i p m e n t f a i l u r e d u r i n g t a k e - o f f
Hum: Human Error

Departure aircraft aborts take-off resulting in rwy overrun going beyond the RESA,
SPECIFIC TERM DESCRIPTION
+ CONTEXT

Unsafe Event Conflict between aircraft taking off and aircraft taxiing on the EAT

Potential outcome • High severity of RI on the EAT

• Collision with other aircraft on the EAT
27 November 2018 48
 Example: Hazards identification in current operations

HAZARD TAXONOMY POTENTIAL OUTCOME / ULTIMATE

OPERATION/SYSTEM HAZARD Nº UNSAFE EVENT CONSEQUENCE
GENERIC COMPONENT SPECIFIC COMPONENT
Environment Conflict between aircraft • High severity
Technical Departure aircraft aborts take-offtaking off and aircraft taxiing of RI on the Aircraft / equipment
Human error resulting in rwy overrun going beyondon the EAT EAT heavy damages and
Take-off 1
the RESA, • Collision fatalities
with other
aircraft on
the EAT
 Key Points to Remember
Hazards are normal system components, and their consequences are
usually manageable
When the hazard is released, control is lost and the system may
propagate into an adverse outcome
Hazards should be categorized into a generic component (in
accordance with a standard taxonomy) and a specific component
(description)
Hazards can be captured from data sources including current
processes and future changes
THANK YOU!