Title: Introduction to the management of safety New ICAO Annex 19
1. Introduction to the management of safety
New ICAO Annex 19
- Jean-Pierre ARNAUD
- R4.2 Rulemaking officer
- 27 June 2012
2. ICAO definition of SMS
- Safety Management System (SMS): a systematic approach to managing safety, including the necessary organizational structures, accountabilities, policies and procedures
- It provides a systematic way to identify hazards and control risks while maintaining assurance that these risk controls are effective.
Did you understand?
...me neither!
Let's try another way
3. On the menu today
4. Component n°2: Safety risk management
5. The Titanic case
6. 14 April 1912
- The largest steamer in the world, promoted as "the unsinkable"... sunk!
- The court reported that the loss of the Titanic was due to collision with an iceberg, brought about by the excessive speed at which the ship was being navigated.
- Weather and navigation conditions
  - Calm night, flat surface: no noise, no light reflected off waves
  - No moonlight at all: no visibility
  - In April, icebergs remain a hazard when you navigate north, and the probability of hitting an iceberg is high.
  - 1912 was reported to be a very cold year, with numerous icebergs straying abnormally far south.
- ...role of observation, statistics and metrics...
7. Additional noticeable safety factors: applicability
- Design: double bottom; built to remain afloat if as many as 4 of its watertight compartments were flooded; after the collision, 5 flooded
- Manufacturing: one allegation is that, under great pressure, the shipyard resorted to using second-rate iron rivets
- Operational rules: Titanic did not carry enough lifeboats to save all aboard, although it met British safety codes (outdated, however the most advanced at that time)
- Certification and operations: organizational factors
  - Inadequate emergency procedures
  - Lifeboat n°1 departed with only 12 people instead of 40.
  - Several lifeboats were unusable due to the configuration of the sinking
- It was a maiden voyage
  - No real test of the ship in operations and no training in real conditions
  - Not enough experience (evacuation, size of the boat, configuration, etc.)
- Navigation services
  - Titanic received 6 messages on April 14 warning of the approaching ice field: all disregarded
8. Piling pressures
- The alleged root reasons why the captain persevered in his course, and maintained high speed, are probably to be found
  - in competition with other means of transportation
    - The captain of the ship was allegedly invited to set a speed record for its landmark maiden journey between Southampton and NY in order to increase the profit of the investors
    - Therefore the ship navigated too far north in order to save time.
  - in the desire of the public for quick passages rather than in the judgement of navigators (safety culture)
  - in the belief he had in the boat ("unsinkable")
- Human factor: overconfidence
9. Titanic case
- Hazard
  - Collision with iceberg
- Probability and severity
  - High if you navigate northerly
  - Higher with no moonlight
  - Very high if you ignore the warning messages
- Risk is the combination of hazard and probability of severity
10. Titanic case
- How to mitigate the risk?
  - Reduce speed
  - Increase vigilance
  - Reinforce radio monitoring
  - Navigate more southerly of Canada
  - Take timely, effective management decisions
- This is called risk management
  - Identify the hazard, evaluate the risk, assess whether it is acceptable, and mitigate the risk if necessary to reduce it to an acceptable level
- The Titanic case is clearly a failure in risk management, as all the information was available to avoid the accident.
- Risk management is a subset of safety management (component n°2)
11. This accident also highlights
- Just culture: (non-)criminalization
  - The captain was cleared of blame
- Safety culture
  - Captain (retired for the night at 21h30 despite the warning messages about icebergs)
  - Crew team (no one questioned the captain's decision)
  - Senior management of the operator and manufacturer pushing to accelerate the assembly of the steamer
  - Shareholders (money, money, money)
- The need to have an effective decision-making management process in operations
12. What can we learn from this event?
- This event is not out of date, and the root causes are still of interest in the aviation domain
  - Human factor, piling pressure from shareholders, safety culture, organizational and human factors
- Safety management applies to any domain
  - Nuclear, railways, etc... even your private life
  - Rules, design, certification, manufacturing, operations, navigation services, infrastructure
- Safety management is not a novelty
  - Clinical approach started in the 90s
  - ICAO started to adopt SARPs in 2003
  - Accident investigation boards have repeatedly and strongly recommended implementing it asap.
13. Safety risk management
14. Safety risk management
- Key words
  - Hazard, consequence, risk, mitigating factors, risk management.
- Challenges
  - Identify the relevant hazards
    - Reporting systems and all kinds of safety information will help
  - Assess correctly the probability and severity
    - Collection of data and sharing will help
  - Address the appropriate mitigating factors
  - Effectively manage the safety of the operations
  - Exchange of information on safety data, safety hazards and risks between stakeholders.
15. Component n°3 is Safety Assurance
16. Paramount objective of the safety management
- To reduce the accident rate per million flights
- Currently around 4 accidents per million flights (next slide; source: ICAO, MTOW above 2250kg)
17. Which year would you prefer to travel?
- If you had this kind of indicator in your life... you would start to manage your life differently
18. Safety intelligence
- With the advent of the computer, data serve as a comprehensive source of aviation safety information.
- Technology explores all domains and brings us a huge amount of data for analysis
  - Equipment monitors and records everything, even satellites
  - Statistics are everywhere
- Mandatory and voluntary incident and accident reporting systems, helping in identifying hazards.
- Predicting the future (proactive approach) by selecting the right metrics... and then acting accordingly
19. Active failure versus latent failure
- The accidents are just the tip of the iceberg, named active failures.
- There is still a vast quantity of data from the bottom of the iceberg, called latent failures, waiting for triggering factors in order to emerge.
- Safety-related data intelligence and safety analysis highlight capabilities that assist organisations in
  - Identifying hazards and risks (systematically or using reporting systems, incidents, any safety-related events or reports, audits, safety studies, experience, etc.)
  - Collecting and analyzing all the data available
  - Getting the trends and acting accordingly
20. Proactive approach
- Each State or each service provider has to
  - Collect safety-related data and analyse them
  - Set up key safety indicators reflecting its activities
  - Define and target objectives
  - Monitor the system in place by evaluating the overall performance of the system
  - Improve or maintain its safety performance
  - Eventually allocate the most effective resources to meet these objectives.
- This is called the proactive approach.
- In addition, the State will oversee the Safety Performance Indicators (SPIs) of the service providers and share data.
21. High-level instances (main contributors in accidents)
- Runway safety related (incursions, excursions, ground collisions)
  - Ex.: reported accidents and serious incidents involving runway excursions have increased during the last decade
- Loss of control in-flight
- Controlled flight into terrain
- Collision in flight
22. Instances of low-level safety metrics
- State
  - Development/absence of primary aviation legislation or operating regulations
  - Level of regulatory compliance: Lack of Effective Implementation (LEI, USOAP ICAO indicator)
  - Does the audit programme cover all activities?
- State and organisation
  - Incident rate or incidents reported
  - Number of deviations from the SOPs (Standard Operating Procedures)
- Organisation
  - Measurement of safety culture in an organisation or open climate in an organisation for reporting
  - MTBF for maintenance (Aircraft, ANS and Aerodrome)
  - Dispatch or stabilized approaches (operations)
  - Deviations from the flight path or separation (Air Navigation Services)
  - Bird strikes (Aerodrome)
23. The data will set you free.
The goal is to transform data into information, and information into insight
Ernest Greenwood
24. Component n°3 is Safety Assurance
25. Challenges and key words for safety assurance
- Safety assurance based on effective safety data-driven processes, but not being entirely data-driven
- Collecting information in an organized and standardized manner; sharing and protecting information
- Setting the right Key Safety Indicators (moving from concept towards implementable / practical KSIs)
- Managing properly (safety trends and effective decision making)
- Collaboration between States and Service Providers (KSIs)
- Compliance with the rules remains a must
- Develop performance-based oversight and performance-based rules
- Enhancement of regional agencies (RSOOs: oversight; RAIOs: accidents, incidents), eliminating duplication of efforts, fostering cooperation (sharing information, databases) and independence
26. Component n°4 is Safety Promotion
27. Safety promotion
- Safety promotion based on
  - Internal and external training
  - Communication and dissemination of safety information
- Train (initial and continuous) your staff, educate, inform, increase the level of safety awareness, promote your policy and your objective, communicate, instruct, share
- Develop and maintain the level of safety culture among the States, the organisations or any stakeholders playing a role in safety
- It includes senior management, front-line management, staff in the field, decision-makers, etc.
28. What is safety culture?
- Safety culture is the set of enduring values and attitudes regarding safety issues, shared by every member at every level of an organization.
- Refers to the extent to which every individual of the organization is aware of the risks and unknown (?) hazards induced by their activities
- Objective: raising and maintaining the level of awareness
- In that sense, component n°4 of safety management is the promotion of safety awareness
29. Concorde and safety culture (1)
- Concorde F-BTSC accident, 25 July 2000, France
- 109 casualties, a/c destroyed
- Source: final investigation report, available at http://www.bea.aero/docspa/2000/f-sc000725a/htm/f-sc000725a.html
- The French BEA concluded in 2002 that a metal wear strip, fallen off a DC-10 that took off 4 minutes earlier, had punctured a tire of the Concorde, sending shards of rubber into the fuel tanks, leading to flames pouring from its undercarriage and causing the plane to crash into a hotel a few kilometers away.
- The strip was attached with rivets close to other previously existing holes (reverse of the engine) and was improperly attached
30. Concorde and safety culture (2)
- Who could have thought that this 40cm long piece of metal was a killer?
- Not even the mechanic who did the repair
- 8 holes and rivets over 5 cm long
31. Concorde and safety culture (3)
32. Concorde and safety culture (4)
33. DC10 reverse: as found / how it should be
- Holes too close
- 37 holes in total
- Correct spacing: only 12 holes were allowed
34. Concorde and safety culture (6)
- The engine cowl support was drilled with 37 holes, whereas the installation of the strip required only 12.
- Therefore the strip was attached with rivets close to other previously existing holes and was improperly attached, resulting in it falling onto the runway.
- The mechanic (a sheet metal worker, not certifying staff) used titanium, rather than aluminium (higher resistance), to construct a replacement piece (deviation from the maintenance repair as prescribed by the engine manufacturer).
- The mechanic who did the repair and the certifying staff who released the aircraft to service were charged with negligence (just culture).
- This part had been replaced during a C check 6 weeks before the accident took place.
- 3 weeks after the C check, the part detached again and was replaced by another part (the one that fell off on 25 July 2000).
- These signals should have alerted the maintenance organization that improper maintenance had been carried out and that the troubleshooting was poor. The organisation was charged with negligence.
35. Component n°4 is Safety Promotion
36. Component n°1 is
37. Component n°1: Policies and Objectives
- Responsibilities, accountabilities and commitment, including identification of key safety personnel
- A legislative framework for the State
- An accident and incident investigation for the State
- A mandatory and voluntary incident reporting system (State and service provider)
- Policies and resources to collect and analyse safety data
- Emergency response planning for the service provider
- A process to set up objectives, policies, monitoring and maintaining... then train and communicate
- Documentation (process, manual and procedures)
- The management of changes
- An enforcement policy
38. About the reporting system
- Report! And avoid the sinking
- It must
  - Be voluntary
  - Be anonymous
  - Identify the hazards and better understand the latent failures
  - Should not lead to any blaming except in the case of a malicious act or gross negligence (this is called just culture)
  - Be supported by a statement / commitment of the accountable manager (no blaming)
- Just culture (definition): an atmosphere of trust in which people are encouraged to provide essential safety-related information, but in which they are also clear about where the line must be drawn between acceptable and unacceptable behavior.
39. Safety policies and objectives - component n°1
- Key words: Just culture
- Challenges
  - Criminalization or lay-off of staff
  - Protection of persons and data
  - Commitment of the personnel and effective implementation of the policies
    - In particular middle and front-line management (leadership and safety culture in the field play essential roles)
  - Safety vision
  - Transparency and sharing
  - Effective implementation
40. Vocabulary
- The safety management is called
  - SSP (State Safety Programme) for the State
    - EASA has developed the EASP
    - ICAO has developed the GASP
  - SMS (Safety Management System) for the service provider.
41. Main objectives of the State Safety Programme
- Ensure that a State has the minimum required regulatory framework in place
- Ensure coordination and harmonization amongst the State's regulatory and administrative organizations in their respective safety risk management roles
- Facilitate monitoring and measurement of the aggregate safety performance of the service providers
- Coordinate and continuously improve the State's safety management functions
- Provide appropriate oversight functions
- Promulgate and support effective implementation and interaction with service providers' SMS
- Facilitate data aggregation
- Facilitate information sharing
- Promote safety
42. What is ICAO Annex 19?
43. What is Annex 19, First Edition
- Compilation of common existing safety management provisions from existing annexes into one single new annex
- Annex 1: Personnel Licensing
- Annex 6: Operation of Aircraft
  - Part I: International Commercial Air Transport, Aeroplanes
  - Part II: International General Aviation, Aeroplanes
  - Part III: International Operations, Helicopters
- Annex 8: Airworthiness of Aircraft
- Annex 11: Air Traffic Services
- Annex 13: Aircraft Accident and Incident Investigation
- Annex 14: Aerodromes
  - Volume I: Aerodrome Design and Operations
44. Applicability (Service providers)
- A) training services that are directly exposed to safety risks
- B) operation and maintenance of aeroplanes and helicopters involved in international commercial air transport
- C) operation of aeroplanes and helicopters involved in international general aviation, except aerial work
- D) type design and manufacture of aircraft, engines, and propellers
- E) air navigation services; and
- F) operation of aerodromes.
45. Content of Annex 19
- Five chapters, 2 appendices and 2 attachments
  - Definitions
  - Applicability
  - State safety management responsibilities
    - Appendix 1: State safety oversight system
    - Attachment A: Framework for a State Safety Programme (SSP)
  - Safety Management System (Service providers)
    - Appendix 2: Framework for a safety management system (SMS)
  - Safety data collection, analysis and exchange
    - Attachment B: Legal guidance for the protection of information from safety data collection and processing systems
46. Status of Annex 19
47. Benefit of Annex 19
- The consolidation of provisions from six different Annexes into a new draft Annex had been undertaken with the intent of improving implementation
- Enhancing the role of the State at a higher level (coordination between all domains and all stakeholders)
- Having a legal basis in one unique document
- Developing harmonized standards that are applicable to several domains
- Better identifying and developing the future needs
- Having a dedicated ICAO panel, working on the next iterations (EC and EASA are members)
- Having a global vision through implementation.
48. Future needs or challenges
- Better integration between the SSP and the oversight system
- Better and higher State policy, not only at CAA level (implementation, overall performance and coordination between all actors)
- Collection, sharing and protection of data
- Analysis and common formatting of safety data (standardisation)
- Identification of hazards
- Just culture (criminalization)
- Better coordination between AIG and State, between States and Agencies
- Development of an Emergency Response Plan by both the State and the service provider
- Development of implementation guidance
- Effective and efficient safety indicators
- Scalability
- Training, safety culture
  - Industry and State (e.g. oversight inspectors)
- Communication between State and Service Providers
- Moving from compliance towards performance
49. Benefit of integrated safety management
- What's being put forward is a vision of a community identifying hazards, sharing data, etc.
- The recent agreement signed between EASA and Singapore illustrates this willingness.
- The role of Regional Agencies and Regional investigation boards is another example of cooperation and development.
- EASA / EASP common objectives: 27 States
50. This is not a cure-all system
- It is not a revolution but an evolution
  - Just a clinical approach to better managing safety
  - A kind of modern management of safety with the available technological tools
- It is an additional layer
  - Traditional compliance with the rules remains a must
  - Safety management builds on this foundation because most incidents or accidents are due to deviation from the SOPs
- Make our processes and procedures more robust
- Raise our awareness, performance and safety culture
- Develop an integrated safety system (complex environment needing coordination).
51. How does it affect EASA?
- Establishment of an EASP (the global safety vision)
- Identification of hazards and risks, safety performance indicators, etc.
- Coordination between all partners
- Being more data-driven, collecting all safety info (E2, E6)
- Review of our processes and procedures, introducing the management of risks on top of compliance with the rules
  - Certification of aircraft (C)
  - Performance-based oversight (Standardisation Inspection Annual Programme - SIAP) (S); workshop next October
  - Performance-based rules (R)
  - Safety assurance (E)
- International cooperation and sharing (based on agreements) (E, R, C, S)
- Training and competence (EASA staff, States, stakeholders)
- Promotion of safety everywhere: safety culture
- Better managing our internal resources
52. Basic Safety Management Tool Kit
- ICAO Annex 19
- SMM edition 3 (ICAO doc 9859)
- Rulemaking focal point within the Agency: Regine.hamelijnck_at_easa.europa.eu
- A more detailed presentation on Annex 19 is available
53. Advanced safety management tool kit
- Noteworthy websites about safety management in aviation
- http://flightsafety.org/current-safety-initiatives/corporate-flight-operational-quality-assurance-c-foqa
- ICAO Flight Safety Information Exchange: http://www.icao.int/fsix/
- The Australian Civil Aviation Safety Authority web site at http://www.casa.gov.au/sms/index.htm, including Advisory Circular 172-01(0), September 2005, Guidelines For Preparing A Safety Management System (SMS), at http://www.casa.gov.au/rules/1998casr/172/172c01.pdf
- The Transport Canada Civil Aviation web site at http://www.tc.gc.ca/civilaviation/systemsafety/pubs/menu.htm
- The UK Civil Aviation Authority web site at http://www.caa.co.uk/default.aspx?catid872pagetype90pageid9953
- The Overseas Territories web site at http://www.airsafety.aero/safety_development/sms
- The IBAC web site at http://www.ibac.org. In addition, chapter 5, Evaluating the Operator's SMS, of the IS-BAO Internal Audit Manual may be helpful in the SMS development process.
- The NASA web site at http://www.nasa.gov.
- The FAA Safety Management System information pages at http://www.faa.gov/about/initiatives/sms/specifics_by_aviation_industry_type/ and Risk Management Handbook at www.faa.gov/library/manuals/aviation/media/FAA-H-8083-2.pdf
- The International Helicopter Safety Team (IHST) SMS Toolkit at http://ihst.rotor.com/Portals/54/2009_SMS_Toolkit_ed2_Final.pdf
- The European Strategic Safety Initiative (ESSI) at http://www.easa.europa.eu/essi/index.html
- FAA Advisory Circular 120-92, Introduction to Safety Management Systems for Air Operators, at http://www.airweb.faa.gov/Regulatory_and_Guidance_Library/rgAdvisoryCircular.nsf/0/6485143d5ec81aae8625719b0055c9e5/FILE/AC20120-92.pdf, and FAA's Flight Risk Assessment Tool at http://www.faa.gov/other_visit/aviation_industry/airline_operators/airline_safety/info/all_infos/media/2007/inFO07015.pdf.
- EASA website: www.easa.europa.eu/sms/
54. True or false?
- Annex 19 is called risk management.
- SSP is created by Service Providers
- ICAO facilitates safety management information sharing among Service Providers within the State
- EASA oversees Service Providers' safety performance
- Risk management means you can deviate from the rules if proper mitigating factors are in place
- All statements are false
55. Any comment or question, contact jean-pierre.arnaud_at_easa.europa.eu