Doc # SMS/M/01 CHAPTER 6 TABLE OF CONTENTS. 6.2 Safety Data Collection for Risk Management. 6.3 Hazard Identification & Risk managements

Transcription

1 CHAPTER 6 TABLE OF CONTENTS Page 1 of Hazard Data Gathering Methods 6.1 Reactive and Proactive report 6.2 Safety Data Collection for Risk Management SAMS 6.3 Hazard Identification & Risk managements Hazard identification Risk Assessment Technique Risk Assessment ~ Tables 6.4 Risk Acceptability Matrix 6.5 Action Criteria 6.6 Risk Mitigation

2 Page 2 of HAZARD DATA GATHERING METHODS The risks and costs inherent in commercial aviation necessitate a rational process for decision-making. Implementation of risk management processes is critical to an effective safety management programme. Risks cannot always be eliminated; nor are all conceivable safety management measures economically feasible. Risk management facilitates this balancing act, beginning with hazard identification. The creation and operation of effective hazard identification programs is fundamental to effective safety management. An organization may draw from a broad menu of safety activities to identify hazards or safety issues warranting further action. The effective identification of hazards can be achieved by brainstorming, using an appropriate selection of management and staff; staff surveys and a review of pertinent accident/incident records from both internal and external sources. Hazard identification should be initially undertaken to provide a comprehensive assessment of the risks that face the Airline. Subsequently, hazard identification should be periodically reviewed. The process should also be repeated whenever there is a significant change to the organization, its staff, procedures or equipment. The line manager has the responsibility for setting in place measures to remove, or mitigate the risks of, the identified hazard. The Safety Committee will monitor the completion of this task. To be successful, the hazard identification process must take place within a non-punitive (or just) safety culture. The Management is primarily interested in learning of potential weaknesses in the system s safety that could lead to an accident or otherwise compromise the efficiency of the operation. Blame is only an issue when individuals are culpable of reckless or negligent behavior. For the most part these are two distinct elements in the safety management system: one is reactive, the other proactive. The basic difference is the method of discovery: the reactive process responds to events that have already occurred, whilst the proactive method actively seeks to identify potential hazards through an analysis of the everyday activities of the company. The exception to this rule occurs when a potential hazard has been reported through the company s safety reporting program.

3 Page 3 of Reactive and Proactive reporting Hazard identification may be reactive or proactive in nature. Occurrence reporting and investigations are essentially reactive. Proactive hazard identification processes actively seek feedback by observing and analyzing routine day-to-day operations. Trend monitoring is used to predict future hazards e.g, FDM and Engine Trend Monitoring. In addition to internal safety assessments and audits, the PIA management utilizes the following hazard identification inputs and methods: Hazard Data Gathering methods DESCRIPTION RESPONSIBILITY DOCUMENT Accident Reporting Form Incident Reporting Form Air Safety Reporting Confidential Reporting Occurrence Reporting (Additional) E forms will be completed by the operating crew and will be handed over to the operations control. SAMS- A web based application for confidential reporting Safe Card (For Confidential Reporting of both HSE and SMS hazards) Safety Risk Assessment (SRA) Pilot-in-command MOR-1 (CAA Form F.1-41) APP A Director Safety & QA MOR-1 (CAA Form F.1-41) APP A Maintenance: Chief Engineer QA CAA 055 (III) APP B Pilot-in-Command MOR (CAA Form F.1-41) APP A Director Safety & QA MOR (CAA Form F.1-41) APP A PCAA AW 114 Engineering & Maintenance Delay incident Reporting APP B Form Cockpit crew CS/ASR/COCKPIT/001 APP D-1 Cockpit / cabin Crew CS/CORE/COCKPIT/001 APP D-2 General Manager Central Control will forward the copy of E series form to Director Safety & QA Director Safety & QA All PIA Employees Safety Action Groups shall maintain (develop, update, keep record) of SRAs, a controlled copy shall be sent to Director Safety & QA for oversight, consolidation and Safety Data base Management & Facilitation. Punctuality & Delay Incidents Report De-Brief Reports Bird Strike Report Near Miss Lightning Strike APP E-1 APP E-2 APP E-3 APP E-4 A web based application for confidential reporting both for air and ground through registered reporters HSE-F-14 A (APP L ) Risk assessment can be done through different means,like SAMS, SAG Meetings, HSE-F-02 A (APP L ), or any other approved document/form

4 6.1.2 Types of Hazard Page 4 of 22 PIA SMS program covers all types of Hazards in its reporting mechanism. Following are the examples of some hazards, but not limited to this list, which are to be reported and analysed for risk assessment and mitigation; a) Inadequate preflight preparation and/or planning. b) Failure to obtain and/or maintain flying speed. c) Failure to maintain direction control. d) Improper level off. e) Failure to see and avoid objects or obstructions f) Mismanagement of fuel. g) Improper inflight decisions or planning. h) Misjudgment of distance and speed. i) Improper operation of flight controls j) Undocumented cannibalization of aircraft parts k) Undocumented maintenance on aircraft. l) Operation of ground equipment without authorization / permission. Vehicles driving without permit license. m) No information/intimation of Missing tools. n) Maintenance of aircraft without consulting AMM / other relevant documents and not following SOP s. o) Birds menace / droppings on Aircraft during groundings. p) Improper receiving of U/S components and loss of components. q) Unattended, U/S and consumable items outside cage. r) 50% aircraft not covered in docks. s) Tire servicing. t) Improper aircraft jacking. u) Aircraft Towing. v) Transportation of Engine for dispatch to cargo Other than these, hazards associated with weather, intended landing sites, exceptions to TCAS alert, operations in conflicting traffic in airspace without radar coverage, flight following capabilities outside controlled airspace and hostile environment are also reported for risk analysis and mitigation All above mentioned hazards associated with operations and maintenance are identified, analyzed and mitigated with control strategies at acceptable level through defined procedures

5 Page 5 of Safety Data Collection and Risk Management By Using SAMS Besides other conventional methods, PIA is also using SAMS for Safety management. SAMS (Safety Assessment and ) is a web based software tool, developed by Airbus, used for processing, measurement and analysis of identified hazards and safety reports. SAMS is a dedicated tool for the enforcement of SMS requirements which is used for hazard identification, risk assessment, and actions management. It is primarily designed for flight operations, Engineering and Maintenance along with other ground & support services. SAMS provides PIA Safety department a platform to submit safety reports, analyse them, perform statistics, record actions taken and manage safety issues. SAMS promote the confidential reporting culture by using options to filter out the reporter s identification information from reports contents. It can also interact with AirFASE, extract selective data and has the ability to produce the information statistically.

6 Page 6 of Terms & Abbreviations associated with SAMS TERM/ABBREVIATION SAMS REPORTER OPERATOR ANALYST GATE KEEPER ADMINISTRATOR REPORT OCCURRENCE ISSUE ACTION ORC KRC SIRA SUBMITTED IN ANALYSIS VALIDATED PROCESSED DEFINITION/DESCRIPTION Safety Assessment Authority to create report and follow actions Authority to create report, Occurrence, issue and initial assessment Authority to create report, Occurrence, issue, final assessment, validation and Safety judgment In addition to analysis roles, authority to identify reporters Authority to manage backhand system issues Identified hazard with proper information A proper filled and analysed report with allocated risk index Potentially severe hazard/report, repeated occurrence To assign the responsibility for mitigation of the risk Occurrence Risk Categorization ( Impact on process) KeyWord Risk Categorization, Safety Issue Risk Assessment Submitted report, ready to create occurrence (if required) and analysis Analysis in progress by the operator and analyst with allocation of risk index Analyst authority for final safety judgment of an Occurrence Completely processed and no longer to be analysed further Key Roles and Work flow in SAMS There are 5 key roles designed in SAMS application from reporting till risk management with their assigned roles described in subsequent sections. 1. Reporter 2. Operator 3. Analyst 4. Gate keeper 5. Administrator

7 Reporter Page 7 of 22 Reporter can be any person, having access to SAMS, who can identify a hazard and generate safety report. The primary function of reporter is to submit reports of potential safety hazards observed during every day work. The assigned roles and work flow of a Reporter are described as under; Report Flow Reporter s Roles Create Safety Reports Access his/her Safety Reports Follow-up on actions assigned Create Safety Report Attach Report Docs Submit Safety Report When the reporter /user is creats a report, this report is not saved in SAMS data base, therefore, it has no status at the moment. For having status it has to be submitted through submit icon. After the submission, a report is considered as submitted and its source data cannot be modified anymore. It carries a unique reference number e.g (SR ). It signifies that report is awaiting for its review and further analysis. A submitted report is available for it to be analysed and create occurrence and then actions, if needed. In SAMS, four standard templates are being used for reporting. These templates contain all basic and standard information relevant to process/operation and situation being reported for analysis and mitigation purpose. Following are the Templates; Cabin Services Cabin reports Other Cabin Crew Reports SMS Staff report Engineering Ground Staff report

8 Page 8 of Operator Maintenance report Security Report Flight Line Operations Air Safety Report ATC Report Line Observation Other Cockpit Crew Report Flight Operations FDA Report Flight Ops Staff report The safety analysis of the report starts at this stage. In addition to the reporters roles, operator can initially analyse the submitted report, create occurrence (with automated system generated unique number OC ), based upon submitted report and assigns action to the relevant process owner. The Operator level is the first significant stage. Departmental/Divisional SAG members can only be designated as an operator with appropriate qualification and experience of relevant process. The assigned roles and work flow of an operator are described as under; Operator Flow Submitted Report De Identified Report Analysis Edit Safety Report Data & Attach Doc Add More & Create Occurrence Start Analysis Operator s Roles In addition to Reporter s roles, Operator can also Create Occurrences Initial Analysis, Not the final analyst Actions to mitigate risks Create Issues Close assigned actions Create Issue Create Actions Close Action (Issue/ Occurrence)

9 Page 9 of (a) Risk assessment Techniques In SAMS, for occurrence, there are two methodologies used, one is Quick ORC, and other is specific to domain/sub domain based keyword Rating of criticality. Both have the numeric values and colour coding parameters, KRC & ORC Values ORC technique using in SAMS for establishing risk, through numeric values and colour coding, are as follows.

10 Page 10 of Analyst When an operator or analyst opens the submitted report, it automatically changes its status from submitted to in Analysis. Safety report is analysed at this level. Supplementary information is filled describing the reporter from an analyst point of view. Additional documents can be attached, and report risk index and occurrence risks (ORC) are defined. The operator can take actions to mitigate risks associated to the identified hazard or situation reported through safety report. Analyst is the most significant level in SAMS risk management process. The role of analyst can be assigned to head of Departmental/Divisional SAG or his/her nominee. Depending upon the scope of the process/operations, role of analyst can be assigned to more than one operator with appropriate qualifications and experience. In addition to Operator s roles, analyst can give final safety judgment and validate the risk index (ORC). The assigned roles and work flow of an analyst are described as under;

11 Page 11 of 22 Analyst Flow Submitted Report De Identified Report Analysis Edit Safety Report Data & Attach Doc Add More & Create Occurrence Edit ORC Validate Risk Index Start Analysis Safety judgment Analyst s Roles In addition to Operator's roles, Analyst can do Final Analysis/judgment Validation authority Close assigned actions Create Issue Create Actions Close Action (Issue/ Occurrence) Supplementary information is filled describing the reporter from an analyst point of view. Additional documents can be attached, and report risk index and occurrence risks (ORC) are defined. Safety report is completely analysed at this level and final safety judgment is made with the authority of validation Gate Keeper In PIA, the primary role of gate keeper is to have the oversight of the SAMS process, from reporting of Hazards till the mitigation of risks with assigned actions. In addition to roles of analyst, gate keeper has the authority of identify a reporter s The gate keeper shall hold the monthly meeting with all analysts on regular basis.

12 Page 12 of Administrator Administrator s role is to maintain the hard ware and software issues of SAMS alongwith maintenance and updation of server and data base. Administrator has to liaison with SAMS backhand support service provider, allocation of authority/access rights as per the corporations laid down procedures Issue (Creation and management) In SAMS, Issues can also be created depending upon the potential severity and history of reoccurrence or with the combination of both. Hazard identification can expose Safety Issues, Furthermore, in SAMS, link with AirFASE database can also established and expose Safety Issues. The Risk assessment technique used in SAMS for issue management is based upon ICAO Risk assessment Guidelines (Both for probability and severity), Note: For further details, SOP for Qualification & Regularization of Roles in SAMS and SAMS user guide/ training material can be referred

13 Page 13 of SAMS Work Flow Management (A Complete Process Map) SAMS WORK FLOW MANAGEMENT Gatekeepr Operator / Analyst Reporter Create Safety Report Follow-up Safety Report To be analyzed To Send the request to gatekeeper, the operator create an Action Analyse Satistics and reports Follow-up Safety issues to be Analyzed Follow-up re identification requests through record Cancel Safety report Submit Safety Report Analyze Safety Report Request Identified Data Create Occurrence Request Identified Data Process Re identification request Create Safety Issue Create Actions Analyze Safety Issue Follow-up Safety Report Analyst Follow-up Actions Status Processed Safety Reports Close Safety issue

14 Page 14 of Other Means of Hazard Identification and Risk management Hazard Identification Sources of hazard identification can be from the voluntary reporting system (SAMS, confidential reporting, safe card, Investigation outcomes, safety survey results, safety case outcomes, pksafe, pksms and audit findings) which are proactive in nature. They can also be through accidents/ incident occurrence reporting forms which is reactive in nature and they can also be through Flight Data Monitoring, Maintenance Data Monitoring and investigation findings. Persons/Groups responsible to carry out risk identification have been mentioned in given table Risk Assessment Technique All identified hazards are to be critically assessed and ranked in order of their risk potential. They may be assessed subjectively by experienced personnel, or they may be assessed using more formal analytical techniques. All Departmental/Divisional heads are responsible for ensuring that area managers in their jurisdiction utilize modern techniques to identify hazards associated, for every task ( both routine and non-routine)) performed in their area of responsibility; these hazards need to be recorded in the data bank, analyzed critically in terms of their severity and probability and prioritized for subsequent address. The reporting forms listed at Hazard Reporting and at various appendices, form part of the Airlines pro-active data collection program. Hazard reports through SAMS are analyzed by designated analysts of relevant operational areas in SAG meetings or special risk assessment sessions. Those hazards have the cross functional implications can be assessed or analyzed in cross functional sessions/meetings. In SAMS, risk index obtained through an predefined automated criteria/parameters based upon industry practices Risk Assessment ~ Tables In Risk Assessment, there are two main factors to consider: the likelihood of the occurrence (table A) and the severity of the consequences ((Table B)) should there be an occurrence. In assessing risks, the defenses that have been put in place to protect against such hazards need to be evaluated. These defenses can, through their absence, misuse, poor design, or conditions contribute to the occurrence or increase the risks. Through such a risk assessment process, a determination can be made as to whether the defenses are adequate. If the defenses are not adequate, then steps should be taken to increase the defenses to eliminate or mitigate the hazard.

15 Page 15 of 22 The departmental SAGs can define more relevant severity & likelihood definitions based on relevance to the risk type. However, if any such tables are made the it must be communicated to Director Safety &QA for approval. The PIA method for estimation of the likelihood of a hazard occurring is based on the following table: (A) Likelihood PROBABILITY OF OCCURRENCE Qualitative definition Meaning Value Frequent Likely to occur many times (has occurred frequently) 5 Occasional Likely to occur sometimes (has occurred infrequently) 4 Remote Unlikely to occur, but possible (has occurred rarely) 3 Improbable Very unlikely to occur (not known to have occurred) 2 Extremely Almost inconceivable that the event will occur improbable 1 TABLE A The above table specifies the likelihood as qualitative categories, but also includes numerical values for the probabilities associated with each category. In some cases, data may be available which will allow direct numerical estimates of the likelihood of failure to be made. (For example, for the hardware elements of a system, extensive data is often available on historical component failure rates). The estimation of the likelihood of occurrence of hazards associated with human error will generally involve a greater degree of subjective assessment (and it should be borne in mind that even when assessing hardware, there is always the possibility of failures due to human error, for example, incorrect maintenance procedures). The following table (Table B) specifies the severity of the consequences of occurrences. The table also includes the numerical values assigned to severities associated with each category.

16 6.3.5 (B)Severity Scale Page 16 of 22 Aviation definition Catastrophic Hazardous Major Minor SEVERITY OF OCCURRENCES Meaning (Consider both potential or historical aspects) Equipment destroyed Multiple deaths A large reduction in safety margins, physical distress or a work load such that the operators cannot be relied upon to perform their tasks accurately or completely. Serious injury(resulting in permanent disability, loss of limb etc) to a number of people Major equipment damage. A significant reduction in safety margins, a reduction in the ability of the operators to cope with adverse operating conditions as a result of increase in work load, or as a result of conditions impairing their efficiency. Serious incident. Injury to person(s). Nuisance. Operating limitations. Use of emergency procedures. Minor incident. Value A B C D Negligible Little consequences. E TABLE B Safety risk severity is defined as the possible consequences of an unsafe event or condition, taking as reference the worst foreseeable situation. The assessment of the severity of the consequences of the hazard if its damaging potential materializes during operations aimed at delivery of services can be assisted by questions such as: I. How many lives may be lost (employees, passengers, bystanders and the general public)? II. What is the likely extent of property or financial damage (direct property loss to the operator, damage to aviation infrastructure, thirdparty collateral damage, financial and economic impact for Airline)? III. What is the likelihood of environmental impact (spillage of fuel or other hazardous product, and physical disruption of the natural habitat)? IV. What are the likely political implications and/or media interest? Based on the considerations emerging from the replies to questions such as those listed in above, the severity of the possible consequences of an unsafe

17 Page 17 of 22 event or condition, taking as reference the worst foreseeable situation, can be assessed using a safety risk severity table. Table (A) presents a typical safety risk severity table, also a five-point table. It includes five categories to denote the level of severity of the occurrence of an unsafe event or condition, the meaning of each category, and the assignment of a value to each category. As with the safety risk probability table, this table is an example presented for educational purposes only. The acceptability of a risk is dependent on both its likelihood and the severity of its consequences. The product of two factors Likelihood (L) & Severity (S) determines the overall significance of risk. The hazards in tolerable region should be reviewed. Risks in this category are not automatically classed as tolerable. Every case must be reviewed taking into account the benefits which will result from implementation of the proposed changes as well as the risk. In general the PIA philosophy is to follow ALARP or reducing the risk to as low as reasonably practicable. It is necessary to obtain an overall assessment of the safety risk. This is achieved by combining the safety risk probability and safety risk severity tables into a safety risk assessment matrix, an example of which is presented in Table (A). For example, a safety risk probability has been assessed as occasional (4). The safety risk severity has been assessed as hazardous (B). The composite of probability and severity (4B) is the safety risk of the consequences of the hazard under consideration. Extending the discussion said above it can be seen, through this example, that a safety risk is just a number or alphanumerical combination and not a visible or tangible component of the natural world. The color coding in the matrix in Table (A) reflects the tolerability regions in the inverted triangle in Figure (B). The safety risk index obtained from the safety risk assessment matrix must then be exported to a safety risk tolerability matrix that describes the tolerability criteria. The criterion for a safety risk assessed as 4B is, according to the tolerability table in Figure (B), unacceptable under the existing circumstances. In this case, the safety risk falls in the intolerable region of the inverted triangle

18 Page 18 of 22 SAFETY RISK TOLERABILITY TABLES Table (A) Figure 6.3.7(B)

19 Page 19 of Risk Acceptability Matrix As per PIA SMS program, risk acceptability index/sequence would be as under Risk Assessment Index Risk Index in Intolerable region (Red ) Risk Index in tolerable (yellow region) Risk Index in Acceptable region (Green) Suggested Action Criteria Un acceptable under the existing circumstances requires immediate action and/or stopping of operations by the concerned authorities. Risk Control/Mitigation is required. Further Management Decision on cost vs benefit. Implementation of decisions shall also be on priority basis. Acceptable, management may review impact in context of any potential change in environment.. Table 6.3.7(C) Figure 6.3.7(D)

20 6.5 Action Criteria Page 20 of 22 Departmental Safety Action Group SAGs shall initiate actions based on existing risk levels to bring it down to an acceptable level. For this the respective SAG shall prepare a set of possible suggested controls along with their estimated cost, implementation duration and expected impact on existing risk level. The concerned authority shall evaluate amongst the given options, or may suggest a new option for risk review. The concerned management shall take a decision based as appropriate which may be a long term or short term strategy as suited. The minutes initiated in this context shall carry a tag line of immediate action required, on priority basis or standard minute to relate with the Action Criteria. For implementation of approved controls, the respective SAG shall follow-up the matter and verify the implemented controls. Verification shall be done by an independent person not directly involved in the implementation of the decision. Progress report shall also be reviewed and communicated to the departmental/divisional head on regular basis. 6.6 Risk mitigation As analyzed, if the risk does not meet the pre-determined acceptability criteria, an attempt should always be made to reduce it to acceptable region, or if this is not possible, to a level as low as reasonably practicable, using appropriate mitigation procedures. The identification of appropriate risk mitigation measures requires a good understanding of the hazard and the factors contributing to its occurrence, since any mechanism which will be effective in reducing risk will have to modify one or more of these factors. Risk mitigation measures may work through reducing the probability of occurrence, or the severity of the consequences, or both. Achieving the desired level of risk reduction may require the implementation of more than one mitigation measure. The possible approaches to risk mitigation include: a) Revision of the system design; b) Modification of operational procedures; c) Changes to staffing arrangements; and d) Training of personnel to deal with the hazard. The effectiveness of any proposed risk mitigation measures must be assessed by first examining closely whether the implementation of these measures might introduce any new hazards. In that case, the foregoing steps must be repeated by re-estimating hazard severity, the likelihood of the hazard occurring and then evaluating the risk. Once the system is implemented, particular attention should be paid, when evaluating the results of safety performance monitoring, to verifying that the mitigation measures are working as intended.

21 Important Note: Page 21 of 22 Hazard Identification & Risk Management in context of SMS shall focus on Operational Safety hazards that may have a direct impact on operational safety of the airline and performance of personnel in safety critical positions.

22 Page 22 of 22 PAGE INTENTIONALLY LEFT BLANK