Aviation SMS Implementations Have Risk!
Imagine you are the pilot recently assigned the "extra" task of being the safety manager of an existing aviation safety management system (SMS).
Or perhaps you are the safety manager who has worked hard for years and your SMS is running very smoothly. Now what?
Every aviation SMS implementation has a risk, just as any other project at your company.
When safety managers identify risk early, there is a higher chance that the aviation SMS implementation will succeed.
Related Articles on Aviation Safety Managers
- What Makes a Good Aviation Safety Manager?
- How to Tell If Aviation Safety Manager Is Doing Their Job
- Tips to Increase Aviation SMS Budgets - for Safety Managers
SMS Require Consistent Attention
Having worked with hundreds of aviation service providers in their SMS implementations, I have seen many successes and many failures. Aviation SMS requires consistent, year-after-year effort and continuous monitoring.
Your SMS is like a garden. If you don't water it, sections will start withering and dying piece by piece.
Aviation safety managers today face many challenges not only with a successful aviation SMS implementation but to ensure that their SMS is sustainable. A current challenge today is that safety managers lack a template to highlight potential risks to their aviation SMS implementations.
This article explores risks that all aviation safety managers must be aware of.
Identifying and Treating Risk to SMS
Once risks to the SMS are identified, then risk management controls can be implemented and monitored. If you are new to SMS or don't quite understand all the concepts, the objective is to stop "The Accident" through a process of continuous improvement.
The short version can be summarized as:
- A problem is identified, maybe from the result of a hazard manifesting itself.
- You fix it.
- During the process of fixing it, you will implement risk controls to prevent recurrence or reduce damage should the event recur.
- Not all problems require risk controls. Determining whether additional risk controls are needed is determined after risk analysis and assessment. If no further risk controls are implemented, your company is "accepting" the risk, which is evaluated by determining the most credible risk consequences.
- Risk consequences are the injuries or harm associated with the most likely scenario should the hazard reappear and cause harm.
- Risk controls are not always in place to keep a hazard from manifesting itself (causing harm). Risk controls can be categorized in multiple ways, depending on the context. A common way of categorizing risk controls is by their role in controlling risk, such as:
- Detective (monitor the hazard and alert before harm occurs);
- Preventive (stop the hazard from manifesting); and
- Corrective (fixing the issue after the hazard manifests itself).
Classifying Risk Controls in Aviation SMS
The above example of classifying risk controls is based on where in the risk management process they occur. This information becomes useful for evaluating the effectiveness of controls and understanding the purpose of the control. Risk controls are often called by different names, such as
- control measures;
- mitigation strategies;
- risk mitigation strategy;
- simply "controls;"
- mitigations; or
- "risk controls."
I have always preferred "control measures," but the important thing to note is that depending on a person's region, culture, training, or preference, they may use a different word for risk controls. Don't be confused. I'll try to use risk control to avoid confusion.
The above example of classifying risk controls does not imply that risk controls fall into a neat bucket. Risk controls may be a combination of detective, preventive, and corrective, such as:
- Detective and preventive;
- Preventive and corrective; etc.
You will see this risk classification type used considerably when performing bow-tie analysis. The point is that risk controls can serve more than one purpose for mitigating risk, but as a safety manager, you need to know how these risk controls work in aviation risk management processes.
I've found that the above method for classifying risk controls is more useful when working on reactive risk management processes. There are at least two other common ways of classifying risk controls and I'll briefly discuss the most popular and when or where I find it used most often.
Related Articles on Aviation Risk Management
- Difference between Reactive, Predictive and Proactive Risk Management in Aviation SMS
- How to Practice Reactive, Proactive, and Predictive Risk Management in Your Safety Program
- From Reactive to Proactive Risk Management in Aviation SMS
Hierarchy of Control Used to Classify Risk Controls
When you are designing your system during the proactive hazard analysis phase (SRM for FAA audience), you are:
- identifying hazards;
- listing credible risk scenarios that could cause harm;
- list existing risk controls to keep the hazard from manifesting (detective and preventive);
- assess risk levels for each risk scenario;
- determine whether the risk is acceptable, acceptable with mitigation, or unacceptable; and
- decide as to what's next (we won't go there today).
That is the fast summary of part of the safety risk management process (SRM in the FAA lingo). We don't want to get off track, because we intend to discuss another classification strategy for understanding and evaluating risk controls. Therefore, please don't be overly critical of my cursory description of SRM. I say this because the FAA audience is very good at keeping me "informed."
When you are listing risk controls, it is useful to group them according to the industry-accepted "hierarchy of controls." It will be most expedient if I list the hierarchy first, and then discuss how to use this classification strategy. According to the hierarchy of controls, the different types of controls are classified based on their effectiveness in controlling risk. For example:
- Engineering controls;
- Administrative controls; and
- Personal protective equipment.
Look quickly at the image to the right. You will notice the image aligns with the list above, and that "elimination" will prove to be the most effective at controlling risk and personal protective equipment is the least effective.
Why is this useful? When you are listing out risk controls to mitigate an associated hazard's risk, grouping risk controls in this fashion provides managers with a visual representation of:
- how risk is managed by the effectiveness of each risk control;
- where in the hierarchy are implemented risk controls; and
- whether there may be a better risk management strategy.
You may be thinking,
- this looks like a lot of work; or
- how do I do this in the real world? or
- when/where do I use this strategy?
This is very easy to do if you are set up with SMS database tools. You may be able to do this yourself, depending on your tools, available expertise, and time.
How do you use this setup in the real world? Look at an example tool in the image below. It was taken from an SMS database while managing a reported safety issue in the SMS' reactive risk management process:
In the example tool above, we see the inverted triangle as a visual representation for managers who may not intuitively grasp the concept of the "hierarchy of controls." After all, not all management stays awake during risk management training. On the right side of the tool, there is a list of related risk controls listed according to their categorization in the SRM process. For SMS Pro users, this is done in the "Proactive Hazard Analysis Tool." Where do the risk controls come from?
Related Articles on Risk Controls in Aviation SMS
- How to Monitor the Effectiveness of Control Measures
- How to Implement Effective Control Measures
- What Is a Risk Control in Aviation SMS: Meaning, Purpose, Application
During the proactive hazard analysis process (SRM if you are FAA focused or you may see this concept called "safety risk analysis" in other circles), document risk controls that mitigate risk for each hazard. When listing risk controls, determine where they fit into the hierarchy. This part of the job is done. Now we start monitoring risk controls using the safety assurance (SA) processes.
Based on FAA guidelines, monitoring risk controls occurs in "safety assurance" activities, which typically come into the system as:
- reported safety issues; and
- audit findings.
When reacting to audit findings and reported safety concerns, you will be monitoring the risk controls as part of "treating" each item. As the safety team reviews the controls, they determine whether each implemented risk control is:
- Not effective; or
- Unable to determine or not applicable to the current safety concern (NA).
In the above image, you will see risk controls listed on the right, and if you look closely at the risk control title, immediately to the right is a measure of the effectiveness of each risk control. For example, next to Fatigue Risk Management Policy, you will see "(+43, -6). In this tool, those numbers translate to:
- 43 times this risk control has been evaluated as being effective; and
- 6 times this risk control either failed or proved to be ineffective.
If you have been following along, the astute safety professional will ask: how did we associate the reported safety concern or audit finding (the issue being treated) to the risk controls?
If you remember, when we documented our hazards and listed out our risk controls in the SRM process, we were setting ourselves up to monitor the risk controls of a particular hazard. Whenever we associate SA issues being treated with this hazard, we immediately get access to review related risk controls.
This is very sexy and easy. Feel free to use this idea in your SMS.
This is the most effective, sustainable manner of continuously monitoring risk controls in your reactive risk management processes.
From this example, we see SRM processes and SA processes working together to monitor and improve the system.
Why Is Understanding Risk Controls Important to SMS Implementations
Why did we spend so much time discussing risk controls? When operators do not have an easy way to document and monitor risk controls, this process does not happen. True story. I've seen it happen at hundreds of companies in EVERY aviation industry segment.
Safety managers may understand the concepts and theory. However, they may not know how to monitor risk controls. There is a lot of talk about what is required in aviation SMS, but few details as to how to perform these tasks, and for good reason. There are many types of
- aviation service providers;
- simple and complex operations; and
- available data management choices.
It would be impossible to account for every permutation. Therefore, regulatory authorities do what they can. They show you the process and the process is GOOD! But you will only benefit if you work the process.
The above approach is an example of a sustainable process that is very easy to implement in your SMS. While you could use spreadsheets using the above strategy, your risk management process will not be sustainable in the long run because spreadsheets and point solutions do not work with this approach.
You will need an SMS database to practice this strategy in order to have a repeatable process that can be used for many years to come. Spreadsheets are the wrong technology.
Related Articles on Using Spreadsheets to Manage Aviation SMS Data
- 5 Things Spreadsheets Can't Do for Your SMS
- Spreadsheets vs Software for Aviation Safety Management
- See How Spreadsheet Not EASA Compliant Aviation Hazard Reporting Database
You may have noticed that I quickly mentioned that point solutions will not work using the suggested strategy. This is partially true. Point solutions are software programs that have been designed to handle one main business task, such as:
- Safety Reporting System;
- Hazard Analysis Software;
- Accident Investigation Software;
- Audit System; or
- Training Management System.
More than a few SMS implementations' data management strategies are based on point solutions. This is an indication of:
- lack of budget;
- poor planning (not knowing SMS documentation requirements in the early stages); or
- Ignorance (not having data management professionals to offer guidance).
The reason that point solutions won't work well while monitoring risk controls in the long term, the sustainable process is because data is scattered in multiple systems. There is no easy, efficient way to pull data from one system and use it quickly in another. Let's take an example to explain this better.
→ Company A has a hazard register that is documented and managed in either a spreadsheet or a point solution. Managers love this hazard register because it is based on the same spreadsheet that was given to them by the regulatory agency. How can they go wrong? It was given to them by their CAA. Some companies will put this hazard/risk register into Google Docs or SharePoint.
→ Company A has another system that handles its reactive risk management processes for reported safety concerns. Company A also has an auditing system and none of these systems talk to another.
→ When Company A wants to monitor risk controls that have been implemented to mitigate risk from either a reported safety issue or an audit finding, the safety team has to review these controls in another system. If this takes more than a couple of minutes, the chances of these controls being reviewed are slim-to-none.
→ This explains why point solutions are not a good data management strategy for SMS implementations. They actually increase the risk to the SMS implementation and prevent the organization from fully capitalizing on SMS benefits.
To summarize, spreadsheets and point solutions are not desirable technologies for efficiently managing SMS data. The best solution is a single SMS database that was built to address all SMS documentation requirements. The next best solution is a group of point solutions integrated into a seamless risk management system.
You will see this data management strategy practiced by some of the more popular enterprise SMS solutions (not SMS Pro) where the SMS database provider cobbles together a bunch of point solutions and calls it an SMS data management platform. Their point solutions can be integrated if there is knowledgeable technical support, but it's more difficult to customize to an individual client's needs. The architecture behind integrated point solutions isn't pretty and can prove to be a maintenance and support nightmare.
When getting technical support from a provider of cobbled-together point solutions, you will often notice a delay of up to one day or more to receive an answer. This is due to the reseller (such as Sabre or ETQ) having to contact the original developers for support, which introduces the frustrating delay. The extended delay occurs because the original point solution developer has to research the issue and respond back to the reseller.
Based on the support scenario, you may realize that point solutions, even those that are cobbled together and sold as a single product, may offer unacceptable risk to your SMS implementation.
Related Aviation SMS Database Articles
- What Is an Aviation Safety Database
- 5 Most Important Things to Know before Buying Aviation SMS Database
- How to Choose the Best Aviation Safety Database Software
Daily Routines Also Present Risk to Aviation SMS Implementations
Aviation risk management processes commonly address operational risk, such as risk to:
- Environment; and
- Company reputation.
For both developing and mature SMS implementations, the safety manager commonly is focused on:
- Managing reported events;
- Tracking corrective actions;
- Safety promotion activities; and
- Monitoring safety performance.
A common phenomenon is that safety managers are caught up in the day-to-day safety tasks and either forget or neglect to review their SMS implementations. An SMS implementation is a project with a timeline of three to five years. The implementation requires regular review, even after you have reached Phase 4 or the final stage of your SMS.
The reason you should review your SMS implementation plan after you believe you have a fully implemented SMS is because of "back-sliding." More than once, I have seen operators (usually airlines) in their sixth or eighth year of SMS get dinged on audit findings because their processes were not monitored to ensure the SMS continues to perform as designed across the entire organization.
What were the most common audit findings for these back-sliding operators? Inadequate review of their:
- risks; and
- risk controls.
This applies equally to operators with state-of-the-art SMS databases. The root cause for this finding in every case I've seen is poor safety culture. There are two scenarios I commonly see play out:
- Department heads with risk acceptance authority become distracted by the daily activities that they eventually and completely ignore reviewing their hazards and risk controls.
- Safety managers could not get department heads involved in the proactive hazard analysis activities and did this work for the department heads. This set a bad precedent and future reviews didn't occur because the safety manager was overworked, or didn't have risk acceptance authority to sign off on these risk management elements.
Related Articles on Aviation SMS Performance Monitoring
- How to Be Compliant with ICAO Safety Performance Monitoring and Measurement
- 4 Pillars | How to Conduct Safety Performance Monitoring and Measurement
- My Safety Score - What's Yours? Aviation SMS Performance Monitoring
Why Your Aviation SMS May Fail
Another common phenomenon is that safety managers may begin monitoring risk to their SMS implementations, but as the years pass, these monitoring activities fall by the wayside. This often occurs due to:
- The human tendency to forget;
- Change of safety personnel;
- Lack of controls in place to monitor aviation SMS system;
- Lack of robust aviation SMS database to efficiently manage tasks; or
- Gradual (almost imperceptible) deterioration of safety culture.
Categorizing Hazards to Aviation SMS
Hazard identification and risk assessment are among the most important processes in aviation risk management today. Hazard identification focuses on which hazards may affect your SMS implementation and document their characteristics and root causes.
Hazards affecting aviation SMS projects will generally fall into these four categories:
- Environment; and
Identifying Hazards and Risk to Aviation SMS
There are several techniques to identify hazards and associated risks to your aviation SMS implementation. These tools include but are not limited to:
- Documentation Reviews;
- Gap Analysis Reviews;
- SMS Implementation Plan Reviews;
- Information Gathering Techniques (surveys);
- External SMS Expert Analysis;
- External and Internal Audits; and
- Gut-level assumptions.
Have You Read
- 4 Pillars | What Is Hazard Identification in Aviation SMS
- From Reactive to Proactive Hazard Identification in Aviation SMS
- FAA Part 5 Compliance | Safety Risk Management Hazard Identification Requirement
Recovering from or Controlling Risk to Aviation SMS
Identification of the risk is an important first step.
Next, you should evaluate the risk as to the severity. When the risk is not acceptable, further action is required. Once you determine an unacceptable risk to your aviation SMS, you will then need to identify the root cause. It makes little sense to treat the symptoms.
After you have identified the root cause, then apply one or more of the following risk management strategies:
- Transfer; and
Final Thoughts on Managing Aviation SMS Implementations
Risk analysis and evaluation is critical to the success of every aviation SMS. The sooner SMS risk can be identified and the root cause uncovered, the easier will be the task of bringing the SMS implementation back on track.
You may have noticed that when we discussed risk to the SMS implementation, we used a very similar process to managing operational risk from:
- reported safety concerns;
- audit findings.
SMS is a system of processes. Evaluating risk is an iterative process that moves from SRM to SA and back and forth, back and forth.
We recommend evaluating your aviation SMS implementation plan annually for the first six years. Again, the reason for monitoring implementation details for so long is to catch yourself back-sliding.
If possible, bring as many managers as possible into the SMS implementation evaluation process. This practice will certainly help reduce resistance and increase ownership of the SMS.
Below is a very useful resource to evaluate the risk to your aviation SMS implementation. It was created by SMS Pro and Gary Williams, a highly regarded aviation SMS expert. We hope you will find it valuable as considerable time and thought was put into the creation.
If you are managing an SMS on paper, spreadsheets, or a clunky toy SMS database, you may be inspired by watching how others do it. Here are some short SMS videos demonstrating efficient hazard reporting and risk management processes.
Live SMS Pro Demo
Did you like the videos? Does it look like we are a good fit for you?
Do you have questions? Sign up for a live demo.
Last updated August 2023.