The intent of the SMS initiative

In my previous blog, “Design Organisation Approval: The integration of Safety Management and Organisation Performance”, we considered the stimulus for regulators (such as EASA) to move towards a “Performance Based Environment”. What we did not consider in that discussion is the intent behind the Safety Management System (SMS) initiative. None of this should be new to us, but I wonder whether many of us have lost sight of the original intent behind the first drafts (in the early 1990s) of the ICAO SMS Manual. To revisit that intent, I am going to consider two aspects: Safety in Design and Safety in Practice.

A) Safety in Design:

Allow me to extract the following from para 6 in EASA’s AMC25.1309 (Iss21)[1]:

?“For a number of years aeroplane systems were evaluated to specific requirements, to the "single fault" criterion, or to the fail-safe design concept. As later-generation aeroplanes developed, more safety-critical functions were required to be performed, which generally resulted in an increase in the complexity of the systems designed to perform these functions. The potential hazards to the aeroplane and its occupants which could arise in the event of loss of one or more functions provided by a system or that system's malfunction had to be considered, as also did the interaction between systems performing different functions. This has led to the general principle that an inverse relationship should exist between the probability of a Failure Condition and its effect on the aeroplane and/or its occupants” (see Figure below).

[Figure: the inverse relationship between the probability of a Failure Condition and the severity of its effect on the aeroplane and/or its occupants, from AMC 25.1309]

“In assessing the acceptability of a design it was recognised that rational probability values would have to be established. Historical evidence indicated that the probability of a serious accident due to operational and airframe-related causes was approximately one per million hours of flight. Furthermore, about 10 percent of the total were attributed to Failure Conditions caused by the aeroplane's systems. It seems reasonable that serious accidents caused by systems should not be allowed a higher probability than this in new aeroplane designs. It is reasonable to expect that the probability of a serious accident from all such Failure Conditions be not greater than one per ten million flight hours or 1 × 10⁻⁷ per flight hour for a newly designed aeroplane. The difficulty with this is that it is not possible to say whether the target has been met until all the systems on the aeroplane are collectively analysed numerically. For this reason it was assumed, arbitrarily, that there are about one hundred potential Failure Conditions in an aeroplane, which could be Catastrophic. The target allowable Average Probability per Flight Hour of 1 × 10⁻⁷ was thus apportioned equally among these Failure Conditions, resulting in an allocation of not greater than 1 × 10⁻⁹ to each. The upper limit for the Average Probability per Flight Hour for Catastrophic Failure Conditions would be 1 × 10⁻⁹, which establishes an approximate probability value for the term "Extremely Improbable". Failure Conditions having less severe effects could be relatively more likely to occur”.

From the above, I would like to draw three facets to the reader's attention:

  • Historically it was considered acceptable[2] to have a large transport aviation disaster every million[3] flying hours (1E-6).
  • Only 10% of these were deemed to be caused by aircraft systems. This is the origin of the design safety target of 1E-9 for catastrophic failure conditions[4]: 10% of 1E-6 gives a systems budget of 1E-7 per flight hour, which is then apportioned equally across an assumed 100 catastrophic failure conditions. Satisfying this target allows the aircraft to be Type Certified and released into service.
  • So, up to 90% of accidents are attributed to other causes (such as weather, CFIT, human error, airspace system infrastructure, etc.).

All Continuing Airworthiness regulations are focused on keeping the aircraft as close as possible to the “as designed” baseline[5]. In practice, however, every safety event can be traced back to mistakes/errors in the “as designed” baseline or to deviations in the “as maintained” and/or “as operated” baselines. So we also need to consider safety in practice.

B) Safety in Practice:

Numerous studies are published every year with graphs (such as the example below) showing that we have achieved this target of 1E-6; in fact we are now exceeding it by close to an order of magnitude.

[Figure: annual fatal-accident-rate statistics for large commercial aircraft, source linked below]

[https://www.1001crash.com/index-page-statistique-lg-2-numpage-2.html]

The problem, though, is that:

  • The aircraft industry (and its underlying technology) has become much more complex in the last decade, increasing its vulnerability to human error (in both commission and omission).
  • The skies are becoming more crowded, with a million flying hours now accumulated in a matter of weeks (i.e. this could soon mean a large-aircraft catastrophe every week while still remaining within the 1E-6 tolerance).
  • Budgetary pressure is increasing all the time in an industry with incredibly tight profit margins (this puts pressure on staff, which increases the probability of human error).
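The apportionment in section A (1E-6 historical rate, 10% attributed to systems, 100 assumed Catastrophic Failure Conditions) and the exposure arithmetic in the list above are worth writing down as one reusable calculation. The Python below is an added example, not code from this article or from EASA/ICAO; the fleet figures (13 000 aircraft, 50 million hours and 50 fatal accidents per year) are those quoted from Howard in footnote [3], and all function names, the tolerance and the constructed list of per-condition rates are my own assumptions.

```python
import math
from typing import Iterable


def systems_budget_per_hour(accident_rate_per_hour: float, systems_share: float) -> float:
    """Share of the overall serious-accident rate allowed to aeroplane systems.

    AMC 25.1309 para 6: about 1E-6 per flight hour overall, about 10% of which
    was attributed to systems, giving 1E-7 per flight hour for all systems.
    """
    return accident_rate_per_hour * systems_share


def apportion_equally(budget_per_hour: float, n_failure_conditions: int) -> float:
    """Equal apportionment of the systems budget over the assumed number of
    Catastrophic Failure Conditions: 1E-7 / 100 -> 1E-9 ("Extremely Improbable")."""
    if n_failure_conditions <= 0:
        raise ValueError("need at least one failure condition")
    return budget_per_hour / n_failure_conditions


def aggregate_meets_budget(condition_rates: Iterable[float], budget_per_hour: float) -> bool:
    """The per-condition allocation is only a proxy. The requirement the text
    actually states is that the *sum* over all Catastrophic Failure Conditions,
    analysed collectively, stays within the systems budget. A relative tolerance
    (an assumption of this example) is used because these are order-of-magnitude
    figures, not exact quantities.
    """
    total = math.fsum(condition_rates)
    return total <= budget_per_hour or math.isclose(total, budget_per_hour, rel_tol=1e-9)


def observed_rate_per_hour(fatal_accidents: float, fleet_hours: float) -> float:
    """Fleet-level accident rate from annual statistics (Howard: 50 / 50e6 -> 1E-6)."""
    return fatal_accidents / fleet_hours


def expected_accidents(rate_per_hour: float, fleet_hours: float) -> float:
    """Expected number of accidents over a given exposure, e.g. one year of fleet flying."""
    return rate_per_hour * fleet_hours


def days_to_accumulate(fleet_hours_per_year: float, exposure_hours: float) -> float:
    """Calendar days the world fleet needs to fly `exposure_hours`.

    With 50e6 hours per year, a million flying hours is accumulated in about a week,
    which is the point made in the list above.
    """
    return exposure_hours / fleet_hours_per_year * 365.0


if __name__ == "__main__":
    systems = systems_budget_per_hour(1e-6, 0.10)
    per_condition = apportion_equally(systems, 100)
    print(f"systems budget: {systems:.1e} /FH, per Catastrophic condition: {per_condition:.1e} /FH")

    # Constructed illustration: 99 conditions exactly on their allocation plus one
    # that misses it by a factor of two, so the collective analysis fails the budget.
    analysed = [1e-9] * 99 + [2e-9]
    print("collective analysis within systems budget:", aggregate_meets_budget(analysed, systems))

    rate = observed_rate_per_hour(50, 50e6)  # Howard's figures for the start of the millennium
    print(f"observed fleet rate: {rate:.1e} /FH, "
          f"~{expected_accidents(rate, 50e6):.0f} fatal accidents per year at that rate")
    print(f"a million flying hours is accumulated in ~{days_to_accumulate(50e6, 1e6):.1f} days")
```

The collective check is the part practitioners tend to skip: an aircraft can have every individual Catastrophic Failure Condition at or below 1E-9 and still miss the 1E-7 systems budget if there turn out to be more than the hundred conditions the apportionment assumed.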

So, what are our options to improve aviation safety? Well, one approach would be to make the design safety targets more stringent. This was explored by R.W. Howard in his 2000 paper entitled “Planning for super safety: the fail-safe dimension”. Although this is a noble initiative, it neglects two facts:

  • 1E-9 is already hard to achieve, and tightening it further through additional redundancy implies a significant penalty in system reliability (i.e. more equipment that can fail whilst the function is still retained) and a strain on all-up weight and available aircraft real estate.
  • It arguably ignores the benefit of a Pareto analysis: we should surely move our attention to the causes of the other 90% of accidents.

SMS to the Rescue

The primary intent of the SMS initiative is to focus our attention on the 90% of accidents attributed to “other causes”. It is now generally accepted that most aviation accidents result from human error, both in commission (e.g. during production, maintenance and operation) and in omission (e.g. during design). It would be easy to conclude that these errors indicate carelessness or incompetence on the job, but that would not be accurate. Investigations are finding that the human is only the last link in a chain that leads to an accident. These accidents will not be prevented by merely changing people; increased safety can only occur when the underlying causal factors are addressed. Enhancing overall safety in the most efficient manner requires the adoption of a systems approach to safety management. Every segment and level of an organization must become part of a safety culture that promotes and practices risk reduction.

Safety management is based on the premise that there will always be safety hazards and human errors. The SMS initiative merely establishes processes to improve communication about these risks and take action to minimize them.

There is a Thomas Jefferson quote about eternal vigilance being the price of liberty. “Well, the same thing goes for safety. Eternal vigilance is the price we pay for safety” [B. Readdy][6], and this is the intent of the SMS initiative.

[1] The origin of EASA CS 25.1309 can be traced back to FAR 25.1309 and the ICAO Airworthiness Manual (Doc 9760, see page 266 in the 3rd edition, 2013). However, I was interested to learn recently [see https://adsabs.harvard.edu/abs/2010ESASP.680E..44Q] that the accident rate was first analysed in the UK for the British Civil Airworthiness Requirements (BCAR).

[2] Do not misinterpret the word “acceptable”: it was merely a line in the sand that we did not want to cross, drawn during the Regulators' efforts (in the mid-1960s) to move from “prescriptive regulations” to “goal-based regulations” so as to reduce the regulatory burden and not stifle innovation.

[3] To put this (i.e. one accident in a million flying hours) in perspective: “There were about 13 000 large jet aircraft in the world at the start of this millennium, flying a total of about 50 million hrs per year whilst incurring about 50 fatal accidents” [Howard (2002, para 1)].

[4] This leads to an accident probability of 0.0000001 (10⁻⁷) per hour for technical cause factors. Therefore, for transport category aircraft, most civil airworthiness authorities require that aircraft systems and associated components (considered separately and in relation to other systems) be designed in a manner such that the occurrence of any failure condition which would prevent the continued safe flight and landing of the aircraft should virtually never occur in the life of an aircraft type.

[5] In configuration management, a "baseline" is an agreed description of the attributes of a product, at a point in time, which serves as a basis for defining change.?A change is a movement from this baseline state to a next state. The identification of significant changes from the baseline state is the central purpose of baseline identification [MIL-HDBK-61, pages 3-4]

[6] Bill Readdy, NASA’s associate administrator for the Office of Space Flight, at the Flight Test Readiness for the shuttle Endeavour’s November 2002 launch (quote found on p. 53 of The Final Flight of Shuttle Columbia, by M. Cabbage and W. Harwood, ISBN 0-7432-6091-0).

Duane Kritzinger (BEng, MBA)

Initial Airworthiness and System Safety Specialist (civil & military)

1 year ago

[image comment, no alt text available]
Duane Kritzinger (BEng, MBA)

Initial Airworthiness and System Safety Specialist (civil & military)

1 year ago

Pleased to see this discussed again here: https://www.youtube.com/watch?v=5An4AYlWzjc&t=11457s

Bragi Baldursson

Head of Design at Aptoz

5 years ago

Brilliant thinker. Love the historical perspective

Ferdi Taljaard

Quality Manager at Positec Power Tools Europe Ltd

5 years ago

Another well written and relevant article. Thanks Duane
