
Monitoring Safety

An approach for quantifying risk, and taking steps to reduce it

As a pilot, would you want to know that the airplane you're getting ready to fly had a fuel leak six times during a five-day period? And would you also want to know that maintenance addressed these fuel leaks by removing and replacing the sealant on the fuel tank? Finally, would you suspect that critical, undetected structural damage inside the wing led to skin cracks and the recurring leaks?

A crew working for the "oldest operating airline in the country" did not know, and on December 19, 2005, they and their 18 passengers were killed when the wing came off their Grumman Turbo Mallard seaplane, causing it to crash into the sea shortly after takeoff from Miami, Florida.

There's no way to know if such knowledge would have prevented the accident. But the FAA believes a new concept involving management, maintenance, operations, and flight crews could help to improve safety.

It's a Safety Management System, or SMS, and it's one of the newest buzzwords in the FAA's lexicon. In fact, an advisory circular on the subject, AC 120-92, "Introduction to SMS for Air Operators," was issued in June 2006. What's more, in July 2007, the FAA released a "Flight Risk Assessment Tool" in the form of an "Information for Operators" or InFO document (see "The Risk Matrix," below).

You're not likely to face an SMS at your local flight school in the near future. For those of you planning an airline career, however, SMS will become familiar sooner rather than later. It's based upon guidance from the International Civil Aviation Organization, and it's mandatory in the United Kingdom, Canada, and other countries. In the United States, the FAA strongly encourages airlines and charter companies to develop and implement an SMS. Nevertheless, some safety experts predict it won't be long before the FAA follows suit and mandates SMS for commercial operators in this country.

What is a Safety Management System? It's a companywide, risk-based safety program that uses reactive, proactive, and predictive tools--on a continuous basis--to identify and mitigate hazards.

Although that description is a mouthful, the individual elements are relatively straightforward. In a large aviation organization (such as an airline or a large corporate flight department), companywide means that the system includes everyone, from the top executives down to the person who cleans the hangar floor. It starts with management's commitment to safety, and the "safety culture" is promulgated through policies, procedures, and organizational structure.

Risk-based means hazards are identified and then ranked using risk assessment tools. Once risks are identified and ranked, controls or tools are used to eliminate or mitigate them. A control can be as simple as a warning sign, or as complex as changing an entire procedure. Risk-control tools can be grouped by when they are used. For example, reactive tools are used after there is an incident or accident, which may include a debriefing and analysis of what went wrong and what needs to be changed to prevent such events in the future. Proactive tools are used to avoid accidents or incidents, and include items such as a preflight risk assessment checklist. Predictive tools try to sniff out potential sources of trouble; they include things like safety audits and reviews.

How does all of this apply to you? Safety is as much a mindset as it is anything else. And you can take that mindset with you wherever you go.

To illustrate this, let's look at a hypothetical flight school from a safety management system point of view. First, does the flight school management promote a safety culture? Does management communicate this safety culture through policies, procedures, and organizational structure? For example, at some flight schools, before a student can fly solo, he or she must take a phase check or stage check flight with the chief instructor. This policy is a quality-control measure to verify that the flight instructors are teaching all the required pre-solo items to proficiency. It also provides a feedback path from the chief instructor to the flight instructors regarding the progress of their students. In theory, the system continuously improves, thereby satisfying the "continuous basis" tenet of the SMS.

An example of a safety procedure might be how the school wants you to start and shut down the aircraft. Are you asked to pull the aircraft out of the tiedown spot before starting the engine to reduce prop wash? Or is it acceptable to just start the airplane in place? Another popular procedure is to momentarily turn the magneto switch to "off" to verify the integrity of the magneto ground leads before shutting down the engine. Is the flight school responsible for these procedures, or is it just the individual instructor? Remember, another tenet of an SMS is that it's companywide.

Maintenance

What about the flight school's maintenance? Does it use licensed and qualified airframe and powerplant mechanics, or does it use some students who are working on their A&P certificates? Do the mechanics have access to the manufacturer's maintenance manuals, or are they going by experience? And do they have the proper tools for the job?

Questions like these were central to the investigation of a Beechcraft 1900D airliner that crashed after takeoff from Charlotte, North Carolina, in 2003. The NTSB determined the probable cause was "the loss of pitch control (which) resulted from the incorrect rigging of the elevator system compounded by the airplane's aft center of gravity, which was substantially aft of the certified aft limit." Contributing to the cause of the accident were the company's lack of oversight of the work being performed at its outlying maintenance station, the company's maintenance procedures and documentation, and the quality assurance inspector's failure to detect the incorrect rigging of the elevator control system.

Competent maintenance is just one element that makes up a safe aviation system. Consider how a flight school manages squawks. Is there a document where recent squawks and the maintenance actions to clear them are recorded? Is it readily available to the pilots who fly the aircraft? When the school dispatches a rental aircraft, is there a big board on the wall that shows when the last annual inspection, 100-hour inspection, and pitot-static and transponder tests were done, or does that require a special inquiry? Each of these issues is an example of how the various policy, procedural, and organizational structure aspects of an SMS can work together to minimize risk.

Understanding risk

In the safety world, risk is composed of two components: the likelihood of an injurious event occurring and the severity or worst credible outcome of the event. It is typically plotted on a matrix, with severity plotted on the horizontal axis, and likelihood on the vertical axis (see "The Risk Matrix," below).

Let's look at some accident data from the AOPA Air Safety Foundation's 2006 Nall Report. According to the report, maneuvering was the leading cause of accidents involving single-engine, fixed-gear aircraft in 2005, at 39.5 percent. Maneuvering accidents were also the most fatal, with a lethality index of 61.2 percent. Thus, when plotted on the matrix, maneuvering events score high in both likelihood and severity. It's no wonder that maneuvering accidents are the special emphasis topic of the 2006 Nall Report. To learn how to avoid the hazards possible in maneuvering flight, read the AOPA Air Safety Foundation's Maneuvering Flight Safety Advisor. From an SMS perspective, the Nall Report discussion is a proactive risk mitigation tool that seeks to raise awareness about this hazard and help pilots develop skills in this area.

As another example, consider midair collisions. Where would they fall into the risk matrix? Well, midair collisions are rare, so they have a low probability. However, the result of a midair collision is generally fatal, so their severity is high. Thus, midair collisions would be somewhere in the lower right quadrant of the matrix. Now, back to the hypothetical flight school. What kinds of controls or tools could be used to help mitigate the risk of a midair collision? Since some midairs are the result of formation flights, there could be a policy of "no formation flights, period." This might be effective, but it would depend on whether pilots comply with the policy. Another policy might be "no practicing of ground reference maneuvers during student solo flights." Again, these policies are only effective if pilots follow them.

A more effective approach usually starts with training to avoid the hazard, followed by a sensible policy. Ground training might include an awareness program teaching that midair collisions typically occur in visual meteorological conditions and within 10 miles of an airport. Hot spots include established student training areas and bottlenecks caused by airspace or terrain constrictions. Flight training might emphasize the proper use of clearing turns, as well as nontowered and towered airport traffic pattern procedures. A sensible policy might implement the mandatory use of landing and anticollision lights on training aircraft. These elements could work together to mitigate the hazard.

Another SMS element is a flight data analysis program (FDA). Foreign air carriers have successfully used FDA programs for many years. Currently, all major U.S. airlines have implemented FDA programs. Now, the FAA is encouraging FAR Part 135 (charter operators), supplemental air carriers, and FAR Part 91 corporate operators to adopt FDA programs as well.

In an FDA program, the parameters for a particular flight are captured by the aircraft's digital flight data recorder, downloaded, and collected. This flight data includes heading, altitude, airspeed, power settings, and gear and flap position. The data is then analyzed to spot deviations from standard operating procedures and/or operating limitations. It is also combed for unstable approaches, hazardous trends, or other abnormal events with the goal of preventing accidents. Sometimes, FDA data shows that a "slam dunk" descent required by air traffic control (ATC) is the real culprit, or a particular runway has a difficult instrument approach. Sometimes the airlines pass this data on to the FAA, so that it can modify ATC or instrument approach procedures to reduce deviations and improve safety. Used in this manner, an FDA program can be considered both a reactive and proactive risk mitigation tool.

Another valuable tool available to all pilots, mechanics, and others is the Aviation Safety Reporting System, or ASRS. The system is administered by NASA, a neutral third party, and a so-called NASA report must be postmarked within 10 days after an "event." Examples of such events are altitude deviations or airspace incursions. By volunteering a description of the event, including possible causes, the party filing the report helps NASA to improve the National Airspace System in return for limited immunity if a violation of the regulations is found. Used in this manner, NASA reports are a reactive tool. (For more information, see "Legal Briefing: One that didn't work," October 2007 AOPA Flight Training.)

Now back to our hypothetical flight school. Obviously, small general aviation aircraft are not equipped with digital flight data recorders, but NASA forms are readily available online. You can download one from AOPA Online. Along those lines, a safety suggestion box or anonymous self-reporting system could be used to improve system safety. It wouldn't take much to implement such a system in a flight school.

Aviation is getting more and more complicated. These days we're faced with security concerns, airspace restrictions, and other issues--at the same time commercial, business, and corporate aviation are booming. Proactive operators can choose to adopt a safety management system, or the elements appropriate to their situation, if they wish to achieve a higher level of safety than would result from a baseline of conscientious compliance with the federal aviation regulations. One benefit could be quicker reactions to any new operating challenges.

Christopher L. Parker is a CFI and an aviation author, speaker, and FAA remedial training specialist. He flies internationally as a contract captain on a Bombardier Challenger business jet and lives in Los Angeles.

The risk matrix

The FAA's InFO 07015, developed jointly by the FAA and the business aviation community, describes the proactive identification of possible hazards and the use of risk management tools to mitigate risks as aspects of a safety management system (SMS). These tools will provide ways for aircraft operators to determine which flights have more risk and allow operators to reduce that risk when possible. Risk assessment tools are only part of an SMS and should not be considered the whole system.

One tool is the risk matrix. It has two components--likelihood, which runs along the vertical axis, and severity, which runs along the horizontal axis. Risk is defined as the product of likelihood and severity. In other words, likelihood multiplied by severity equals the risk value. Risk matrices may be color-coded, like this example, with unacceptable areas in red, acceptable areas in green, and areas acceptable with mitigation shown in yellow.

Unacceptable (red). Where combinations of severity and likelihood cause risk to fall into the red area, the risk would be assessed as unacceptable and further work would be required to eliminate that associated hazard or to control the factors that lead to higher risk likelihood or severity.

Acceptable (green). Where the assessed risk falls into the green area, it may be accepted without further action. The objective in risk management should always be to reduce risk to the lowest practicable level, regardless of whether or not the assessment shows that it can be accepted as is. This is a fundamental principle of continuous improvement.

Acceptable with mitigation (yellow). Where the risk assessment falls into the yellow area, the risk may be accepted under specific circumstances. An example of this would be a crosswind limit of five knots for student pilot solo flights, or minimum ceiling and visibility requirements for student pilot solo cross-country flights.

Not all risk matrices are the same; on the contrary, each organization should develop a matrix that best represents its operational environment. Part of this tailored approach involves defining the severity and likelihood criteria. Although specific definitions of likelihood and severity are somewhat subjective, they should be as objective as possible. Here are some definitions taken from Advisory Circular 120-92:

Severity criteria

5 Catastrophic. Equipment destroyed, multiple deaths.
4 Hazardous. Large reduction in safety margins, physical distress or a workload such that operators cannot be relied upon to perform their tasks accurately or completely. Serious injury or death to a number of people.
3 Major. Significant reduction in safety margins, reduction in the ability of operators to cope with adverse operating conditions as a result of an increase in workload, or as a result of conditions impairing their efficiency. Serious incident. Injury to persons.
2 Minor. Nuisance. Operating limitations. Use of emergency procedures. Minor incident.
1 Negligible. Little consequence.

Likelihood criteria

5 Frequent. Likely to occur many times.
4 Occasional. Likely to occur sometimes.
3 Remote. Unlikely, but possible to occur.
2 Improbable. Very unlikely to occur.
1 Extremely improbable. Almost inconceivable that the event will occur.

To see how these likelihood and severity criteria work, let's use a hypothetical example of hand-propping an aircraft with a dead battery, a bum starter, or no starter. The likelihood that a hazardous event could occur while hand-propping depends on a multitude of factors, but one could rank the likelihood of an event occurring as 4, occasional or likely to occur sometimes. However, one could rank the outcome of such an event as 3, major, a potential serious incident with injury (or even death) to persons.

Looking at the risk matrix, this falls into the yellow area, acceptable with mitigation. What are those mitigation measures? An organization's safety expert would be responsible for establishing them, but some possibilities could be having a qualified and trained pilot at the controls, having a qualified and trained person hand-propping the aircraft, ensuring the aircraft is securely chocked and the brakes are set, and not hand-propping when standing on wet or slippery surfaces. The use of these measures could move the hazard into an acceptable or green area.

Want to know more?
Links to additional resources about the topics discussed in this article are available at AOPA Flight Training Online.
