Chapter 9. SMS Operation 9-3
9.4 RISK ASSESSMENT AND MITIGATION
9.4.1
Once hazards have been identified, the safety risks of their potential consequences must be assessed (Chapter 5). Safety risk assessment is the analysis of the safety risks of the consequences of the hazards that have
been determined as threatening the capabilities of an organization. Safety risk analyses use a conventional breakdown of risk into two components — the probability of occurrence of a damaging event or condition, and the severity of the
event or condition, should it occur. Safety risk decision making and acceptance is specified through use of a risk tolerability matrix. While a matrix is required, discretion is also required. The definition and final construction of the matrix
should be left to the service provider’s organization to design, and be subject to agreement by its oversight organization. This is to ensure that each organization’s safety decision tools are relevant to its operations and operational
environment, recognizing the extensive diversity in this area.
9.4.2
After safety risks have been assessed through the preceding step, elimination and/or mitigation to ALARP must take place. This is known as safety risk mitigation. Safety risk controls must be designed and implemented. These
may be additional or changed procedures, new supervisory controls, changes to training, additional or modified equipment, or any of a number of other elimination/mitigation alternatives. Almost invariably these alternatives will involve deployment
or re-deployment of any of the three traditional aviation defences (technology, training and regulations), or combinations of them. After the safety risk controls have been designed, but before the system is placed “online,” an assessment must be
made of whether the controls introduce new hazards to the system.
9.4.3
At this point, the system is ready for operational deployment/re-deployment, assuming that the safety risk controls are deemed to be acceptable. The next component of an SMS, safety assurance, utilizes auditing, analysis,
review and similar techniques, in line with those utilized by quality management systems. These techniques are used to monitor the safety risk controls to ensure that they continue to be implemented as designed and that they continue to be
effective in the dynamic operational environment.
9.5 SAFETY ASSURANCE — GENERAL
9.5.1
Safety risk management requires feedback on safety performance to complete the safety management cycle. Through monitoring and feedback, SMS performance can be evaluated and any necessary changes to the system effected.
In addition, safety assurance provides stakeholders an indication of the level of safety performance of the system.
9.5.2
Assurance can simply be defined as “something that gives confidence”. The safety risk management process in the SMS starts with the organization obtaining a good understanding of its operational processes and the
environments in which it operates; progresses through hazard identification, safety risk assessment and safety risk mitigation, and culminates in development and implementation of appropriate safety risk controls. Once controls for the
safety risks of the consequences of hazards are designed, deemed to be capable of controlling safety risks, and put into operation, safety assurance takes over safety risk management.
9.5.3
Once safety risk controls are developed and implemented, it is the organization’s responsibility to assure that they continue to be in place and that they work as intended. Under the above definition of “assurance,” this consists
of processes and activities undertaken by the organization to provide confidence as to the performance and effectiveness of the controls. The organization must continually monitor its operations and the environment to assure
that it recognizes changes in the operational environment that could signal the emergence of new and unmitigated hazards, and for degradation in operational processes, facilities, equipment conditions, or human performance that could
reduce the effectiveness of existing safety risk controls. This would signal the need to return to the safety risk management process to review and, if necessary, revise existing safety risk controls or develop new ones.
9.5.4
A process of permanent examination, analysis and assessment of these controls must continue throughout the daily operation of the system. The safety assurance process mirrors that of quality assurance, with requirements
regarding analysis, documentation, auditing, and management reviews of the effectiveness of the safety risk controls. The difference is that the emphasis in safety assurance is on the assurance that safety risk controls are in place, being
practised, and remain effective. The traditional emphasis in quality assurance is typically on customer satisfaction, which, unless the proper perspectives are respected, may or may not fully parallel safety satisfaction. A brief discussion
follows.
9.5.5
Quality assurance in aviation has traditionally been associated with maintenance and manufacturing operations and less often used in flight-related operations, except for limited use in training and checking. Some earlier
regulations called for quality assurance programmes, although the requirements were often not comprehensive or well defined across all functions of the organization. The fact remains, however, that quality assurance is a familiar term
although often associated with customer satisfaction and achievement of commercial objectives rather than safety. Nevertheless, as a means of assuring attainment of organizational objectives, quality assurance techniques are
applicable to safety assurance. In order to use these techniques for safety assurance, the organization must be careful in setting and measuring objectives with respect to safety.
9.5.6
The most important aspect is for the organization to design and implement all operational processes in such a manner as to incorporate safety risk controls based on a sound application of safety risk management principles
and to provide assurance of those controls. The organization’s choice of title — “quality” or “safety” — for the assurance process is of lesser importance as long as a focus on safety is maintained in the SMS.
9.5.7
Chapter 6 discusses compliance- and performance-based approaches to safety management. One aspect that might be overlooked in assuring performance, unless a proper perspective is observed, is the inclusion of assurance
of regulatory compliance. Chapter 6 introduces the notion of regulations as safety risk controls. As such, regulations are an integral part of the safety risk management process. In a properly deployed SMS, there should be no conflict between
safety risk assurance and regulatory compliance assurance. Regulations should be part of the system design, and regulatory compliance and safety risk management are parts of the same whole. Compliance with regulations is still an
expectation and should be within the purview of safety assurance as an activity aimed at “giving confidence” in the performance of the SMS.
9.5.8
In conclusion, senior management must ensure that safety satisfaction and customer satisfaction objectives are balanced in order to maintain business viability while maintaining safety of operations. While integration of
SMS and QMS objectives might result in economy of resources, the possibility of mismatches between safety satisfaction objectives and customer satisfaction objectives means that the two are not automatically interchangeable or
even aligned. It is up to the organization’s management to provide for this type of integration. Assessment of system performance and verification that the system’s performance continues to control safety risks in its current operational
environment remains the fundamental concern, from the perspective of safety management.
9.5.9
Lastly, the safety assurance activities should include procedures that ensure that corrective actions are developed in response to findings of reports, studies, surveys, audits, evaluations and so forth, and to verify their timely
and effective implementation. Organizational responsibility for the development and implementation of corrective actions should reside with the operational departments cited in the findings. If new hazards are discovered, the safety risk
management process should be employed to determine if new safety risk controls should be developed.
9.6 SAFETY PERFORMANCE MONITORING AND MEASUREMENT
9.6.1