THE EVOLUTION OF SAFETY THINKING

2-2 Safety Management Manual SMM

is certainly desirable, they are unachievable goals in open and dynamic operational contexts. Hazards are integral components of aviation operational contexts. Failures and operational errors will occur in aviation, in spite of the best and most accomplished efforts to prevent them. No human activity or human-made system can be guaranteed to be absolutely free from hazards and operational errors.

2.2.3 Safety is therefore a concept that must encompass relatives rather than absolutes, whereby safety risks arising from the consequences of hazards in operational contexts must be acceptable in an inherently safe system. The key issue still resides in control, but relative rather than absolute control. As long as safety risks and operational errors are kept under a reasonable degree of control, a system as open and dynamic as commercial civil aviation is considered to be safe. In other words, safety risks and operational errors that are controlled to a reasonable degree are acceptable in an inherently safe system.

2.2.4 Safety is increasingly viewed as the outcome of the management of certain organizational processes, which have the objective of keeping the safety risks of the consequences of hazards in operational contexts under organizational control. Thus, for the purposes of this manual, safety is considered to have the following meaning:

Safety. The state in which the possibility of harm to persons or of property damage is reduced to, and maintained at or below, an acceptable level through a continuing process of hazard identification and safety risk management.
2.3 THE EVOLUTION OF SAFETY THINKING

2.3.1 During its early years, commercial aviation was a loosely regulated activity characterized by underdeveloped technology; lack of a proper infrastructure; limited oversight; an insufficient understanding of the hazards underlying aviation operations; and production demands incommensurate with the means and resources actually available to meet such demands.

2.3.2 It is a given in systems safety theory that production systems that set ambitious production objectives without deploying the necessary means and resources to deliver them develop the potential for frequent breakdowns. Therefore, it is hardly surprising that the early days of commercial aviation were characterized by a high frequency of accidents, that the overriding priority of the early safety process was the prevention of accidents, and that accident investigation was the principal means of prevention. In those early days, accident investigation, hampered by the absence of other than basic technological support, was a daunting task.

2.3.3 Technological improvements (due in no small measure to accident investigation), together with the eventual development of an appropriate infrastructure, led to a gradual but steady decline in the frequency of accidents, as well as an ever-increasing regulatory drive. By the 1950s, aviation was becoming (in terms of accidents) one of the safest industries, but also one of the most heavily regulated.

2.3.4 This resulted in the still pervasive notion that safety can be guaranteed as long as rules are followed and that deviation from rules necessarily leads to safety breakdowns. Without denying the immense importance of regulatory compliance, its limitations as the mainstay of safety have increasingly been recognized, particularly as the complexity of aviation operations has increased. It is simply impossible to provide guidance on all conceivable operational scenarios in an operational system as open and dynamic as aviation.
2.3.5 Processes are driven by beliefs. Therefore, under the belief that regulatory compliance was the key to aviation safety, the early safety process was broadened to encompass regulatory compliance and oversight. This new safety process focused on outcomes (i.e. accidents and/or incidents of magnitude) and relied on accident investigation to determine the cause, including the possibility of technological failures. If technological failures were not evident, attention was turned to the possibility of rule-breaking by operational personnel.

Chapter 2. Basic Safety Concepts 2-3

2.3.6 The accident investigation would backtrack looking for a point or points in the chain of events where people directly involved in the safety breakdown did not do what they were expected to do, did something they were not expected to do, or a combination of both. In the absence of technological failures, investigations would look for unsafe acts by operational personnel, i.e. actions and/or inactions that could be directly linked to the outcome under investigation. Once such actions/inactions were identified and linked, with the benefit of hindsight, to the safety breakdown, blame in different degrees and under different guises was the inevitable consequence, and punishment would be meted out for failing to “perform safely”.

2.3.7 Typical of this approach was to generate safety recommendations aimed at the specific, immediate safety concern identified as causing the safety breakdown, almost exclusively. Little emphasis was placed on the hazardous conditions that, although present, were not “causal” in the occurrence under investigation, even though they held damaging potential for aviation operations under different circumstances.

2.3.8 While this perspective was quite effective in identifying “what” happened, “who” did it and “when” it happened, it was considerably less effective in disclosing “why” and “how” it happened (Figure 2-1).
While at one time it was important to understand “what”, “who” and “when”, increasingly it became necessary to understand “why” and “how” in order to fully understand safety breakdowns. In recent years, significant strides have been made in achieving this understanding. In retrospect, it is clear that aviation safety thinking has experienced a significant evolution over the last fifty years.

Figure 2-1. Traditional approach — Preventing accidents
[Figure text: Focus on outcomes (causes); unsafe acts by operational personnel; assign blame/punish for failure to “perform safely”; address identified safety concerns exclusively. Identifies: WHAT? WHO? WHEN? But does not always disclose: WHY? HOW?]

2.3.9 The early days of aviation, those before and immediately following the Second World War until the 1970s, can be characterized as the “technical era” where safety concerns were mostly related to technical factors. Aviation was emerging as a mass transportation industry, yet the technology supporting its operations was not fully developed, and technological failures were the recurring factor in safety breakdowns. The focus of safety endeavours was rightly placed on the investigation and improvement of technical factors.

2.3.10 The early 1970s saw major technological advances with the introduction of jet engines, radar (both airborne and ground-based), autopilots, flight directors, improved navigation and communications capabilities and similar performance-enhancing technologies, both in the air and on the ground. This heralded the beginning of the “human era”, and the focus of safety endeavours shifted to human performance and Human Factors, with the emergence of crew resource management (CRM), line-oriented flight training (LOFT), human-centred automation and other human performance interventions.
The mid-1970s to the mid-1990s has been dubbed the “golden era” of aviation Human Factors, in reference to the huge investment by aviation to bring under control the elusive and ubiquitous human error. Nevertheless, in spite of the massive investment of resources in error mitigation, by the mid-1990s human performance continued to be singled out as a recurring factor in safety breakdowns (Figure 2-2).

Figure 2-2. The evolution of safety thinking
[Figure: timeline marked 1950s, 1970s, 1990s and 2000s (today), with the labels TECHNICAL FACTORS, HUMAN FACTORS and ORGANIZATIONAL FACTORS.]

2.3.11 The downside of Human Factors endeavours during a significant portion of the “golden era” was that they tended to focus on the individual, with scant attention to the operational context in which individuals accomplished their missions. It was not until the early 1990s that it was first acknowledged that individuals do not operate in a vacuum, but within defined operational contexts. Although scientific literature was available regarding how features of an operational context can influence human performance and shape events and outcomes, it was not until the 1990s that aviation acknowledged that fact. This signalled the beginning of the “organizational era” when safety began to be viewed from a systemic perspective, to encompass organizational, human and technical factors. It was also at that time that the notion of the organizational accident was embraced by aviation.

2.4 ACCIDENT CAUSATION — THE REASON MODEL

2.4.1