
7-4 Safety Management Manual (SMM)
Chapter 7. Introduction to Safety Management Systems (SMS)

7.3 SMS FEATURES

7.3.1 Three features characterize an SMS. It is:

a) systematic;
b) proactive; and
c) explicit.

7.3.2 An SMS is systematic because safety management activities are conducted in accordance with a pre-determined plan and applied in a consistent manner throughout the organization. A long-range plan to keep the safety risks of the consequences of hazards under control is developed, approved, implemented and operated on a non-stop, daily basis. As a consequence of their systematic and strategic nature, SMS activities aim at gradual but constant improvement, as opposed to instant dramatic change. The systematic nature of an SMS also leads to a focus on processes rather than outcomes. Although outcomes (i.e. adverse events) are duly considered to extract conclusions that support the control of safety risks, the main focus of an SMS is the capture of hazards, which are the precursors to outcomes, during the course of the routine operational activities (processes) that the organization engages in during delivery of services.

7.3.3 An SMS is proactive because it builds upon an approach that emphasizes hazard identification and safety risk control and mitigation before events that affect safety occur. It involves strategic planning, seeking to keep safety risks under the constant control of the organization, instead of engaging in repair action when an adverse event is experienced and then reverting to "sleep mode" until the next adverse event is experienced and repair action is re-engaged. In order to sustain effective hazard identification, constant monitoring is conducted of the operational activities necessary for the provision of services. This in turn allows for the collection of safety data on hazards, enabling data-driven organizational decisions on safety risks and their control, as opposed to formulating decisions on safety risks based on opinion or, even worse, on bias or prejudice.

7.3.4 Lastly, an SMS is explicit because all safety management activities are documented, visible and therefore defensible. Safety management activities and the ensuing safety management know-how of the organization are formally recorded in official documentation that is available for anyone to access. Thus, safety management activities are transparent. In this respect, the "safety library" discussed in Chapter 4 plays a fundamental role in ensuring that safety management activities and know-how are documented in formal organizational structures and do not reside in the heads of individuals. An organization that allows a situation to develop where safety management activities and know-how reside in the heads of individuals exposes itself to a highly volatile situation in terms of preservation of safety activities and know-how.

7.4 SYSTEM DESCRIPTION

7.4.1 A system description is the first prerequisite to the development of an SMS. Chapter 2 discusses the interrelationship between people, context and safety in aviation environments. The discussion proposes that the sources of safety vulnerabilities during the delivery of services are found in mismatches in the interface between people and the other components of the operational context in which people conduct their service-delivery activities. Potential safety vulnerabilities arising from the interactions between people and other components of the operational context can specifically be characterized in terms of hazards, which have identifiable and controllable elements. Hazards are unique components of production systems, and most hazards unleash their damaging potential as a consequence of operational interactions with the different components of the system.

7.4.2 A simple example follows. Fuel is a component of the aviation system and, just like any source of energy, is a hazard. While it is stored in underground tanks, untouched, the damaging potential of fuel as a hazard is low. Aircraft are also components of the aviation system. People must fuel aircraft. During fuelling operations by people (an operational interaction essential for service delivery), the damaging potential of fuel as a hazard increases significantly. Fuelling procedures are then implemented to bring the safety risks of fuelling operations under organizational control. These procedures are based on the identification and control of the elements of the hazard. The identification of the elements of hazards and, to a large extent, their control rely, as a first and essential step, on the system description.

7.4.3 The example used in Chapter 2 to explain the interrelationship between people, context and safety in aviation environments is also useful to explain a system description.

7.4.4 Figure 7-2 depicts an environment in which a service delivery activity takes place. The service in question is the delivery of small packages to the other side of the mountains by people (the caveman). The combination of the people involved in the service delivery, the tools and means that they will utilize, and the features of the environment constitute the operational context in which the service delivery activity will take place. The system in question is a socio-technical system (i.e. a system that combines people and technology) for the delivery of packages. Since the sources of safety vulnerability are specifically characterized as hazards that can be found in mismatches in the interface between people and other components of the operational context in which people conduct their service-delivery activities, the first step in identifying such mismatches is to describe the system in terms of its components and their interactions.

Figure 7-2. System description

7.4.5 A description of this system in terms of its components and their interactions, utilizing the SHEL model discussed in Chapter 2, could be as follows. The function of the socio-technical system is package delivery. It interfaces with other systems: a topographical system, a weather system and a wildlife system. There is a social component: people. There are human performance considerations which are fundamental for system operation: how will people perform when interacting with the lions, with the mountains and with the weather? There are hardware components in the system: the road across the mountains and the warning signs. There are also software components: documentation, procedures and training to guide people in the operation of and interaction with the system (how to deal with the lions, how to negotiate the curves in the road, how to protect against the weather) while at the same time ensuring service delivery (packages must be delivered intact to the other side of the mountain).

7.4.6 In formal or technical terms, a system description in aviation should include the following:

a) system interactions with other systems in the air transportation system;
b) system functions;
c) required human performance considerations for system operation;
d) hardware components of the system;
e) software components of the system, including related procedures that define guidance for the operation and use of the system;
f) the operational environment; and
g) contracted and purchased products and services.

7.4.7 Appendix 1 to this chapter provides guidance on system description.

7.5 GAP ANALYSIS

7.5.1