4-2 Safety Management Manual SMM 4.2.4 Consider, for example, wind, a normal component of the natural environment. Wind is a hazard: it is a condition with the potential to cause injuries to personnel, damage to equipment or structures, loss of material, or reduction of ability to perform a prescribed function. A fifteen-knot wind, by itself, does not necessarily hold potential for damage during aviation operations. In fact, a fifteen-knot wind blowing directly down the runway will contribute to improving aircraft performance during departure. However, when a fifteen-knot wind blows in a direction ninety degrees across a runway of intended take-off or landing, it becomes a crosswind. It is only then, when the hazard interfaces with the operations of the system take-off or landing of an aeroplane aimed at service delivery the need to transport passengers or cargo tofrom the particular aerodrome while meeting a schedule that its potential for damage becomes a safety concern a lateral runway excursion because the pilot may not be able to control the aeroplane as a consequence of the crosswind. This example illustrates the discussion in 4.2.3: a hazard should not necessarily be considered as a “bad thing” or something with a negative connotation. Hazards are an integral part of operational contexts, and their consequences can be addressed through various mitigation strategies to contain the hazard’s damaging potential, which will be discussed later in this manual. 4.2.5 A consequence is defined as the potential outcome or outcomes of a hazard. The damaging potential of a hazard materializes through one or many consequences. In the example of the crosswind above, one consequence of the hazard “crosswind” could be “loss of lateral control”. A further, more serious consequence could be “runway lateral excursion”. An even more serious consequence could be “damage to landing gear”. It is important, therefore, to describe all likely consequences of a hazard during hazard analysis and not only the most obvious or immediate ones. 4.2.6 The discussion on the consequences of hazards brings two important points to bear in mind. First, hazards belong in the present. They are, in most cases, part of the operational context, and therefore they are present in the workplace before operational personnel “show up to work”. As physical components of the operational context or workplace, most hazards are, and should be, detectable through audits. Consequences, on the other hand, belong in the future. They do not materialize until hazards interact with certain operations of the system aimed at service delivery. It is as a consequence of this interaction that hazards may unleash their damaging potential. This brings about one essential tenet of safety management: mitigation strategies should aim at proactively containing the damaging potential of hazards and not at waiting until the consequences of hazards materialize and then reactively address such consequences. 4.2.7 Second, for the purpose of safety management, the consequences of hazards should be described in operational terms. Many hazards hold the potential for the ultimate and most extreme consequence: loss of human life. Most hazards hold the potential for loss of property, ecological damage and similar high-level consequences. However, describing the consequences of hazards in extreme terms makes it difficult to design mitigation strategies, except cancellation of the operation. In order to design mitigation strategies to address the safety concerns underlying the less- than-extreme, lower-level operational consequences of the hazard for example, crosswind, such consequences must be described in operational terms runway lateral excursion, rather than in extreme terms loss of life. 4.2.8 Chapter 2 discusses safety as a condition of controlled safety risk. The description of the consequences of hazards that may affect a particular operation is part of the assessment of the safety risks of the consequences of hazards discussed in Chapter 5. The assessment of the safety risks of the consequences of hazards allows an organization to make an informed decision about whether it can achieve the condition of control of the safety risks and thus continue the operation. If the consequences of the hazard crosswind are described in extreme terms loss of life rather than operational terms runway lateral excursion, the safety risk assessment is largely voided, since the condition of control of the safety risks will unlikely be achieved, unless formidable expenditure is incurred, and the likely mitigation will be cancellation of the operation. 4.3 FIRST FUNDAMENTAL — UNDERSTANDING HAZARDS 4.3.1 As already discussed, there exists a tendency to confuse hazards with their consequences. When this happens, the description of the hazard in operational terms then reflects the consequences rather than the hazard itself. In other words, it is not uncommon to see that hazards are described as their consequences. Chapter 4. Hazards 4-3 4.3.2 Stating and naming a hazard as one of its consequences has the potential for not only disguising the true nature and damaging potential of the hazard in question, but it also interferes with the identification of other important consequences of the hazard. 4.3.3 On the other hand, properly stating and naming hazards allows one to identify the nature and damaging potential of the hazard, to correctly infer the sources or mechanisms of the hazard and, most importantly, to evaluate the outcomes other than extreme outcomes in terms of the magnitude of the potential loss, which is one of the final objectives of safety risk management as discussed in Chapter 5. 4.3.4 A further example is presented to illustrate the difference between hazards and consequences. An aerodrome operates with its signage in a state of disrepair. This complicates the task of ground navigation by aerodrome users, both aircraft and ground vehicles. In this case, the correct naming of the hazard could be “unclear aerodrome signage” i.e. a condition with the potential to cause injuries to personnel, damage to equipment or structures, loss of material, or reduction of ability to perform a prescribed function. As a result of this hazard, many possible consequences are possible. One consequence i.e. one potential outcome of the hazard “unclear aerodrome signage” may be “runway incursion”. But there may be other consequences: ground vehicles driving into restricted areas, aircraft taxiing into wrong taxiways, collision between aircraft, collision between ground vehicles, collision between aircraft and ground vehicles, and so forth. Thus, naming the hazard as “runway incursion” instead of “unclear aerodrome signage” disguises the nature of the hazard and interferes with the identification of other important consequences. This will likely lead to partial or incomplete mitigation strategies. 4.3.5 Hazards can be grouped into three generic families: natural hazards, technical hazards and economic hazards. 4.3.6 Natural hazards are a consequence of the habitat or environment within which operations related to the provision of services take place. Examples of natural hazards include: a severe weather or climatic events e.g. hurricanes, winter storms, droughts, tornadoes, thunderstorms, lighting and wind shear; b adverse weather conditions e.g. icing, freezing precipitation, heavy rain, snow, winds and restrictions on visibility; c geophysical events e.g. earthquakes, volcanoes, tsunamis, floods and landslides; d geographical conditions e.g. adverse terrain or large bodies of water; e environmental events e.g. wildfires, wildlife activity, and insect or pest infestation; andor f public health events e.g. epidemics of influenza or other diseases. 4.3.7 Technical hazards are a result of energy sources electricity, fuel, hydraulic pressure, pneumatic pressure and so on or safety-critical functions potential for hardware failures, software glitches, warnings and so on necessary for operations related to the delivery of services. Examples of technical hazards include deficiencies regarding: a aircraft and aircraft components, systems, subsystems and related equipment; b an organization’s facilities, tools and related equipment; andor c facilities, systems, subsystems and related equipment that are external to the organization. 4-4 Safety Management Manual SMM 4.3.8 Economic hazards are the consequence of the socio-political environment within which operations related to the provision of services take place. Examples of economic hazards include: a growth; b recession; and c cost of material or equipment. 4.3.9 Safety management activities aimed at controlling safety risks will mostly, but not necessarily exclusively, address technical and natural hazards. 4.4 SECOND FUNDAMENTAL — HAZARD IDENTIFICATION 4.4.1