Chapter 3. Introduction to Safety Management 3-9 system, people deliver the activities aimed at service delivery inside the drift. The fact remains, however, that in spite of all the system’s shortcomings leading to the drift, people operating inside the practical drift make the system work on a daily basis. People deploy local adaptations and personal strategies that embody the collective domain expertise of aviation operational professionals, thus circumventing system shortcomings. This adaptation process is captured by the vernacular expression “the way we do business here, beyond what the book says. 3.4.21 Capturing what takes place within the practical drift through formal means e.g. formally capturing collective domain expertise holds considerable learning potential about successful safety adaptations and, therefore, for the control of safety risks. The formal capture of collective domain expertise can be turned into formal interventions for system re- design or improvements, if the learning potential is applied in a principled manner. On the minus side, the unchecked proliferation of local adaptations and personal strategies may allow the practical drift to develop far too much from the expected baseline performance, to the extent that an incident or an accident becomes a possibility. Figure 3-4 illustrates the notion of the practical drift discussed in this paragraph. 3.5 STRATEGIES FOR SAFETY MANAGEMENT 3.5.1 The development of the practical drift is inevitable. All aviation organizations, even the soundest, most resilient organizations, conduct their daily operations inside the practical drift. The practical drift is simply inherent to the nature of dynamic and open socio-technical production systems, of which aviation is a prime example. On an everyday basis, while pursuing delivery of services, organizations navigate the practical drift, seeking to position themselves as far away as possible from points where the drift is at its maximum, and as closely as possible to the point of inception of the practical drift. During this daily navigation, organizations must overcome potentially opposing “currents” or obstacles: these are the hazards that arise as a consequence of an unbalanced allocation of resources to support the needs of the organization, and the non-resolution of the “dilemma of the two Ps”. Figure 3-4. The practical drift Operational deployment Baseline performance Op era tion al p erfo rm anc e “Practical drift” System design Te ch no lo gy Tra in in g R eg ula tio ns Source: Scott A. Snook 3-10 Safety Management Manual SMM 3.5.2 In order to successfully navigate the practical drift, organizations need navigation aids that generate the necessary information to negotiate currents and obstacles see Figure 3-5. These navigation aids capture operational data that, once analysed, will inform organizations of the best passages through the currents and obstacles. There are a number of navigation aids available to aviation organizations, which can be grouped into three types according to the seriousness of the consequences of the triggering event that launches the safety data capture process: reactive, proactive and predictive. 3.5.3 Reactive navigation aids require a very serious triggering event, with oftentimes considerable damaging consequences, to take place in order to launch the safety data capture process. Reactive navigation aids are based upon the notion of waiting until “something breaks to fix it”. They are most appropriate for situations involving failures in technology andor unusual events. Reactive navigation aids are an integral part of mature safety management. The contribution of reactive navigation aids to safety management nevertheless depends on the extent to which the information they generate goes beyond the triggering causes of the event, and the allocation of blame, and includes contributory factors and findings as to safety risks. The investigation of accidents and serious incidents are examples of reactive navigation aids. 3.5.4 Proactive navigation aids require a less serious triggering event, probably with little or no damaging consequences, to take place in order to launch the safety data capture process. Proactive navigation aids are based upon the notion that system failures can be minimized by identifying safety risks within the system before it fails, and taking the necessary actions to mitigate such safety risks. Mandatory and voluntary reporting systems, safety audits and safety surveys are examples of proactive navigation aids. 3.5.5 Predictive navigation aids do not require a triggering event to take place in order to launch the safety data capture process. Routine operational data are continually captured, in real time. Predictive navigation aids are based upon the notion that safety management is best accomplished by trying to find trouble, not just waiting for it to show up. Therefore, predictive safety data capture systems aggressively seek safety information that may be indicative of emerging safety risks from a variety of sources. Figure 3-5. Navigating the practical drift Organization Navigation aids Reactive Proactive Predictive Baseline performance Op era tion al p erfo rm anc e “Practical drift” Chapter 3. Introduction to Safety Management 3-11 3.5.6 Predictive safety data collection systems are essentially statistical systems, whereby a considerable volume of operational data, which alone are largely meaningless, are collected and analysed, and combined with data from reactive and proactive safety data collection systems. The aggregation of data thus leads to the development of a most complete intelligence that allows organizations to navigate around obstacles and currents and position themselves optimally within the drift. Hazard reporting systems, flight data analysis and normal operations monitoring are examples of predictive navigation aids. 3.5.7 Reactive, proactive and predictive safety data capture systems provide safety data for equivalent reactive, proactive and predictive safety management strategies, which in turn inform specific reactive, proactive and predictive mitigation methods. A summary of safety management strategies, as discussed in the previous paragraphs, is presented in Figure 3-6. 3.5.8 Mature safety management requires the integration of reactive, proactive and predictive safety data capture systems, a judicious combination of reactive, proactive and predictive mitigation strategies, and the development of reactive, proactive and predictive mitigation methods. Nevertheless, it is important to keep in mind, when developing mitigation strategies, that each of the three safety data capture systems discussed collect safety data at different levels of the operational drift. It is equally important to keep in mind that each of the three mitigation strategies and methods intervene at different levels of the practical drift. 3.5.9 In order to illustrate this, one must return to the practical drift, as pictured in Figure 3-7. Hazards exist as a continuum along the practical drift. If uncontained, they travel down the drift with increasing damaging potential. Close to the point of origin or inception of the practical drift, hazards are relatively harmless because they have had no opportunity to develop their damaging potential. The more hazards progress unimpeded along the practical drift, the more they gather momentum and increase their damaging potential. As hazards approach the point where the practical drift is widest, they have developed maximum potential for damage, including the potential for serious breakdowns. It is therefore essential for safety management to capture hazards as close as possible to the point of inception of the practical drift. Figure 3-6. Safety management strategies Predictive method The predictive method captures system performance as it happens in real-time normal operations to identify potential future problems Reactive method The reactive method responds to events that have already happened, such as incidents and accidents Proactive method The proactive method looks actively for the identification of safety risks through the analysis of the organization’s activities 3-12 Safety Management Manual SMM Figure 3-7. Strategies — Levels of intervention and tools 3.5.10 Predictive safety data capture systems, strategies and methods operate quite close to the origin or point of inception of the practical drift. This is a very high level of intervention and a highly efficient one. The reason for the high efficiency of predictive safety data capture systems, strategies and methods is two-fold: on the one hand, they deal with hazards when they are in their infancy, have had no opportunity to start developing their damaging potential, and are therefore easier to contain. Because of this, the mitigations developed from predictive safety data turn into containment nets or filters of such tightness that they almost totally block the passage of emerging hazards further down the continuum of the practical drift. 3.5.11 Proactive safety data capture systems, strategies and methods also operate upstream of the practical drift and the hazard continuum, but not as close to the origin or point of inception of the practical drift as predictive safety data capture systems, strategies and methods. This is also a high level of intervention, and a very efficient one. Nevertheless, hazards have had the opportunity to start developing their damaging potential. Because of this, the mitigations developed from proactive safety data turn into containment nets or filters that, while tight, allow the passage of developing hazards down the continuum. 3.5.12 Reactive safety data capture systems, strategies and methods operate at two levels of the practical drift. Some, such as mandatory occurrence reporting systems, operate at a middle level of intervention. This is an efficient level, but hazards have continued to grow in damaging potential. The mitigations developed from this first level of reactive safety data thus turn into containment nets or filters with a loose texture, which can frequently be penetrated by hazards. At the lowest level of reactive safety data capture systems, strategies and methods, accidents and serious incident investigation operate in a damage repair mode. The information derived from purely reactive safety data is insufficient for safety management. Predictive Safety management levels Highly efficient Desirable management levels Very efficient High Middle Low Hazards Insufficient Accident and incident reports ASR MOR ASR Surveys Audits FDA Direct observation systems Efficient Proactive Reactive Reactive Chapter 3. Introduction to Safety Management 3-13 3.6 THE IMPERATIVE OF CHANGE 3.6.1