Chapter 4 HAZARDS

4.1 OBJECTIVE AND CONTENTS

This chapter presents the fundamentals of hazard identification and analysis and includes the following topics:

a) Hazards and consequences;
b) First fundamental — Understanding hazards;
c) Second fundamental — Hazard identification;
d) Third fundamental — Hazard analysis; and
e) Fourth fundamental — Documentation of hazards.

4.2 HAZARDS AND CONSEQUENCES

4.2.1 Hazard identification and safety risk management are the core processes involved in the management of safety. They are neither new, nor have they been developed as a consequence of recent interest in safety management and, in particular, safety management systems (SMS). Hazard identification and safety risk management are dogmatic components that underlie the overarching concept of system safety. This is an all-encompassing, engineering-based approach that contributes to system design and which was developed more than forty years ago. The difference between traditional system safety and present-day safety management is that, because of its engineering roots, system safety focused mostly on the safety implications of technical aspects and components of the system under consideration, somewhat at the expense of the human component. Safety management, on the other hand, builds upon the dogma of system safety (hazard identification and safety risk management), and expands the field of perspective to include Human Factors and human performance as key safety considerations during system design and operation.

4.2.2 The differentiation between hazards and safety risks is oftentimes a source of difficulty and confusion. In order to develop safety management practices that are relevant and effective, a clear understanding of what is a hazard and what is a safety risk is essential. This chapter discusses hazards exclusively, while Chapter 5 discusses safety risks. In discussing hazards, and to assist in the understanding of the difference between hazards and safety risks, the discussion splits the overall concept of hazards into two components: the hazard itself, and its consequences. A clear understanding of the difference between these two components is also paramount for the practice of safety management.

4.2.3 A hazard is defined as a condition or an object with the potential to cause injuries to personnel, damage to equipment or structures, loss of material, or reduction of ability to perform a prescribed function. Systems in which people must actively and closely interact with technology to achieve production goals through delivery of services are known as socio-technical systems. All aviation organizations are thus socio-technical systems. Hazards are normal components or elements of socio-technical systems. They are integral to the contexts where delivery of services by socio-technical production systems takes place. In and by themselves, hazards are not “bad things”. Hazards are not necessarily damaging or negative components of a system. It is only when hazards interface with the operations of the system aimed at service delivery that their damaging potential may become a safety concern.

4.2.4 Consider, for example, wind, a normal component of the natural environment. Wind is a hazard: it is a condition with the potential to cause injuries to personnel, damage to equipment or structures, loss of material, or reduction of ability to perform a prescribed function. A fifteen-knot wind, by itself, does not necessarily hold potential for damage during aviation operations. In fact, a fifteen-knot wind blowing directly down the runway will contribute to improving aircraft performance during departure. However, when a fifteen-knot wind blows in a direction ninety degrees across a runway of intended take-off or landing, it becomes a crosswind. It is only then, when the hazard interfaces with the operations of the system (take-off or landing of an aeroplane) aimed at service delivery (the need to transport passengers or cargo to/from the particular aerodrome while meeting a schedule), that its potential for damage becomes a safety concern (a lateral runway excursion because the pilot may not be able to control the aeroplane as a consequence of the crosswind). This example illustrates the discussion in 4.2.3: a hazard should not necessarily be considered as a “bad thing” or something with a negative connotation. Hazards are an integral part of operational contexts, and their consequences can be addressed through various mitigation strategies to contain the hazard’s damaging potential, which will be discussed later in this manual.

4.2.5 A consequence is defined as the potential outcome or outcomes of a hazard. The damaging potential of a hazard materializes through one or many consequences. In the example of the crosswind above, one consequence of the hazard “crosswind” could be “loss of lateral control”. A further, more serious consequence could be “runway lateral excursion”. An even more serious consequence could be “damage to landing gear”. It is important, therefore, to describe all likely consequences of a hazard during hazard analysis and not only the most obvious or immediate ones.

4.2.6 The discussion on the consequences of hazards brings two important points to bear in mind. First, hazards belong in the present. They are, in most cases, part of the operational context, and therefore they are present in the workplace before operational personnel “show up to work”. As physical components of the operational context or workplace, most hazards are, and should be, detectable through audits. Consequences, on the other hand, belong in the future. They do not materialize until hazards interact with certain operations of the system aimed at service delivery. It is as a consequence of this interaction that hazards may unleash their damaging potential. This brings about one essential tenet of safety management: mitigation strategies should aim at proactively containing the damaging potential of hazards and not at waiting until the consequences of hazards materialize and then reactively addressing such consequences.

4.2.7 Second, for the purpose of safety management, the consequences of hazards should be described in operational terms. Many hazards hold the potential for the ultimate and most extreme consequence: loss of human life. Most hazards hold the potential for loss of property, ecological damage and similar high-level consequences. However, describing the consequences of hazards in extreme terms makes it difficult to design mitigation strategies, except cancellation of the operation. In order to design mitigation strategies to address the safety concerns underlying the less-than-extreme, lower-level operational consequences of the hazard (for example, crosswind), such consequences must be described in operational terms (runway lateral excursion), rather than in extreme terms (loss of life).

4.2.8 Chapter 2 discusses safety as a condition of controlled safety risk. The description of the consequences of hazards that may affect a particular operation is part of the assessment of the safety risks of the consequences of hazards discussed in Chapter 5. The assessment of the safety risks of the consequences of hazards allows an organization to make an informed decision about whether it can achieve the condition of control of the safety risks and thus continue the operation. If the consequences of the hazard (crosswind) are described in extreme terms (loss of life) rather than operational terms (runway lateral excursion), the safety risk assessment is largely voided, since the condition of control of the safety risks is unlikely to be achieved, unless formidable expenditure is incurred, and the likely mitigation will be cancellation of the operation.

4.3 FIRST FUNDAMENTAL — UNDERSTANDING HAZARDS

4.3.1