INTRODUCTION

ICAO Doc 9859 is a valuable source of information for everyone who wants to understand Safety Management System (SMS) in details.

In this blog I am going to use flower pot illustration from ICAO Doc 9859 Ed 2 to explain why we should be focused on how Hazard could be released (Hazard Consequence) and not on Hazard itself.

Every Hazard may release its potential in more than one, usually several different scenarios, which resulted in several different Hazard Consequences. It is important to recognise that it is not Hazard itself, but different Hazard release scenarios, are subjects for Safety Risk Assessments (SRA). Scenarios with negligible severity or extremely low probability might be considered as scenarios with acceptable risk, while others should be considered as Safety Issues.

Result of SRA is risk tolerability which could be compared with traffic light; red (unacceptable risk), amber (tolerable risk) and green (acceptable risk). Red light orders to stop immediately your activities and to apply appropriate mitigation measures to either reduce the likelihood of occurrence or consequence severity.

Scenarios with amber risk might be tolerated for certain time period and under controlled conditions.In return to such facilitation, you get some additional time to modify your activities and find a solution with acceptable safety risk level.

FLOWER POT AS MOVIE STAR

When assessing safety risks we are like movie directors looking for “interesting” scenarios. Scenario with acceptable risk is not interesting for us, but we shall record it to our safety library for evidence and for reassessment after a certain period according to established reassessment policy (e.g. after 2 years).

Scenarios

Scenario with negligible severity would be when flower pot of good quality falls down from the shelf of the ground floor apartment without any damage. No consequence (cost), except some time needed to put it back on the shelf. Such risk is acceptable, but not many people would like to see this movie, so this is not an “interesting” scenario for SRA.

On the opposite side scenario with catastrophic outcome would be when flower pot falls down from the shelf of the second floor apartment, hurting/killing someone passing by below the shelf. Scenario resulting in a dead person has unacceptable safety risk and it is an excellent template for a dramatic movie, so this is a “top interesting” scenario for SRA.

In between, (may be not interesting for movie makers, but definitely for aviation service providers) are scenarios with many different outcomes (costs). For all such scenarios appropriate SRA has to be performed and risk level has to assessed based on predefined criteria.

Safety risk

Safety Risk is a product of Severity (of Consequence, if it would occur) and Likelihood (of potential Occurrence).

If we want to keep Safety Risk low in cases with high Severity, we need to ensure that Likelihood would be as low as possible. We can reduce safety risk to an acceptable level in one step or via intermediate tolerable level, by implementing effective mitigation measures (in our illustration removing shelves, blocking window opening, installing protective bar, fence, … ).

Mitigation measures (also called Barriers or Controls) could be identified on 3 different levels: technology, regulation/procedure or training.

TIPS AND TRAPS

Remember that you should always, not just in aviation, be vigilant about possible risky situations and aware of possible scenarios how release of related Hazard potential may result in several different Hazard Consequences. At least some of them would always need to be considered as Safety Issues for a which thorough Safety Risk Assessments shall be performed.

Keep SRA up to date! Once when Safety Risk Assessment is finished and completed, it represents the existing situation of risk based on our knowledge about the safety related conditions at that particular time. To keep SRA up to date, an adequate “maintenance” procedures should be established defining when and what has to be reviewed.

Flower pot play a role of Hazard in all our scenarios, but Hazard Consequences differ from scenario to scenario, telling us that Hazard Consequence depends on circumstances (ground floor or second floor window, someone passing by, car parked, … ) present when Hazard potential has been released.

Let’s take “using wrong runway exit” as flower pot. Capt. Lucky and Capt. Unlucky might be put in the same situation, but on different airports, in different weather conditions, traffic density, visibility, fatigue level, etc. (different circumstances), resulting in no consequence at all for Capt Lucky (flower pot on ground floor apartment shelf) and in a catastrophic outcome for Capt Unlucky (flower pot on the second floor apartment shelf).

Andrej Petelin

Aviation Safety and Compliance Consultant
December, 2019