Safety controls (often referred to as safety barriers or mitigation measures) are defences put in place to prevent realisation of a hazard or its escalation into undesirable consequences.

Safety controls can be found at the technical, regulatory/procedural or training level; they can be of a hardware, software or organisational nature, and can take the form of a policy, process, procedure or plan. Two main types of safety controls are used:

Prevention control - any measure taken either to remove the cause or to reduce the likelihood of occurrence of an event (threat) that can generate an unsafe state and has the potential to release the hazard.

Recovery control - any measure taken either to reduce the likelihood of a consequence occurring or to mitigate the severity of the consequence.

Safety controls already existed before the SMS era, but they were not considered independent system elements. The need to formally identify safety controls appeared when barrier-based risk models (like Bow-Tie) were recognised as a valuable approach for effective risk assessment/visualisation and risk communication.


The first step in establishing a barrier-based SMS approach is to identify all safety controls and to store them, each with a unique ID, in the Safety Control Register.

Each safety control listed there shall be independent from other safety controls and shall be “owned” by one person only.

In practice, these “independence” and “one person only” responsibility criteria can in some cases generate multiple “sister” safety controls. For example, the “generic” safety control Quick Reference Handbook (QRH) is split into multiple safety controls, one for each aircraft type (QRH A320, QRH CRJ, …), each having a different “owner” (in this case the Fleet Chief Pilots). The same logic also applies to the Minimum Equipment List (MEL) safety control.

Another question when identifying safety controls is whether controls should be specified on a higher system level (more generic and less detailed) or on a lower operational level (less generic and more detailed). Here are some examples for illustration.

Go-around is a statistically based operational Safety Control, actually a procedure established to be used if the aeroplane is not stabilised in accordance with the air operator's stabilised approach criteria, in order to prevent Runway Excursion. Speed crosscheck at 100 kts IAS is a Safety Control which tells the Pilot In Command (PIC) whether another Safety Control, named Aborted Take-Off (if needed for more detailed purposes, this Safety Control might be divided into High Speed Aborted Take-Off and Low Speed Aborted Take-Off), shall be used in order to prevent Take-Off with unreliable speed indication.

What about safety controls provided by external service providers? Should external safety controls also be part of the Safety Control Register?
For example, on the system level we shall take into account that Airport Security should be of the same standard in EASA states, but different (e.g. no Controlled Part of Security Restricted Area (CPSRA)) and possibly specific in non-EASA states. On the operational level, Airport Security Check is one of the safety controls we do not “own”, but it is followed by our own safety controls: Aircraft Access Control and Aircraft Security Search (if needed for more detailed purposes, this safety control might be divided into Aircraft Interior Security Search and Aircraft Exterior Security Search), which we can use to compensate, to a certain extent, for an externally performed Airport Security Control that is not adequately reliable or effective.

Airport Wildlife Management is also one of the external safety controls, where the only (indirect) safety control would be the contract with the airport. We may consider Bird Visual Detection, followed by a preventive Aborted Take-Off, as 2 direct safety controls we have as an operator, but the first one, the triggering one, is too unreliable.

The main problem with contract-related safety controls is that their effectiveness greatly depends on who acts as the customer in the relationship. In real life, smaller air operators might encounter some arrogant suppliers in the areas of maintenance and ground handling. However, Contract, Joint Procedure Manual (JPM), Supplier Monitoring and Supplier Audit are definitely safety controls to be used to manage safety risks coming from external service providers; Acceptance / Incoming Inspection might be used in addition for suppliers of products.


The dilemma about external safety controls does not actually exist. ICAO Doc. 9859, fourth edition, from 2018, introduced the “Total system safety approach”, in which all service providers and their systems (and safety controls) have to be considered as subsystems of our SMS, and therefore we have to include external safety controls in our Safety Control Register.

While developing the Safety Control Register, we should always keep in mind that safety controls should be appropriately identified to meet our needs for a) barrier-based risk assessment, b) barrier-based investigation and c) control performance measurement (effectiveness, reliability and efficiency).

Safety controls shall be regularly addressed by the management (e.g. at Safety Review Board (SRB) and Safety Action Group (SAG) meetings) and checked by audits (e.g. Safety Audits). Hazard “owners” shall be periodically informed about safety control performance by the safety control “owner” and by the Safety Manager as an independent monitoring source.

Andrej Petelin

Aviation Safety and Compliance Consultant
February, 2020