INTRODUCTION
Safety controls (often referred to as safety barriers or mitigation measures) are defences put in place
to prevent realisation of a hazard or its escalation into undesirable consequences.
Safety controls can be found at the technical, regulatory/procedural or training level, and may be of a
hardware, software or organisational nature, in the form of a policy, process, procedure or plan. Mainly
the following two types of safety control are used:
Prevention control - any measure taken either to remove the cause or to reduce the likelihood of
occurrence of an event (threat) that can generate an unsafe state and has the potential to release the hazard.
Recovery control - any measure taken either to reduce the likelihood of a consequence occurring or to
mitigate the severity of the consequence.
Safety controls already existed before the SMS era, but they were not considered independent
system elements. The need to formally identify safety controls appeared when barrier-based risk models
(like Bow-Tie) were recognised as a valuable approach for effective risk
assessment/visualisation and risk communication.
SAFETY CONTROLS REGISTER
The first step in establishing a barrier-based SMS approach is to identify all safety controls and to store
them, each with a unique ID, in the Safety Control Register.
Each safety control listed there shall be independent from other safety controls and shall be “owned”
by one person only.
In practice, these “independence” and “one person only” responsibility criteria can in some cases
generate multiple “sister” safety controls. For example, the “generic” safety control Quick Reference
Handbook (QRH) is split into multiple safety controls, one for each aircraft type (QRH A320, QRH CRJ,
…), having different “owners” (in this case Fleet Chief Pilots). The same logic also applies to the Minimum
Equipment List (MEL) safety control.
Another question when identifying safety controls is whether controls should be specified at a higher
system level (more generic and less detailed) or at a lower operational level (less generic and more
detailed). Here are some examples for illustration.
Go-around is a statistically based operational Safety Control: a procedure established to be
used if the aeroplane is not stabilised in accordance with the air operator's stabilised approach criteria,
in order to prevent Runway Excursion. Speed crosscheck at 100 kts IAS is a Safety Control which tells the
Pilot In Command (PIC) whether another Safety Control, named Aborted Take-off (if needed for more
detailed purposes, this Safety Control might be divided into High Speed Aborted Take-Off and Low
Speed Aborted Take-Off), shall be used in order to prevent Take-Off with unreliable speed indication.
What about safety controls provided by external service providers? Should external safety controls
also be part of the Safety Control Register?
For example, at system level we shall take into account that Airport Security should be of the same
standard in EASA states, but different (e.g. no Controlled Part of Security Restricted Area (CPSRA))
and possibly specific in non-EASA states. At operational level, Airport Security Check is one of the safety
controls we do not “own”, but it is followed by our own safety controls: Aircraft Access Control and Aircraft
Security Search (if needed for more detailed purposes, this safety control might be divided into Aircraft
Interior Security Search and Aircraft Exterior Security Search), which we can use to compensate, to a
certain extent, for an externally performed Airport Security Control that is not adequately reliable or effective.
Airport Wildlife Management is also one of the external safety controls, where the only (indirect) safety
control would be the contract with the airport. We may consider Bird Visual Detection, followed by
preventive Aborted Take-Off, as 2 direct safety controls we have as operator, but the first one, the
triggering one, is too unreliable.
The main problem with contract-related safety controls is that their effectiveness greatly depends on
who acts as the customer in the relationship. In real life, smaller air operators might encounter some
arrogant suppliers in the areas of maintenance and ground handling. However, Contract, Joint Procedure
Manual (JPM), Supplier Monitoring and Supplier Audit are definitely safety controls to be used to
manage safety risks coming from external service providers; Acceptance / Incoming Inspection might
be used in addition for suppliers of products.
TIPS AND TRAPS
The dilemma about external safety controls does not actually exist. The ICAO Doc. 9859 fourth edition
from 2018 introduced the “Total system safety approach”, in which all service providers and their systems
(and safety controls) have to be considered as subsystems of our SMS, and therefore we have to
include external safety controls in our safety controls register.
While developing the Safety Control Register we should always keep in mind that safety controls should
be appropriately identified to meet our needs for a) barrier-based risk assessment, b) barrier-based
investigation and c) control performance measurement (effectiveness, reliability and efficiency).
Safety controls shall be regularly addressed by the management (e.g. at Safety Review Board (SRB) and
Safety Action Group (SAG) meetings) and checked by audits (e.g. Safety Audits). Hazard “owners”
shall be periodically informed about safety control performance by the safety control “owner” and by
the Safety Manager as an independent monitoring source.
Andrej Petelin
Aviation Safety and Compliance Consultant
February, 2020