
SAFETY ORGANIZATION 3

3.2 Basic Safety Concepts

In order to understand and build the justification for SMS, ICAO has reviewed the strengths and weaknesses of many established approaches to safety. A contemporary approach to safety, according to ICAO, should take the view that (ICAO, 2013b, 2013c):

Safety is the state in which the possibility of harm to persons or property damage is reduced to, and maintained at or below, an acceptable level through a continuing process of hazard identification and safety risk management.

Traditional approaches to safety have focused on active failures and tended to neglect the role of latent work conditions created by organizations. Their focus has been on the outcome of safety management rather than on the organizational processes that manage safety. Organizational processes that create latent conditions of failure are under the direct control of senior management and include policy making, planning and communication, allocation of resources, supervision, and so forth.

Safety thinking has also been expanded from studying technical factors to include human factors and organizational factors in safety.

In modern systems, practitioners, tools, and technologies interact in complex ways and present challenges that often exceed human capabilities. Understanding how system complexity affects humans at work is fundamental to safety management. Therefore, safety is not a matter of error-free performance but rather a question of effective error management (McDonald 2006). This implies that errors should be studied together with cases of successful action under the same working conditions. In this sense, ICAO considers operational errors to be normal outcomes of complex systems in which people and technology interact to achieve production goals.

6 8 COGNITIVE ENGINEERING AND SAFETY ORGANIZATION

In the ICAO documents, safety management is just another organizational function that must be considered with the same importance as other core business functions. Although safety may not be the first priority of organizations, the management of safety allows them to achieve their business objectives and deliver their services. In this sense, safety management should examine the organization's goals and allow for a balanced allocation of resources between production and protection.

Stolzer et al. (2008) have proposed that safety management can be seen as a system that allows organizational processes relevant to safety to be identified, measured, monitored, and finally improved. Indeed, safety should have a high priority in the organizational structure and not be an issue that is dealt with only within the safety department. In the same way that quality management systems cut across departments, so should safety cut across common organizational silos (Ulfvengren 2010). Safety management has built on quality management principles and moved away from measuring safety outcomes in terms of undesired events. Especially for organizational change and innovation, there is a growing demand for integrating the management of quality, safety, and productivity.

ICAO argues that aviation service providers should apply their business practices to aviation safety and collect operational data in order to develop their safety space.

“Within a safety space, the organization can freely roam while delivering its services, with the assurance that it is within a space of maximum resistance to the safety hazards which exist in the context in which it must operate to deliver its service.” (ICAO 2013c).

In the past, many organizations relied on reactive data collection triggered by incidents and accidents. ICAO has advocated the use of proactive data collection using safety surveys, safety audits, and mandatory and voluntary reporting. More safety-mature organizations adopt advanced data collection systems by making use of confidential reporting, flight data analysis, and normal operations monitoring (Rignér et al. 2009). A statistical analysis of this information may be indicative of emerging risks from a variety of sources. When combining reactive, proactive, and predictive strategies, a safety intelligence function is developed that shows the level of maturity in safety management (Kirwan 2013).

3.3 The Safety Envelope of Aviation Systems

A system of work operates within a dynamic environment that exerts pressure and makes the system modify its structure and behavior over time. Financial pressures create a gradient toward efficiency that constrains practitioners into plans that cater for efficiency and economic survival. Furthermore, demand-capacity mismatches and workload create a gradient toward economic effort that forces practitioners to find "easier ways" to do the job or take on more responsibilities with fewer resources. Finally, work is constrained by safety requirements that create a third gradient toward safe performance and away from the safety failure boundary. Overall, the three boundary conditions create a safety envelope within which organizations should work (Rasmussen 1997). As the performance of organizations varies over time, some variability should be expected; it is represented as an operating point or a cycle inside the safety envelope (Figure 3.1).

[Figure 3.1: diagram of the safety envelope. Labels: boundary to unacceptable workload; safety failure boundary; boundary to financial failure; marginal boundary; safety margin; operating point (OP); gradient toward safety; gradient to economic effort; gradient toward efficiency; accident.]

Figure 3.1 A safety envelope created by the boundaries of financial failure, high workload and safety failure. (From Rasmussen, J., Safety Science, 27, 183–213, 1997.)


The size of the safety envelope is a function of the constraints imposed by the boundaries of operation. Under increasing competition, for instance, the financial failure boundary creates a smaller performance envelope by limiting the options open to operating staff. The size of the performance envelope may also change over time, from the initial design of the system to its operation and evolution.

According to Amalberti (2001), at the design stage, the system is designed to operate according to a set of rules and procedures with some regard for the likely financial pressures; procedures act as defenses against errors and constrain variability in the plans of practitioners. As the system commences operation, it must adapt continuously to new social and technical demands. The pressure to increase system output with constrained resources (that is, doing the same amount of work with less staff and fewer tools) can make practitioners act more quickly and bypass procedures. This adaptation of work to increasing system demands may cause a migration toward the safety failure boundary. However, system performance may appear stable since there is a buffer zone, or safety margin, that keeps the system away from the safety failure boundary. Operating close to the safety margin can be viewed as providing management with the maximum benefit for an accepted probability of harm (Amalberti et al. 2006). This mode of performance is seen as beneficial rather than risky, and it is tolerated or sometimes required by management.

As practitioners try harder to work in more efficient ways, they come closer to the safety failure boundary, but this migration is invisible since it becomes routine and seems to evolve without any breach of safety. Migration from official work practices can persist and evolve for years, without any breach of safety, until the real safety failure boundary is reached. After an accident, practitioners may wonder what happened because they did not do anything different from what they had done in the recent past. Therefore, accidents in complex systems do not occur only because of unusual events or actions; instead, they may result from a combination of increasing demands and a hidden migration of work practices.

The extent to which practitioners can stay within work boundaries determines how much drift the organization can tolerate without failure. Safety can be improved by three means:


1. Increasing the size of the safety space by relaxing constraints and boundaries
2. Reducing the circle of the operating point of the system by reducing variability of performance within the operating teams
3. Operating the system away from the safety failure boundary

The third characteristic of performance may be exploited by safety-critical organizations in different ways. For instance, low-risk organizations may choose to stay well away from the safety failure boundary.

Others may choose an operating point much closer to the safety failure boundary, where safety is achieved by knowing its location and ensuring that migrations stay small. Cook and Rasmussen (2005) found that high reliability organizations (HROs) manage small transgressions inside the margin of safety without losing sight of the work boundaries (see Figure 3.2).

Systems may become unstable as they become more tightly coupled and attempt larger movements away from the safety failure boundary (in other words, the operating point moves closer to the safety failure boundary and its circle size may also increase). Losing sight of the safety failure boundary and attempting large migrations usually characterizes low reliability organizations (Cook and Rasmussen 2005). Hence, organizations that come closer to the margin of safety should try to recognize such cases and institute actions to reestablish operations inside the performance envelope. On some occasions, it must also be recognized that a boundary may be crossed intentionally in the execution of appropriate safety interventions (e.g., in case of unexpected emergencies due to unrecognized events and conditions).

[Figure 3.2: diagram mapping organizations into the safety envelope. Labels: boundary to unacceptable workload; safety failure boundary; boundary to financial failure; marginal boundary; safety margin; boundary defined by official rules; operating point (OP); "operates near margin, operating point becomes wider due to variability"; "operates near margin, maintains smaller operating point"; "stays away from boundary of unacceptable performance".]

Figure 3.2 Mapping high and low reliability organizations into the safety envelope. (From Cook, R.I. and Rasmussen, J., Quality and Safety in Health Care, 14, 2, 130–134, 2005.)
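The drift described in this section and the HRO/LRO contrast of Figure 3.2 can be made concrete with a small simulation, added here as an illustration and not taken from the book or from Rasmussen's or Cook's work. It reduces the envelope to one axis (design point at 0.0, safety failure boundary at 1.0): the gradient toward efficiency drags the mean operating point toward the boundary, and the two organizations differ only in variability and in whether they re-centre when a sample enters the safety margin. All names, parameters and the one-dimensional reduction are assumptions of this example.

```python
import random
from dataclasses import dataclass, field

# Constructed toy model (assumption of this example, not from the book): the
# operating point lives on one axis, 0.0 = design point, 1.0 = safety failure
# boundary. The gradient toward efficiency drags the mean operating point
# toward 1.0 every step; performance variability is the radius of the OP circle.

@dataclass
class Organization:
    name: str
    variability: float     # radius of the operating-point circle
    margin: float          # width of the safety margin in front of the boundary
    tracks_boundary: bool  # HRO behaviour: re-centre when a sample enters the margin

@dataclass
class Outcome:
    failures: list = field(default_factory=list)  # steps where the boundary was crossed (reactive data)
    margin_entries: int = 0                        # samples inside the margin (proactive data)
    corrections: int = 0                           # re-centring actions taken

def simulate(org: Organization, steps: int = 200, gradient: float = 0.02,
             boundary: float = 1.0, seed: int = 7) -> Outcome:
    rng = random.Random(seed)
    mean, out = 0.0, Outcome()
    for t in range(steps):
        mean += gradient                           # efficiency pressure: the mean drifts
        sample = mean + rng.uniform(-org.variability, org.variability)
        if sample >= boundary:
            out.failures.append(t)                 # only visible after the fact
        elif sample >= boundary - org.margin:
            out.margin_entries += 1                # visible before any accident
            if org.tracks_boundary:
                # Pull the whole circle back outside the margin: small transgressions
                # are tolerated, but the boundary's location is never lost.
                mean = boundary - org.margin - org.variability
                out.corrections += 1
    return out

HRO = Organization("high-reliability", variability=0.05, margin=0.2, tracks_boundary=True)
LRO = Organization("low-reliability", variability=0.30, margin=0.2, tracks_boundary=False)

def first_failure(org: Organization):
    # Step of the first boundary crossing, or None if the organization never crosses.
    failures = simulate(org).failures
    return failures[0] if failures else None

if __name__ == "__main__":
    for org in (HRO, LRO):
        r = simulate(org)
        print(f"{org.name}: first accident {first_failure(org)}, margin entries {r.margin_entries}, corrections {r.corrections}")
```

Running the block prints, for each organization, the reactive indicator (first accident) next to the proactive one (margin entries): the low-reliability organization reports nothing until the crossing, while the high-reliability one sees margin entries early and never crosses.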