This document discusses the challenges of implementing preventative safety regulation in aviation rather than reactive regulation. It argues that current risk assessment methods are limited by relying on expert judgement without extensive data. There is also no integrated risk metric for the entire air transport system to assess different risks. As a result, the implementation of safety management systems may not be able to prevent complex system accidents involving multiple factors. The document calls for improvements to risk assessment methodologies and the development of a standardized system-wide risk metric in order to realize the goals of preventative safety management.
An overview of Enterprise Security Architecture (ESA), with a brief description of its key elements: TRA/PIA, Threat Modeling, Security Controls, Risk Assessment and Security Debt.
Human Factors_ The Journal of the Human Factors and Ergonomics Society-2016-L...Dr Marie Langer
The document describes two studies conducted to develop and deploy a Maintenance Operations Safety Survey (MOSS) tool modeled after the Line Operations Safety Audit (LOSA) used in flight operations. Study 1 involved developing MOSS through test observations to evaluate conducting peer observations of maintenance tasks and coding the data using a Threat and Error Management (TEM) framework. Study 2 deployed MOSS through observations of line maintenance checks by expert observers. The observations identified an average of 7.8 threats and 2.5 errors per check as well as links between threats, errors, and undesirable outcomes. The research demonstrated the feasibility of observing routine maintenance operations and using TEM-based results to identify successful strategies for managing threats and errors.
Human Factors (HF) covers a variety of issues that relate primarily to the individual and workforce, their behavior and attributes. Human error is still poorly understood by many stakeholders and so the risk assessments of operations or process often fall short in their capture of potential failures. There is little consideration of human factors in the engineering design of equipment, operating systems and the overall process, procedures and specific work tasks. Operational human factor issues are often treated on an ad-hoc basis in response to individual situations rather than as part of an overarching and comprehensive safety management strategy. The role that human factors play in the rate of incidents, equipment failure and hydrocarbon releases is poorly understood and underdeveloped.
The document discusses applying situation awareness (SA) theory to improve computer security incident response (IR) processes. It defines SA as having three levels - perception, comprehension, and projection. SA is important for effective decision making during IR phases like detection, analysis, containment, and improvement. The article recommends organizations focus on both technical and human/behavioral aspects of IR by establishing SA training, measuring SA, and making SA a shared responsibility across an organization. This will help IR teams make timely, informed decisions to advance incident response capabilities.
This document discusses a study that examined the effect of safety management systems on the performance of aviation firms in Kenya. It provides context on the aviation industry, defines safety management systems, and outlines the study's hypotheses that aspects of safety management systems (safety policy, safety risk management, safety assurance, and safety promotion) have significant effects on firm performance. The study used questionnaires to collect data from employees in aviation security departments in Kenya. The findings indicated that safety policy, safety risk management, and safety promotion had significant effects on performance, but safety assurance did not due to minimal external audits. The document provides background information on the aviation industry, safety management systems, and the study's theoretical framework and literature review.
1) Safety management systems (SMS) have been developed and implemented worldwide by aviation organizations to proactively manage safety risks through identification of hazards.
2) The International Civil Aviation Organization (ICAO) requires all airlines, air traffic control providers, aviation maintenance organizations, and airports to implement an SMS program by 2009.
3) An SMS uses procedures to identify and analyze hazards, eliminate them if possible, and manage associated risks through mitigation efforts and ongoing monitoring within a structured safety framework.
The document details an incident response investigation into several security breaches at Elf University, including a distributed denial of service attack against an API used to plan Santa's sleigh route, availability issues with a holiday cheer laser and MongoDB database, and compromised user profiles and terminal access. Vulnerabilities in the API allowed external attackers to alter weather data and prevent Santa from finding a safe route, and weaknesses across the environment contributed to various availability and integrity issues if not addressed could have threatened Christmas. The investigation identified over 95 unique IP addresses and user agents involved in the attacks and made recommendations around firewall configuration, credential management, and backups to prevent recurrence.
This document discusses security system monitoring in healthcare facilities. It defines a security command center and outlines important considerations for their design and operation, including officer selection and training, physical and psychological limitations of monitors, and how ergonomics can impact performance. Effective security command centers require defining the role and selecting trained officers, understanding human limitations, and optimizing the work environment through lighting, temperature, noise control and more.
An overview of Enterprise Security Architecture (ESA), with a brief description of its key elements: TRA/PIA, Threat Modeling, Security Controls, Risk Assessment and Security Debt.
Human Factors_ The Journal of the Human Factors and Ergonomics Society-2016-L...Dr Marie Langer
The document describes two studies conducted to develop and deploy a Maintenance Operations Safety Survey (MOSS) tool modeled after the Line Operations Safety Audit (LOSA) used in flight operations. Study 1 involved developing MOSS through test observations to evaluate conducting peer observations of maintenance tasks and coding the data using a Threat and Error Management (TEM) framework. Study 2 deployed MOSS through observations of line maintenance checks by expert observers. The observations identified an average of 7.8 threats and 2.5 errors per check as well as links between threats, errors, and undesirable outcomes. The research demonstrated the feasibility of observing routine maintenance operations and using TEM-based results to identify successful strategies for managing threats and errors.
Human Factors (HF) covers a variety of issues that relate primarily to the individual and workforce, their behavior and attributes. Human error is still poorly understood by many stakeholders and so the risk assessments of operations or process often fall short in their capture of potential failures. There is little consideration of human factors in the engineering design of equipment, operating systems and the overall process, procedures and specific work tasks. Operational human factor issues are often treated on an ad-hoc basis in response to individual situations rather than as part of an overarching and comprehensive safety management strategy. The role that human factors play in the rate of incidents, equipment failure and hydrocarbon releases is poorly understood and underdeveloped.
The document discusses applying situation awareness (SA) theory to improve computer security incident response (IR) processes. It defines SA as having three levels - perception, comprehension, and projection. SA is important for effective decision making during IR phases like detection, analysis, containment, and improvement. The article recommends organizations focus on both technical and human/behavioral aspects of IR by establishing SA training, measuring SA, and making SA a shared responsibility across an organization. This will help IR teams make timely, informed decisions to advance incident response capabilities.
This document discusses a study that examined the effect of safety management systems on the performance of aviation firms in Kenya. It provides context on the aviation industry, defines safety management systems, and outlines the study's hypotheses that aspects of safety management systems (safety policy, safety risk management, safety assurance, and safety promotion) have significant effects on firm performance. The study used questionnaires to collect data from employees in aviation security departments in Kenya. The findings indicated that safety policy, safety risk management, and safety promotion had significant effects on performance, but safety assurance did not due to minimal external audits. The document provides background information on the aviation industry, safety management systems, and the study's theoretical framework and literature review.
1) Safety management systems (SMS) have been developed and implemented worldwide by aviation organizations to proactively manage safety risks through identification of hazards.
2) The International Civil Aviation Organization (ICAO) requires all airlines, air traffic control providers, aviation maintenance organizations, and airports to implement an SMS program by 2009.
3) An SMS uses procedures to identify and analyze hazards, eliminate them if possible, and manage associated risks through mitigation efforts and ongoing monitoring within a structured safety framework.
The document details an incident response investigation into several security breaches at Elf University, including a distributed denial of service attack against an API used to plan Santa's sleigh route, availability issues with a holiday cheer laser and MongoDB database, and compromised user profiles and terminal access. Vulnerabilities in the API allowed external attackers to alter weather data and prevent Santa from finding a safe route, and weaknesses across the environment contributed to various availability and integrity issues if not addressed could have threatened Christmas. The investigation identified over 95 unique IP addresses and user agents involved in the attacks and made recommendations around firewall configuration, credential management, and backups to prevent recurrence.
This document discusses security system monitoring in healthcare facilities. It defines a security command center and outlines important considerations for their design and operation, including officer selection and training, physical and psychological limitations of monitors, and how ergonomics can impact performance. Effective security command centers require defining the role and selecting trained officers, understanding human limitations, and optimizing the work environment through lighting, temperature, noise control and more.
Future internet articleermoctave a risk management fraarnit1
This document introduces a new risk management framework called ERMOCTAVE for assessing risks associated with adopting cloud computing. ERMOCTAVE combines two existing risk management methods - Enterprise Risk Management (ERM) and Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) - to provide a more comprehensive approach. The framework distributes ERM components across the three phases of the OCTAVE method. A case study is presented to demonstrate how ERMOCTAVE can be applied to assess risks when migrating systems to the Microsoft Azure cloud.
Human Factors in a Safety
Management System – Breaking the
Chain
A safety management system (SMS) goes
beyond the health and safety concerns
usually associated with the mining or
building and construction disciplines. Ever
thought about the aerospace and defence
industries?
This presentation includes understanding
the human factors and cultural growth that
need to occur within any industry wanting
to implement a successful SMS.
White paper holistic_approach_to_government_continuity_of_operations_apr2014EMC
This document discusses the need for government agencies to take a holistic, automated approach to continuity of operations (COOP) planning given the diverse and changing threat landscape. It recommends that agencies develop comprehensive COOP plans that incorporate governance, risk management, compliance and address physical, cyber and operational threats. The plans should be maintained in a centralized tool to ensure they are up-to-date, integrated and accessible across all relevant parties.
This document analyzes intuitive and sophisticated aviation systems, and proposes that a resilience system combining both approaches is best. It notes intuitive systems are easy to learn but unstable, while sophisticated systems are stable but complex. A resilience system allows organizations to tailor the approach based on factors like employee experience levels and workload. Large established groups could rely more on sophisticated systems, while new airlines may prefer intuitive systems, but all benefit from a balanced resilience model.
This reviews the strengths and weaknesses of long-established approaches to safety, and proposes new perspectives and concepts underlying a contemporary approach to safety.
This includes the following topics:
a) The concept of safety;
b) The evolution of safety thinking;
c) Accident causation — The Reason model;
d) The organizational accident;
e) People, operational contexts and safety — The SHEL model; and
f) Errors and violations;
Cybersecurity risks must be addressed at the executive level through an enterprise-wide risk management framework. While cybersecurity has traditionally been viewed as a technical issue managed by IT, it is critical that top management be fully engaged in cybersecurity risk governance to ensure proper protection is incorporated as a business goal. There are various models for integrating cybersecurity management into risk management structures, with the most effective approach ensuring board visibility, balanced governance of both IT and non-IT risks, and authority across the organization to enforce protocols.
The challenges faced by a security operations center (SOC) are many and well-documented:
the workload is tremendous, while the workforce is limited, strained, and ill-equipped to handle the influx of alerts that constantly bombard their desktops.
Visit - https://www.siemplify.co/blog/security-orchestration-made-simple
The document discusses key concepts for safety in the work environment including the three elements of procedures, equipment, and personnel. It also outlines the five steps of classic risk management which are hazard identification, evaluation, prioritization, control, and monitoring. An effective safety officer understands both theory and practical application of these concepts to achieve a safe workplace.
School Incident Management Presentationguestd6096bf
The document discusses key principles of the National Incident Management System (NIMS) and Incident Command System (ICS) and how they can be applied to school-based emergencies. It explains that NIMS provides a standardized framework for incident response that improves coordination between responding agencies. The ICS establishes clear lines of command, management sections, common terminology and organizational structures to effectively respond to various incidents. The document outlines ICS roles and responsibilities and how schools can integrate NIMS and ICS principles into their emergency plans.
The aviation system is a complex and interrelated network with concern on the airline operations safety. Safety in aviation involves airport conditions, aircraft maintenance, communication with the system operators and route information which aims at avoiding airline hazards on and off flights (Cushing, 1997). The Federal Aviation Regulations is a set of guidelines that are set for airline operations to be safe, enhancing effective air traffic control, effective airline safety measures among other safety procedures. There are also other aviation authorities that monitor commercial and general aviation to improve safety. The industry also depends on statistical research which justifies changes and improvements of the safety features of airlines. Safety in aviation also depends on external factors such as economic and political environments for effective safety measures and therefore the aerospace industry works in alliances and partnerships with other companies and the military aviation for a safe civil aviation practice (Cushing, 1997). Costs of operations, liability insurance covers, meteorological conditions and human errors which are safety related factors in commercial aviation are evaluated and used to develop safe and comfortable aviation practices in commercial aviation. In this paper, the safety guidelines in commercial aviation and the relevant authorities that monitor aviation safety are the significant concern especially in commercial airline companies.
This document discusses human factors in safety management and risk governance. It notes that while hazards are understood, human risks can be uncertain. Major accidents tend to focus on hardware over the human experience. Designs increase in complexity but the human element remains unchanged. Three key drivers for effective human factors in safety management are commitment from leadership, cognizance of human and organizational impacts, and competence in safety tools. Predictive analysis can help manage human factors issues. Organizational challenges include properly evaluating the human element and balancing hard and soft skills.
Fault tree analysis (FTA) is a systematic approach to identify potential causes of failures using a fault tree diagram with a top-down graphical representation. The main purpose is to help identify causes of system failures before they occur. It involves identifying a top undesired event and breaking it down into intermediate events and lowest level basic causes using logic gates. FTA provides benefits like prioritizing issues, evaluating reliability, and designing tests and maintenance procedures. It should be performed to increase reliability, identify weaknesses, and calculate failure probabilities.
This document discusses safety engineering for systems that contain software. It covers topics like safety-critical systems, safety requirements, and safety engineering processes. Safety is defined as a system's ability to operate normally and abnormally without harm. For safety-critical systems like aircraft or medical devices, software is often used for control and monitoring, so software safety is important. Hazard identification, risk assessment, and specifying safety requirements to mitigate risks are key parts of the safety engineering process. The goal is to design systems where failures cannot cause injury, death or environmental damage.
This document outlines the roles and responsibilities of various personnel involved in developing and sustaining an enterprise security program (ESP). It discusses nine groups of personnel including the board risk committee, senior officers, cross-organizational ESP team, asset owners, business managers, operational personnel, certification agent, board audit committee, and internal/external audit personnel. It provides details on the responsibilities of the ESP team, including the chief security officer, chief information officer, business line executives, general counsel, and chief financial officer. The responsibilities include asset management, security assessments, planning and strategy, controls and performance management, and reviews/audits.
Session 01 _Risk Assessment Program for YSP_Introduction, Definitions and Sta...Muizz Anibire
Program Objectives
In light of industrialization trends across the globe, new hazards are constantly introduced in many workplaces. This program aims to provide Young Safety Professionals (YSPs) from diverse backgrounds with the requisite skill to address the health and safety hazards in the modern workplace.
The document provides a risk assessment of JPMorgan Chase following a 2014 data breach that compromised 83 million customer records. It identifies stakeholders, assets, and six main risks: 1) Inadequate controls allowing external access to data and systems, 2) Lack of customer data monitoring enabling long intrusions, 3) Slow technology adaptation leaving the bank vulnerable, and 4) Inefficient security communication. For each risk, drivers are analyzed and current/planned mitigations are described, such as access controls, third-party oversight, training, and a security-focused culture. The assessment follows the ISO 31000 risk management framework.
The aviation system is a complex and interrelated network with concern on the airline operations safety. Safety in aviation involves airport conditions, aircraft maintenance, communication with the system operators and route information which aims at avoiding airline hazards on and off flights (Cushing, 1997). The Federal Aviation Regulations is a set of guidelines that are set for airline operations to be safe, enhancing effective air traffic control, effective airline safety measures among other safety procedures. There are also other aviation authorities that monitor commercial and general aviation to improve safety. The industry also depends on statistical research which justifies changes and improvements of the safety features of airlines. Safety in aviation also depends on external factors such as economic and political environments for effective safety measures and therefore the aerospace industry works in alliances and partnerships with other companies and the military aviation for a safe civil aviation practice (Cushing, 1997). Costs of operations, liability insurance covers, meteorological conditions and human errors which are safety related factors in commercial aviation are evaluated and used to develop safe and comfortable aviation practices in commercial aviation. In this paper, the safety guidelines in commercial aviation and the relevant authorities that monitor aviation safety are the significant concern especially in commercial airline companies.
The document discusses principles of independent safety assessment (ISA) for railway projects. ISA provides assurance that safety management processes have been adequately implemented and risks reduced to acceptable levels. The document outlines the concept of ISA, its role in auditing safety processes and identifying potential issues. It recommends defining the ISA's role early and involving qualified independent assessors to evaluate safety activities free from conflicts of interest. ISA helps ensure hazards have been properly identified and safety requirements met.
Summary of Selected Accident Modeling Papers stargate1280
This document summarizes and compares two journal articles on accident modeling approaches. The first article by Hollnagel describes general modeling approaches like sequential, epidemiological, and systemic models. It also discusses the role of humans in accidents in terms of their actions and work mentality. The second article by Sklet compares 14 accident investigation methods based on criteria like graphical representation, safety barriers focus, and required expertise. Both articles highlight the importance of using multiple modeling approaches and accounting for human factors when investigating accidents.
Session 04_Risk Assessment Program for YSP_Risk Analysis IMuizz Anibire
Program Objectives
In light of industrialization trends across the globe, new hazards are constantly introduced in many workplaces. This program aims to provide Young Safety Professionals (YSPs) from diverse backgrounds with the requisite skill to address the health and safety hazards in the modern workplace.
This document summarizes several existing approaches to operational performance management in the airline industry, and proposes a new predictive safety performance management system (PSPMS). It describes frameworks like the ATMAP, ARMS, and APF which define key performance areas, indicators, and integrate safety data to assess performance. The document also discusses ICAO's safety management system requirements for continuous monitoring and assessment of safety performance. It concludes that a new human factors-based framework is needed to better govern system performance and safety by identifying what changes are required and measuring their effects.
The document discusses risk assessment and management in port safety. It describes the three main activities: 1) assessing risk in terms of probability and consequences, 2) managing risk through options and tradeoffs, and 3) considering the impact of decisions on future risks. Several analytical tools are used for risk assessment, including fault tree analysis, event tree analysis, and failure modes and effects analysis. Safety indicators like accidents and precursors (near misses) are also discussed. The value of preventing human losses through willingness to pay approaches is covered. Accidents can have wider effects beyond direct costs through changes in public behavior or organizational decisions.
Future internet articleermoctave a risk management fraarnit1
This document introduces a new risk management framework called ERMOCTAVE for assessing risks associated with adopting cloud computing. ERMOCTAVE combines two existing risk management methods - Enterprise Risk Management (ERM) and Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) - to provide a more comprehensive approach. The framework distributes ERM components across the three phases of the OCTAVE method. A case study is presented to demonstrate how ERMOCTAVE can be applied to assess risks when migrating systems to the Microsoft Azure cloud.
Human Factors in a Safety
Management System – Breaking the
Chain
A safety management system (SMS) goes
beyond the health and safety concerns
usually associated with the mining or
building and construction disciplines. Ever
thought about the aerospace and defence
industries?
This presentation includes understanding
the human factors and cultural growth that
need to occur within any industry wanting
to implement a successful SMS.
White paper holistic_approach_to_government_continuity_of_operations_apr2014EMC
This document discusses the need for government agencies to take a holistic, automated approach to continuity of operations (COOP) planning given the diverse and changing threat landscape. It recommends that agencies develop comprehensive COOP plans that incorporate governance, risk management, compliance and address physical, cyber and operational threats. The plans should be maintained in a centralized tool to ensure they are up-to-date, integrated and accessible across all relevant parties.
This document analyzes intuitive and sophisticated aviation systems, and proposes that a resilience system combining both approaches is best. It notes intuitive systems are easy to learn but unstable, while sophisticated systems are stable but complex. A resilience system allows organizations to tailor the approach based on factors like employee experience levels and workload. Large established groups could rely more on sophisticated systems, while new airlines may prefer intuitive systems, but all benefit from a balanced resilience model.
This reviews the strengths and weaknesses of long-established approaches to safety, and proposes new perspectives and concepts underlying a contemporary approach to safety.
This includes the following topics:
a) The concept of safety;
b) The evolution of safety thinking;
c) Accident causation — The Reason model;
d) The organizational accident;
e) People, operational contexts and safety — The SHEL model; and
f) Errors and violations;
Cybersecurity risks must be addressed at the executive level through an enterprise-wide risk management framework. While cybersecurity has traditionally been viewed as a technical issue managed by IT, it is critical that top management be fully engaged in cybersecurity risk governance to ensure proper protection is incorporated as a business goal. There are various models for integrating cybersecurity management into risk management structures, with the most effective approach ensuring board visibility, balanced governance of both IT and non-IT risks, and authority across the organization to enforce protocols.
The challenges faced by a security operations center (SOC) are many and well-documented:
the workload is tremendous, while the workforce is limited, strained, and ill-equipped to handle the influx of alerts that constantly bombard their desktops.
Visit - https://www.siemplify.co/blog/security-orchestration-made-simple
The document discusses key concepts for safety in the work environment including the three elements of procedures, equipment, and personnel. It also outlines the five steps of classic risk management which are hazard identification, evaluation, prioritization, control, and monitoring. An effective safety officer understands both theory and practical application of these concepts to achieve a safe workplace.
School Incident Management Presentationguestd6096bf
The document discusses key principles of the National Incident Management System (NIMS) and Incident Command System (ICS) and how they can be applied to school-based emergencies. It explains that NIMS provides a standardized framework for incident response that improves coordination between responding agencies. The ICS establishes clear lines of command, management sections, common terminology and organizational structures to effectively respond to various incidents. The document outlines ICS roles and responsibilities and how schools can integrate NIMS and ICS principles into their emergency plans.
The aviation system is a complex and interrelated network with concern on the airline operations safety. Safety in aviation involves airport conditions, aircraft maintenance, communication with the system operators and route information which aims at avoiding airline hazards on and off flights (Cushing, 1997). The Federal Aviation Regulations is a set of guidelines that are set for airline operations to be safe, enhancing effective air traffic control, effective airline safety measures among other safety procedures. There are also other aviation authorities that monitor commercial and general aviation to improve safety. The industry also depends on statistical research which justifies changes and improvements of the safety features of airlines. Safety in aviation also depends on external factors such as economic and political environments for effective safety measures and therefore the aerospace industry works in alliances and partnerships with other companies and the military aviation for a safe civil aviation practice (Cushing, 1997). Costs of operations, liability insurance covers, meteorological conditions and human errors which are safety related factors in commercial aviation are evaluated and used to develop safe and comfortable aviation practices in commercial aviation. In this paper, the safety guidelines in commercial aviation and the relevant authorities that monitor aviation safety are the significant concern especially in commercial airline companies.
This document discusses human factors in safety management and risk governance. It notes that while hazards are understood, human risks can be uncertain. Major accidents tend to focus on hardware over the human experience. Designs increase in complexity but the human element remains unchanged. Three key drivers for effective human factors in safety management are commitment from leadership, cognizance of human and organizational impacts, and competence in safety tools. Predictive analysis can help manage human factors issues. Organizational challenges include properly evaluating the human element and balancing hard and soft skills.
Fault tree analysis (FTA) is a systematic approach to identify potential causes of failures using a fault tree diagram with a top-down graphical representation. The main purpose is to help identify causes of system failures before they occur. It involves identifying a top undesired event and breaking it down into intermediate events and lowest level basic causes using logic gates. FTA provides benefits like prioritizing issues, evaluating reliability, and designing tests and maintenance procedures. It should be performed to increase reliability, identify weaknesses, and calculate failure probabilities.
This document discusses safety engineering for systems that contain software. It covers topics like safety-critical systems, safety requirements, and safety engineering processes. Safety is defined as a system's ability to operate normally and abnormally without harm. For safety-critical systems like aircraft or medical devices, software is often used for control and monitoring, so software safety is important. Hazard identification, risk assessment, and specifying safety requirements to mitigate risks are key parts of the safety engineering process. The goal is to design systems where failures cannot cause injury, death or environmental damage.
This document outlines the roles and responsibilities of various personnel involved in developing and sustaining an enterprise security program (ESP). It discusses nine groups of personnel including the board risk committee, senior officers, cross-organizational ESP team, asset owners, business managers, operational personnel, certification agent, board audit committee, and internal/external audit personnel. It provides details on the responsibilities of the ESP team, including the chief security officer, chief information officer, business line executives, general counsel, and chief financial officer. The responsibilities include asset management, security assessments, planning and strategy, controls and performance management, and reviews/audits.
Session 01 _Risk Assessment Program for YSP_Introduction, Definitions and Sta...Muizz Anibire
Program Objectives
In light of industrialization trends across the globe, new hazards are constantly introduced in many workplaces. This program aims to provide Young Safety Professionals (YSPs) from diverse backgrounds with the requisite skill to address the health and safety hazards in the modern workplace.
The document provides a risk assessment of JPMorgan Chase following a 2014 data breach that compromised 83 million customer records. It identifies stakeholders, assets, and six main risks: 1) Inadequate controls allowing external access to data and systems, 2) Lack of customer data monitoring enabling long intrusions, 3) Slow technology adaptation leaving the bank vulnerable, and 4) Inefficient security communication. For each risk, drivers are analyzed and current/planned mitigations are described, such as access controls, third-party oversight, training, and a security-focused culture. The assessment follows the ISO 31000 risk management framework.
The aviation system is a complex and interrelated network with concern on the airline operations safety. Safety in aviation involves airport conditions, aircraft maintenance, communication with the system operators and route information which aims at avoiding airline hazards on and off flights (Cushing, 1997). The Federal Aviation Regulations is a set of guidelines that are set for airline operations to be safe, enhancing effective air traffic control, effective airline safety measures among other safety procedures. There are also other aviation authorities that monitor commercial and general aviation to improve safety. The industry also depends on statistical research which justifies changes and improvements of the safety features of airlines. Safety in aviation also depends on external factors such as economic and political environments for effective safety measures and therefore the aerospace industry works in alliances and partnerships with other companies and the military aviation for a safe civil aviation practice (Cushing, 1997). Costs of operations, liability insurance covers, meteorological conditions and human errors which are safety related factors in commercial aviation are evaluated and used to develop safe and comfortable aviation practices in commercial aviation. In this paper, the safety guidelines in commercial aviation and the relevant authorities that monitor aviation safety are the significant concern especially in commercial airline companies.
The document discusses principles of independent safety assessment (ISA) for railway projects. ISA provides assurance that safety management processes have been adequately implemented and risks reduced to acceptable levels. The document outlines the concept of ISA, its role in auditing safety processes and identifying potential issues. It recommends defining the ISA's role early and involving qualified independent assessors to evaluate safety activities free from conflicts of interest. ISA helps ensure hazards have been properly identified and safety requirements met.
Summary of Selected Accident Modeling Papers stargate1280
This document summarizes and compares two journal articles on accident modeling approaches. The first article by Hollnagel describes general modeling approaches like sequential, epidemiological, and systemic models. It also discusses the role of humans in accidents in terms of their actions and work mentality. The second article by Sklet compares 14 accident investigation methods based on criteria like graphical representation, safety barriers focus, and required expertise. Both articles highlight the importance of using multiple modeling approaches and accounting for human factors when investigating accidents.
Session 04_Risk Assessment Program for YSP_Risk Analysis IMuizz Anibire
Program Objectives
In light of industrialization trends across the globe, new hazards are constantly introduced in many workplaces. This program aims to provide Young Safety Professionals (YSPs) from diverse backgrounds with the requisite skill to address the health and safety hazards in the modern workplace.
This document summarizes several existing approaches to operational performance management in the airline industry, and proposes a new predictive safety performance management system (PSPMS). It describes frameworks like the ATMAP, ARMS, and APF which define key performance areas, indicators, and integrate safety data to assess performance. The document also discusses ICAO's safety management system requirements for continuous monitoring and assessment of safety performance. It concludes that a new human factors-based framework is needed to better govern system performance and safety by identifying what changes are required and measuring their effects.
The document discusses risk assessment and management in port safety. It describes the three main activities: 1) assessing risk in terms of probability and consequences, 2) managing risk through options and tradeoffs, and 3) considering the impact of decisions on future risks. Several analytical tools are used for risk assessment, including fault tree analysis, event tree analysis, and failure modes and effects analysis. Safety indicators like accidents and precursors (near misses) are also discussed. The value of preventing human losses through willingness to pay approaches is covered. Accidents can have wider effects beyond direct costs through changes in public behavior or organizational decisions.
Safety Management System aims to reduce risks by identifying hazards and addressing gaps. It is important for aviation organizations to comply with safety standards and maintain a comprehensive SMS as required by national and international bodies. An organization can control long-term risks by fostering a strong safety culture. Recent aviation accidents like one in Paris could have been avoided with proper SMS implementation. The Zagreb incident was also due to negligence and could have been prevented. There is a need to modify some existing regulations to make compliance easier for operators and stakeholders.
The document discusses practical applications of system safety and risk management. It covers topics like developing safe operational plans using mission analysis, principles of operational risk management, risk assessment models like SPE and GAR, and the risk management process. Assessment tools like the consequence/probability matrix and hazard risk matrix are introduced. Effective communication, supervision, and planning are emphasized as important elements in managing risk.
This document discusses safety standards for critical systems and proposes a new concept called Assured Reliability and Resilience Level (ARRL). It notes that while safety standards aim to reduce risk, their requirements differ across domains. The document argues that Safety Integrity Levels (SIL) alone are not sufficient and that Quality of Service is a more holistic criterion. It also notes standards provide little guidance on composing systems from components. The ARRL concept aims to address these issues and complement SIL by considering factors like component trustworthiness and fault behavior. The document suggests ARRL could help foster cross-domain safety engineering.
ARRL: A Criterion for Composable Safety and Systems EngineeringVincenzo De Florio
While safety engineering standards define rigorous and controllable
processes for system development, safety standards’ differences in distinct
domains are non-negligible. This paper focuses in particular on the aviation,
automotive, and railway standards, all related to the transportation market.
Many are the reasons for the said differences, ranging from historical reasons,
heuristic and established practices, and legal frameworks, but also from the
psychological perception of the safety risks. In particular we argue that the
Safety Integrity Levels are not sufficient to be used as a top level requirement
for developing a safety-critical system. We argue that Quality of Service is a
more generic criterion that takes the trustworthiness as perceived by users better
into account. In addition, safety engineering standards provide very little
guidance on how to compose safe systems from components, while this is the
established engineering practice. In this paper we develop a novel concept
called Assured Reliability and Resilience Level as a criterion that takes the
industrial practice into account and show how it complements the Safety
Integrity Level concept.
The document discusses safety management systems and hazard identification at aerodromes, including defining hazards, detecting hazards through various methods, documenting hazards in a hazard register, and providing examples of hazard identification and analysis tools. It provides information on the hazard identification process, such as defining hazards and their consequences, and coding hazards using a taxonomy. Examples of specific hazards are also given to illustrate the hazard identification methodology.
46 ProfessionalSafety FEBRUARY 2017 www.asse.org.docxalinainglis
46 ProfessionalSafety FEBRUARY 2017 www.asse.org
Program Management
Peer-reviewed
P
art 1 of this article (PS, January 2017,
pp. 36-45) discussed the three key elements
of a modern occupational safety program:
engineering and technical standards and controls,
management and operation systems, and human
factors. Each element plays an important role, yet
many organizations continue to stress one at the
expense of the others, which creates an unbalanced
and ineffective OSH program. The human factor is
present in most every incident, yet often the focus
is too narrowly trained on blaming at-risk behav-
iors or unsafe acts rather than on identifying and
addressing the conditions, systems and norms that
enable or cause those errors.
Part 2 of this article examines how employers
can better incorporate engineering and system
elements into worker-oriented initiatives to cre-
ate a more comprehensive approach to OSH and
thereby better understand incident causes, reduce
incident rates, confirm regulatory compliance, and
prevent serious injuries and fatalities.
Proving due diligence
While some allege that companies may use
behavior-based safety (BBS) as due-diligence
or reasonable-care proof in potential litigation
(United Steelworkers Local 343, 2000), in the au-
thor’s opinion, BBS observation documentation
does not appear to be strong in that regard, as it
is typically based on basic observations of work-
ers’ behaviors by nonprofessionals, and often
has nothing to do with recognizing and control-
ling occupational hazards. Traditional regulatory
compliance-based safety systems should be ex-
pected to provide due diligence.
only applicable to “best in class”?
BBS programs are often recommended for best-
in-class companies that already have engineering
controls and systems in place and an excellent
safety culture. Implementation in less-advanced
safety systems may be less ideal.
For example, “Practical Guide for Behavioral
Change in the Oil and Gas Industry,” states:
During the past 10 years, large improvements
in safety have been achieved through improved
hardware and design, and through improved
safety management systems and procedures.
However, the industry’s safety performance has
leveled out with little significant change being
achieved during the past few years. A different
approach is required to encourage further im-
provement. This next step involves taking action
to ensure that the behaviors of people at all lev-
els within the organization are consistent with an
improving safety culture. (Step Change in Safety,
2001)
The potential effect of behavior modifications on
safety performance (incident rates) is illustrated in
Figure 1 (p. 48). The conclusion suggested by Fig-
ure 1 is that significant incident reduction can be
achieved through engineering and systems con-
trols. When those two are addressed, an organi-
zation can then work on behavioral modifications
for further imp.
This document provides guidance on hazard identification as part of a safety management system. It defines key terms like hazard, safety event, and undesirable event. It describes methods for identifying hazards, including data-driven and qualitative approaches. Specific tools are summarized, like brainstorming, HAZOP studies, checklists, and FMEA. The document stresses that hazard identification should be periodically reviewed since completeness cannot be ensured. It provides a template for documenting identified hazards in a hazard log. Annexes include hazard examples and information sources that can aid in identification.
The document discusses the evolution from a just culture to an accountability culture in aviation safety. It outlines some of the commercial pressures that led to safety issues and the need for more formal safety management systems. Key aspects of an accountability culture include shared responsibility, data-driven hazard identification, and clear lines of accountability throughout an organization. Protecting sources of safety information is important to encourage reporting and continuous safety improvement.
Preliminary Hazard Analysis (PHA): New hybrid approach to railway risk analysisIRJESJOURNAL
Abstract: The Preliminary hazard analysis (PHA) is used to essentially identify potential accidents related to the system and its interfaces to assess their probability of occurrence and the severity of the damage they may cause and finally propose solutions that will reduce, control or eliminate. Although essential in the process of analysis and safety evaluation of high-risk industrial system, the method PHA is very differently developed and remained unclear. This method is generally classified in theory by an inductive approach. However, in practice, a deductive approach is essentially used as the Fault tree analysis. To enhance the quality of the safety analysis in terms of completeness and consistency, we suggest a new hybrid method that combines these two modes of reasoning: induction and deduction. Indeed, the safety analysis of a complex system requires from experts in the field implementation of an iterative analysis process involving both inductive and deductive approaches. The ambition of this new method is to deconsolidate and renovate conventional approaches. In addition, this method is based on the use of a standardized vocabulary and a rigorous analytical approach likely to be accepted by all actors who participate in the development of safety documentation. Indeed, in accordance with national and European regulations and in particular the Railway Safety Directive, this paper proposes a generic approach for development assistance, assessment and prevention of risks which takes account of uses, theory and our experience in this domain.
future internetArticleERMOCTAVE A Risk Management Fra.docxgilbertkpeters11344
This document introduces a new risk management framework called ERMOCTAVE for assessing risks associated with adopting cloud computing. ERMOCTAVE combines two existing risk management methods - Enterprise Risk Management (ERM) and Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). It structures the processes of OCTAVE into three phases and maps the components of ERM to each phase to provide a more comprehensive approach. The document then describes ERMOCTAVE in detail and provides a case study example of how it can be applied by a company migrating parts of its system to Microsoft Azure cloud.
future internetArticleERMOCTAVE A Risk Management FraDustiBuckner14
future internet
Article
ERMOCTAVE: A Risk Management Framework for IT
Systems Which Adopt Cloud Computing
Masky Mackita 1, Soo-Young Shin 2 and Tae-Young Choe 3,*
1 ING Bank, B-1040 Brussels, Belgium; [email protected]
2 Department of IT Convergence Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea;
[email protected]
3 Department of Computer Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea
* Correspondence: [email protected]; Tel.: +82-54-478-7526
Received: 22 June 2019; Accepted: 3 September 2019; Published: 10 September 2019
����������
�������
Abstract: Many companies are adapting cloud computing technology because moving to the cloud
has an array of benefits. During decision-making, having processed for adopting cloud computing,
the importance of risk management is progressively recognized. However, traditional risk management
methods cannot be applied directly to cloud computing when data are transmitted and processed by
external providers. When they are directly applied, risk management processes can fail by ignoring
the distributed nature of cloud computing and leaving numerous risks unidentified. In order to fix
this backdrop, this paper introduces a new risk management method, Enterprise Risk Management
for Operationally Critical Threat, Asset, and Vulnerability Evaluation (ERMOCTAVE), which combines
Enterprise Risk Management and Operationally Critical Threat, Asset, and Vulnerability Evaluation for
mitigating risks that can arise with cloud computing. ERMOCTAVE is composed of two risk management
methods by combining each component with another processes for comprehensive perception of risks.
In order to explain ERMOCTAVE in detail, a case study scenario is presented where an Internet seller
migrates some modules to Microsoft Azure cloud. The functionality comparison with ENISA and
Microsoft cloud risk assessment shows that ERMOCTAVE has additional features, such as key objectives
and strategies, critical assets, and risk measurement criteria.
Keywords: risk management; ERM; OCTAVE; cloud computing; Microsoft Azure
1. Introduction
Cloud computing is a technology that uses virtualized resources to deliver IT services through the
Internet. It can also be defined as a model that allows network access to a pool of computing resources
such as servers, applications, storage, and services, which can be quickly offered by service providers [1].
One of properties of the cloud is its distributed nature [2]. Data in the cloud environments had become
gradually distributed, moving from a centralized model to a distributed model. That distributed nature
causes cloud computing actors to face problems like loss of data control, difficulties to demonstrate
compliance, and additional legal risks as data migration from one legal jurisdiction to another. An example
is Salesforce.com, which suffered a huge outage, locking more than 900,000 subscribers out of important
resources needed for business trans ...
This document provides an overview of a training course on Safety Management Systems (SMS). It discusses the history and concepts of SMS, including some of the earliest examples from aviation in the 1940s. It also outlines the International Civil Aviation Organization's (ICAO) structure for SMS and how it relates to national State Safety Programs. The course schedule and modules are presented, with Module 1 focusing on SMS history, concepts, and the relationship between SMS and other management systems such as quality and work health and safety programs.
Quantified Risk Assessment as a decision support for the protection of the Cr...Community Protection Forum
by Micaela Demichela
SAfeR – Centro Studi su Sicurezza Affidabilità e Rischi Dipartimento di Scienza Applicata e Tecnologia - Politecnico di Torino
e-mail: micaela.demichela@polito.it
Risk Analysis at Ship to Shore (STS) Cranes in Container Terminal Operational...IRJET Journal
This document discusses using Failure Mode and Effects Analysis (FMEA) to analyze risks at ship-to-shore cranes in the container terminal operations of a green port. It first provides background on container movement and risk analysis in ports. It then describes conducting an FMEA to identify risks from tools like ship-to-shore cranes. The analysis identified the highest priority risks as the wooden bearings on the ship's hold hatch when handled by the crane and the protective pin of the spreader hitting the ship's hold. The document recommends addressing these risks to improve safety.
arriers thatd due to lackm factorsthese causalent ca.docxdavezstarr61655
arriers that
d due to lack
m factors
these causal
ent causation
idents—it
analyzes the
haviors—it
uld” follow.
edges the
g
he new
requency of
ts.
Systems Model of Construction Accident Causation
Panagiotis Mitropoulos1; Tariq S. Abdelhamid2; and Gregory A. Howell3
Abstract: The current approach to safety focuses on prescribing and enforcing “defenses;” that is, physical and procedural b
reduce the workers’ exposure to hazards. Under this perspective, accidents occur because the prescribed defenses are violate
of safety knowledge and/or commitment. This perspective has a limited view of accident causality, as it ignores the work syste
and their interactions that generate the hazardous situations and shape the work behaviors. Understanding and addressing
factors that lead to accidents is necessary to develop effective accident prevention strategies. This paper presents a new accid
model of the factors affecting the likelihood of accidents during a construction activity. The model takes a systems view of acc
focuses on how the characteristics of the production system generate hazardous situations and shape the work behaviors, and
conditions that trigger the release of the hazards. The model is based on descriptive rather than prescriptive models of work be
takes into account the actual production behaviors, as opposed to the normative behaviors and procedures that workers “sho
The model identifies the critical role of task unpredictability in generating unexpected hazardous situations, and acknowl
inevitability of exposures and errors. The model identifies the need for two accident prevention strategies:~1! reliable production plannin
to reduce task unpredictability, and~2! error management to increase the workers’ ability to avoid, trap, and mitigate errors. T
causation model contributes to safety research by increasing understanding of the production system factors that affect the f
accident. The practical benefit of the model is that it provides practitioners with strategies to reduce the likelihood of acciden
DOI: 10.1061/~ASCE!0733-9364~2005!131:7~816!
CE Database subject headings: Occupational safety; Construction site accidents; Accident prevention.
as a
sures
aised
safety
injury
the
the
f
d on
en-
that
f the
iors.”
li-
, en-
t
li-
ance.
acci-
ance
h.
. It
safety
zards
of
eased
dd
table
afety
ts are
s to
ch as
a less
d the
ffec-
ces in
es are
ol of
ment
323.
um,
ssions
te by
ging
pos-
2004.
-
05/
Introduction
In recent years, construction accident rates have declined
result of substantial effort by many parties. Increased pres
from OSHA and owners, and increased cost of accidents r
the contractors’ awareness. In turn, contractors increased
training and enforcement. These efforts have reduced the
and illness rate from 12.2 in 1993 to 7.9 in 2001. However,
rate of fatalities has shown little improvement—since 1997,
number of fatalities per year is consistently over 1,100~Bureau o
Labor Statistics 2004!.
The current appr.
Case-Based Reasoning for the Evaluation of Safety Critical Software. Applicat...IJERDJOURNAL
ABSTRACT: The purpose of the work described in this paper is to improve the assessment of the safety analyses for railway transport systems in France. The modes of reasoning which are used in the context of safety analysis and the very nature of knowledge about safety mean that a conventional computing solution is unsuitable and the utilization of artificial intelligence techniques would seem to be more appropriate. The approach which was adopted in order to design and implement an assistance tool for safety analysis involved the following two main activities: – Extracting, formalizing and storing hazardous situations to produce a library of standard cases which covers the entire problem. This process entailed the use of knowledge acquisition techniques; – Exploiting the stored historical knowledge in order to develop safety analysis know-how which can assist experts to judge the thoroughness of the manufacturer’s suggested safety analysis. This second activity involves the use of machine learning techniques in particular the use of Case-Based Reasoning. This paper presents a mock-up of a tool for storing and assessing Software Error Effect Analysis (SEEA) for the safety of automatic devices of terrestrial guided transport system. The purpose of our work is to exploit historical SEEA, which have already been carried out on approved safety-critical software, in order to assess SEEA of new software.
Case-Based Reasoning for the Evaluation of Safety Critical Software. Applicat...
Sms Reg Nick Morten
1. CHAPTER XX
Can safety regulation in
aviation be preventive
rather than reactive?
N. McDonald*, M. Ydalus**
*School of Psychology Trinity College Dublin (Ireland)
**Head of Safety Office STOOB Airline Operations SAS STOCKHOM (Sweden)
ABSTRACT
ICAO requires aviation organizations to have Safety Management Systems and
states to have State Safety Programs. This new approach to safety is preventive,
proactive rather than reactive, it aspires to be performance driven, systemic, and
able to deliver verifiable improvement. Could the implementation of this regulation
prevent the complex system accidents? This is unlikely for the following reasons.
Risk assessment methodologies are largely based on expert judgment unsupported
by extensive data. There is no integrated Air Transport System risk metric that
allows risks of different types and sources to be assessed with reference to each
other. The anticipation and preparation for potential emergencies is not integrated
into normal everyday operational planning. Because there is no system-wide risk
metric it is not possible for system improvements to be evaluated against some
projected risk reduction target. There is no standard for safety performance that a
regulator can use to audit, evaluate or require an operator to improve its safety
system. The present paper seeks to address these fundamental defects in order to
pave the way for what can be done in respect to the successful implementation of
current requirements for SMS regulation.
Keywords: safety management, risk, system accidents, prevention
THE PROBLEM
The next generation Air Transport System (ATS) requires systemic,
2. proactive, performance-based safety management that is fully integrated into
seamless ATS operational management, capable of delivering measurable
performance improvement. While this is the aspiration of the current
generation of SMS regulation, available processes, methods and tools are not
adequate to realize this. The ICAO regulation (ICAO, 2008), mandates states to
implement legislation requiring aviation organizations to have Safety
Management Systems and for states to have State Safety Programs. The
European Commission defines a safety management system as ‘a pro-active
system that identifies the hazards to the activity, assesses the risks those
hazards present, and takes action to reduce those risks to an acceptable level. It
then checks to confirm the effectiveness of the actions. The system works
continuously to ensure any new hazards or risks are rapidly identified and that
mitigation actions are suitable and where found ineffective are revised.’ This
new approach to safety is preventive, proactive rather than reactive, it aspires
to be performance driven, systemic, risk based and able to deliver verifiable
improvement. However, ‘…there is not yet a universally accepted risk assessment
methodology in common use across the European Union for all the aviation
domains which would enable a standardised approach and better priority setting
to tackle those risks that pose the greatest threat to safety. This shortcoming will
have to be overcome.’ (European Commission, 2011a).
The ATS has to be able to anticipate and manage complex system interactions
(where each element on its own may seem acceptable) before they are manifest in
operational emergencies and use operational experience more effectively as a
preventive resource. Recent aviation accidents have demonstrated that this is a
significant weakness of the aviation system. When Air France 447 took off from
Rio on June 1 2009 everything was apparently normal: the aircraft was fine – the
pitot tubes were an unknown and acceptable defect. The crew, aircraft, route and
weather were ok – nothing unusual. Nothing changed. Yet these elements in
combination created a situation that ultimately the crew could not manage. There
are two ways of looking at this disaster. Hindsight: why did the crew apparently not
have basic airmanship skills? The interim investigation report has recommendations
about crew training (BEA, 2011). This is the classic reactive approach – address the
issues arising from the most recent serious safety event. This is essential. More
challenging is to ask: What could have been done before that flight to minimize the
possible risks associated with it? The risks were built into the operational situation
before takeoff. Could routine measures in advance not just prevent this accident
happening again but provide a more general preventive shield against a wide range
of system accidents?
Could the implementation of the ICAO regulation (as European Directive and
national legislation) prevent the type of accident that befell AF447? It is, of course,
impossible to be certain, but, if one examines current methodologies and processes
for managing safety, it is hard not to conclude that prevention would be unlikely
given the current state of the art of safety management. This is for the following
3. reasons:
• Risk assessment methodologies are largely based on expert judgment
unsupported by extensive data and hence find it difficult to encompass
complex system interactions.
• There is no integrated Air Transport System risk metric that allows risks
of different types and sources to be assessed with reference to each
other, singly or in combination.
• The active management of risk in planning and management of
operations is not well supported
• The anticipation and preparation for potential emergencies is not
integrated into normal everyday operational planning
• Because there is no system-wide risk metric it is not possible for system
improvements to be evaluated against some projected risk reduction
target.
• There is no standard for safety performance that a regulator can use to
audit, evaluate or require and operator to improve its safety system.
RISK ASSESSMENT
Current approaches to risk assessment tend to be based on either expert
judgment or extensive data-mining, but rarely both. The probability of an outcome
of a certain severity is core to the conceptual definition of risk. Yet the practice of
risk assessment nearly always comes down to an expert judgment, of one or more
experts (see, for example, Luxhøj, 2003; Rantilla and Budescu, 1999; Ayyub,
2001). Most often this is due to absence of accurate and timely data.. Bow-tie
analysis, which is built around expert judgment, is at the heart of the ARMS
(Airline Risk Management Solutions) methodology (Nisula and Ward, 2008). Fault
Trees, Failure Mode and Effect Analysis, Human Reliability methods (e.g., THERP,
TESEO, HEART, ATHEANA) and Functional Analysis all rely on expert
judgment. Its major limitations relate to the reliability of judgments; hence the
concern with combining the judgment of different experts. The judgements of
experts are not sufficiently rigorous or reliable enough to assess complex
combinations of factors.
Because there is an inverse relationship between probability and severity (more
severe outcomes are less frequent than minor variations), it is important to get a
composite picture that exploits the strengths and weaknesses of knowledge about
different types of outcome. The distribution of minor variations can tell something
about the vulnerabilities of the system to major breakdown. The investigation of
major breakdown will rely partly on analyzing the normal mechanisms of the
operation, trying to establish what causal influences came from normal system
variation, what came from exceptional events. System risk assessment is thus an
integrated, composite process. Understanding system safety requires the ability to
4. explore complex, often remote, interactions. It therefore needs a strong data
integration capability, the ability to link a variety of antecedents to consequences,
and a strong modeling and analysis capability. Standard safety performance
indicators are necessary, but not sufficient – they need to be interpolated in a
composite measure of risk that can form a guiding index for a programme of risk
reduction. Basic taxonomies and performance indicators need to reflect the full
gamut of human, social and technical system functions.
Achieving an assessment of risk that provides meaningful links between
antecedents and consequences and is rich in data is not easy. Different tools have
addressed different parts of this challenge. Tools such as Vision Monitor and APF
(Aerospace Performance Factors) (Eurocontrol, 2009) set performance indicators
and integrate data. The SCOPE Model (McDonald and Morrison, 2006, Leva et al.,
2011) examines the relationship between human factors and safety in operational
systems. The SCOPE model has been developed precisely for the purpose of linking
an in-depth analysis of the operation to relevant safety performance indicators and
their antecedents (Leva et al., 2011).
System risk
Despite the interdependencies between all the components of the Air Transport
System there is no integrated system risk concept. Even within an airline between
flight operations and maintenance risk means different things to different parts of an
organization each of which have different baselines and priorities. For example,
deferred defects may be an acute immediate risk for a maintenance organization, but
not high on the priorities for flight operations. Therefore it is important to establish
a common framework of safety performance because it is these mutual
interdependencies that ultimately determine system risk. However a challenge in
achieving this is the lack of one institutional owner of a system risk concept.
Collaborative risk sharing between competitive organizations (airline and third
party maintenance organization) was demonstrated in the HILAS project in an
improvement process (Ward et al, 2010). In this case the airline believed it carried
the risk but did not manage it and had no effective oversight over how it was
managed by the maintenance organisation. Recognising this led to developing a
common program for improvement; this established a win-win framework for
collaboration that resulted in a very successful series of checks (in terms of both
safety and cost) for both partners. This can be seen as the first step in the
development of an integrated risk framework that establishes sufficient
commonality between safety performance indicators to support an appropriately
integrated analysis of risk.
MANAGEMENT OF RISK
5. Risk analysis and assessment should be part of a risk management process that
concludes with an evaluation of risk reduction following the implementation of
measures to mitigate and control the risk; or where it is not possible to mitigate the
risk (through design, process change, planning, etc.) there is active and explicit
management of operational risks in real time by crew during operations. Hence the
quality of the management of risk is dependent on the quality of the initial
assessment of the risk itself. Unfortunately current operationally focused risk
management methodologies are not integrated with an effective risk assessment
methodology.
The active management of risk in flight operations and Air Traffic Management
has been much enhanced by the development of Threat and Error Management
(TEM) (Helmreich et al., 2001). LOSA (Line Operations Safety Audit) and NOSS
(Normal Operations Safety Survey) formalise this procedure, for flight operations
and ATM respectively, as an operational audit using observers on the flight deck or
at the ATC station under ‘no jeopardy’ procedures to assess real time management
of threat and error (Henry, 2005; Knauer et al., 2005). However, the validity of
these tools is questionable in some circumstances because, within their
methodology, there is no independent criterion of quality or safety beyond the
procedure. This problem was explored in a HILAS case study: what was seen
through the LOSA findings to be a problem of error and performance standards, was
in fact a problem of procedure within a very challenging flying situation, requiring
high skill and experience to manage effectively (Cahill, 2011). This demonstrates
the importance of having an independent criterion of system risk, as outlined in the
previous sections.
The Intelligent Flight Plan concept, developed in the HILAS Project (from an
Iberia use of TEM), is a smart concept for improving operational management of
risk, incorporating an operational risk assessment in the normal flight preparation
process rather than having it as an extra task with more effort involved (Cahill,
2011). This could be developed further by incorporating a comprehensive,
authoritative and up-to-date data driven account of operational risk.
Anticipation of emergencies
The accident involving AF447 is just one example (amongst many) of a lack of
preparedness for a potential emergency becoming manifest in inappropriate control
actions inadvertently escalating the situation. Mental preparedness for an emergency
is critical in ensuring appropriate response. The cognitive processes of dealing with
critical or emergency situations correspond more to a process of recognising a type
of situation priming a schema or mental script for how to deal with this
appropriately – not a process of listing and weighing up alternative courses of action
(Zsambok and Klein, 1997). It follows that stimulating a mental rehearsal of
potential scenarios involving relevant risks should significantly improve readiness
6. to act appropriately and highlight areas of lack of preparedness.
Airports have a statutory requirement for periodic major emergency exercises,
and simulation training for flight crew includes special training of non-normal
processes and coping with particular types operational emergencies. Nevertheless
there seems to be a gap in the routine priming of emergency preparedness. The
provision of smart up-to-date and targeted risk information about an operation being
planned will provide the opportunity not only to plan and prepare for how to
manage such threats in a normal way, but also to rehearse potential emergency
scenarios that are relevant to that particular operation.
It is important to find ways to maintain awareness of potential risks, at the
operational level, including many hidden risks from time delays or deficiencies in
the technical safety process. However there is no clear methodology for ordering
and comparing the risks arising from different system defects or process
deficiencies and hence for prioritizing improvements or for maintaining a high level
of risk awareness at operational level.
IMPROVEMENT OF RISK
Improvement processes are weak in aviation as in other industries (McDonald,
2006). Research in the AMPOS project showed that each stage in the improvement
is more difficult than the last. It is almost impossible to get evidence of evaluation
of implementation of recommendations. In ADAMS 2 research on response to
serious incidents showed up a pattern of ‘cycles of stability’ in which little is
actually achieved in terms of change from organizational effort into investigation
and recommendations. Complex human factor and operational issues often fall off
the improvement agenda or the incident is closed prematurely before any change
has been implemented, let alone documented. For these reasons the HILAS project
developed general organizational protocols for tactical and strategic and the
MASCA project is following this up in developing a ‘Change Management
System’, which is being deployed in a number of case studies of operational change
(Ulfvengren et al. 2012).
REGULATION OF SAFETY
Because there is no independent system standard for safety performance,
the regulation of safety is currently subject to a fundamental contradiction – it is
impossible to regulate safety, but only possible to regulate safety management.
Even formulating policy goals is difficult. In Flightpath 2050 (European Union,
2011b), which guides the goals and objectives of the EU Framework RTD program,
one of the key safety goals is the reduction of accidents by 80% - an aspirational
7. figure, not based on any serious scientific analysis that would justify this as a
realistic target.
In Europe, of all the elements of an ATS, only Air Traffic Management is
regulated at European level (in the ‘Single European Sky’ - SES). The Performance
Review policy for safety in the SES is currently based mainly on one dimension -
implementing Safety Management Systems. Without independent operationally
grounded criteria neither regulator nor regulated can show measurable improvement
in safety. Furthermore the performance of the ATM system is itself dependent on
the performance of airlines and airports. Hence the development of a meaningful
performance concept at the core of aviation regulation really requires an integrated
whole system approach.
SAFETY MANAGEMENT AND SYSTEM CHANGE
The aviation system is changing rapidly. New business models are transforming
operational norms. There are major technological initiatives, such as SESAR and
NextGen, which are bringing new processes and operational concepts. Do current
safety management capabilities meet this challenge? It is possible to trace an
evolution of safety management as it attempts to address these challenges.
In Stage 1, Classic safety management, safety acts as a brake on change. Static
safety standards provide a fixed reference point against which the system is
evaluated. “Safety margins” maintain an uneasy balance between the opposing
forces of safety and cost. Safety is managed as an independent system within the
organization with little leverage over operational change. Stage 1 is typical of the
JAA Regulations from the late 1980s and 1990s.
In Stage 2, safety management has to provide assurance in a time of change.
Change erodes safety margins, for example in flight time limitations. Boundaries
between what is safe and what is not are no longer clear. Active risk management is
necessary to monitor system safety, for example in the development of fatigue risk
management. Safety failure is a major corporate threat, because the leading business
model is about reduced margins & lean processes. Safety Management System
models are built on aspirations to be proactive and systemic, with no adequate
guidelines on how to implement these goals. Safety culture is seen as instrumental
in safety performance, but it is not clear how to measure or influence this. A good
exemplar of this model is the work done by easyJet, both in the HILAS project and
outside of it, in developing a corporate strategic risk management approach and
implementing this in a much more dynamic fatigue risk management processes
(refs).
In the evolution of Stage 3, safety management is a partner in change. Rigorous
operational safety analysis delivers robust processes that give high reliability from
8. all points of view. Safety is part of an integrated management concept with common
performance indicators, integrated risk management and a common change
program. All of this manages the transition from present to future – projection of
future process is based on full modeling and analysis of all implications and risks.
The approach integrates culture and system showing how to change the way the
system works in order to influence culture. In this model a strong performance
concept delivers an independent operational criterion of adequacy. This gives
confidence that change can be managed against a rigorous criterion of operational
effectiveness. Thus, when SESAR (or any other major technology initiative)
delivers its new information systems and new operational concepts into the air
transport system, it will be necessary to have a robust performance management
framework to monitor its safety effectiveness. Safety management in Stage 3 seeks
to provide a methodology for operational evaluation of new systems, offering the
potential to link safety assessment at the design stage with safety assessment at the
operational stage.
PROACTIVE SAFETY PERFORMANCE FOR OPERATIONS
A research and development program has been initiated to address these
challenges. It is called PROSPERO (Proactive Safety Performance for Operations)
and is funded by the European Commission. Its common performance management
concept is designed around two active management cycles, one concerning the real-
time management of risk in operations (operational loop) and the other concerning
system change and redesign (learning loop). The Operational loop is as follows:
Risk information production:
System risk assessment is an integrated, composite process. Performance
indicators are linked meaningfully to system functions, combining operational data
and reports. Consequences are linked back to their antecedents. In order to control
the outcome, it is necessary to control the inputs or antecedents that are causally
related to the outcome. It is important to understand those causal links and to be
able to create tight statistical relations between antecedents and consequences,
encompassing complex interactions.
Risk information distribution: Up to date risk information is embedded in the
normal supply of information for the planning and management of flights through
the IT systems for managing aircraft technical status, crew rostering, route planning,
weather, etc.
Risk information use: Anticipation and mitigation of threats (including complex
combinations of system risks) becomes an explicit part of flight operations planning
and management all the way through to crew briefings and actions before and
during flights. This provides for heightened anticipation of and preparedness for,
not only routine management of threats, but also the specific characteristics of
potential emergency situations. Where risks have been identified, specific feedback
is triggered about the management of those risks in both normal and abnormal
circumstances, feeding the production of up to date risk information.
9. The Learning loop is also triggered by risk information production:
Solution identification: the objective is to initiate a process of progressive
systemic risk reduction, encompassing both what may be considered background
risks (e.g. deferred defects, technical warnings) with immediate operational threats
(e.g. weather). Solutions to optimize the system risk picture are proposed and taken
up by those who are capable of implementing solutions.
Solution implementation: Proportionate effort is invested in implementing
solutions at whatever level will create maximum leverage over system risk
reduction – infrastructure, technologies, information systems, business and
management processes, human resources, etc. As such initiatives are driven by
projections of system risk reduction, their implementation is accompanied by
comparing these projections with actual system risk outcomes (in so far as other
influences can be discounted).
While ownership of risk often appears most salient at the level of a single
organization, gaining leverage over system risk requires an integrated risk model or
picture and a co-ordinated response of all air transport system stakeholders to risk
management and mitigation. Creating this collaboration in what is often a
competitive environment requires clear and repeated demonstration of actual and
potential common system benefits. Thus a major goal for PROSPERO will be to
demonstrate the efficacy of both operational and learning loops at an air transport
system level – ATM, airport, flight operations, ground operations, maintenance.
At the regulation level (for example, Single European Sky), the whole system
across a region is encountered. Here requirements are set to drive down accountable
performance parameters. Performance is a function of the integrated activity of the
ATS, not just one component. This is also the level where a larger, more powerful,
dataset can be collected and integrated. Real leverage comes in enabling the
regulator to have effective oversight of both the operational loop and the
organizational learning loop at local and regional ATS levels and within individual
organizations. This can give assurance that the risks identified are actually being
managed and provides the basis for smarter and more cost-effective regulation.
ACKNOWLEDGMENTS
The research reported here has been supported by the European Commission
Framework RTD Program. ADAMS2, AMPOS, HILAS, MASCA and PROSPERO
are or were projects supported by this program.
REFERENCES
Ayyub B. M.: Elicitation of Expert Opinions for Uncertainty and Risks, CRC Press, 2001.
10. BEA 2011. Interim Report n°3 On the accident on 1st June 2009 to the Airbus A330-203
registered F-GZCP operated by Air France flight AF 447 Rio de Janeiro – Paris.
Bureau d’Enquêtes et d’Analyses pour la sécurité de l’aviation civile. Ministère de
l’écologie, du développement durable, des transports et du logement
Cahill J., Mc Donald N., Losa G. 2011. ‘Intelligent Planning and the Design of a New Risk
Based, Intelligent Flight Plan’. Cognition, Technology and Work. Volume 13. Number
1, pp 43-66, Springer London
Eurocontrol 2009. The Aerospace Performance Factor. Brussels: Eurocontrol
European Commission 2011a. Setting up an Aviation Safety Management System for
Europe. COMMUNICATION FROM THE COMMISSION TO THE COUNCIL AND
THE EUROPEAN PARLIAMENT, Brussels, 25.10.2011 COM(2011) 670 final
European Commission 2011b. Flightpath 2050 Europe’s Vision for Aviation. Luxembourg:
Publications Office of the European Union
Helmreich R. L., Klinect J. R., Wilhelm J. A. 2001. System safety and threat and error
management-The Line Operational Safety Audit (LOSA), 11th International
Symposium on Aviation Psychology
Henry C. 2005. Normal Operations Safety Survey (NOSS), 1st ICAO Global Symposium on
TEM and NOSS, Luxemburg.
International Civil Aviation Organisation (ICAO). 2008. Safety management manual (SMM),
second edition, Doc 9859, Montreal, Canada: ICAO.
Knauer M., Fallow P., Ruitenberg B. 2005. First NOSS Trials conducted successfully,
www.icao.int.
Leva et al. 2011 Deliverable: D 2.1 Review of requirements for change Deliverable to EU
Commisson as part of MASCA project FP 7-AAT-2010-4.3-4. Grant agreement n°
266423. School of Psychology: Trinity College Dublin
Luxhøj J. T. 2003. Probabilistic Causal Analysis for System Safety Risk Assessments in
Commercial Air Transport, in Proceedings of the Workshop on Investigating and
Reporting of Incidents and Accidents (IRIA), Williamsburg , VA, Sep 2003.
McDonald, N. 2006. Organisational Resilience and Industrial Risk in, editor(s) Erik
Hollinagel David D Woods Nancy Leverson, Resilience Engineering, Concepts and
Precepts , Surrey UK: Ashgate Publishing , pp155 - 180,
McDonald N., Morrison R. 2006. Modelling the human role in operational systems—theory
and practice. 2nd Resilience Engineering Symposium , Antibes France , 8-10
November 2006
Nisula, J. and Ward, M. 2008. Challenges of maintenance SMS practical implementation.
Presentations to the ICAO Asia and Pacific Ocean Approved Maintenance
Organisation and Air Operator Maintenance Organisation SMS Implementation. June
3–4 2008, Bangkok.
Rantilla A. K., Budescu D. V. 1999. Aggregation of Expert Opinions, Proceedings of the
32nd Hawaii International Conference on System Sciences.
Ulfvengren, P, McDonald, N., Ydalus, M. 2012. A methodology for managing system change
applied to an airline developing a safety performance management process. 4th
International Conference on Applied Human Factors and Ergonomics (AHFE),July 21-
25, 2012, San Francisco, CA, U.S.A
Ward M.; McDonald N.; Morrison R.; Gaynor D., Nugent T. 2010. A performance
improvement case study in aircraft maintenance and its implications for hazard
identification Ergonomics, 1366-5847, Volume 53, Issue 2, Pages 247 – 267
Zsambok, C. E. and Klein G. A. 1997. Naturalistic Decision Making. Mahwah, New Jersey:
Lawrence Erlbaum