FOREWORD
EDITORIAL ADVISORY BOARD MEMBERS

Robert Eagles, Director, Safety Operations & Infrastructure, International Air Transport Association, Asia Pacific
Prof Henry Fan, Professor, Centre for Infrastructure Systems, School of Civil and Environmental Engineering, Nanyang Technological University, Singapore
Dr K Raguraman, Joint Associate Professor, Department of Geography and Civil Engineering, National University of Singapore
Sivakant Tiwari, Principal, Senior State Counsel, Attorney-General's Chambers, Singapore
Dr Jarnail Singh, Chairman, Civil Aviation Medical Board, Singapore
Cletus MJ Packiam, Chief, Airport Emergency Service, Civil Aviation Authority of Singapore
Goh Chin Ee, Director, Singapore Aviation Academy, Civil Aviation Authority of Singapore

EDITORIAL TEAM

Ms Chan Pin Pin
Ms Jasmin Ismail
Ms Addrienne Kang
Ms Eudora Tan
CONTENTS

Aviation Safety
1 Safety Reporting in Aviation: Safety Management and Safety Culture in Interaction 1
  Professor Patrick Hudson, Leiden University, The Netherlands
2 Aviation Safety Investigations: Cooperative, Independent, No-blame and Accountable 13
  Mr Alan Stray, Australian Transport Safety Bureau
3 Balancing Safety and Compliance in the Regulatory Environment 23
  Mr William Voss, Flight Safety Foundation

Aviation Security
4 Benefits of Aviation Security Audits and Quality Control Systems 29
  Mr Bernard Lim, Ministry of Transport, Singapore

Aircraft Accident Investigation
5 The Role of Safety Culture in Aircraft Accidents 37
  Professor Graham Braithwaite, Cranfield University, UK
Aviation Technology
6 State-of-the-Art Technology in Airport Pavement 47
  Dr Satish K Agrawal, Federal Aviation Administration, US

Crisis Management
7 Evidence-based Medical Response to Mass Casualty Event at Airports 55
  Dr Mark Leong, Singapore General Hospital

Airport Management
8 Opening of New Terminals: Changi Airport's T3 Experience 65
  Mr Foo Sek Min, Civil Aviation Authority of Singapore

Sustainable Aviation
9 Towards Sustainable Aviation 73
  Mr Michael Rossell, International Civil Aviation Organization
Aviation Safety

Safety Reporting in Aviation: Safety Management and Safety Culture in Interaction

ABSTRACT

This paper examines the necessity for safety reporting in terms of risk management, using the Bowtie model to show how reports of minor incidents can provide vital information about how well an organisation is managing the risks of its business. As the underlying causes of major accidents and minor incidents are similar, reporting all types of incidents provides invaluable information that can be used to prevent accidents. In today's commercial aviation industry, we cannot afford to learn these lessons from actual accidents, so there is no real choice if we are to avoid further major accidents. The International Civil Aviation Organization has recognised this necessity in its definition of how Safety Management Systems (SMS) should operate. Nevertheless, there are many situations in which people are afraid to report, because of a blame culture, or do not feel it is worthwhile. This paper identifies three different types of blame culture, the Personal, the Professional and the Political, and then examines how these might be countered, primarily by education and an understanding of how accidents are caused. The paper ends with a plea for all involved, from pilots and engineers to regulators, politicians and the media, to put aside natural tendencies to blame in favour of supporting full and open reporting in commercial aviation.
ABOUT THE AUTHOR

Professor Patrick Hudson
Professor Patrick Hudson is with the Centre for Safety Research, Leiden University, Netherlands. He has been Project Leader of the Tripod Research Programme on Human Error for Shell International since 1988, cooperating closely with Prof J. Reason of Manchester University, UK. He was involved in the early development of safety management systems as well as human factors programmes. He currently leads the Hearts and Minds research programme on the development of safety culture in the oil and gas industry. Prof Hudson is a member of ICAO's Human Factors Awareness Group and the Joint Aviation Authorities Human Factors Steering Group. His involvement with aviation includes working with companies such as Ansett Australia, Emirates, British Airways, Cathay Pacific, Shell Aircraft, KLM Helicopters and Swissair. He has over 180 publications in scientific journals, books and conference proceedings.
Professor Patrick Hudson
Leiden University, The Netherlands

INTRODUCTION

Many incidents in aviation would go unknown unless someone reported them. This is unfortunate, because learning from minor incidents is the most cost-effective way of making the aviation system safer. Accidents are obvious and fortunately rare, but near misses and minor incidents are much more common and can go undetected unless someone is willing to tell what happened. The causes of accidents and near misses are the same, especially at the level of the underlying causes (Reason, 1997), which is why they are commonly collected together under the term "incidents". This paper will first discuss why it is so important to report more than just the major incidents, placing reporting firmly in the context of safety management, and then consider why people find it so difficult to report, describing a number of distinct organisational cultures. The paper then considers the range of possible mechanisms for ensuring reporting and concludes with a plea to put aside culturally determined barriers in favour of encouraging a truly proactive management of the risks of aviation.

WHY REPORT?

After a major incident, whether an actual accident or a very public near miss, there will be a formal investigation to discover what happened and, more importantly, why [1].

[1] ICAO Annex 13 is quite explicit in its requirement to uncover the reasons why an incident happened and to do this in a blame-free setting. This paper explores just why the blame-free element is so important, especially when incidents do not reach their full disastrous potential.

After such an investigation, the results can be disseminated throughout the industry and the expectation is that the
safety of the system as a whole can be improved and possible accidents avoided. In the last 100 years of aviation, learning from accidents has been the main way in which the industry has become safer; almost every line of the ICAO annexes can be traced back to an incident that need not now be repeated. Experience with major incidents in a great many different industries has shown that there are almost always precursors that were, or could have been, identified in less serious incidents. In many cases these minor incidents fall below the threshold that would require them to be officially reported and, subsequently, investigated (see Figure 1). These incidents will have breached one or more barriers, slices of cheese, but will not have gone so far as to be classified as an actual accident. Barriers are intended to prevent hazards from creating losses, such as an accident. Some barriers may involve design and procedures; others may involve competence and vigilance. Poor design or inappropriate procedures are latent conditions that are represented by holes in the cheese, but an accident may be prevented by the competence and vigilance of an operator, such as a pilot or air traffic controller. With the benefit of hindsight, such minor incidents have often proven to be the harbingers of a future disaster. The immediate precursors that can be identified from minor incidents will themselves have been caused by organisational failures or shortcomings, such as lack of oversight, inappropriate procedures or a shortage of funding. These are all factors that typically have an impact on a great many other possible defences that prevent future accidents (Reason, 1997). It is this information that the reporting of incidents can and should provide.
In an ideal world, sufficient levels of proactive reporting of minor incidents, allowing the identification of the underlying causes of potential incidents, should help drive down the number of incidents where actual damage or injury occurs.

Figure 1: The Swiss Cheese model of accident causation (Courtesy J. Reason)
Journal Aviation Management 2008

REPORTING AND RISK MANAGEMENT

Reporting is one of the three major methods for acquiring information about how well risks are being managed. This is the reason why incident reporting is stressed as one of the major components of an SMS (ICAO, 2005). The other two are audits and, the most unforgiving, accidents and major incidents, where no one can deny that something went wrong. Reporting enables us to identify systemic weaknesses as well as providing an important way of identifying new hazards or threats that need to be managed to assure safety. To see reporting in context it is necessary to understand how risk analysis is performed in other hazardous industries. Risk analysis in general involves:

- Discovering how undesired consequences can occur and what hazards are involved (e.g. terrain, other aircraft, birds, Foreign Object Damage);
- Uncovering both the superficial and the root or underlying causes of problems;
- Identifying how these causes can be managed effectively so that the problems do not arise.

Risk assessment goes further than analysis and involves quantifying the probabilities of such consequences, identifying the frequency of underlying threats (how they may arise), and assessing the effectiveness of the preventative and mitigation barriers intended to prevent problems from arising.

EXAMPLE: AIRSIDE COLLISIONS WITH NEW GENERATION COMPOSITE AIRCRAFT

There is a specific example which shows why the reporting of apparently trivial incidents can no longer be treated as a luxury. Future generations of aircraft will almost certainly increasingly be constructed from composites, like the Boeing 787. One particular problem for such aircraft lies precisely in their strength. Many components may fail to show, on simple visual inspection, that they have been damaged to the point of threatening airworthiness, as materials may spring back after being hit.
There are effective non-destructive techniques that are capable of detecting such damage and allowing an assessment of whether repair is necessary, but it is necessary first to know whether and where to look. Whether the damage is caused by dropped tools in engineering or vehicle collisions on the ramp, the only way to set a testing process in operation is to have someone report what happened and where; the alternative of checking the whole of every such aircraft before every flight is unthinkable. At the same time, such reports also provide information about why a collision occurred in the first place; collecting such reports can show whether there are trends, such as airside drivers who may not have been given sufficient training to acquire the necessary competence to drive heavy vehicles in the vicinity of composite aircraft. In aviation, we are concerned with a wide range of possible consequences, ranging from multiple fatalities and aircraft loss, e.g. Controlled Flight Into Terrain (CFIT), to damage without injury and reputation damage to airlines, airports, Air Traffic Management (ATM) providers and the sector as a
whole. One of the lessons from other high-hazard industries is the need to manage the full range of the problems that can cause such outcomes, not just by working backwards in the hope of preventing specific outcomes like CFIT or runway incursions (Hudson, 2003a). There are two basic approaches, viz. reactive and proactive, to analysing the risks of an operation. The reactive approach uses actual incidents and uncovers root causes by working backwards from consequence to cause. A more proactive version of incident analysis imagines what possible incidents could happen and again works backwards to ascertain how such an incident could happen. An explicitly proactive approach, Failure Mode and Effect Analysis (FMEA), moves forward from possible causes towards potential incidents, by systematically varying every element or component in a system and seeing what failures can result. FMEA, while fully proactive, is labour-intensive and is usually only applied to engineering problems, with a concentration on hard component failures, because of the difficulty of developing such a systematic approach for softer human factors issues.

REPRESENTING RISKS: THE BOWTIE DIAGRAM

One way of understanding how accidents can be prevented involves using a risk analysis method called the Bowtie, shown in Figure 2, which provides a way of combining these two approaches while significantly reducing the complexity. Bowties are based around a top event, the point at which no adverse consequences have yet occurred but control over the hazard has been lost. There are a number of threats, ways in which the hazards can be released, leading to a top event and on to the undesirable consequences. To prevent hazards being released and the consequences happening, we can place barriers on the threat pathway.
These barriers may depend on hard controls, such as designed hardware, or softer controls, such as procedures. The barriers are explicit representations of the slices of cheese in the Swiss Cheese model. A full bowtie represents a risk analysis, with all the threat pathways and barriers identified. If the frequencies of threats and the effectiveness of the barriers are also quantified, then we have a risk assessment.
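The quantification step just described can be sketched numerically. The following Python fragment is a toy illustration only, under the common simplifying assumption that barriers on a threat pathway fail independently; the function name and the numbers are invented for this sketch, not taken from any real bowtie analysis.

```python
def pathway_frequency(threat_frequency: float,
                      barrier_failure_probs: list[float]) -> float:
    """Toy estimate of how often a threat defeats every barrier on
    its pathway and releases the top event.

    Assumes barriers fail independently, so the surviving fraction
    is the product of the individual failure probabilities.
    """
    freq = threat_frequency
    for p in barrier_failure_probs:
        freq *= p  # only the fraction that finds a hole gets through
    return freq

# A threat arising 100 times a year, faced with three barriers that
# each fail one time in ten, reaches the top event roughly 0.1 times
# a year (100 x 0.1 x 0.1 x 0.1).
top_event_rate = pathway_frequency(100.0, [0.1, 0.1, 0.1])
```

The right-hand side of the bowtie can be treated the same way, multiplying the top-event frequency by the failure probabilities of the mitigation barriers to estimate how often the full consequences would be reached.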
Figure 2: The Bowtie diagram

EXAMPLE OF A BOWTIE ANALYSIS: BIRD STRIKE

Bird strike is a major issue in aviation, which can result in a crash or major damage to engines and airframes. These are the consequences that we wish to avoid, but the Top Event, where we have lost control, is the point where birds and aircraft are in the same airspace. Birds are the hazards: either flocks of small birds such as pigeons and gulls, or occasional large birds such as pelicans or geese. To the left of the Top Event we represent how this can happen (the threats: how birds come to be near airports) and what we can do to avoid this happening in the first place (the barriers, such as managing rubbish dumps or using bird-scaring tactics). To the right of the Top Event are the recovery measures, mitigation defences, which show what we can do to ensure that the worst consequences are not reached if there is a bird strike despite our best preventative endeavours (engine design, pilot procedures, fire brigade, pre-designed press releases). Each of these barriers is, in fact, a slice of cheese in the Swiss Cheese model shown in Figure 1. The escalation factors are shown to see how specific barriers and mitigation measures might fail (how the holes get into the cheese). If one barrier is for an aerodrome to employ an ornithologist, the escalation factor might be cost pressure, and it is possible to see that some steps would need to be taken to ensure that cost reduction did not result in the loss of the ornithologist and a subsequent increased risk of major bird strike. The conventional barriers and defences are found on the main bowtie; the organisational underlying causes are to be found on the escalation factors. Reporting provides a major mechanism for discovering that one or more barriers are ineffective, at either the main bowtie level or within the escalation factors.
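The bird-strike bowtie just described can also be captured as data, which is one way an organisation might map incoming incident reports onto specific barriers and their escalation factors. The sketch below is illustrative only: the class names and the example entries are invented for this paper's example, not part of any standard bowtie tool.

```python
from dataclasses import dataclass, field

@dataclass
class Barrier:
    name: str
    # Escalation factors: how the holes get into this slice of cheese
    escalation_factors: list = field(default_factory=list)

@dataclass
class Bowtie:
    hazard: str
    top_event: str               # the point where control over the hazard is lost
    preventative_barriers: list  # left-hand side of the diagram
    mitigation_barriers: list    # right-hand side: recovery measures

# The bird-strike example from the text, rendered as data:
bird_strike = Bowtie(
    hazard="Birds in the vicinity of the aerodrome",
    top_event="Birds and aircraft in the same airspace",
    preventative_barriers=[
        Barrier("Rubbish dump management"),
        Barrier("Bird-scaring tactics"),
        Barrier("Aerodrome ornithologist",
                escalation_factors=["Cost pressure"]),
    ],
    mitigation_barriers=[
        Barrier("Engine design"),
        Barrier("Pilot procedures"),
        Barrier("Fire brigade"),
        Barrier("Pre-designed press releases"),
    ],
)
```

An incident report naming a breached barrier can then be matched against this structure: a breach on the left-hand side flags a failing preventative control, while a breach beyond the top event marks a near miss or worse.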
Reports can be made about failures at any point on the trajectory from a hazard, as well as about novel hazards. At the level of consequences we will have had an actual accident; at the level of the top event, where right-hand side barriers have failed, we will have had an incident that can easily be recognised as a near miss. Prior to the top event, on the left-hand side, we could have identified a failing preventative control. The bowtie diagram, in the case of any incident, enables us to identify just which barriers failed and which barriers worked to avoid the full consequences. Accidents and public near misses may suffice to set investigation in progress, but there is already a cost, if only to reputation. The less obvious incidents, in contrast, can also be analysed and can provide the same information at considerably less cost, at least in terms of public exposure. One thing is clear from this analysis of reporting as an integral part of the risk management process: reports have to be investigated to the point where they reveal information about systemic shortcomings that could potentially impact operations and so cause more serious incidents. Without such analysis, reporting is no more than a token exercise, most likely to reflect badly on the reporter. The problem is that professional investigation of incidents is often seen as time-consuming and expensive, requiring extensive training if anything more than a superficial re-description of the incident and some trivial trending is to be achieved. The bowtie, once in place, provides an accessible and relatively rapid way of setting out the set of barriers available [2], allowing the investigator to identify which ones failed, which remained intact, and what, if any, hazards and new threats can be identified.

WHY NOT REPORT?

If the case for reporting is so clear, why should people not report?
The reality is that reporting in many organisations and countries is infrequent, despite the belief that, even in very safe operations, quite a lot happens that is worthy of being reported. The reason is that individuals fear being personally blamed for what went wrong or, more specifically, fear the consequences. Blame cultures are those in which there is a strong desire to identify and punish those who have failed in some way, typically those most closely identified with causing some bad outcome. They are found in a wide variety of professions and in many national cultures. Blame cultures can be understood in the light of two factors. One is a well-known and reliable psychological phenomenon called the Fundamental Attribution Error. This refers to the disparity in explanations of events between the individuals involved and observers: observers explain individuals' failures in terms of their poor internal psychological characteristics, while those same individuals explain their actions with reference to the external environment. The term "pilot error", for instance, is used to blame the pilot, typically in terms of the individual pilot's personal failings, while the pilot might point to environmental factors [3].

[2] This is not necessarily to imply that the bowtie is the only possible methodology, but it sets a benchmark for quick and effective investigation of minor incidents that other methodologies will have to meet.

[3] In contrast, people do tend to attribute their successes to their individual qualities, while outsiders may make reference to the environment those individuals found themselves in.

The second factor is the belief that people, unlike inanimate forces, have the power to control their own destiny. Taken in combination with hindsight bias (Hudson, 2001; Fischhoff, 1975; Fischhoff & Beyth, 1975), where people believe
that they knew it all along, this leads to explanations of events in which a person can be expected to have known what was happening and to have had the ability to prevent the bad consequences from happening. The belief is that individuals, typically at the last moment, could have and should have exercised sufficient control over their actions. The fact that they did not makes them candidates for blame. There appear to be three different types of blame culture: the Personal, the Professional and the Political. In the Personal culture, there is a belief that people who immediately cause an accident should pay for it. Individuals are afraid of the consequences if they should report, especially when it is their own actions, or inactions, that they are reporting. Even if they are not afraid of the organisational consequences, such as punishment, they may still be keenly aware of the loss of face that reporting one's own failures can incur. In many national cultures the fear of such outcomes is enough to provide a significant impediment to reporting. These impediments can be overcome if there is sufficient appreciation that front-line operators, whose actions at the end of the whole incident trajectory may have been in error, are equally the victims when there are underlying causes over which they have little or no control (shown in Figure 1). In the Professional culture, individuals may still feel ashamed of the fact that they have performed below their own expectations and would rather not tell. Professional cultures are those in which the key individuals (pilots, engineers and doctors form good examples) feel that they possess exceptional characteristics and have been given special training, so that any failure to exercise the highest professional standards of performance must reflect upon them personally.
In many ways these groups may be seen to fall under a reversed attribution error: failure reflects on their failure to exercise sufficient control, whatever the circumstances, while success is only what would be expected every day. Finally, the Political culture covers the complex of public constituencies outside the organisation that also seek to identify individuals to blame, from the law to the media. There may be impediments to reporting from external agencies which mean that, even with an open culture within the organisation and the understanding that everyone is fallible, reporting is still an open invitation to some form of sanction, whether legal or in terms of reputation damage to either individuals or the organisation as a whole. The law, almost by definition, institutionalises the concept of blame and subscribes to the belief that identification and punishment of those who fail, whether intentionally or not, is essential. Often there is a belief that punishment, especially in public, will ensure that other people do not make the same errors, a belief that flies in the face of 100 years of psychological study. The media is also served by providing easily understood explanations of why things went wrong, especially after a public disaster; unfortunately, accurate explanations rapidly become too complex to capture in a sound bite or a headline, while "pilot error" fits the bill easily. In commercial aviation the problem may be exacerbated by the public perception that aviation is safe, so that any failure of the system must be due to one or more individuals who actively subverted that safe system.
Some or all of these cultures may be in effect at the same time; they are different but not incompatible, because the same psychological mechanisms of blame underlie all three.

TYPES OF REPORTING SYSTEM

There are a variety of different ways to collect reports. A number of these systems are intended to encourage reporting by avoiding some of the cultural pitfalls. This section describes the different types of system available; the next section considers how they can be used to get people to report. Barach & Small (2000) provide a comprehensive review of reporting systems. Anonymous reporting systems, while potentially capable of lowering the threshold to report, suffer from a number of problems that make them effectively useless. One is that such systems are open to abuse, allowing people to make reports that bring individuals into focus out of malicious rather than well-intentioned motives. More important is the fact that it is hard, or impossible, to obtain the information that is really important; one is left with the immediate description of what happened and little if any trustworthy information about why the event happened. Yet I have argued above that this is the true value of reporting. Confidential reporting systems are intended to overcome the problems with anonymous reporting, removing both malicious reporting and the inability to follow up reported incidents. They should allow people who feel that they may be blamed to report anyway, because their names should never be released to those who will blame. The necessity of such systems reflects on the overall culture of the organisation, as it is still felt necessary to protect reporters. Protected reporting systems are those that provide a degree of protection from prosecution. The American Aviation Safety Reporting System (ASRS) provides immunity for those who report in a timely manner.
Open reporting may be constrained, where names are known but reports and their results are typically published without references to persons, or totally open, as when access to all reports in the system is available to everyone in the organisation, or limited to those with a need to know. Mandatory reporting is normally demanded by legal requirements. Such reports are invariably specific about individuals, but may be confidential within the confines of the organisation and the regulator, unless the legal authorities decide that they wish to intervene. ICAO Annex 13 (Aircraft Accident and Incident Investigation) sets clear requirements for full and blame-free investigation, implying the same for reporting on non-accident incidents, but the possibility for prosecuting authorities to proceed has always remained, subject to the requirement that they have to collect their own evidence [4].

[4] Most jurisdictions allow individuals to remain silent in the event that speaking would provide evidence of guilt in a criminal case. The requirement of Annex 13 is to ensure that the information needed to prevent future accidents becomes available, but the fact that something has been stated in the context of Annex 13 means that prosecutors would need to find other proof. The situation in civil cases is, in my opinion, less clear.

These different systems are intended to make reporting easier for reporters, except for mandatory systems, which simply require reporting, with the clear threat of sanctions for non-reporting. It is clear that the level of protection felt necessary to make people feel comfortable with reporting will be a function of the overall safety culture of the organisation (Hudson, 2003b), which primarily impacts on the
personal blame culture. A more advanced culture would, hopefully, also have fewer problems with the professional culture (see Figure 3). As the safety culture improves, the tendency to report increases. At the same time we expect the number of actual serious incidents to fall, which means that the absolute number of reports may be expected to rise up to a point, after which there are fewer serious incidents and the number of reports starts to drop. A rise in the number of reports may, therefore, be good news about an improvement in the safety culture rather than an indication that real safety performance is getting worse. Unfortunately, all reporting will take place within the political blame culture. In societies where blame is directed at individuals, this will always remain as a residual barrier to full and open reporting unless quite explicit steps are taken, both within the organisation and at the level of the State, to protect individuals.

Figure 3: The relationship between safety culture and reporting rate

Whistle-blower systems are sometimes provided to enable the reporting of particularly difficult cases. However, these tend to concentrate on the faults of others, often those higher in the organisation, and again reflect on the true state of the culture of an organisation if they continue to be felt necessary.

HOW DO YOU GET PEOPLE TO REPORT?

What can overcome the barriers to reporting? The logical arguments for the advantages of reporting are not always sufficient to overcome the obstacles set up by one or more of the different types of blame culture. Personal blame cultures need to overcome the belief amongst management and peers that it is just the individuals closest to an incident who should carry the responsibility. This means more than just forgiving those individuals; it also means developing an acceptance that most incidents will have an organisational cause and that management have a role to play.
This is not such a burden as it might appear; incident reporting can uncover weaknesses in the system, especially on the left-hand side of the bowtie, leading to improvements that are typically cost-effective, benefiting the organisation as a whole, and where management can often be happy that issues have been identified before anything wrong or blameworthy has happened. Two major problems arise: one is the continuing belief of management in the reprehensibility of individuals who could have prevented an incident at the last moment; the second is the belief (and expectation) in such individuals that punishment will still be meted out, despite public protestations to the contrary by senior staff. Professional blame cultures are, if anything, more difficult to manage. Professionals like pilots and surgeons have to learn the same lesson as management in the Personal culture, but now applied to themselves. They need to understand that, even though they may be put into impossible situations, it is worth reporting to uncover and remedy the reasons for those problems. Extending reporting requirements within an explicit framework of professional risk management may help such people to realise that being professional involves discovering sources of error and failure as well as combating them. Political blame cultures are the hardest to circumvent. The historical and cultural background that determines the attitudes of lawmakers and the media is outside the power of most organisations to change. The one possibility that appears to work is supra-national regulation. ICAO, and especially Annex 13, provides an example of how international regulation can be used to overcome national tendencies. The European Union has also made a requirement for blame-free reporting in Directive 2003/42/EC.
ICAO and the European Union have, unfortunately, little if any influence on the media's perception that when bad things have happened someone has to pay, or on their belief that retribution is what the public wants. Nevertheless, even here a proactive approach to the media, coupled with openness from senior management in the organisation, can result in a change in opinion that the media can reflect. Figure 3 shows an interesting relationship between the expected safety performance of an organisation and the number of reports, a message that could be passed to those who immediately equate an increase in the number of reports with a worsening situation [5]. The lesson appears to be that education about how incidents actually happen, and about how information about failures can actually serve to make the system better rather than merely provide evidence that things are bad, can impact on blame cultures at all three levels. But there are two other requirements that are essential. First, even with the development of an understanding of how incidents can be illuminating rather than just symptomatic, it is essential that all parties can be made to believe that reporting of all except the most egregious events should be blame-free (or blame-light) and even rewarded (Hudson et al, 2008). In order to do this, a track record of reporting without negative consequences for the reporter needs to be constructed, and this will take time. One way to develop such a track record involves approaching individuals and essentially setting up a number of reports that prime the

[5] The question that can be asked in the aviation setting is, "Would you rather fly with an airline that reported, or one that didn't?"