SMS Part 6: Strategies for Identifying and Selecting Risk Controls


In this article we will begin to look at the high-level strategies for selecting mitigations – or risk controls – to reduce the risks associated with aviation safety hazards.

Aviation Maintenance Magazine has been publishing a series of articles explaining how to establish and use a safety risk management (SRM) system to identify aviation safety hazards and assess them for risk. The SRM is one of the key elements of a complete Safety Management System (SMS). This article assumes that you have some familiarity with the basic concepts of SMS that were covered in those articles. If you do not, then we recommend that you go back and read the past five articles (you can find all five on Aviation Maintenance Magazine’s website).

In the past articles on SMS, we have discussed how to identify a hazard, how to assign values to the hazard correlating to likelihood of harm and consequence of such harm, and how to assess the total risk posed by the hazard. The nature of this process is that you will be able to rank the risks so that the hazards that pose the greatest risk can be addressed first. This allows an aviation business to focus its limited resources on mitigating the most important risks first, while at the same time preserving the less important risks to be addressed at a later date.

But what do we mean when we say, “address the risks?”

Two easy meta-strategies for mitigating the risk associated with a hazard are (1) to reduce the likelihood that the hazard will arise and (2) to reduce the consequences of the hazard if it arises. Remember that likelihood and consequence are the two metrics that we used to calculate total risk associated with each hazard. And these are both things that we do in aviation every day.

A typical hazard in a repair station is the possibility that the person performing maintenance will skip a step. This is a hazard that is mitigated in most repair stations through risk control processes aimed at both likelihood and consequence. For example, it is normal for the repair station to develop a “traveler” that describes the step-by-step process for the intended repair. This will typically be developed from the existing maintenance manual(s) for the article to be repaired. The mere existence of the traveler as a guide is a risk control to help mitigate the likelihood of missed steps in the repair. But that is not all we do. We also typically ask the person completing the processes to initial or stamp a check-box for each step to show that the step has been completed. This provides a visual cue to the maintenance technician that each step has been completed, and makes it obvious which step is next to be completed (this also mitigates other hazards, like the hazards posed by maintenance that spans over more than one shift). Each of these processes reduces the likelihood that the maintenance technician will skip a step during maintenance.

That is not all we do to mitigate the risk of skipped steps. We’ve all heard the adage that the work is not complete until the paperwork is complete. It is normal in repair stations for the traveler to be reviewed by an inspector before the work is considered to be complete. In such a review, if a step was skipped then the inspector will identify this as an issue that needs to be corrected before the article can be approved for release to service. This review is a process that mitigates a number of hazards, but one of the things that it does is mitigate the consequence of errors. This is because if an error was made (like a skipped step), then the consequences are less likely to escape from the system because of the review process. Thus, the safety consequences of skipped steps are mitigated to an insignificant level when the review process works correctly to identify when such steps may have been skipped.

Another way of looking at this particular mitigation (inspecting the work to ensure steps were not skipped) is that it limits the exposure of the hazard. By identifying the hazard in-house when it arises and preventing the affected article from leaving the quality system, the processes insulate the repair station’s customers from exposure to the risk. Exposure limitation can also arise in ways that are more attenuated from consequence mitigation, such as preventing access to areas in which hazards arise.

Modern technology is being used to reinforce these efforts. Computer-based travelers can be programmed to prevent an article from moving to the next step unless each step is confirmed to have been completed.
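A sketch of such a computer-based traveler, added here as an example (it is not code from this article or from any real maintenance system). The class and method names, the step names, and the rule that the inspector must not have signed a work step are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


class TravelerError(Exception):
    """Raised when an action would break the traveler's rules."""


@dataclass
class Traveler:
    steps: list                                   # ordered steps taken from the manual
    signoffs: dict = field(default_factory=dict)  # step index -> technician id
    inspected_by: Optional[str] = None

    def next_step(self) -> Optional[int]:
        """First unsigned step (the cue used at shift handover), or None."""
        return next((i for i in range(len(self.steps)) if i not in self.signoffs), None)

    def sign_off(self, index: int, technician: str) -> None:
        """Likelihood control: only the next open step can be signed."""
        expected = self.next_step()
        if expected is None:
            raise TravelerError("every step is already signed off")
        if index != expected:
            raise TravelerError(
                f"step {index} blocked: step {expected} {self.steps[expected]!r} is open")
        self.signoffs[index] = technician

    def inspect(self, inspector: str) -> None:
        """Consequence control: the review refuses to pass a traveler with gaps."""
        if self.next_step() is not None:
            raise TravelerError("inspection refused: unsigned steps remain")
        if inspector in self.signoffs.values():   # assumed independence rule
            raise TravelerError("inspector also signed a work step")
        self.inspected_by = inspector

    def releasable(self) -> bool:
        """The article may leave the quality system only after inspection."""
        return self.next_step() is None and self.inspected_by is not None


if __name__ == "__main__":
    t = Traveler(["remove panel", "replace seal", "torque bolts"])  # constructed steps
    t.sign_off(0, "tech-A")
    try:
        t.sign_off(2, "tech-A")   # attempt to skip "replace seal"
    except TravelerError as err:
        print(err)
```

The ordering check addresses likelihood, while the inspection and release gate address consequence and exposure, matching the two meta-strategies described above.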

As you can see from these last few paragraphs, there are a number of ways to mitigate risks. While the meta-strategies are to reduce the likelihood or to reduce the consequences of the hazard, there are specific strategies that are commonly used to accomplish these meta-strategies.

Four common risk process control strategies – in order of their priority – are:

1. Design for minimum risk

2. Incorporate safety devices

3. Provide warning devices

4. Develop procedures and training

When you can design for minimum risk, that always helps to ensure that inherent hazards are mitigated. This can be true in the design of the article by the manufacturer, but it can also be true in the design of a repair station’s facility. For example, if an identified hazard is inhalation of paint fumes, then the risks associated with that hazard can be mitigated through a facility design that keeps painting separate from humans, and effectively exhausts the fumes through a mechanism that reduces their toxicity to acceptable levels.

When it is not possible to minimize risk through design approaches, then the next consideration should be incorporation of safety devices and mechanisms. Using the paint-shop inhalation hazard, appropriate respirators can be safety devices that help to mitigate the inhalation risks for those employees who must be potentially exposed to inhalation hazards.

Warning devices can also be risk mitigations. They are typically used to reduce the likelihood of harm from a hazard, because they warn the employees away from the hazard or provide advice on how to best mitigate the risk posed by the hazard. Warning devices are used throughout aviation, from signs warning unauthorized personnel away from a place with hazards, to “remove before flight” tags hung from access panels that must be closed at the conclusion of a maintenance operation.

Developing procedures and training is listed last. Ensuring that your colleagues have the right training and the right procedures is important; but if you rely solely on these then you are introducing human factors into the risk process controls, which means that there is a greater likelihood of failure in these controls. This doesn’t mean that procedures and training are not important. They might be the only way to reasonably control a risk. They are also useful as a supplement to other risk process controls. But when they are the only risk process controls in place then it is especially important to ensure that they are effective (techniques for accomplishing this include auditing and are covered in the Safety Assurance element of SMS).

This article should not be used as a boundary. You should never hesitate to apply creative solutions to thorny problems. But if you are looking for a way to start the hazard-risk mitigation process, then using these categories as a guide can help you to begin identifying what sort of mitigation might yield the results that you want.

Want to learn more? We have been teaching classes in SMS elements, and we have advised aviation companies in multiple sectors on the development of SMS processes and systems. Give us a call or send us an email if we can help you with your SMS questions.