Assessing Aviation Safety

Unit 1 Assessing Aviation Safety 1
Aviation Safety & Accident
Prevention
Unit 1
Assessing Aviation Safety
Ronald I C Bartsch AM
2022 UNSW School of Aviation
CRICOS Provider Code 00098G
Unit 1 Assessing Aviation Safety 2
Contents
Overview ……………………………………………………………………………………………………………….. 3
Unit structure ………………………………………………………………………………………………………… 4
Unit flow chart……………………………………………………………………………………………………….. 5
What is safety? ………………………………………………………………………………………………………. 6
Life after the pandemic …………………………………………………………………………………………. 6
Perceptions of safety…………………………………………………………………………………………….. 8
Definition & terminology ……………………………………………………………………………………… 9
Managing safety…………………………………………………………………………………………………. 10
Organisational culture………………………………………………………………………………………….. 12
National culture………………………………………………………………………………………………….. 13
Corporate culture ……………………………………………………………………………………………….. 13
Safety culture …………………………………………………………………………………………………….. 14
Components of a safety culture…………………………………………………………………………….. 15
Creating a safety culture ……………………………………………………………………………………… 16
System safety ……………………………………………………………………………………………………….. 18
Safety models…………………………………………………………………………………………………….. 19
Risk management process……………………………………………………………………………………. 19
Risk acceptability…………………………………………………………………………………………………. 21
An uncomfortable judgment ………………………………………………………………………………… 21
Ideals and reality………………………………………………………………………………………………… 21
Affordable safety ……………………………………………………………………………………………….. 22
Further Reading …………………………………………………………………………………………………. 22
Conclusion …………………………………………………………………………………………………………… 24
Unit 1 Assessing Aviation Safety 3
Overview
In the context of a post pandemic aviation environment this unit introduces the concept of
safety and an overview of how safety impacts on organisations and cultures. E
veryone on
the planet is acutely aware that our world has changed almost beyond recognition since 2020
when the coronavirus upended our lives
. Within this changed landscape the importance of
understanding what is meant by safety and a systems approach to safety is considered from
this perspective for those working in the aviation industry. This unit further explains the task
of risk acceptability in terms of the needs of the travelling public considering the impact that
COVID-19 has had on our industry and other risks associated with flying.
The unit begins by defining the term safety and looking at the two perceptions of safety. In
its first usage, safety is seen in a technical sense, that in terms of risk assessment theory and
cost benefit analysis. Other terms that are defined are risk and hazard. The final section of
this topic considers the task of managing safety. Again there are problems as to individuals’
perceptions of what is involved in managing safety, and how safety is measured.
The meaning and importance of culture is considered at its various levels, that of: national
culture; corporate or organisational culture and finally safety culture. The various
components of culture are identified and the means of creating a safety culture examined.
The final sections of this unit explain the meaning of the terms ‘system safety’ and ‘risk
acceptability’ from a viewpoint of safety management.
Objectives
At the end of this unit you should be able to:
explain the impact upon aviation safety caused by the pandemic;
define the term safety, risk and hazard;
describe two ways in which safety may be perceived;
describe the three levels of culture from a safety perspective;
recall the five components of safety culture;
describe the concept of system safety and explain why this is the preferred
approach to safety management and assessment; and
explain the concept of risk acceptability in terms of the meaning of safety and
the assessment of risk.

Unit 1 Assessing Aviation Safety 4
Unit structure
Unit 1, Assessing Aviation Safety, explains within the context of a post-pandemic
environment, the meaning of the term safety and the difficulties of assessment. This unit
considers the following questions:
What is the public perception of aviation safety?
What role does culture play in the safety health of an organisation?
Why is a system safety approach considered best?
What are the considerations in determining risk acceptability?
These questions are addressed in the following sections of this unit:
What is Safety?
Organisational culture
System safety
Risk acceptability
The first section to unit 1,
What is safety? defines and distinguishes between the terms safety,
risk
and hazard. The importance of being able to assess risk and hence judge safety is then
explained.
The next section,
Organisational culture, introduces you to the various levels of culture in
society. The importance of developing a healthy safety culture is explained. The various
components of safety culture are discussed and their importance to the overall safety health
of the organisation explained. The steps involved in creating a safety culture are stated.
The third section,
System safety, explains this mode of approach to safety management and
lists the advantages of such an approach. The various applications of a system safety
approach within the aviation industry are discussed and the interaction between the various
sectors explained. In terms of the numerous contemporary models and theories that have
been developed to explain the cause of accident, the advantages of those relating to a
systemic approach is described.
The final section of this unit,
Risk acceptability, describes the vital link between risk and
safety and the interaction of the two terms. While there is no doubt that the process of
determining risk acceptability is commonplace and considered important in modern society,
it is nevertheless a concept and a process which is not generally freely discussed. The general
misconception that, with respect to aviation, any risk is simply unacceptable is discussed.
Finally, the confusion between that which one would like (zero risk) and that which exists
(level of acceptable risk) is considered in an attempt to resolve.

Unit 1 Assessing Aviation Safety 5
Unit flow chart

Section Objectives Action
What is safety? To define the terms a safety,
risk and hazard. How do we
explain the concept of safety
in both its public and
technical senses in a post
COVID-19 world?
Bartsch R, Aviation Law
in Australia (5
th edition)
Thomson Reuters,
Sydney 2019, Para 16.05-
16.10.
Organisational
culture
To define the terms
corporate culture and safety
culture. Be able to recall the
three levels at which culture
exists.
Bartsch R, The Corona
Dilemma,
Vivid,
Australia, 2021. (Pages
61-67)
Aviation Law in Australia
(5
th edition) Thomson
Reuters, Sydney 2019,
Para 16.85-16.90
System safety To define the term system
safety.
To be able to describe the
terms
active failures and
latent conditions.
Exercise 1, Civil Aviation
Safety Authority AC 119-
01 –
Safety Management
Systems For Regular
Public Transport
Operations
Risk acceptability To be able to describe the
relationship between risk and
safety in terms of
risk
acceptability
.
To explain the concept of
affordable safety.
Case Study 1,
Bartsch R,
Aviation Law
in Australia (5
th edition)
Thomson Reuters,
Sydney 2019, Para 16.60.

Unit 1 Assessing Aviation Safety 6
What is safety?
Aviation safety is an extremely emotive topic. And rightly so. Whenever the safety and wellbeing of humans is concerned there is, and always should be, a high degree of public interest.
Aviation is no exception. In fact the scrutiny and monitoring of aviation safety, especially
by the media, is to a certain extent out of proportion to the level of risk it poses to the
community at large. Whether this level of interest is warranted is a separate issue, but the
fact remains that aviation safety is prominent in the public eye and always on the mind of
even the most seasoned frequent flier.
Even when a determination of safety is made — using widely accepted methodologies —
rarely will there be absolute consensus. Aviation safety, mostly due to its diverse and
dynamic operating environment, is a prime example of how difficult it is to determine the
level of risk that is considered as “safe”.
Life after the pandemic
The COVID-19 pandemic absolutely blindsided us all, and its impact on our personal lives
and on businesses around the world is undeniable. The life we knew before 2020 will likely
never be the same. As individuals and as business leaders, we’re sitting at the crossroads of
something extraordinary and we’re all being presented with two clear choices:
1 . Should we continue on as before and try to replicate the pre-pandemic aviation
world within the constraints that a post-pandemic world will bring? Or
2 . Should we take this unique opportunity to forge a new path, one not just built
around the challenges of a post-pandemic world, but one that actively embraces
the new environment we’re now living in?
It remains to be seen whether those airlines and other aviation enterprises that survive the
pandemic will maintain the requisite levels of financing to ensure air travel remains safe. For
this to happen, airline executives will need to support such expenditure and governments and
safety regulators throughout the world will need to remain vigilant to ensure that they do.
There’s a saying in the industry that “a safe airline is more than likely also a profitable
airline.”
Safety, due to its nebulous nature, is a subjective experience. But what is safety? Safety has
been described as the freedom from those conditions that cause accidents. This assessment
would present no difficulties if one could be certain that all the conditions that cause
accidents had, in advance, been considered. History and hindsight have proven to be the only
reliant sources of such information.
Another definition of safety considers something as safe if its risks are judged to be
acceptable. This definition is probably more workable in that it acknowledges both the
subjective and relative aspects of safety — the need for judgment and a determination of
what constitutes an acceptable level of risk.

Unit 1 Assessing Aviation Safety 7
The Australian Standards define safety as:
“A state in which the risk of harm (to persons) or damage is limited to an
acceptable level.”
1
Accordingly, whenever judgment is exercised (to assess what is “acceptable”) there must be
reliance on some predetermined value or objective. Whether we like it or not any assessment
of safety will always be an estimate. No aspect of human endeavour will ever be 100% safe.
In addition to the normal risks associated with flying COVID-19 has brought with it
additional and unprecedented risks.
According to CNN Travel in a
leaked memo obtained by the Australian press, national carrier
Qantas detailed errors made by its pilots after long periods of inactivity due to Covid, such
as starting a take-off with the brakes still on.
Similar reports have surfaced from all over the world, many through NASA’s
Aviation Safety
Reporting System
, a platform where industry professionals can log incidents anonymously,
for the wider community to discuss. A CNN
analysis of the platform has found several
Covid-related mistakes, one of which involved a plane landing without having obtained
permission to do so. “Since Covid-19 breakout, I was not flying as frequently as before,”
wrote one of the pilots from that flight. “I believe this was factored into this incident.”

In July 2020, the International Air Transport Association (IATA) released a notice
to inform the aviation industry of an increasing number of “unstable
approaches,” or landing attempts in which the speed, direction or descent rate of
the aircraft were incorrect. They had more than doubled compared to pre
pandemic levels.
CNN Report

1 The international standard for risk management is ISO 31000. This standard provides comprehensive
principles and guidelines and helps organisations with their risk analysis and risk assessments. However,
Australian Standard AS/NZS ISO 31000 Risk Management defines some widely accepted principles that
should be followed.
The pandemic wreaked financial devastation across the aviation value chain,
most notably for airlines. All subsectors reported massive losses in 2020,
except for freight forwarders and cargo airlines.
Steve Saxon
Unit 1 Assessing Aviation Safety 8
Perceptions of safety
Even when a determination of safety is made — using widely accepted methodologies —
rarely will there be absolute consensus. Aviation safety is a prime example. It should be
noted that safety in the workplace (OHS or WHS) is sometimes differentiated from
operational safety or, as in the case with the aviation industry, safety of flight issues.
2
Although it is almost universally accepted that travel by air is the safest form of mass
transportation, because the tragic consequences of a single accident, air accidents, when they
occur, attain the forefront of public attention. Air accidents are less tolerable than a simplistic
cost-benefit analysis might otherwise suggest.
By way of example, Solomon
3 points out that 100 car accidents each with a single fatality is
not
perceived to be equivalent to a single accident that kills one hundred people. The media
and ‘the spectacle’ of the event has a lot to do with this perception. However, to put the
comparison of the hazards posed by these two modes of transportation in perspective some
hard cold facts should be considered. Each year in Australia approximately 1,700 people are
killed as a result of motor vehicle accidents. This means that in the past two years more
people have died on our roads than have died in aircraft accidents during the 80 year history
of aviation in Australia.
Take another example relating to people’s perception of safety. In Australia each year, on
average, more people are killed when rock fishing than any other sport or form of recreation.
But what is the public’s perception of rock fishing as compared with say, sky diving, bungie
jumping or playing with your pet bull terrier? When was the last time you saw television
footage of the rock from which the ill-fated fisherman fell?
Jim Hall, Chairman of the National Transport Safety Board in the United States has another
account as to why people are so fascinated by aircraft accidents:
“Most of us can walk, most of us can drive and most of us can swim, but most
of us can’t fly, and I think there always will be a fascination with flight, and
with the average person, I think there is that little sinking feeling in the
stomach when they’re at 30,000 feet and they’re not in control.”
In light of this commonly held public perception (bear in mind perception is not reality) and
fascination with aircraft accidents any discussion of air safety must encompass both the
technical sense of safety in terms of probability risk assessment and the popular sense of
safety in terms of the public perception of risk and whether that risk is deemed acceptable.
In aviation there seems to be a very close correlation between the public’s perception of
safety and the commercial viability of the industry.
2 The new International Standard for Occupational Health and Safety Management Systems is AS/NZS 4801
which has been superseded by ISO 45001:2018. This is now the benchmark Standard for OHS management
systems, organisations currently certified to AS/NZS 4801 must migrate to ISO 45001:2018 by 13 July 2023.
Safe Work Australia is the body leading the development of national policy to improve work health and
safety and workers’ compensation across Australia. The interests of the Commonwealth, states and territories
as well as workers and employers in Australia are all represented. See:
https://www.safeworkaustralia.gov.au
3 K A Solomon, Swimming Pool Risks: How do they compare to other Accidental Risks? (Rand Report, Santa
Monica, USA, 1993) p7841.

Unit 1 Assessing Aviation Safety 9
The concept of flight safety goes back to the Wright brothers. The aviation environment is
very unforgiving and it was realised very quickly that, for it to become commercially viable,
the public would need to be reassured it was safe.”
4
Throughout this subject both interpretations of safety will be considered. Wherever possible
the two views will be accommodated in an integrated approach, in other instances each view
will be considered in context.
Please read your textbook at paragraphs [16.05]-[16.40]
Definition & terminology
From the outset it is important to have a working definition of a few words and concepts
that will be used throughout this subject.
And without a sanctioned definition of safety, there can be no safety
yardstick, no safety standard.”
Flying Blind, Flying Safe
From the outset it is important to have a working definition of a few words and concepts that
are used throughout this publication and are the basis of safety-related legislation in
Australia. It is important that when defining any important terms or processes that there is
consistency in the application of such definitions. This is particularly so in respect of aviation
because of its global nature and almost universal application of technical standards.
ICAO Annex 13: Aircraft Accident and Incident Investigation and Annex 19 – Safety
Management, 2nd Edition, dated July 2016 provides definitions in relation to certain safetyrelated terms such as: aircraft accident and incident, serious incident and serious injury.
However, the terms: safety, safety management and safety management systems are not
specifically defined in respect of aviation operations. Therefore, when regulating for
legislative compliance in this area it is important that these, and other related terms, are
clearly and consistently understood by the aviation community.
A
hazard is a source of potential harm or a situation with a potential to cause loss.5 It is
implied that for the consequences of an event to be defined as a hazard, that is the potential
for causing harm, there is some risk to the human population and therefore absolute safety
could not be guaranteed, even if the risk is accepted when judged against some criterion of
acceptability.
The ICAO
Accident Prevention Manual states that a hazard is: “any condition, event or
circumstance which could induce an accident.” In some respects this term includes “events”
4 T Glasspool, “Developing and Maintaining an Aviation Safety Case” (paper delivered at Effective Safety
Management Conference, Christ’s College, Cambridge, 15-18 September 2003,) p 1.
5 AS/NZS ISO 31000 Australian/New Zealand Standard – Risk Management – viewed 01 April 2022.
Unit 1 Assessing Aviation Safety 10
that are sometimes classed as incidents,6 and so these two terms — hazard and incident —
are not mutually exclusive. It can be said that all accidents and incidents involve hazards,
however, not all hazards result in either an accident or incident.
Risk is defined as the likelihood and consequences of injury or harm occurring.7 It is the
chance of something happening (‘the event’ possibility an accident) that will have an impact
upon objectives. It is measured in terms of the product of the likelihood of the event
occurring (expressed as either a frequency or probability) and the consequences if the event
does occur.
Please read your textbook at paragraphs [16.45]
Some commentators see safety as the freedom from risks that are harmful to a person or a
group of persons, either local to the hazard, nationally or even worldwide. This implies,
however, that safety can be considered in absolute terms — that there can be absolute safety.
This simply is not true. As previously stated, safety is a relative concept and is best
considered as a state in which an acceptable level of risk exists. And in aviation, as 11
September 2001 has proven, there will always be that element of unknown risk.
Managing safety
Safety unlike risk cannot be measured directly. We measure the risk to assess the level of
safety. As managers we are concerned with managing the risk, which in effect is what safety
management is all about. From the above definition of risk it can be seen that assessing risk
involves two separate processes. Risk is an expression of the possibility of an accident in
terms of first, the hazard probability (likelihood) and second, the hazard severity
(consequences).
Safety management is the deliberate application of management practices to mitigate,
eliminate or reduce safety risks associated with the operational activity of the organisation
and to achieve the highest levels of safety performance within the resources available.
Safety management has been defined as the systematic management of the risks associated
with flight operations and related ground operations to achieve high levels of safety
performance.
8
A safety management system is an integrated set of work practices, beliefs and procedures
for monitoring and improving the safety ‘health’ of all aspects of your operation. It
recognises the potential for errors and establishes robust defences to ensure that errors do
not result in incidents or accidents.
6 ICAO defines an incident as: “an occurrence, other than an accident, associated with the operation of an
aircraft which affects or could affect the safety of operation”. See ICAO Doc 9859 – Safety Management
Manual, 4th Edition, dated 2018.
7 AS/NZS ISO 31000 Australian/New Zealand Standard – Risk Management.
8 See Civil Aviation Safety Authority AC-119 Safety Management Systems For Regular Public Transport
Operations.

Unit 1 Assessing Aviation Safety 11
The CASA Manual of Standards defines a safety management system (SMS) as an explicit
element of the corporate management responsibility that sets out an operator’s safety policy
and defines how it intends to manage safety as an integral part of its overall business.
9
CASR Part 119.275 requires an operator10 to have a SMS, which includes provision for a
safety management, accident prevention and flight safety management system. This
requirement supports the ICAO recommended practice
11 for operators to have such a system
in place.
Risk exists whenever the future is unknown.”
CASA Entry Control Course, 1997
The future is certain. Give us time to work it out.”
David Byrne, Talking Heads
Braithwaite points out that in common usage the word ‘risk’ is generally associated with
‘high risk’.
12 Phrases which describe an activity as being ‘open to some risk’ or an
individual’s actions being ‘risky’ suggest that the risk is higher than normal. All activities,
by definition, carry some element of risk. The confusion, Braithwaite suggests, appears to
lie in discriminating between risk and safety. Activities which are deemed to be safe still
carry an element of risk. The presence of risk does not necessarily equate with a lack of
safety. To further complicate the matter, many people’s perception of risk does not always
follow a logical discourse. As previously purported the media is often the perpetrator of such
perceptions.
It should be pointed out that media focus on aviation safety issues is not necessarily a bad
thing. In a review of airline safety in
Flight International the following observation was
made.
The increase in public consciousness of flight safety, as well as the fact that more
people are travelling by air, has led to creation of a growing media niche-industry
producing air travel-safety reports and documentaries. Many of these are latching on
to the statistical fact of significant differences in safety standards according to country
or region, a truth which 1997 has re-affirmed. If this more investigative approach by
the media persists, a more informed and selective travelling public may increase the
pressure on less-safe regions to invest in safety.
13
In Unit 2 we will consider in more detail the concept of risk, risk measurement and risk
analysis.
9 CASA Advisory Circular Part 119, s 4: Definitions.
10 To whom subpart E of Part 119 applies.
11 Annex 6 Parts I and II.
12 G Braithwaite, “Australian aviation safety: A systematic investigation” Research Thesis. See also Braithwaite
G, “How do we define safety” A systemic Investigation Case Study, Loughborough University.
13 D Learmount, “Safety perceptions” in Flight International 21-27 January 1998, p36.
Unit 1 Assessing Aviation Safety 12
Organisational culture
Culture is concerned with group norms and is to a human collective what personality is to
an individual.
14 Just as an individual’s personality influences one’s perception of risk, so too
does the ‘culture’ within which one lives and works influence their personality. Culture is
multi-dimensional in that it exists at various levels: the group; the organisation; and at the
national level. The safety culture of an organisation is a subset of the organisational culture.
Unless there exists an overall dominant and coherent organisational culture there can be no
true strength in that organisation’s safety culture — no matter what safety measures are
taken.
The most important aspect of any organisation’s safety initiatives or safety management
system is the people within it. The safety culture of an organisation is without doubt the most
critical factor determining safety within that enterprise. This must be driven from the top
down: “senior management must want all staff to think ‘safety first’”.
15
Fundamental to the creation of a favourable safety culture within any organisation is the role
of management and indeed that of senior management. In aviation and airline operations the
development of a healthy safety culture is more important than achieving a final outcome
based on an empirical assessment of raw accident and incident data.
This view is shared by Professor James Reason who has stated:
“It is worth pointing out that if you are convinced that your organisation has a good safety
culture, you are almost certainly mistaken. Like a state of grace, a safety culture is something
that is striven for but rarely attained. As in religion, the process is more important than the
product. The virtue — and the reward — lies in the struggle rather than the outcome.”
16
A true safety culture is one that recognises that not to have any accidents should always be
followed with the word “yet”. A low accident or incident rate is no guarantee that risks are
being effectively controlled.
17 Safety culture, which should be much more than just a pair of
words, is one of those industrial clichés which is in danger of losing its meaning through
careless use. What a safety culture means is: “if the boss thinks safety is important and lets
it be known, so will everybody else in the organisation.”
18
14
According to Hofstede “Culture is the collective programming of the mind which distinguishes the members
of one group from another.” G Hofstede,
Culture’s Consequences: International Differences in Work Related
Values
(Sage Publications, Beverly Hills, CA, 1980)
15 T Glasspool, “Developing and Maintaining an Aviation Safety Case” (paper delivered at Effective Safety
Management Conference, Christ’s College, Cambridge, 15-18 September 2003,), p 3.
16 J Reason, Managing the risks of organizational accident, (Ashgate Publishing, England, 1997), p 220.
17 This is particularly so with organisational accidents (see [2.27] and [16.16]) where the probability of a serious
accident is so remote but where the consequences can be most severe.
18 Aviation Insurance & Law, May 2016.
Unit 1 Assessing Aviation Safety 13
National culture
According to Professor Reason “every organisational culture is shaped by the national
context in which it exists — and this is especially true for multinational organisations.”
19
International airlines that employ pilots from varying ethnic and cultural backgrounds must
be cognisant of the interaction of an individual’s culture with an airline’s safety culture.
Cultural differences exist not only between countries but also within countries, between
regions, social classes, generations, sexes and occupations. It influences or conditions the
way we perceive reality. Because of our culture, we select aspects of reality and give that
reality a meaning. It includes a value system and this can affect our priorities, and therefore
the decisions we make. The influence of national culture or ethnicity is considered later units
of this program in relation to human factors (Unit 6) and crew resources management (CRM)
training (Unit 7).
Corporate culture
All large organisations develop their own culture. This is true of all establishments whether
from the public or private sector. A corporate culture refers to the shared values (what is
important) and beliefs (how things work) that interact with an organisation’s structure and
control systems to produce behavioral norms (the way we do things around here). In other
words, a corporate culture is akin to an individ- ual’s paradigm in that it determines how a
company will respond to the world around it.
Corporate culture refers to the shared values (what is important) and beliefs
(how things work) that interact with an organisation’s structure and control
systems to produce behavioural norms (the way we do things around here).
Uttal20
In other words the corporate culture of an organisation is the way it views itself and others,
and what it does.
Due to the unprecedented sanctions imposed under COVID-19 measures, especially with the
closure of national boarders, the entire global airline sector is on life support as it struggles
to survive. Provided an organisation has a healthy corporate culture — in terms of practising
safety
awareness principles — then the introduction of new safety initiatives should be a relatively
easy task. In some instances however, deep-rooted cultural attitudes, those which are not
conducive or consistent with safety practices, may obstruct or subvert attempts at change.
19 J Reason, Managing the Risks of Organizational Accidents (Ashgate Publishing Limited, Aldershot,
England, 1997) p220.
20 B Uttal, “The Corporate vultures” in Fortune 17 October 1983.
Unit 1 Assessing Aviation Safety 14
Safety culture
There has been much discussion about the importance of developing and nurturing an
appropriate “safety culture” within aviation organisations.
21 According to Hayward a
company’s safety culture is inextricably linked with, but can be distinguished from its
organisational culture. In all organisations, not just airlines, there are examples of good and
bad safety cultures. The
quality or health of a safety culture will depend on a number of
factors including: the way in which the organisation handles the often conflicting goals of
safety and profitability; the trade-offs between the two; and the level of demonstrated
commitment to safety.
Safety culture also depends heavily on perceptions of the organisational communication
styles. For example, if an employee is concerned about the safety of a certain practice or
procedure, are channels open for that concern to be communicated to management? If so,
how will management respond? Is the flight safety department proactive or reactive? Are
messengers shot? These are the questions that need to be considered in the development of
an appropriate organisational safety culture.
In summary, and in an ideal world, the safety culture of an aviation organisation would form
an integral part of that organisation’s corporate culture. But what exactly is it?
Safety culture
refers to a set of values, beliefs, behaviours and assumptions concerned with minimising the
exposure to danger and risk.
Pidgeon & O’Leary
22 offer a more formal definition of safety culture. They define the term
as being the set of beliefs, norms, attitudes, roles and social and technical practices within
an organisation which are concerned with minimising the exposure of individuals, both
within and outside the organisation, to conditions considered to be dangerous. In practical
terms safety culture means “this is the way we do things around here to minimise exposure
to conditions considered to be dangerous”.
Safety culture, which should be much more than just a pair of words, is one
of those industrial clichés which is in danger of losing its meaning through
careless use. What it means is,
if the boss thinks safety is important and
lets it be known, so will everybody else in the organisation
.
Aviation Insurance & Law, June 1997
Safety culture, like any form of culture, is not limited to tangible factors. According to
Professor James Reason, safety culture is made up of a number of interacting elements that
21 For example see: J Lauber, “Safety cultures and the importance of human factors” in CRM Advocate,
1994(4), 1-3 and also: B Hayward “Culture, CRM and aviation safety” paper presented at the 1997 ANZSASI
Asia Pacific Conference.
22 N Pidgeon & M O’Leary, “Organisational safety culture and aviation practice” in N McDonald et al,
Organisational safety culture: Implications for aviation practice (Ashgate Aldershot, 1995).
Unit 1 Assessing Aviation Safety 15
have enhanced “safety health” as their natural by-product. But Reason has the following
words of caution to add.
“Finally, it is worth pointing out that if you are convinced that your organisation has
a good safety culture, you are almost certainly mistaken. Like a state of grace, a safety
culture is something that is striven for but rarely attained. As in religion, the process
is more important than the product. The virtue — and the reward — lies in the
struggle rather than the outcome.”
23
Developing, promoting and enhancing a safety culture within an organisation or industry is
the outcome or objective of a specific program or system. The precise title given to such
programs or systems
designed to assess, analyse and control (manage) risk may vary
between organisations; however, for the purpose of this subject, we will accommodate all
such endeavours under the classification of
system safety. This concept will be examined in
more detail later in this unit.
Components of a safety culture
In Managing the Risks of Organisational Accidents Professor Reason has identified the main
components of a safety culture and their various interactions. These components, according
to Reason, are extracted below.
An ideal safety culture is the engine that continues to propel the system
towards the goal of maximum safety health, regardless of the leadership’s
personality or current commercial concerns. Such an ideal is hard to achieve
in the real world, but is nevertheless a goal worth striving for.
The power of this engine relies heavily upon a continuing respect for the
many entities that can penetrate and breach the defences. In short, its power
is derived from not forgetting to be afraid.
In the absence of bad outcomes, the best way — perhaps the only way — to
sustain a state of intelligent and respectful wariness is to gather the right
kinds of data. This means creating a safety information system that collects,
analysis and disseminates information from incidents and near-misses as
well as regular proactive checks on the system’s vital signs. All of these
activities can be said to make up an
informed culture — one in which those
who manage and operate the system have current knowledge about the
human, technological, organisational and environmental factors that
determine the safety of the system as a whole. In most important respects,
an informed culture
is a safety culture.
Any safety information system depends crucially on the willing participation
of the work force, and the people in direct contact with the hazards. To
achieve this it is necessary to engineer a
reporting culture — an
organisational climate in which people are prepared to report their errors and
near misses.
An effective reporting culture depends, in turn, on how the organisation
handles blame and punishment. A ‘no-blame’ culture is neither feasible nor
desirable. A small proportion of human unsafe acts are egregious (for
example, substance abuse, reckless non-compliance, sabotage and so on)
and warrant sanctions, severe ones in some cases. A blanket amnesty on all
unsafe acts would lack credibility in the eyes of the work force. More
importantly, it would be seen to oppose natural justice. What is needed is a
23 J Reason, op cit at 220.
Unit 1 Assessing Aviation Safety 16
just culture, an atmosphere of trust in which people are encouraged, even
rewarded, for providing essential safety-related information — but in which
they are also clear about where the line must be drawn between acceptable
and unacceptable behaviour.
The evidence shows that the high-reliability organisation — domain leaders
in health, safety and environmental issues — possess the ability to
reconfigure themselves in the face of high-tempo operations or certain kinds
of danger. A
flexible culture takes a number of forms, but in many cases it
involves shifting from the conventional hierarchical mode to a flatter
professional structure, where control passes to task experts on the spot, and
then reverts back [sic] to the traditional bureaucratic mode once the
emergency has passed. Such adaptability is an essential feature of the crisisprepared organisation and, as before, depends crucially on respect — in this
case, respect for the skills, experience and abilities of the work force and,
most particularly, the first-line supervisors. But respect must be earned, and
this requires a major training investment on the part of the organisation.
Finally, an organisation must possess a learning culture — the willingness
and competence to draw the right conclusions from its safety information
system, and the will to implement major reforms when their need is indicated.
The preceding bullet points have identified four critical subcomponents of a safety culture:
a
reporting culture, a just culture, a flexible culture and a learning culture. Together they
interact to create an
informed culture which, for our purposes, equates with the term ‘safety
culture’ as it applies to the limitation of organisational accidents.
24
Creating a safety culture
According to Reason many people talk as if safety culture can only be achieved through
some awesome transformation, akin to a religious experience. Reason however takes the
opposite view, arguing that “a safety culture can be socially engineered by identifying and
fabricating its essential components and then assembling them into a working whole.
It is undoubtedly true that a bad organisational accident can achieve some dramatic
conversions to the ‘safety faith’, but these are all too often short lived. A safety culture is not
something that springs up ready-made from the organisational equivalent of a near-death
experience, rather it emerges gradually from the persistent and successful application of
practical and down-to-earth measures. There is nothing mystical about it.
Acquiring a safety
culture is a process of collective learning, like any other.
Nor is it a single entity. It is made
up of a number of interacting elements, or ways of doing, thinking and managing that have
enhanced safety health as their natural by-product.”
25
See: https://www.casa.gov.au/operations-safety-and-travel/safety-managementsystems/safety-management-legislation-guidance-and-resources
24 Ibid at 195-196.
25 Ibid at 192.
Unit 1 Assessing Aviation Safety 17
Any corporation by virtue of its design, structure and charter continually strives to achieve
its destined objectives. Those corporations – particularly public companies – when immersed
in a highly competitive commercial environment “naturally” align their activities toward
attaining their commercial objectives. Invariably such objectives are growth and the
maximisation of profits. The question that needs to be asked is, what “checks and balances”
are there within such organisations to ensure that safety is afforded its rightful priority?
Within the commercial airline context the answer seems to suggest the following approach:
In a commercial setting, business imperatives tend to dominate safety concerns
unless management takes deliberate steps, and build the requisite
culture and
systems
, to prevent that from happening.1
What then does an organisational culture that gives safety a priority look like?
Please read your textbook at paragraphs [16.90]-[16.105]
Further research on Safety Culture:
https://www.icao.int/APAC/Meetings/2015 APRAST6/06 – IATA_Safety Culture from the Top Down.pdf
Closing Thoughts
x A strong Safety Culture — a vital condition to a well functioning SMS
x It is possible to have a good Safety Culture without a formal SMS
x But is not possible to have an effective SMS without a good Safety Culture
Unit 1 Assessing Aviation Safety 18
System safety
According to the Federal Aviation Authority’s Strategic Plan, system safety is the application
of engineering and management principles and techniques to optimise all aspects of safety
within the constraints of operational effectiveness, time and cost throughout all phases of the
system life cycle. This somewhat all encompassing definition is perhaps best summarised as
follows:
System safety is an organised effort to identify and evaluate risk and
find an optimised solution to resolve the risk while satisfying various
constraints.
FAA Strategic Plan 1994
In the context of the above definition “resolve the risk” does not mean ‘eliminate’ the risk.
As previously stated it is never possible to eliminate entirely the element of risk, however,
this does not mean that creating such a environment might not remain as one’s objective. As
stated by Solomon “All activities have an inherent risk and risks can never be removed
completely from any activity.”
26 ‘Resolve the risk’ equates to ‘manage the risk’ — applying
managerial principles to achieve the desired outcome within the constraint of available
resources.
The adoption of a system safety approach in aviation needs to be embraced from the highest
levels. At a safety conference in Canberra, the then Minister for Transport and Regional
Services, made the following comments:
“I would like to highlight from the outset that I firmly believe we need to take a “systems
safety” approach to ensure that air travel remains the extremely safe form of transport that it
is. It is not enough to simply focus on what is happening in the cockpit of an aircraft, and to
attribute all failures of the aviation system to “pilot error”.
By “systems safety” I mean we need to take an integrated approach to aviation safety that
also encompasses:
air traffic control;
aircraft maintenance;
the interaction between the flight deck and cabin crew;
the interaction between the aircraft crews and the ground crews; and also
decisions made by management at all levels which can impact upon the safety
of operations.
26 Solomon op cit.
Unit 1 Assessing Aviation Safety 19
This systems safety approach is essential in meeting some of the major challenges that will
be arising in the near future.”
27
Safety models
There are a number of contemporary models and theories that have been developed that
attempt to explain the cause of ‘accidents’ and how ‘hazards’ might best be managed.
Although there is a divergence of thought on the subject most theorists agree that rarely is
the cause of an accident attributable to a single cause. Macarthur Job, in providing an
explanation for the 1977 Teneriffe accident, says that the accident was “the final outcome of
an unfavourable coincidence of a whole class of circumstances that individually were
relatively insignificant.”
28
Accidents that can be attributed to a breakdown of a system or process within a system are
termed
systemic. To avoid further such accidents the system needs to be modified so as to
minimise or eliminate the likelihood of similar such occurrences.
One of the principal exponents of the system approach is Professor James Reason of the
University of Manchester. The international aviation community’s contemporary approach
to safety philosophy and practice has been greatly influenced by the work of Reason and his
colleagues. Reason’s
accident causation model has been supported by ICAO and
recommended for investigating the role of management policies and procedures in aircraft
accidents and incidents.
Professor Reason makes the point that like many other high-hazard, low-risk systems,
modern aircraft have acquired such a high degree of technical (eg redundancy) and
procedural (eg standard operating procedures) protection that they are generally not
vulnerable to single failures, whether human or mechanical.
29 Reason notes that such
systems are much more likely to fall prey to an
organisational accident — that is, a situation
in which
latent conditions, arising mainly in the managerial and organisational spheres,
combine adversely with local triggering events (weather, location, etc) and with the
active
failures
of individuals at the “sharp end” (errors and procedural violations). Reason’s
accident causation model and other tools and techniques of risk analysis and safety
management, will be considered in more detail in Unit 3.
Risk management process
An organisation or regulatory authority should, in its normal course of business, manage risk
within its mode of operation. A disciplined risk management process is essential to good
decision making. Simply put, a system safety program is a risk management process.
Therefore the assessment of system safety is a subset of the assessment of risk. While risk
management encompasses considerations beyond ‘safety risk’ (eg political considerations)
such elements are inevitably interrelated because resources (whether human, material or
financial) of any organisation are finite. Decisions need to be made to best manage these
resources in an attempt to achieve that organisation’s goals.
27 “Setting the Right Aviation Culture” Safeskies Conference, Canberra, 6 November 1997.
28 M Jobb, Air Disaster Vol 2 (Aerospace Publications Pty Ltd, Weston Creek, ACT, 1996).
29 J Reason, “Identifying the Latent Causes of Aircraft Accidents before and after the Event” International
Society of Air Safety Investigators 22
nd Annual Seminar, Canberra, November 4-7 1991.
Unit 1 Assessing Aviation Safety 20
Therefore, in the interests of air safety, it is important that all sectors of the air transport
system have, as part of their corporate objective, a commitment that embellishes safety and
safe operations. By air transport system I include all aircraft operators, regulatory authorities,
aircraft and aircraft component manufacturers, maintenance providers, and air traffic
management system and infrastructure. The development of strategies and programs within
these organisations that specifically address the question of safety management is discussed
in detail in subsequent units. Unit 3 specifically considers organisational structures within
aviation regulatory authorities whereas Unit 4 looks at various models and risk management
processes within the private sector.
E x e r c i s e 1
1.1 Provide a dot point summary of some of the safety issues for the
aviation industry that has arisen as a result of COVID 19.
1.2 Give an account of the two commonly held perceptions of safety.
Discuss the merits of each and state whether you consider it is an
advantage, to society in general, that both exist simultaneously.
1.3 If you arrive at your destination on a charter flight after having had a
very near mid-air collision, did you have a
safe flight? Was your flight
hazardous? Explain.
1.4 Discuss the importance of a
safety culture within an organisation.
1.5 What is your understanding of the difference between
affordable
safety and acceptable safety?
1.6 Research the internet (or elsewhere) to find an authoritive assessment
of the cost of a human life – in Australia or overseas – so that you
understand the methodology. Can a cost benefit assessment of safety
be justified on moral grounds?

Unit 1 Assessing Aviation Safety 21
Risk acceptability
Risk acceptability has been described as being the vital link between risk and safety.30 With
respect to aviation, this is absolutely correct. Travel by air, or for that matter any other mode
of transportation, can never be perfectly safe. Risk acceptability is a subjective assessment
(whether by a regulatory authority, an organisation or an individual) of a state of affairs that
constitutes a sufficient level of safety.
An uncomfortable judgment
What value is considered as being “sufficient” or good enough in terms of safety will depend
on who is making the assessment. For example, is it the aviation regulatory authority, the
airline, the aircraft manufacturer or the potential passenger? Each decision maker has their
own determination of risk acceptability based on their own unique criteria or values.
Kasperson suggests the term risk acceptability “conveys the impression that society
purposely accepts risks as the reasonable price for some beneficial technology or activity.”
31
The authors further elaborate in stating:
For some special cases this may approach reality. Hang-gliding, race-car
driving, mountain climbing, and even adultery, divorce, and midlife career
changes are all high-risk activities in which the benefits are intrinsically
entwined with the risks. These activities are exhilarating because they are
dangerous. But most risks of concern are of the undesired and often
unforeseen by-products of otherwise beneficial activities or technologies.
Another commentator sees the criteria for acceptance of risk in relation to human safety as
deriving from “each person’s attitude towards safety and also from social conditions and the
attitudes of the mass media and politicians. We are here faced with a spectrum of attitudes.
Some of these may serve as starting points for rational evaluations and decisions: other
attitudes are too ‘narrow’ or emotional to provide general norms.”
32
Ideals and reality
While there is no doubt that the process of determining risk acceptability is commonplace
and considered important in modern society, it is nevertheless a concept and a process which
is not generally freely discussed. A suggested reason for this apparent dichotomy relates to
the fact that the underlying premise involved in such a determination (ie risk assessment)
ultimately relates to putting a price on human life. This is not a premise that is easily accepted
and subsequently it is often ignored or pushed aside. To further complicate the matter there
is a general misconception that, with respect to aviation, any risk is simply unacceptable.
Apart from being naive such a view is counter productive to gaining an understanding of the
processes involved in determining risk acceptability.
30 Braithwaite “Australian aviation safety: A systematic investigation” op cit at para 2.3.3.
31 R & J Kasperson, “Determining the Acceptability of Risk: Ethical and Political Issues” (Clark University
Hazard Assessment Group, Clark University, Worcester, USA, 1984).
32 Norwegian Safety Society, Safety, Man and Society (Det Norske Veritas, Oslo, Norway, 1979).
Unit 1 Assessing Aviation Safety 22
The later confusion exists because of the divergence of thought between that which one
would like (zero risk) and that which exists (level of acceptable risk).
The acceptable level of risk is not the ideal risk. Ideally, the risks should be
zero. The acceptable level is a level that is ‘good enough’, where ‘good
enough’ means you think that the advantages of increased safety are not
worth the costs of reducing risk by restricting of otherwise altering the
activity.
Facts and Fears: Understanding Perceived Risk33
Affordable safety
At the beginning of this unit we defined a thing as safe if its risks are judged to be acceptable.
Irrespective of the basis of such judgment — whether a cost/benefit analysis, informed
opinion or gut instinct — the acceptability of risk is determined. Essentially it is a matter of
what price (whether determined objectively or subjectively) the decision maker puts on
safety. In fact the whole concept of safety
is based on affordability. It is the point at which
we consider certain risks to be acceptable, that is where we consider resources allocated to
risk countermeasures to have reached a reasonable limit.
34
Further Reading
x ICAO Doc 9859 – Safety Management Manual, 4th Edition – 2018
x ICAO Integrated Safety Management website
x EUROCONTROL Generic Safety Management Manual (EGSMM)
x Safety Regulatory Requirement – ESARR 3, Use of Safety Management Systems
by ATM Service Providers: From Safety-I to Safety-II: A White Paper,
EUROCONTROL, Sept. 2013
x Systems Thinking for Safety: Ten Principles. A White Paper. Moving towards SafetyII, EUROCONTROL, August 2014
33 P Slovic et al, Paper from “Societal Risk Assessment” Symposium, 8-9 October 1979, Warren, Michigan,
USA.
34 See Braithwaite, op cit at para 2.3.5 “Is Acceptability the same as Affordability?”.
Unit 1 Assessing Aviation Safety 23
The following extract provides a good overview of how safety can be objectively assessed
to determine if it is “affordable” or not.
Case Study 1_________________
Aviation Safety Improvement using Cost Benefit Analysis35
The objective of this project is to improve aviation safety through the development
of a novel safety approach. This approach will allow aviation stakeholders (from
EASA, to civil aviation authorities, airlines, airports, air traffic control, and
manufacturers):- to understand and manage the effective risk reduction when
adopting a safety measure;- to prioritise their safety investments when multiple
options are potentially feasible;- to increase safety as much as possible within the
limiting budgets available;- to justify investments in safety from a cost perspective.
The safety approach will consist of a methodology enabling aviation stakeholders to
assess the effects of their technical, managerial and political decisions at the safety
level, together with the associated costs and benefits. The approach will support
decisions such as whether or not to introduce a safety measure, by making priorities
for investments in safety, based on the most beneficial outcome. The methodology
will be implemented into a Decision Support System (DSS) providing a step-by-step
procedure that will support the user throughout the different phases for assessing
the cost effectiveness of safety measures. The DSS will incorporate a data pool for
the estimation of risk reduction and costs related to the implementation of specific
safety measures. Cost benefit analysis of safety measures is a relatively new
concept in the aviation community and decision on safety related matters are taken
without knowing precisely what will be the final effect of such decisions.
http://www.airlineratings.com/news/630/who-is-the-worlds-safest-airline-for-2016
In respect to cost-benefit studies in Australia see: Bureau of Transport and Regional
Economics – Cost of Aviation Accidents and Incidents (BTRE Report 113) –
Commonwealth of Australia 2006
Managers, regulators, manufacturers and individuals, on a daily basis, can and
do put a price
on safety. There is a finite ‘safety dollar’ and allocating available resources to maximise
lives saved, is in its simplest restatement, what safety management is all about.
35 From http://www.ist-world.org/ProjectDetails.aspx?ProjectId=20a1aaa03b5245438e92918ff40ac6de
viewed 30 August 2013.
Unit 1 Assessing Aviation Safety 24
Conclusion
In this unit, Assessing Aviation Safety, you have been introduced to some basic concepts and
definitions necessary to understand what is required to gain an insight into safety assessment.
The worldwide impact of the coronavirus pandemic is considered in the context of aviation
safety. After defining the terms
safety, risk and hazard the importance of being able to assess
risk and hence judge safety is then explained.
This unit also introduces you to the various levels of culture in society. The various
components of safety culture are discussed and their importance to the overall safety health
of the organisation explained. The importance of developing a healthy safety culture is
explained. The steps involved in creating a safety culture are stated.
The importance and advantages of adopting a
systemic approach is described in relation to
other, more traditional approaches to safety management. The various applications of a
system safety approach within the aviation industry are discussed and the interaction
between the various sectors explained. In terms of the numerous contemporary models and
theories that have been developed to explain the cause of accident,
The unit concludes by describing the interdependence between risk and safety and the
interaction of the two in relation to the concept of
risk acceptability. The general
misconception that any risk is simply unacceptable is explained. Finally, the misconception
between the terms zero risk, and the level of acceptable risk, is resolved.
______________________________

Unit 2 Safety Data Analysis 1
Aviation Safety & Accident
Prevention
Unit 2
Safety Data Analysis
Ronald I C Bartsch AM
2022 UNSW School of Aviation
CRICOS Provider Code 00098G
Unit 2 Safety Data Analysis 2
Contents
Overview ……………………………………………………………………………………………………………….. 3
Unit structure ………………………………………………………………………………………………………… 4
Unit flow chart ……………………………………………………………………………………………………..5
Introduction…………………………………………………………………………………………………………… 6
Difficulties in safety assessment …………………………………………………………………………………… 6
International studies ……………………………………………………………………………………………………… 7
Comparative analysis……………………………………………………………………………………………………. 8
Defined operational environment………………………………………………………………………………….. 9
Measuring risk …………………………………………………………………………………………………….. 11
Types of risk……………………………………………………………………………………………………………….. 11
Risks defined………………………………………………………………………………………………………………. 12
Measures of risk………………………………………………………………………………………………………….. 15
Judging safety ………………………………………………………………………………………………………. 18
Methodologies ……………………………………………………………………………………………………………. 18
Causal factors approach………………………………………………………………………………………………. 20
Risk hazard matrix ………………………………………………………………………………………………. 21
Hazard categorisation………………………………………………………………………………………………….. 21
Risk hazard index ……………………………………………………………………………………………………….. 23
Decision authority matrix……………………………………………………………………………………………. 25
Conclusion …………………………………………………………………………………………………………… 28
Unit 2 Safety Data Analysis 3
Overview
This unit provides an overview of what is involved in safety data analysis. The problem and
difficulties associated with the analysis of safety data is investigated. Some of the issues
relate to the varying definitions of safety and also to the scope of the aviation industry. The
variance of safety records of different carriers and geographic regions is explored.
The next section defines risk and then looks at the various issues relating to its measurement.
Unless one can measure risk there is no way of being able to determine if risk is being
reduced and hence the level of safety improved. In aviation there are a myriad of factors that
constitute hazards and to further complicate the matter there are no single measures or
metrics of risk.
The method of assessing or judging safety, in terms of determining the acceptability of the
level posed by a particular risk, is explained. Safety assessment relies on two somewhat
distinct methodologies used to varying degrees in a particular assessment depending on the
nature of the problem and the availability of the data.
Due to the myriad of variables involved and the possible consequences that may result from
hazards, any attempt to generalise the estimated consequences of hazards is unlikely to be
of much assistance. The limitations of the design, usefulness and application of tools
designed to assess safety will vary between organisations. A valuable insight is gained in
reviewing the variety of tools available and methods of safety assessment used so that safety
management decisions can be made. An overview of the structure and importance of risk
hazard matrices is provided.
Objectives
At the end of this unit you should be able to:
state the problems associated with safety data analysis;
define the term risk;
recall the three types of risks;
recall the methods of judging safety;
describe one method for constructing a risk hazard matrix.
Unit 2 Safety Data Analysis 4
Unit structure
Unit 2, Safety Data Analysis, explores the problems of, and methods available, for analysing
safety data. In particular, this unit considers the following questions:
What problems are associated with analysing safety data?
What types of risks are there and how are they measured?
What is the process by which safety is judged?
How do you construct a risk hazard matrix?
These questions are addressed in the following sections of this unit:
Introduction
Measuring risk
Judging safety
Risk hazard matrix
The first section to Unit 2,
Introduction, introduces you to the problem and difficulties
associated with the analysis of safety data are investigated. Some of the issues relating to the
varying definitions of safety are explored. The variance of safety records between
organisations and geographic regions is examined.
The next section
measuring risk defines risk and then looks at the various issues relating to
its measurement. Unless one can measure risk there is no way of being able to determine if
risk is being reduced and hence the level of safety improved. In aviation there are a myriad
of factors that constitute hazards and to further complicate the matter there are no single
measures or metrics of risk.
The third section,
judging safety, describes the methods of making a subjective assessment
of the level of safety within an organisation. Safety assessment relies on two somewhat
distinct methodologies used to varying degrees in a particular assessment depending on the
nature of the problem and the availability of the data.
The final section,
Risk hazard matrix, introduces you the limitations of the design, usefulness
and application of tools which are designed to assess safety. A valuable insight is gained in
reviewing the variety of tools available and methods of safety assessment used in safety
management. An overview of the structure and importance of risk hazard matrices is
provided.

Unit 2 Safety Data Analysis 5
Unit flow chart

Section Objectives Action
Introduction The difficulties of analysing
safety data are explained. A
number of aviation safety
studies are reviewed.
Bartsch R, Aviation Law
in Australia (5
th edition)
Thomson Reuters,
Sydney 2019, Ch 16.
Measuring Risk Risks are considered and
defined in various groups.
The various ways in which
risk can be measured is
examined.
AS/NZS ISO 31000
Australian/New Zealand
Standard –
Risk
Management.
Judging safety The way in which safety is
assessed is explained. Risk
hazard matrices are defined
and their application as a
assessment tool examined.
ICAO Doc 9859
AN/474
Safety
Management Manual
(4th Edition 2018)
Risk hazard matrix The way in which safety is
assessed is explained. Risk
hazard matrices and bowtie
methodologies are defined
and their application as a
assessment tool examined.
Exercise 2. ISO 31000
Risk management —
Principles and
guidelines on
implementation.

Unit 2 Safety Data Analysis 6
Introduction
Safety, as defined in the previous unit, relates to the likelihood or probability of the
occurrence of a particular risk or a number of different risks. Therefore in order to
determine the level of safety (of a particular activity) it is necessary to determine the risk
associated with that activity.
Safety is not measurable; risks are measured. Safety may be judged
relative to its level of risk versus the acceptable level of risk. To determine
safety therefore, involves
two quite separate activities; measuring risk
and judging safety ie the acceptability of risks. It is therefore vital to
reconcile the term safety with risk.
Graham Braithwaite
The management of safety necessarily involves the management of those risks identified as
being associated with a particular activity.
That having been said it may appear that a determination of the level of safety of a particular
activity would be a rather straight forward statistical exercise. Not so. If we adopt the
approach of Braithwaite (as extracted above) there are two elements to consider in the safety
determination equation. In the first instance
“measuring risks” is never an easy task. Risks,
by their very nature, are never certain nor are they static. Secondly,
“judging safety”
necessarily requires a subjective assessment. A value judgment is required. And as we know,
values are a part of the cultural environment in which the judgment is made.
Difficulties in safety assessment
There have been only relatively few quantitative studies that have examined aviation safety
at the system level. In the following extract, Braithwaite reviews the methodologies and
highlights the limitations of a few of the major studies in this area.
1
Barnett et al2 at the Massachusetts Institute of Technology examined safety records of world
airlines and were forced to defend their findings against fierce criticism from, amongst
others, a Transport Research Board panel. In essence, the findings considered a method of
comparing safety records of airlines and predicting the likelihood of a fatal accident
involving that airline. Airlines were grouped by size (smaller airlines being shown to
experience more accidents than their larger counterparts) and their apparent safety was
calculated from their past performance.
1 Op cit.
2 A Barnett et al, “Airline Safety: Some Empirical Findings” in Management Science (Vol 25, no 11,
November 1979) pp1045-1056.

Unit 2 Safety Data Analysis 7
The US National Transportation Board (NTSB) criticised the methodology and conclusions
warning that the infrequency of accidents meant extrapolating information from them was a
dangerous undertaking and one at which MIT had not succeeded. There was also a strong
reaction to the second paper,
Airline Safety: The Last Decade (Barnett et al 1989) for its
attempt to examine the effects of the 1982 deregulation of the US domestic air market. All
criticisms seemed to stem from the same concern: that the reliability of statistical
investigations into such a complex subject as airline safety was open to question. Barnett et
al needed to assume a level of homogeny in the airlines they considered.
For example, all airlines were deemed to have a choice regarding the airports they operated
to and therefore considering airlines “as hapless victims of airport conditions beyond their
control” was dismissed by the authors. For future studies, comparison of airlines like KLM,
operating from a country with flat approached and a financially sound airport authority with
an operation like Air Nuigini (Papua New Guinea) which operates in areas of high terrain
and short landing strips in a poor country seems flawed. Different nationalities of airlines do
not have full control over where they fly and therefore their operating environment cannot
be assumed to be homogeneous.
Statistical analysis using MIT methodology provides a valuable indication of safety trends
over time, but need to be developed further to be of use to those concerned with the details
of aviation safety. ICAO warn that “statistics can be misleading in understanding the nature
of accidents and devising prevention measures.”
3 Statistics generally refer to causal factors
experienced on a particular day to a particular aircraft and not deficient processes which may
exist much more of the time.
International studies
Considering the inherent difficulties attached to aviation safety assessment, one could
reasonably expect that when attempting the task at an international level the problems would
be multiplied. To a certain extent this is true. For example, consider the variance in safety
records of international carriers. In 1995 the probability of being an airline passenger
involved in an accident with at least one fatality varied by a factor of 42 among commercial
airlines.
4 In an earlier study in 1984 a comparison was made between the level of accidents
on a geographic basis.
5 The results, over a ten year period, showed that the fatalities per
million flights varied from 0.656 for Australia (the lowest) to 509.693 for Colombia (the
worst). In this example the variance is by a factor of 777. In other words, the chances of an
airline passenger being killed in Colombia are 777 times that in Australia.
Can such alarming disparities be attributed solely to the non-compatibility of international
statistics? I think not. Professor James Reason agrees and comments that “commercial
aviation is an industry that possesses an unusual degree of uniformity worldwide.”
6 This fact
would support the proposition that such comparisons are valid.
3 ICAO (1994) Human Factor Digest No 10, Human Factors Management and Organisation (ICAO Circular
247-An/148, Montreal, Canada)
4 Data from Flight Safety Icarus Committee as reproduced in Reason, op cit, at 191. The statistics show that
the chance of death or injury vary from 1 in 260,000 to 1 in 11,000,000 among world carriers.
5 L Taylor, AirTravel, (Blackwell Science Ltd, Oxford, UK, 1997) at 144.
6 Reason, op cit at 191.
Unit 2 Safety Data Analysis 8
Airlines across the globe fly much the same types of aircraft in comparable
conditions. Flight crews, air traffic controllers and maintenance engineers
are trained and licensed to very similar standards.
James Reason, 1997
No doubt part of this statistical disparity might be explained by factors such as different
operational environments, varying training standards and resources, the level of safety
oversight and investment in safety mechanisms. Likewise Reason concedes that factors such
as national and company resources will play their part but concludes “there can be little
doubt that differences in safety culture are likely to contribute the lion’s share of this
enormous variation.”
7 This statement is consistent with the importance of a healthy safety
culture as was stressed in Unit 1.
There are other considerations in attempting to collecting safety data at the international
level. Oster, Strong and Zorn examined the worldwide safety record in response to what they
describe as a perceived “deterioration in the underlying safety of the aviation industry.”
8 The
authors used aircraft accidents as the basis of their study which is entirely justified on the
grounds they were examining safety records. Their conclusions relate to the comparative
safety performance of different airlines around the world with particular emphasis on the
effect of deregulation of the US domestic airline industry. While the methods utilised are
statistically sound, they rely on the accident statistics which are formed solely from the
‘primary cause’ of accidents. This means that they are susceptible to the historical bias of
accident investigation towards ‘the last thing to go wrong’ as opposed to the multiple cause
approach.
Braithwaite concludes that, although understandably (considering the magnitude of the task),
the research of Oster et al does not focus on the reason behind accident causal factors. Their
research does however provide a detailed analysis of the performance of different levels of
air carriers in the US, different regions of jet carriers around the world and the effect of
public policies on aviation safety records.
Comparative analysis
Although the measurement of the level of air safety in general is considered of vital
importance, most research to date has been directed at the individual company operational
level or within a specific national or operational environment. The difficulties associated
with compiling comparative analysis statistics is compounded when considered
internationally and across national and cultural boundaries and also between various sectors
of the aviation industry (eg airlines and general aviation).
7 Ibid at 191.
8 C Oster et al, Why Airplanes Crash – Aviation Safety in a Changing World (Oxford University Press, New
York, USA 1992)

Unit 2 Safety Data Analysis 9
International Fatality Rates: A Comparison of Australian Civil
Aviation Fatality Rates with International Data
How does Australia’s aviation safety record compare with that of other Western countries? To answer
this, fatal accident and fatality rates for Australia were compared with similar rates for the United
States, Canada, the United Kingdom, and New Zealand, between 1995 and 2004 (the latest year for
which comparable data was available). The ATSB aviation accident and incident database was
searched to identify all fatal accidents involving Australian civil registered aircraft during this period.
The dataset was then matched with comparable datasets for the overseas countries, taking into
consideration the variation in operational definitions between the countries. In the period studied,
Australia had no high capacity regular public transport fatal accidents and one low capacity regular
public transport fatal accident. The key findings indicated that the fatal accident rate for Australian air
carrier operations, which includes all regular public transport and commercial charter operations, was
slightly higher than the rate for the United States for all years, except for 2002 when it was marginally
lower, and for 2004, when the rate was zero. The fatal accident rates for the non-general aviation
sector for both countries are largely influenced by the commercial charter (Australia) and on-demand
(United States) operational categories, which each have a much higher fatal accident rate than
scheduled airline services. In Australia, commercial charter operations account for 32 per cent of the
total air carrier activity. This has a greater impact on the overall air carrier fatal accident rate compared
with the United States, where on-demand operations account for only 15 per cent of the total air carrier
activity. If Australia’s activity profile mirrored that of the United States, Australia’s overall fatal accident
rate would fall below that of the United States. Both Australia and the United States recorded a
significant downward trend for the general aviation fatal accident rate. For most years, the rate of fatal
accidents for all operations in Australia was slightly lower than that for Canada. Australia also recorded
a significant decline in the rate of non-public transport fatal accidents during this period compared with
the United Kingdom. Australia recorded one low capacity regular public transport fatal accident, which
resulted in eight fatalities, and New Zealand recorded two fatal accidents, which resulted in 10
fatalities.
See: http://www.atsb.gov.au/publications/2006/b20060002.aspx
Apart from the varying methodologies (as discussed above) and different measures of risk
(see below), definitions of certain basic categorisation vary between countries (for example,
the definition of high capacity and low capacity aircraft and what constitutes commercial
operations). Quite often the distinction between ‘fare-paying passengers’ and other types of
‘commercial’ operations is not considered. Just as there is no universally accepted
classification of operations nor is there standardisation of airworthiness (eg installation of
GPWS or TCAS) and flying operations (eg number of crew or experience/training
requirements) requirements. Another variable relates to the standard and methodology of
aircraft incident and accident investigation. All of these factors, and there are others, make
meaningful comparative analysis of aviation safety extremely difficult.
Defined operational environment9
The study of aviation safety on a worldwide basis is undoubtedly a mammoth task. The
degree of variance (whether judged on a regional basis or according to carrier) as indicated
above, suggests a need for caution when making direct comparisons between individual
carriers or between countries or regions. Aviation, due to its very nature and its inherent
disregard for traditional boundaries, is not conducive to being ‘compartmentalised.’
9 A phrase developed by the author in 2000 in a paper delivered to Airservices Australia.
Unit 2 Safety Data Analysis 10
The very essence of aviation is travel. With the rapid advancements in aircraft design and
technology, largely attributable to the two World Wars, aircraft are able to fly faster, further
and higher than ever before. In no other field of human endeavour or scientific achievement
have advances been accomplished so swiftly and with such global application, than has been
the case with aeronautics.
10
Some of the variables in the aviation safety equation have been discussed above (and below)
and include:
variance in research techniques and methodologies;
different ways in which safety data is recorded (eg departures vs distance);
varying definitions and classifications of class of operations;
causal factors approach versus ‘final thing to go wrong’ approach.
All of the above will lead to inaccuracies in studies concerned with making comparisons.
The above list is by no means exhaustive. To make the process of safety assessment more
efficient it is important to clearly define the overall basis of safety data assessment and the
assumptions and premises upon which such studies are founded. When such a
defined
operational environment
is stated the subsequent comparison of data and validity of
findings must be more meaningful. Apples must be compared with apples in an industry of
such variance and where causal factors abound.
Please read
Airline Operations in your textbook at paragraph [12.30]
In consideration of the above, and as a starting point, it is necessary to adopt a particular
definition of safety (as we have done) then examine the steps necessary to assess safety on
that basis. In the following sections we will examine the two distinct activities required to
assess the level of safety, namely
measuring risk and judging safety. Once an acceptable
methodology has been established then, and only then, can a determination, and if required
a comparison between systems, of aviation safety be made.
10 R Bartsch, Aviation Law in Australia 2nd Edition (Thomson Lawbook Co, Sydney, Australia, 2004) at 266.
Unit 2 Safety Data Analysis 11
Measuring risk
Unless we are able to measure risk there is no way of being able to determine if risk is being
reduced and hence the level of safety improved. There is no single measure or metric of risk.
In aviation there are a myriad of factors that constitute hazards. Furthermore, many of these
factors vary according to the geographic location or mode of operation. For instance, in
Australia, many of the hazards of aviation are not as prevalent as they are in say, North
America or Europe. Examples include high terrain, congested airways and terminal areas
and severe winters. Hazards also extend to socio-political factors such as varying
communication standards with ATC, local procedures, risk of hijacking and other terrorist
activity.
Therefore when reporting accident causes on a worldwide basis, it is essential to consider
not only the different causes of accidents, but also to account for the differential regional
rates at which accidents occur. Only then can data be compiled to enable a valid comparative
analysis between different countries and regions. In a report commissioned by the
Netherlands Ministry of Transport
11 a number of different classes of risk were identified.
Each of these classes are now examined.
Types of risk
As previously stated there is no single common measure or metric of risk. Risks can be
measured in terms of fatalities or in terms of injuries that have varying degrees of severity.
Risk is commonly defined as the product of the probability or likelihood of an event and the
consequences or magnitude of that event integrated over all events being considered (see
Unit 1, definition of risk). For example, based on 1992 NTSC statistics since 1970, the crash
probability per commercial, scheduled aircraft in the Western Hemisphere is about 0.05 fatal
crashes per 100,000 hours flown.
12 If an average individual flies a single two-hour flight per
year, then the probability that this average individual will be in an airline crash is one in a
million per year.
13 If the probability of dying given involvement in a crash is 0.8, then the
probability that this average person will die in an airline crash is one in 1.25 million per year.
This measure is called
individual risk.
As another example of individual risk, we can measure the risk to people on the ground from
an aircraft crashing into them. According to a 1993 Boeing Aircraft study, 879 people on the
ground died as a result of accidents involving 550 commercial jets between 1970 and 1992.
Assuming a world population of four billion people (average of the 23 years), the probability
of a third-party fatality is about one in a hundred million per year. Obviously, because this
is an average individual risk across the world population, people who live in the vicinity of
a major airport will be subject to a much higher individual risk.
Consequential risk is another way in which risk can be categorised. As was mentioned in
Unit 1, risk may also be considered in terms of the perceived social consequences, as
11 Airport Growth and Safety, Executive Summary of the Schiphol Project, p7.
12 See discussion below, relating to measures of risk.
13 There are further complications. As the probability of an aircraft crashing is much higher during the takeoff
and landing phase of flight one single two-hour flight would be more safe than two one-hour flights. Also
low
capacity
scheduled flights have in general a higher accident rate than high capacity scheduled flights.
Unit 2 Safety Data Analysis 12
compared with direct empirical data. As previously stated, one hundred single fatal car
accidents are not perceived to be equivalent to a single aircraft accident involving one
hundred fatalities. The single high-consequence accident is viewed as more significant than
the sum total of low-consequence accidents. Therefore the risk of a large number of fatalities
could be determined on the basis of calculating the probability that more than a given number
of people are killed in a single accident during a specified period such as a year. This riskconsequence distribution is a useful matrix of measure in comparing risks in terms of how
they are perceived psychologically by society.
A third metric of measure is
group risk. This measures the expected number of fatalities in
a specified group in a given time period. For example, if there are ten million hours of
commercial airline flights per year in the United States and the average number of fatalities
in a crash is 50, then the expected number of fatalities in the group of all people who fly
commercial airlines in the USA is 250 per year.
14
Another example of group risk can be drawn from the ground population risk discussed
above. The 879 ground fatalities between 1970 and 1992 equates to an average annual group
risk of about 40 fatalities per year for the world (third party) population group.
Risks defined
The FAA in its Strategic Plan define various different types of risk as opposed to ways of
measuring risk as discussed above. The following definitions of the various types of risks
are provided by the FAA
Total risk is the sum of identified and unidentified risks.
Identified risk is that risk which has been determined through various analysis
techniques. The first task of system safety is to identify, within practical
limitations, all possible risks. Once the various risks have been identified it is then
necessary to undertake a determination of the two processes that relate to each
risk. From above these were identified as, first, measure the risk, in terms of the
likelihood of its occurrence and, second, judging safety in terms of determining
the significance and consequences should that risk eventuate. The time and cost
of analysis efforts, the quality of the safety program, and the state of the
technology impact the number of risks identified.
Unidentified risk is the risk not yet identified. Some unidentified risks are
subsequently identified when a mishap occurs. For instance, it took a tragic
accident of the Comet aircraft before the effect of structure fatigue and window
design was fully realised. The first incident involving volcanic dust at high altitude
is another example. Some risk is never known (or contemplated) in advance –
remember September 11?
Unacceptable risk is that risk which cannot be tolerated by the managing
authority. It is a subset of identified risk which must be eliminated or controlled.
14 Based on 1992 NTSC op cit.
Unit 2 Safety Data Analysis 13
Acceptable risk is the part of identified risk which is allowed to persist without
further engineering or management action. Making this decision is a difficult yet
necessary responsibility of management. This decision is made with full
knowledge that it is the user who is exposed to this risk. A component of
acceptable risk may have derived from unacceptable risk subsequent to its
mitigation (or elimination) by system safety measures.
Residual risk is the risk left over after system safety efforts have been fully
employed. It is not necessarily the same as acceptable risk. Residual risk is the
sum of acceptable risk and unidentified risk. This is the total risk passed on to the
user.
Types of Risks
Of residual risk only acceptable risk can be managed. Accepting risk is a function of both
risk assessment and risk management. This concept is discussed in more detail in Unit 5.
When it comes to safety management unknown risks should never equate
to foreseeable risks – just because they were unforeseen.
Ron Bartsch, ‘Drones in Society’
Rutledge, UK, 2016
Consider the above statement in respect to hazards that have been previously undetected that
have resulted in major risks (with significant loss of life) in the aviation industry. The
terrorists events of 9-11, MH 370 and MH17 and GermanWings accident – are all examples
of where there was an ‘unknown risk’ that, at least in some instances, ought not to have been
unknown in that it ought to have been reasonably foreseeable.
Please read your textbook under heading of ‘foreseeability’

TOTAL RISK
Unacceptable Risk
Acceptable Risk Unidentified Risk

Residual Risk

Unit 2 Safety Data Analysis 14
Extract from Bartsch et al, Drones in Society Routledge, UK, 2017, Ch 7
Drone Terrorism
“Be afraid. Be very Afraid.”
Geena Davis in ‘The Fly’
If 900 grams of weapons-grade anthrax were dropped from a drone at a height of 100 m just
upwind of a large city of 1.5 million people all inhabitants would become infected. Even with
the most aggressive medical measures that can realistically be taken during an epidemic a
study estimates that approximately 123,000 people would die – 40 times more fatalities
than from the 2001 World Trade Centre terrorists attacks.
The above chilling scenario was one that was put forward more than a decade ago by Eugene
Miasnikov in his report
Threat of Terrorism Using Unmanned Aerial Vehicles. If such was a
plausible threat of drones in the hands of terrorists back in 2005 imagine the threat that
exists today. As science and technological innovation continues to rampage we often loose
sight of how much the world has changed – and in this instance, the extent to which
terrorists will go to achieve their objectives. With this is mind, consider the following modern
day scenario.
A terrorist organisation parks a small removalist van in a crowded street of a major city under
the flight path of a nearby international airport. The van’s canopy has an open top but the
sides are high and obscured from the view of passers-bye is its payload of half a dozed high
performance quadcopter drones. To each drone is attached an explosive device – not
dissimilar to those worn by suicide terrorists. The day and time chosen have been well
planned to coincide with the runway being used for take-off. The targeted aircraft – an
Airbus A380 – is departing with a full payload of passengers and fuel, possibly in excess of
500 passengers and over 250 tonnes of fuel. The aircraft lifts off and the drones are launched
remotely and rapidly ascend. With the aid of the high-resolution cameras onboard, the
controllers are able to direct the drones into the path of the A380’s four enormous engines.
The catastrophic consequences are beyond belief and immediately impact upon the lives of
families and friends of 500 fatalities and world economies are sent into chaos.
Such a situation as described above should not be uncontemplatable. Wishing that such a
deplorable act upon humanity would never eventuate is no deterrence in the minds of
terrorists seeking to inflict maximum carnage and media attention. As a society we should
not allow ourselves to be detracted from the goal of safeguarding public security just
because the thought of such acts is unconscionable. Previously inconceivable acts, such as
those inflicting grief with the 9-11 attacks, should now never occur – even if they require a
more sophisticated process of hazard identification. If such acts are conceivable to terrorists

Unit 2 Safety Data Analysis 15
then they should be conceivable to those charged with the responsibility of public safety
and security. In other words, when it comes to safety and security management unknown
risks should never equate to foreseeable risks – just because they were unforeseen.
Measures of risk
Having reviewed the various types of risks we now examine the various different ways in
which risk can be expressed in terms of probability or frequency. The fact that there are so
many different ways in which a measure of risk can be expressed is one of the problems
encountered when attempting to make meaningful comparisons between safety data from
varying sources. Clinton Oster in
Why Airplanes Crash devotes an entire appendix to
reviewing some of the most common measures of risk and explains the relative advantages
and limitations of each. The following extract from that publication provides a good
overview of the some universally accepted methodologies.
Each accident has its own unique characteristics and almost all involve more than one cause.
Developing measures of aviation safety is difficult because no single measure can reflect
everything one would like to know. At a minimum, safety measures should reflect the
likelihood that an individual passenger will be killed or seriously injured while taking an
airline flight, how that likelihood varies across segments of the industry, and how that
likelihood has changed over time. Such measures should also help shed some light on why
safety performance varies and how it can be improved. Safety measures must combine the
outcomes of exposure to risk: fatalities, injuries, and accidents; with measures of the amount
of exposure to risk: take-offs, landings, flights, and so forth; encountered during the various
phases of flight.
Determining the probability of being killed on a flight is one possible approach. The measure
is a conditional probability that is the product of the likelihood of a fatality — producing
accident and the fatality rate (proportion of passengers killed) for that accident. There are
several problems associated with constructing this conditional probability. The first
difficulty encountered is that both the probability of an accident and the fatality rate depend
on the type of accident. For example, one would expect to have a better chance of surviving
an accident where the aircraft rolls off the end of the runway on landing than of surviving a
midair collision. A review of accidents support this expectation: when a DC10 slid off the
end of the runway in Boston, there were only two fatalities; however, in the Aeromexico
midair collision over Los Angeles there were no survivors. While in principle a
aforementioned problem could be addressed by estimating large set of conditional
probabilities based on accident type, there are potential aggregation problems since each
airline accident has unique elements.
A second, more serious measurement problem is the lack of a sufficient number of accidents
to make reliable estimates of the probability of each type of accident and the fatality rate for
each type of accident. Fortunately, airline accidents are extremely rare events. Even if such
estimates could be made, there is the further problem that neither the probability of an
accident nor the fatality rate could be expected to be stable over time. The continual push
for improved safety by aviation regulatory authorities, airlines, manufacturers and others
should lower these rates over time. For example, cabin flammability standards in the US
should improve post-crash fire survivability (see Unit 6) and invalidate survivability estimate
based on the experience of crashes prior to the new standards. Similarly, efforts to improve

Unit 2 Safety Data Analysis 16
crash, fire, and rescue operation at airports may well have reduced the number of fatalities
in the 1989 United Airlines DC10 crash in Sioux City, Iowa.
Faced with these difficulties in constructing conditional probabilities of being killed on a
flight, the most common alternative approach is to construct aggregate safety rates where
data permit with outcomes in the numerator and exposure to risk in the denominator.
Potentially useful outcome measures for the numerator include passenger fatalities, serious
passenger injuries accidents resulting in passenger fatalities, and accidents resulting in
serious injuries to passengers.
It is also useful to examine rates for less serious accident because frequent non-injury
accidents may portend problems that could eventually result in more severe accidents.
Please read your textbook at paragraph [16.05]
Selecting the appropriate measure of exposure to risk to used in the denominator is another
important decision involved in constructing aviation safety rates. Transportation safety rates
are typically based on either the distance travelled or the number of trips. While one would
like a measure that permits comparison across transportation modes, the nature of risk differs
across modes and makes such comparisons difficult.
While fatal and serious injury accidents are newsworthy and cause for
immediate concern, the difference between a situation that results in a
major disaster and one that leads only to a minor accident, or even incident,
is often very small.”
Thus, it is useful to include accidents resulting in minor injuries or no injuries as outcome
measures.
For surface travel in private auto, the risk is roughly proportional to the distance travelled —
a 500-mile trip poses about twice the risk of a 250-mile trip with all else being equal. Thus
distance based measures have come to dominate surface travel safety assessments.
Conversely, the vast majority of airline accident and incidents occur during take-off or
landing. Therefore, a better measure of exposure to risk in aviation would reflect the takeoff and landings a passenger is exposed to rather than distance travelled. This suggests that
aviation safety rates should employ a denominator based on aircraft departures or passenger
departure rather than aircraft miles or passenger miles, because distance based measures may
be misleading in assessing the risk of accident associated with take-off and landing. A nonstop 1000 mile flight has no greater take-off and landing risk than does a non-stop 500 mile
flight or a non-stop 150 mile flight; all three flights involve one take-off and one landing.

Unit 2 Safety Data Analysis 17
Distance-based measures are particularly inappropriate when comparing the safety
performance of jet carriers and commuters. In the United States the former have an average
flight length of 800 miles while the latter have an average flight length of 125 miles. It would
take more than six take-offs and landings by the average commuter to travel the same
mileage covered by the average jet carrier with one take-off and landing.
15 Thus, a passenger
on a commuter carrier would have been exposed six times more than a passenger on the jet
to the more risky phases of flight while a distance-based measure would consider the risk
faced by both passengers to be similar. To assess properly the likelihood of passenger being
killed or injured, the aviation safety rate should be based on passenger departures rather than
aircraft departures.
Unfortunately, while aircraft departure data are frequently available, data on passenger
departures are not. Enplanement data can act as a reasonable proxy for passenger departures,
with a few qualifications. A passenger is counted as an enplanement each time he or she
boards a flight, but, if the flight involve multiple stops, for example an intermediate stop at
a hub where the passenger does not change planes, a passenger is counted a one enplanement
regardless of the number of times the plane takes off and lands with the passenger on board.
Thus, for flight with intermediate stops, enplanements and passenger departure are not equal.
Few data are available to assess the magnitude of this divergence. There is, however, little
reason to believe that serious systematic biases for or against any particular segment of the
airline industry would be introduced by using enplanements in lieu of passenger departures.
Thus, where the focus is on aviation safety in the United States and Canada, the basic safety
measure used are fatalities per one million enplanements and fatal accident per 100,000
aircraft departures. For other carriers (including Australia) reliable enplanement data are not
available. Thus, fatalities per one million enplanement measures cannot be constructed and
a different approach is required. The basic measures used in international aviation (for
example, ICAO’s Accident/Incident Reporting (ADREP) system) to evaluate risk are the
number of fatal accidents per million flight departures, and the measure of the “death risk”
per one million departures based on a measure developed by Barnett, Abraham, and
Schimmel, known as the Q-statistic.
16 Q is measured as:
where N is the number of flights performed by airline i and x
i is the proportion of passengers
on the i
th of these flights who do not survive it. Thus, if a flight lands safely xi equals zero.17
Q can be thought of as the death risk per flight; alternatively, Q times one million can be
thought of as the odds of dying in one million flights, which is a measure roughly analogous
to the fatalities per one million enplanements measure.
15 C Oster et al, Commuter Airline Safety (Washington DC, US Department of Transportation, 1982)
16 A Barnett et al, “Airline Safety: Some Empirical Findings” op cit, pp1045-1056.
17 Statistically, a traveller choosing a flight at random has a 1/N chance of picking that airline’s ith flight, and a
conditional probability x
i of being killed on the flight he or she has chosen.
Unit 2 Safety Data Analysis 18
Judging safety
Once the risks associated with the hazards and system deficiencies have been identified the
method of assessing safety, in terms of determining the acceptability of the level posed by a
particular risk, must be considered. Safety assessment relies on two somewhat distinct
methodologies (ie analytic based and empirical based) used to varying degrees in a particular
assessment depending on the nature of the problem and the availability of the data.
Safety assessment is as much an art as it is a science”
The following example contrasts the differences between the two methodologies
mentioned.
18
Methodologies
When nuclear reactor safety is assessed, the analyst typically relies on historical or empirical
data to learn about the failure rates of individual components in the reactor system.
Component failure rates such as the failure rate of a valve or a pipe are usually well defined.
Then these failure rate data are used along with
analytic tools such as event trees to determine
the course of events that contribute to an accident and fault trees to determine the reliability
of systems. Technologies rich in components and well-defined
events (such as nuclear
reactors) lend themselves well to safety analysis that rely on both analytic and empirical
tools.
However, this safety assessment does not evolve from a technology that has well-defined
set
of sequences
that could lead to an accident. Unlike a nuclear reactor accident, hundreds of
variables play a role in determining the likelihood of a plane crash, where it crashes, and the
effects of that crash.
The safety assessment task becomes especially difficult when one considers the vast amount
of uncertainties present in the crash rate data, in the crash distribution, in the sequence
assumptions, and in the ability to predict the timeliness and effectiveness of safetyenhancement measures.
Uncertainty arises from the fact that aircraft crashes are relatively infrequent and those
factors that determine where a plane will crash are many. Therefore we are dealing with very
low probability statistics and wide ranging consequences. As such it is necessary to
aggregate data.
18 Extracted from R Hillestad et al, Airport Growth and Safety (Study of Schiphol Airport commissioned by
the Netherlands Ministry of Transport, 1993) p9.

Unit 2 Safety Data Analysis 19
The Schiphol study19 listed various specific uncertainties and their likely impact on the
assessment of safety.
No two accidents are identical and historical accident data fail to distinguish
precisely the
causes of past accidents and hence reduce the predicability of future
accidents. In 1993 Boeing adopted a new approach to the study of aviation safety to
consider accidents in terms of causal factors. The Boeing accident prevention
strategy is discussed below.
Often when the cause of a past accident is determined, the problem become more
recognised and thus less likely to happen in the future.
20 So the nature of the accidents
in the future is not always the same as the ones in the past.
Accidents have many known and unknown causes that contribute to their likelihood,
location and severity. Because of these many variables and infrequent occurrences,
inferring characteristics of future accidents from past accidents is challenging to say
the least.
Because of their very nature, safety-enhancement measures are not quantifiable. At
best, an estimate of the effect of such measures, may be made.
Although the above uncertainties limit the ability to assess the precise level of safety
of an activity they nevertheless provide a method for determining general safety
trends and the relative effect of various safety-enhancement measures.
In summary the two important contributions of the above methodology is:
emphasis of the importance of the causal factors approach; and
recognition of the special nature of aviation accidents.
The following aviation safety study undertaken by Boeing Aircraft Corporation is consistent
with the above approach. Braithwaite summaries Boeing’s strategy.
21
19 Ibid at pp10-11.
20 Provided, of course, that such causes are widely known. For example, after the 1982 British Airways flight
into volcanic dust in Indonesian airspace, the hazard became immediately realised and preventative measures
on a worldwide scale were introduced. In contrast, the 1974 crash of the Turkish Airlines DC10 near Paris
which claimed the lives of 346 persons would most probably have been avoided had the cause (faulty design
of cargo door hatch) been rectified following an almost identical accident over Windsor, Ontario in 1972.
21 G Braithwaite, “Australian aviation safety: A systematic investigation” Research Thesis.
Unit 2 Safety Data Analysis 20
Causal factors approach
Although the subject of accident prevention is considered in detail in Unit 11 the following
case study is useful in providing an example of a causal factors safety assessment approach.
In 1993, Boeing took the bold step of introducing a new focus for aviation studies.
Commensurate with the growing trend to review accidents in terms of the causal factors of
an accident chain rather than the “last line of defence — primary cause” Boeing examined
the multiple ways of preventing accident recurrence.
Termed
accident prevention strategies, Boeing reviewed the findings of 232 commercial jet
aircraft accidents for “several possible avenues of intervention” which could prevent such
an event re-occurring. While some accidents (17.5%) could only have been prevented in one
way (for example, aircraft loss due catastrophic structural failure), the rest have multiple
prevention strategies (an average of 3.8 per accident) up to a maximum of 20 strategies per
accident.
According to Boeing an accident prevention strategy is required to meet two
criteria:
a future accident might be reasonably avoided if this strategy were to be
successfully employed;
at least one definite action can be envisaged that will provide a substantial
reduction in the frequency or probability that such an event will re-occur
The advantage of such an approach is in terms of the multiple ways to prevent not just the
same accidents happening again but also other variations to the theme. This allow cost
effective safety measures to be selected on the grounds of maximum potential benefit.
As mentioned above, ideally, a study such as the Boeing program would include not just
accident findings, but also incidents. This would provide a more stable sample of data
(through increased sample size) and highlight factors that have been involved in serious
incidents but not accidents. The Boeing study was, however, limited to aircraft accidents.

Unit 2 Safety Data Analysis 21
Risk hazard matrix
Some of the difficulties associated with attempting to assess the level of safety associated
with aviation-related activities have been discussed above. There is, and never will be, no
universally accepted ‘correct way’ to approach the subject. Quite often the best approach in
assessing safety within a particular organisation or
defined operational environment is to
design a program that best suits that organisation’s needs or corporate objectives. This topic
is discussed in more detail in Unit 5 under the heading of Safety Management.
Invariably, individual or specific safety assessment programs or initiatives, very much rely
for their design and implementation on the input of key players within that particular
organisation. Safety consultants and program design specialists may assist the process but it
is those working within the sphere of operational activities within that organisation that best
understand the hazards and risks associated with such activities. Because of the myriad of
variables involved and the possible consequences that may result from hazards, any attempt
to generalise the estimated consequences of hazards is unlikely to be of much assistance.
In view of the above limitations the design, usefulness and application of tools designed to
assess safety will vary from organisation to organisation. Nevertheless a valuable insight is
gained in reviewing the variety of tools available and methods of safety assessment used so
that decisions can be made at the corporate level to design a program that best suits that
company’s needs. The following overview has been based on the FAA’s Strategic Plan.
Hazard categorisation
Categorisation of hazard severity and in particular hazard probability is a process that needs
to be considered at the local level, that is, within and organisation or within a defined
operating environment. Without a documented (and accurate) history of that organisation’s
safety performance, in terms of the specific items considered (for example, a database of
reported incidents), it is difficult to make the subjective qualitative assessment of hazard
probability. Any determination will therefore be an estimate and should by updated over
time with the collection of empirical data. The following FAA categorisation provides an
example of the way in which hazard severity and probabilities might be expressed. The
values selected are arbitrary but nevertheless provide a well considered approach.
Hazards do not necessarily result in accidents. If a hazard is realised, the possible severity
of the accident can vary significantly. By way of example, the problem with the DC10 cargo
door hatch (as discussed above) was not rectified until the particular occurrence of the hazard
caused the loss of 346 lives. It was later revealed that some 100 instances of the door not
closing properly had been reported during the first two-month period the DC10 had been in
service. Unfortunately it took a catastrophic accident to effect change rather than examining
the potential severity of the previously reported hazards. In this particular instance the
potential severity of the hazard (resulting from the subsequent structural damage to floor
following rapid depressurisation) should have been known and yet the relatively large
number of non-fatal incidents perhaps masked the true potential of the hazard.
Hazard severity categories are defined to provide a qualitative measure of the worst credible
mishap resulting from such factors as: personnel error; environmental conditions; design

Unit 2 Safety Data Analysis 22
inadequacies; procedural deficiencies; or system, sub-system, or component failure or
malfunction.

Description Categor
y
Mishap Definition
Catastrophic I Death or system loss
Critical II Severe injury, severe occupational illness, or
major system damage
Marginal III Minor injury, minor occupational illness, or
minor system damage
Negligible IV Less than minor injury, minor occupational
illness, or minor system damage

FAA Hazard Severity Categories
These hazard severity categories provide guidance to a wide variety of programs. However,
adaptation to a particular program is generally required to provide a mutual understanding
between the responsible managers and the contractors as to the meaning of the terms used in
the category definitions. The adaptation must define what constitutes system loss, major or
minor system damage, and severe and minor injury and occupational illness. The probability
that a hazard will be created during the planned life expectancy of the system can be
described in potential occurrences per unit of time, events, population, items, or activity.

Descriptio
n
Level Specific Individual
Item
Fleet or Inventory
Frequent A Likely to occur frequently Continuously
experienced
Probable B Will occur several times in
the life time of an item
Will occur frequently
Occasional C Likely to occur sometime in
life of item
Will occur several
times
Remote D Unlikely, but possible to
occur in life of an item
Unlikely but can
reasonably be
expected to occur
Improbable E So unlikely it can be
assumed occurrence may
not be experienced
Unlikely to occur but
possible

FAA Qualitative Hazard Probabilities
The definitions above, are meant to be customised for each organisation. Note that the hazard
probabilities are evaluated on either a per system or an entire fleet basis. If a particular hazard
is classified as “Remote” on a per aircraft basis and there are, for instance, 100 aircraft in
service, it might fall into the “Probable” category when the entire inventory is considered.
Assigning a quantitative hazard probability to a potential design or procedural hazard is
generally not possible early in the design process. A qualitative hazard probability may be
derived from research, analysis, and evaluation of historical safety data or similar systems.

Unit 2 Safety Data Analysis 23
Supporting rationale for assigning a hazard probability should be documented in hazard
analysis reports. The definitions or descriptive words in the above tables should be modified
based on system considerations. The correct status should be reflected in a
Risk Management
Plan
(see later in Unit 4). The size of the fleet or inventory should be defined as it is an
important input to the hazard probability definition.
An example of a modified hazard probability definition is presented below. This type of
modification is applicable for a cyclic device such as a landing gear.
Level Approximate Frequency

Frequent 1 failure in 100 (10-2) cycles
Probable 10-2 to 10-4 cycles
Occasional 10-4 to 10-5 cycles
Remote 10-5 to 10-6 cycles
Improbable less than 10-6 cycles

The values selected above are arbitrary and should be determined to best suit the particular
activity or process under review.
Risk hazard index
Risk hazard index is the name given to the matrix created by combining the probability of
occurrence hazard severity.
The risk hazard index forms the basis for judging both the
acceptability of a risk and the management level at which the decision of acceptability will
be made.
The index may also be used to prioritise resources to resolve risks due to hazards
or to standardise hazard notification or response actions.
Prioritisation may be accomplished either subjectively by qualitative analysis resulting in a
comparative hazard risk assessment or through quantification of the probability of
occurrence resulting in a numeric priority factor for that hazardous condition. The following
two sample matrices for hazard assessment can be applied to provide qualitative priority
factors for assigning corrective action.
Example 1 Risk Assessment Matrix

Frequency
of
occurrenc
e
Hazard Categories
Catastrophic
1
Critical
2
Marginal
3
Negligibl
e
4
A
Frequent
1A 2A 3A 4A
B Probable 1B 2B 3b 4b
C
Occasional
1C 2C 3C 4C
D Remote 1D 2D 3D 4D
E
Improbable
1E 2E 3E 4E

Unit 2 Safety Data Analysis 24
From the above matrix, risk hazard indices can be grouped according to their relative
importance (see below) and with a suggested criteria indicating what action (if any) should
be taken by management as part of the risk management process.

Risk Hazard Index Suggested Criteria
1A, 1B, 1C, 2A, 2B, 3A
1D, 2C, 2D, 3B, 3C
1E, 2E, 3D, 3E, 4A, 4B
Unacceptable
Undesirable (decision required)
Acceptable with review
4C, 4D, 4E Acceptable without review

Another way in which a risk assessment matrix can be compiled is by arbitrarily assigning
numerical risk indices (1 to 20) with 1 being the highest risk.
Example 2 Risk Assessment Matrix

Frequenc
y
of
occurren
ce
Hazard Categories
Catastrop
hic
Critical Marginal Negligible
Frequent 1 3 7 13
Probable 2 5 9 16
Occasional 4 6 11 18
Remote 8 10 14 19
Improbable 12 15 17 20

This matrix design assigns a different index to each frequency-category pair, thus avoiding
the situation caused by creating indices as products assigned to frequency and category
which causes common results such as 2 x 6 = 3 x 4 = 4 x 3. This situation hides information
pertinent to prioritisation.

Risk Hazard Index Suggested Criteria
1A, 1B, 1C, 2A, 2B, 3A
1D, 2C, 2D, 3B, 3C
1E, 2E, 3D, 3E, 4A, 4B
4C, 4D, 4E
Unacceptable
Undesirable (decision required)
Acceptable with review
Acceptable without review

It should be remembered that the relevance of these examples of risk assessment methods
will be a function of how accurately the severity and probability scales have been defined.
Furthermore, these examples will not fit all safety assessment programs.

Unit 2 Safety Data Analysis 25
Decision authority matrix
Decision authority matrices can be constructed using a similar methodology to that discussed
above. Such a matrix can provide a useful tool for determining the level of managerial input
based on the assessed risk hazard level.
Example Decision Authority Matrix for Risk

Frequenc
y
of
occurrenc
e
Hazard Categories
Catastroph
ic
Critical Marginal Negligible
Frequent High High High Medium
Probable High High Medium Low
Occasional High High Medium Low
Remote High Medium Low Low
Improbable Medium Low Low Low

The list of decision authorities shown below provides an example of how a delegation of
decision making authority can be predetermined according to the assessed level of the risk.
Once again the decision authority and the criteria for index categorisation would need to be
carefully determined for each specific organisation.

Risk Hazard Level (Index)
High
Decision Authority
Board/Senior Management
Medium Safety Director
Low Program Manager

In concluding it should be stressed that the usefulness and application of tools designed to
assess safety will be a function of the degree of sophistication and maturity of the
organisation’s overall safety program. The above methodologies and processes provide a
generic oversight of how certain tools may be incorporated within an organisation’s safety
assessment program. There are other tools and processes that may be equally applicable to
an organisation apart from those discussed above.
As the measurement of risk and the judgment of safety need to be considered at the local,
organisational (enterprise) level, each of the above methodologies need to be tailor made for
each activity or mode of operation being assessed. In general the main determinant as to
which will be the most appropriate or effective methodologies or tools will be related to the
general category into which the particular type of activity being considered, falls.

Unit 2 Safety Data Analysis 26
Bowtie risk assessment models
The models are a visual risk tool that display the causal factors (threats) and outcomes
(consequences) for a specific risk (top event). They highlight the controls in place to prevent
or recover the risk and can help you understand what could cause those controls to fail
(escalation factors) – it’s a risk picture telling a story.
A Diagrammatic illustration of the hazard, the undesirable event, the trigger events/threats
and potential outcomes, and the risk controls put in place to minimise the risk.
Construction of a Bow Tie diagram involves asking a structured set of questions:
What is the hazard?
What happens when hazard control is lost?
What safety event (threat) could release the hazard?
What are the potential outcomes?
How can we avoid the undesired/hazardous event?
How can we recover if the event occurs? How can the potential outcome likelihood
or consequence severity be limited?
How might controls fail? How could their effectiveness become undermined?
How do we make sure that controls do not fail?
Bow Tie Diagram (SkyLibrary)
The Bow Tie methodology is an excellent way of visualising risk management and
communicating the context of the controls (barriers and mitigations) put in place to manage
risks. Once the model has been built, you then assess the controls for effectiveness, criticality

Unit 2 Safety Data Analysis 27
and other attributes to manage the risk.22 The use of bowtie, either its methodology or
software is rapidly growing worldwide thanks to the introduction of Safety Management
Systems (SMS) where aviation organisations are having to be more proactive in
understanding what their operational risks are. Bowtie offers a way of identifying them so
that they can be managed more effectively.
E x e r c i s e 2
2.1 Give an overview of one specific area of concern when analysing safety
data.
2.2 If safety cannot be measured directly how then can one assess whether
the level of safety is improved?
2.3 Using one of the following events:
– the terrorists events of 9-11
– Flight MH 370
– Flight MH17 OR
– the GermanWings accident
make an assessment as to whether this event was an unknown risk or
whether it ‘ought’ to have been reasonable foreseen (by the relevant
risk assessment stakeholders – airlines, regulators etc. You may need
to consider the legal notion of ‘reasonable foreseeability’ to make an
‘objective’ assessment rather than a ‘subjective’ assessment. (See:
‘Causal Nexus’ in Unit 3)
2.4 What is Bowtie analysis? Provide an example of an Australian
organisation that has used it as a means of managing risk.
2.5 How does your organisation measure risk? Or if not employed: How
important a tool do you consider the construction of a
risk hazard
matrix?
22 See: http://www.skybrary.aero/index.php/File:Bowtie.png (Viewed 1 July 2016)
Unit 2 Safety Data Analysis 28
Conclusion
In this unit, Safety Data Analysis, you have been introduced to the problems involved in
safety data analysis. The problem and difficulties associated with the analysis of safety
data was investigated. Some of the issues relating to the varying definitions of safety and
also to the scope of the aviation industry were examined.
The next section defined risk and then looked at the various issues relating to the
measurement of risk. As was suggested unless you can measure risk there is no way of
being able to determine if risk is being reduced and hence the level of safety improved.
The method of assessing or judging safety, in terms of determining the acceptability of the
level posed by a particular risk, was then examined. Safety assessment, it was seen, relies
on two methodologies, used in varying degrees, in a particular safety assessment of an
organisation.
The limitations of the design, usefulness and application of tools designed to assess safety
was investigated. A valuable insight was gained by reviewing the variety of tools available
and methods of safety assessment used in safety management. Finally, an overview of the
structure and mode of construction of a risk hazard was provided.
_____________________________

Unit 3 Accident Causation 1
Aviation Safety & Accident
Prevention
Unit 3
Accident Causation
Ronald I C Bartsch AM
2022 UNSW School of Aviation
CRICOS Provider Code 00098G
Unit 3 Accident Causation 2
Contents
Overview ……………………………………………………………………………………………………………….. 3
Unit structure ………………………………………………………………………………………………………… 4
Unit flow chart……………………………………………………………………………………………………….. 5
The nature of accidents ………………………………………………………………………………………….. 6
Types of accidents………………………………………………………………………………………………… 7
Threat and error management (TEM)……………………………………………………………………… 8
How defences are breached…………………………………………………………………………………….. 9
Active failures and latent conditions……………………………………………………………………….. 9
The nature of defences………………………………………………………………………………………… 10
Production and protection ……………………………………………………………………………………. 10
Tolerating deficiencies………………………………………………………………………………………… 12
The accident trajectory…………………………………………………………………………………………. 16
Causal nexus ……………………………………………………………………………………………………… 16
The “Swiss Cheese” model………………………………………………………………………………….. 18
Approaches to safety management ………………………………………………………………………… 19
The Person Model………………………………………………………………………………………………. 19
The Engineering Model ………………………………………………………………………………………. 20
The Organisational Model …………………………………………………………………………………… 20
Conclusion …………………………………………………………………………………………………………… 21
Unit 3 Accident Causation 3
Overview
This unit sources the theoretical basis of accident causality within large complex
organisations. Organisational accidents are not unique to aviation nor are their causes. What
is now the basis of the international aviation community’s contemporary safety philosophy
is the work of Professor James Reason. Reason has developed a conceptual and theoretical
approach to the safety of large, complex socio-technical systems.
The next section considers the nature and variety of defences involved in technological
organisations. As organisational accidents are rare events it is easy to forget to fear things
that rarely happen, particularly in the face of productive imperatives such as growth, profit
and market share. Like many other high-hazard, low risk systems, modern aircraft have
acquired such a high degree of technical and procedural protection that they are largely proof
against single failures, either human or mechanical.
Accidents represent the total breakdown of technical and human safety redundancies. They
are highly visible events where the
chain of events leading up to the accident are thoroughly
studied. The accident trajectory explains how accidents happen. With an organisation, if the
causal nexus is broken (for instance, by the occasioning of a defence) then an accident may
be adverted.
Objectives
At the end of this unit you should be able to:
describe the basis of Reason’s causation model
define the terns latent condition and active failure
describe the accident trajectory
recall the nature and importance of defences
describe, with the use of case studies, the meaning of the term causal nexus
Unit 3 Accident Causation 4
Unit structure
Unit 3, Accident Causation, provides an overview of Professor James Reason’s theory
relating to the cause of organisational accidents. In particular, this unit considers the
following questions:
What is the type and nature of accidents?
How do defences prevent accidents?
What are the elements of Reason’s causation model?
Why does an organisational occur?
These questions are addressed in the following sections of this unit:
The nature of accidents
How defences are breached
The accident trajectory
Approaches to safety management
The first section to Unit 1,
The nature of accidents, sources the theoretical basis of accident
causality within large complex organisations. Organisational accidents are not unique to
aviation nor are their causes. Professor James Reason has developed a conceptual and
theoretical approach to the safety of large, complex socio-technical systems.
The next section,
How defences are breached, discuss the nature and variety of defences
involved in technological organisations. Like many other high-hazard, low risk systems,
modern aircraft have acquired such a high degree of technical and procedural protection that
they are largely proof against single failures, either human or mechanical.
The third section,
The accident trajectory, explains accidents in terms of the total breakdown
of technical and human safety redundancies. The accident trajectory explains how accidents
happen. With an organisation, if the
causal nexus is broken (for instance, by the occasioning
of a defence) then an accident may be adverted.
The final section of this unit,
Approaches to safety management, begins with a brief account
of the development of various approaches to safety management. The three models
considered are the
person model, the engineering model and finally, the organisational
model.
Unit 3 Accident Causation 5
Unit flow chart

Section Objectives Action
The Nature of
accidents
To be able to state the definition of
an organisational accident and to
distinguish it from personal
accidents. Describe the nature of
organisations in which these type
of accident occur
Reason, J, “Defeating the
Defences”,
Managing the
risks of organisational
accident,
Ashgate
Publishing , England,
1997.
How Defences
are breached
List the various types of defences
and be able to define the terms
‘latent conditions’ and ‘active
failures’ Provide three examples of
latent conditions that occur within
the aviation industry.
Reason, J, “Defeating the
Defences”,
Managing the
risks of organisational
accident,
Ashgate
Publishing , England,
1997
The Accident
Trajectory
To be able to recall, with case study
examples, instances in which an
organisational accident has occurred
in the airline sector.
Exercise 3.
Reason, J, “Defeating the
Defences”,
Managing the
risks of organisational
accident
Approaches to
safety
management
To be able to distinguish between
the traditional approach to air safety
management and a systems based
approach.
Bartsch R, Aviation Law
in Australia (5
th edition)
Thomson Reuters,
Sydney 2019, Paragraph
[16.50]-[16.85].

Unit 3 Accident Causation 6
The nature of accidents
The search for deeper roots to accident causality began in earnest only in the past 15 years.
While elements of the aviation industry have been the acknowledged leaders in the move
towards a more enlightened consideration of the precursors to accidents and the contexts in
which they occur, aviation is not the sole source of such information.
Organisational
accidents
are not unique to aviation nor are their causes.
What is now the basis of the international aviation community’s contemporary safety
philosophy is the work of Professor James Reason, of the University of Manchester, UK,
and his colleagues. Reason and his team have developed a conceptual and theoretical
approach to the safety of large, complex socio-technical systems, of which aviation is an
excellent example. As part of the development of his model Reason analysed major accidents
in commercial aviation, shipping, rail, nuclear power, aerospace and so on.
Each of the following case studies represents catastrophic failures of such complex sociotechnical systems.
The Air Alaska MD83 accident off the coast of Los Angeles
Reports on the sinking of the Herald of Free Enterprise channel ferry;1
the King’s Cross Underground railway station fire;2
the Clapham Junction railway accident;
the March 1989 crash of an Folker F-28 at Dryden in Canada;3
Each of the above catastrophes provide testament to this comparatively recent trend. All
these findings add weight to the argument for a change in traditional yet rudimentary
thinking regarding human factors and operator error, previously exemplified within aviation
by widespread use of the term “pilot error”.
While much is still to be achieved, it is encouraging to see the depth to which some
investigations now delve when attempting to get to the bottom of accident causality. The
Australian Transportation Safety Bureau (ATSB) is one such element, and the ATSB’s
(formerly BASI) reports on the 1993 Piper Chieftain accident at Young in New South Wales
and the landing of a B747 at Sydney Airport with its nose-wheel retracted in October 1994,
are excellent examples of the growing trend towards the systemic investigation and reporting
of aircraft incidents and accidents. The work of ATSB and the use of Reason’s accident
causation approach to system safety accident investigation is considered in more detail in
Unit 11.
1 Mr. Justice Sheen, MY Herald of Free Enterprise. Report of Court No. 8074 Formal Investigation. London:
Department of Transport; HMSO, 1987.
2 D Fennell, Investigation into the King ‘s Cross underground fire. Department of Transport, London: HMSO,
1988.
3 See R Helmreich, “Human factors aspects of the Air Ontario crash at Dryden, Ontario” Technical Appendix
to V.P. Moshansky, Commission of inquiry into the Air Ontario crash at Dryden, Ontario: Final Report.
Ottawa: Canadian Ministry of Supply and Services, 1992 and also D Maurino, J Reason, N Johnston & R Lee
Beyond aviation human factors. Aldershot, UK: Avebury Aviation, 1995.
Unit 3 Accident Causation 7
In this unit we will study in some detail the work of Reason and his approach to accident
causation. Extensive extracts from his publication:
Managing the Risks of Organizational
Accidents
provides the most up-to-date authority on the subject.4 This text is highly
recommended for those interested in this area.
Types of accidents
According to Reason there are only two types of accidents: those that happen to individuals
and those that happen to organisations.
Individual accidents are by far more common. In
contrast,
organisational accidents are comparatively rare, but often catastrophic in nature.
As stated above, they tend to occur within complex modern technologies such as commercial
aviation, the petrochemical industry, chemical process plants, marine and rail transport, and
even banks and stadiums.
Reason believes that all organisational accidents entail the breaching of the barriers and
safeguards that separate damaging and injurious hazards from vulnerable people or assets —
collectively termed
losses. This is in contrast to individual accidents where such defences
are either inadequate or lacking.5
Relationship between hazards, defences and losses (Source: Reason)
The above diagram illustrates the relationship between hazards, defences and losses. Reason
sees three sets of factors that may account for how the defences within a system or
organisation may be breached. They are human, technical and organisational. All three will
be governed by two processes common to all technological organisations: production and
protection
4 J Reason, Ashgate Publishing Limited, Aldershot, England, 1997.
5 Ibid p2.
Unit 3 Accident Causation 8
Threat and error management (TEM)
The following is a definition is provided by SKYbrary:6 “Threat and Error Management
(TEM) is an overarching safety concept regarding aviation operations and human
performance. TEM is not a revolutionary concept, but one that has evolved gradually, as a
consequence of the constant drive to improve the margins of safety in aviation operations
through the practical integration of Human Factors knowledge.
TEM was developed as a product of collective aviation industry experience. Such experience
fostered the recognition that past studies and, most importantly, operational consideration of
human performance in aviation had largely overlooked the most important factor influencing
human performance in dynamic work environments: the interaction between people and the
operational context (i.e., organisational, regulatory and environmental factors) within which
people discharged their operational duties.”
The following excerpt is from an interview of Dr. James Reason in association with
VoiceMap (www.voicemap.net), a provider of live guidance applications to improve human
performance.
7
“I believe error traps may also exist due to more intangible conditions such
as conflicting priorities or requirements on staff that may create a bias toward
compromise of safety priorities. The conditions act as a trap or decision
“box” where safety compromise is either viewed as “okay” or the only viable
response and even well intentioned people can be subverted. In contrast,
the competing priorities may just
appear to be boxes and allow a lax person
to compromise safety. The bias toward compromising safety may actually
originate in people who are predisposed to making the error, making it not a
system-based error trap but a personal performance error. How should the
errors in reporting at Vermont Yankee be characterized?”
http://www.safetymattersblog.com/2010/03/this-podcast-is-excerpted-from.html
6 http://www.skybrary.aero/index.php/Threat_and_Error_Management_(TEM) viewed at 1 June 2010.
7 Dr. Reason discusses his theory of how errors occur (person based and system based) including the
existence of “error traps” within an organizational system. Error traps are evident when different people
make the same error, indicating some defect in the management system, such as something as simple as
bad or ambiguous procedures.

Unit 3 Accident Causation 9
How defences are breached
In this section we look at the nature and variety of defences involved in technological
organisations. However, as we have said before, organisational accidents are rare events. It
is easy to forget to fear things that rarely happen, particularly in the face of productive
imperatives such as growth, profit and market share. Such is the domain for complacency.
Like many other high-hazard, low risk systems, modern aircraft have acquired such a high
degree of technical and procedural protection that they are largely proof against single
failures, either human or mechanical. They are much more like to fall prey to an
‘organisational’ accident. That is, a situation in which latent failures, arising mainly in the
managerial and organisational spheres, combine adversely with local triggering events
(weather, location etc.) and with the active failures of individuals at the ‘sharp end’ (errors
and procedural violations).
Active failures and latent conditions
Active failures are defined as those errors or violations having an immediate adverse effect.
These are generally associated with the activities of ‘front line’ operators… control room
personnel, ships’ crew, train drivers, signalmen, pilots, air traffic controllers, cabin crews etc.
Active failures have long been the ‘traditional’ concern of air safety specialists, — the focus
has been on the behaviour of people at the ‘sharp end’, that is, those personnel most directly
involved at the time of the occurrence — flying the aircraft, controlling air traffic, evacuating
passengers, or carrying out maintenance.
Latent conditions are decisions or actions, the damaging consequences of which may lie
dormant for a long time, only becoming evident when they combine with local triggering
factors (such as, active failures, technical faults, atypical environmental conditions, and so
on) to breach the system’s defences.
Their defining feature is that they were present within the system well before the onset of a
recognisable accident sequence. They are most likely to be generated by people whose
activities are removed in both time and space from the direct human-machine interface:
designers, high-level decision makers, regulators, line managers.
Latent conditions are to technological organisations what resident pathogens are to the
human body. Like pathogens, latent conditions — such as poor design, gaps in supervision,
undetected manufacturing defects or maintenance failures, unworkable procedures, clumsy
automation, shortfalls in training, less than adequate tools and equipment — may be present
for many years before they combine with local circumstances and active failures to penetrate
the system’s many layers of defences.
8
Latent conditions arise from strategic and other senior management decisions made by
governments, safety regulators, aircraft and component manufacturers, aircraft designers and
organisational managers. The impact of these decisions spread throughout the organisation,
8 Ibid p10.
Unit 3 Accident Causation 10
shaping a distinctive corporate culture (see Unit 1) and creating error-producing factors
within the individual workplaces.
The nature of defences
Defences can be categorised both according to the various functions they serve and by the
ways in which these functions are achieved. Although defensive functions are universals,
their modes of application will vary between organisations, depending on their operating
hazards.
According to Reason
9 all hazards are designed to serve one or more of the following
functions:
to create understanding and awareness of local hazards;
to give clear guidance on how to operate safely;
to provide alarms and warnings when danger is imminent;
to restore the system to a safe state in abnormal situation;
to interpose safety barriers between the hazards and the potential losses;
to contain and eliminate the hazards should they escape this barrier; and
to provide the means of escape and rescue should hazard containment fail.
Defensive functions are achieved through a mixture of ‘hard’ and ‘soft’ applications.
Hard
defences
include such technical devices as automated engineered safety features such as
alarms, bells and annunciators, interlocks, keys, personal protective equipment, nondestructive testing, designed-in structural weakness (for example, fuse pins on aircraft
engine pylons) and improved system design.
Soft defences, as the term implies, rely heavily on a combination of paper and people:
legislation, regulatory surveillance, rules and procedures, training, drills and briefings,
administrative controls (for example, ATC shift handovers), licensing, certification and most
critically, front-line operators (for example, pilots), particularly in highly automated control
systems.
There are advantages and disadvantages with defences. Some of their advantages have been
outlined above. On the negative side they make systems more complex, and hence more
opaque, to the people who manage and operate them. They sometimes distract attention from
more serious hazards. For example, consider how many times an aircraft has been lost as a
result of a crew being preoccupied with a warning (perhaps even a faulty warning such as
“landing gear unsafe” indication) while another dangerous situation (for example, low fuel
situation or proximity to the ground) may have developed.
Production and protection
Reason sees all technological organisation in terms of two universals: that of production and
protection. All technological organisations
produce something — the transportation of
people, manufactured goods and the provision of financial or other services. On the other
hand, all organisations (and the larger systems within which they are embedded) require
9 Ibid p7.
Unit 3 Accident Causation 11
various forms of protection to intervene between the local hazards and their possible victims
and lost assets.
In earlier technologies, human activities were primarily productive: people made or did
things that led directly to commercial profit. However, according to Reason, due to the
widespread availability of cheap and flexible computing power, a dramatic change has
occurred in the nature of human involvement in modern technologies. These changes are
seen most starkly in design features of new generation aircraft such as the ‘glass cockpit’
and ‘fly-by-wire’ control systems.
10
Instead of being physically and directly involved in the business of production (and hence
in immediate contact with the local hazards), power plant operators and pilots act as the
planners, managers, maintainers and the supervisory controllers of largely automated
systems. A crucial part of this latter role involves the defensive function of restoring the
system to a safe state in the event of an emergency.
Production v Protection in an organisation (Source: Reason)
In an ideal world, the level of protection should match the hazards of the productive
operations — the
parity zone.11 The more extensive the productive operations, the greater
the hazard exposure and so also is the need for corresponding protection. The broad
operating area of the parity zone (lightly shaded area above) is bounded by two dangerous
extremes. The top left corner (labelled bankruptcy) is where protection far exceeds the
dangers posed by the productive hazards. Since protection consumes productive resources
(people, capital and materials) such over protective organisations would probably go out of
business in being uncompetitive.
At the other extreme, the bottom right corner in the above diagram, the available protection
falls short of that needed for productive safety. Organisations operating in the area face a
10 The application and considerations of these new technologies and design features (and automation in
general) are discussed in detail in Unit 7.
11 In simpler technologies, the productive and protective elements were often different structures but in
complex technologies, the same entity can serve both productive and defensive functions. For example, in the
case of pilots and air traffic controllers.

Unit 3 Accident Causation 12
very high risk of suffering a catastrophic accident, which could also lead to being put out of
business. Both danger zones should be avoided, if only because they are unacceptable to
both the safety regulators (for example, CASA) and the shareholders (for example, airlines).
Tolerating deficiencies
If the area of safe operations of an organisation is contained within the parity zone why do
directors or managers allow an organisation to venture into these dangerous extremes.
Obviously there are a number of reasons however, the basic problem lies with the conflicts
that develop between increasing protection and increasing profit. Each unit of corporate
resources that is directed to increased production (where accompanied by increased profits)
is not always balanced with a corresponding (or more correctly, appropriate) measure of
protection.
12 If company senior management fully understood the nature of accidents (and
the tremendous cost associated with them) they would be less likely to proceed on this shortsighted premise of false economy — that is, not spending on protection (ie safety measures)
to save money.
Being mindful of the fact that every risk has not been addressed is far
healthier than being blissfully ignorant in the belief that they have.”
Ron Bartsch
The English philosopher John Stuart Mills once said words to the effect “It is better to be
Socrates dissatisfied than a fool satisfied”. Applying this 19
th Century philosophy to the
management of safety (within this parity zone) one might say that it is far better to proceed
in the knowledge that never can every risk have been anticipated, than being naively satisfied
that a safety system has addressed every possible risk or hazard.
Case Study 1 – Rouge Drones
If 900 grams of weapons-grade anthrax were dropped from a drone at
a height of 100 m just upwind of a large city of 1.5 million people all
inhabitants would become infected. Even with the most aggressive
medical measures that can realistically be taken during an epidemic a
study estimates that approximately 123,000 people would die – 40 times
more fatalities than from the 2001 World Trade Centre terrorists attacks.
The above chilling scenario was one that was put forward more than a
decade ago by Eugene Miasnikov in his report
Threat of Terrorism
Using Unmanned Aerial Vehicles
. If such was a plausible threat of
12 There are numerous examples of this in aviation. Valu-Jet airlines, which increased their fleet of DC-9s
from four to 47 in three years is a classic, though somewhat tragic, example.

Unit 3 Accident Causation 13
drones in the hands of terrorists back in 2005 imagine the threat that
exists today. As science and technological innovation continues to
rampage we often loose sight of how much the world has changed –
and in this instance, the extent to which terrorists will go to achieve their
objectives. With this is mind, consider the following modern day
scenario.
A terrorist organisation parks a small removalist van in a crowded street
of a major city under the flight path of a nearby international airport. The
van’s canopy has an open top but the sides are high and obscured from
the view of passers-bye is its payload of half a dozed high performance
quadcopter drones. To each drone is attached an explosive device –
not dissimilar to those worn by suicide terrorists. The day and time
chosen have been well planned to coincide with the runway being used
for take-off. The targeted aircraft – an Airbus A380 – is departing with a
full payload of passengers and fuel, possibly in excess of 500
passengers and over 250 tonnes of fuel. The aircraft lifts off and the
drones are launched remotely and rapidly ascend. With the aid of the
high-resolution cameras onboard, the controllers are able to direct the
drones into the path of the A380’s four enormous engines. The
catastrophic consequences are beyond belief and immediately impact
upon the lives of families and friends of 500 fatalities and world
economies are sent into chaos.
Extract from Bartsch R,
Drones in Society (2016)
Such a situation as described above should not be uncontemplatable. Wishing that such a
deplorable act upon humanity would never eventuate is no deterrence in the minds of
terrorists seeking to inflict maximum carnage and media attention. As a society we should
not allow ourselves to be detracted from the goal of safeguarding public security just because
the thought of such acts is unconscionable. Previously inconceivable acts, such as those
inflicting grief with the 9-11 attacks, should now never occur – even if they require a more
sophisticated process of hazard identification. If such acts are conceivable to terrorists then
they should be conceivable to those charged with the responsibility of public safety and
security. In other words, when it comes to safety and security management unknown risks
should never equate to foreseeable risks – just because they were unforeseen.
Among the many roles of any organisation or culture is the determination of shared norms
regarding acceptable member practices.
13 In her examination of precursors to the Challenger
13 S Jones, “Air Traffic Control: A Starting Point”, University of Texas Aerospace Crew
Research Project, 1998, Austin, Texas.

Unit 3 Accident Causation 14
explosion, Vaughan explains the insidious effects of context and circumstance on the
development of an organisation’s cultural norms.
14 Vaughan notes that repeated successes
in achieving operational goals despite sub-optimal conditions in the years preceding the
explosion contributed to a cultural tolerance for off-normal conditions.
Mechanics at Sabre Tech (now infamous for its role in the Valu-jet tragedy) reported that
similar conditions existed in their operation; each time a used oxygen canister was handled
without consequence, concern about the dangers of such handling diminished (May, 1996).
This situation has been referred to as
the normalisation of deviance.
The tragic aftermath of the normalisation of deviance in the two above examples (ie The
Challenger and Valu-jet) underscores the critically of effective error management.
Conditioned acceptance of minor anomalies dangerously diminishes initiative for their
correction and impedes error management. Delays in identifying error as such widen what
Reason refers to as
the window of opportunity for mishap because the probability of
containment or recovery is reduced, and the variety of available recovery strategies becomes
increasingly limited.
The following diagram illustrates instances of human fallibility when faced with choices
between the resource competing universals of protection and production.
Lifespan of a hypothetical organisation (Source: Reason)
In the above illustration the history of the organisation is depicted by the black line, starting
from the left. Initially the organisation begins with a reasonable level of safety. As time
passes, the safety margin is gradually diminished until a low-cost accident occurs (shown as
an ‘explosion’ symbol). This event leads to an improvement in protection, but after time
(without any event or incident) protection is traded off for productive advantage until
another, more serious accident occurs (ie the second ‘explosions’ symbol). Again, the level
of protection is increased, but this time, after a significant uneventful period (normalisation
14 D Vaughan, “The Challenger launch decision: Risky technology, culture, and deviance at NASA”
University of Chicago Press, 1996, Chicago, USA.

Unit 3 Accident Causation 15
of deviance), protection continually erodes until a major accident (catastrophe) destroys the
organisation.
This lengthy period without a serious accident (or completely uneventful) that leads to an
erosion of protection has also been described as “the dangers of the
unrocked boat”. This
phrase was coined by Constance Perin in a paper entitled “British Rail: the case of the
unrocked boat” which gave an account of the Clapham Junction railway accident.
15
Case Study 2
A fallible policy decision made by corporate management might be to
maximise the profitability of an airline regardless of any other
considerations. This decision then places great pressure on the
company’s line managers to translate this policy into effect. A
consequence is the development in the workplace of a psychological
climate in which staff under pressure, and perhaps in fear of losing
their jobs, constantly try and cut corners to save money, and thereby
commit unsafe acts — both unintended errors and deliberate violations
— such as inadequate maintenance work, sub-standard emergency
procedures training, and so on. When the defences of the system fail
— for example, the final inspection of maintenance work by
supervisors is not properly carried out, — a ‘window of opportunity’ for
a system failure such as an
accident or a failed evacuation may result,
given the right set of circumstances.
The traditional approach of safety regulators and air safety investigation agencies has been
to
react to ‘events’. However, it is obvious that on this basis an incident or accident has to
actually occur before the information necessary for the prevention of similar occurrences in
future could be obtained.
There is a need for, not only regulators and investigators to take a more pro-active role, but
also for management to do likewise. However, to adopt such a role it is necessary to
understand the way in which an accident is likely to occur. This is what Reason refers to as
the “accident trajectory”.
15 Presented at the Managing Technological Risk in Industrial Society conference on 14-16 May 1992 in Bad
Homburg, Germany.

Unit 3 Accident Causation 16
The accident trajectory
Accidents are rare events. They represent the total breakdown of technical and human
safety redundancies. They are highly visible events where the
chain of events leading up to
the accident are thoroughly studied. After the pieces are picked up and the reports are
written it is easy to look at what happened and train managers, pilots or whoever, to avoid
the pitfalls. In this sense, the study of accidents has instructional value.
Causal nexus
In the law of negligence, the term causal nexus refers to the unbroken chain of events —
‘causation’ — that leads to some kind of damage, recognised by the law. If the chain is
broken, (between the defendant’s alleged negligent act (or omission) then liability is
avoided. With an organisation, if the causal nexus is broken (for instance, by the
occasioning of a defence) then an accident is adverted. This legal analogy serves more than
an illustrative account of an accident trajectory: it represents the basis of possible legal
liability of managers or key personnel within an organisation.
As stated, while accidents are rare, the events that lead up to the accident are quite
common. Many of these situations are encountered on a daily basis by management and
operational personnel. What makes the difference in whether the chain gets broken or
whether it proceeds to an incident or accident depends on how management and
operational personnel solves the problem.
E x e r c i s e 3
In approximately 500 words give an overview of the application of
Professor James Reason’s accident causation model to the management
of safety within a civil aviation or ADF organisation.

Unit 3 Accident Causation 17
Case Study 3
Accident Causation
Korean Air 747 Crash16
National Transportation Safety Board documents show that but for a series of “ifs,” there
might not have been a fatal crash of a Korean Air 747-300 trying to land at Guam. The
board is holding three days of hearings in Honolulu on the crash, which killed 228. Of the
more than 20 survivors, two flight attendants said there was no warning to prepare for a
crash landing on Aug. 6, 1997. At the time of the accident, the glideslope associated with
the ILS to the runway was out of service, although the localiser was working. This was the
subject of a notice to airmen, but the KAL crew apparently was unaware of this. The cockpit
voice recorder transcript shows one pilot saying the glideslope was working, and there was
confusion on this point until the aircraft crashed into high terrain 3.5 nautical miles
southwest of the airport.
Post-accident, FAA and NTSB found that the Guam ARTS-11A MSAW (minimum safety
altitude warning) was intentionally inhibited by FAA inside a 54 nautical mile ring around
the Guam airport surveillance radar (ASR) to eliminate what local air traffic controllers
perceived as nuisance warnings. The simulation showed that without the inhibit ring, a
visual and aural low-altitude alert to the control tower would have been generated 64
seconds before impact. Pull-up and terrain warnings were not issued because the aircraft
was in a landing gear/flap configuration. Post-accident simulation showed that if the aircraft
had been equipped with the Enhanced Ground Proximity Warning System, there would
have been a warning to the crew 60 seconds before impact.
The local controller said he believed the airport should have been visible to the KAL pilots
at four to five miles. He said that during the period the glideslope had been Notamed out
of service, he had received no reports from other aircraft of erroneous readings. The
controller said he knew of no reason a pilot might believe the glideslope was operational.
In the CVR transcript, one of the crew asked at 1539:55, “is the glideslope working?”
Another crewmember replied, “Yes, yes, it is working.” At 1541:45, there was the sound of
altitude alert and at 1541:46, one of the pilots asked, “Isn’t the glideslope working?” At
1541:59, one of the crew, apparently referring to the airport, asked, “Not in sight?” After
questions about the sink rate at 1542:17:15 and an assurance that it was “okay,” at
1542:19:47, one of the pilots said, “Let’s make a missed approach.” Another, at 1542:20:56,
said “not in sight.” Then calls began for “go around” and there were sounds of the autopilot
disconnect
warning.
At 1542:25:78: there was the sound of initial impact.
The “but for” test is used in law to determine if the causal nexus is broken. It would appear
it would be equally applicable here in determining the causal factors that led to the above
KAL accident.
To help explain the accident trajectory Reason has developed what is termed the “Swiss
Cheese” model. The Reason model of accident causation, and account of the accident
trajectory, has been translated into successful operational corporate safety programs by Shell
(TRIPOD), British Rail (PRISM) British Airways Engineering (MESH), and, most recently,
Singapore Airlines. Some of these programs are examined in later units.
16 Article from Aviation Daily, 26 March 1998.
Unit 3 Accident Causation 18
The “Swiss Cheese” model
According to Reason the necessary (and sufficient) condition for an organisational accident
is the rare conjunction of a set of holes in successive defences, allowing hazards to come
into damaging contact with people and assets.
17 These windows of opportunity are rare
because of the multiplicity of defences and the mobility of the holes.
The above diagram shows an accident trajectory passing through corresponding holes in the
layers of defences, barriers and safeguards. The holes can be created by either active failures
or latent conditions.
Active failures can crate gaps in two ways. First, front-line personnel may deliberately
disable certain defences in order to achieve local operational objectives. For example, when
a flight instructor ‘pulls’ the circuit breaker of the landing gear warning when demonstrating
engine failure techniques. Second, front-line operators may unwittingly fail in their role as
one of the systems’ most important line of defence. A common example is the wrong
diagnosis of an abnormal operation, for instance when the crew of the ill-fated B757 in Cali,
Colombia confused an impending stall to that of an overspeed situation.
Latent conditions can take a variety of forms: defective O-rings in the
Challenger’s booster
rockets, corroded sprinklers on the
Piper Alpha gas platform, and the lack of supervisory
checks by the FAA with the Valu-jet accident. As it is not possible to foresee all possibilities
of a disaster defensive weaknesses may be present from the very beginning of a system’s
productive life cycle, or may develop unnoticed, or at least uncorrected, during its
subsequent operations.
17 Reason, op cit, pp11-12.
Unit 3 Accident Causation 19
Approaches to safety
management
In Unit 5 we look at the role of management in the development of systems approach to
safety management and the development of Safety Management Systems (SMS).
18 Reason
stresses the fundamental need always to adopt a total systems approach to safety. While this
in itself is certainly not new, it is the manner in which Reason addresses and analyses the
system that was of special interest.
Having reviewed Reason’s approach to accident causation it is now appropriate to consider
this view in light of the three recognised approaches to safety management. It will be seen
that of the three models, that is the person, engineering and organisational models, the latter
two are more consistent with systems approach.
The Person Model
The person model is exemplified by the traditional occupational safety approach. The main
emphases are upon individual unsafe acts and personal injury accidents. It views people as
free agents capable of choosing between safe and unsafe behaviour. This means that errors
are perceived as being shaped predominantly by psychological factors such as inattention,
forgetfulness, poor motivation, carelessness, lack of knowledge skills and experience,
negligence and — on occasions — culpable recklessness. Its principal applications are in
those domains involving close encounters with hazards. As such, it is the most widely
adopted of the three models. It is also the approach with the longest history, stretching back
to the beginnings of industrialisation. It is usually policed by safety departments and safety
professionals, though — more recently — the accent has been upon personal responsibility.
The most widely used countermeasures are ‘fear appeal’ poster campaigns, rewards and
punishments, unsafe act auditing, writing another procedure, training and selection. Progress
is measured by personal injury statistics, such as fatalities, lost-time injuries, medical
treatment cases, first aid cases and the like. It is frequently under-pinned by the ‘iceberg’ or
‘pyramid’ views of accident causation.
18 See http://www.skybrary.aero/index.php/Safety_Management_System: “The implementation of an SMS
gives the organisation’s management a structured set of tools to meet their responsibilities for safety defined
by the regulator. New standards and recommendations are planned to be introduced in several Annexes to the
Chicago Convention in order to harmonise and extend provisions relating to safety management to the main
aviation service provider organisations: aircraft operators, air navigation services providers, aerodrome
operators, maintenance organisations, aircraft manufacturers and training organisations. ICAO standards and
recommended practices (SARPs)are not directly applicable within national legislative and regulatory
frameworks. Therefore States the required to establish safety programmes and, as part of such programmes,
ensure that operators/service providers implement a safety management system. The ICAO requirements for
implementation of SMS are currently applicable to air traffic service providers (Annex 11), aerodrome operators
(Annex 14, Volume 1). For aircraft operators the provisions for SMS implementation in Annex 6, Parts I and
III became effective as of January 2009.” See generally Annex 19 – Safety Management, 2nd Edition, dated
July 2016.

Unit 3 Accident Causation 20
The Engineering Model
The engineering model has its origin in reliability engineering, traditional ergonomics (and
its modern variant-cognitive engineering) risk management and human reliability
assessment. Safety is viewed as something that needs to be ‘engineered’ into the system and,
where possible, to be quantified as precisely as possible, Thus, the focus is upon engineered
system reliability, often expressed in probabilistic terms. In contrast to the person model,
human errors are not regarded simply as the product of what goes on between an individual’s
ears. Rather, they emerge from human-machine mismatches, or poor human engineering —
that is, the failure on the part of the system designers to tailor the system appropriately to the
cognitive strengths and weakness of its human controllers.
Typically, the model focuses on how the performance of front-line operators (for example,
control room operators and pilots) is influenced by the characteristics of the workplace or,
more specifically, by the informational properties of the human-machine interface. Research
in this area was originally supported by the nuclear power industry, the military, the space
agencies, the chemical process industry and aviation-domains in which the safety of a system
hinges critically on the reliability of a small number of human controllers.
The practical applications of this approach include: hazard operability studies (HAZOPS),
hazard analysis studies (HAZANS), probabilistic risk assessment (PRA), technical safety
audits, reliability and maintainability studies (RAMS), human reliability assessments
(HRA), cognitive task analyses, ergonomic guidelines, databases, and the application of
decisions support systems. Some of these applications are considered in Unit 5.
The Organisational Model
If the organisational model, the newest of the three, has a disciplinary link, then it would
probably be with crisis management. The organisation model views human error more as a
consequence than as a cause. Errors are the symptoms that reveal the presence of latent
conditions in the system at large. They are important only in so far as they adversely affect
the integrity of the defences. The model emphasises the necessity for productive measures
of ‘safety health’ and the need for continual reforms of the system’s basic processes. Indeed,
the organisational hazards. Both are seen as being implicated in organisational accidents. In
many respects, the organisational model is simply an extension of the engineering model and
is in no way incompatible with it. Human-machine mismatches are seen as being the result
of prior decisions in the upper echelons of the system.
Summarising: Reason’s approach to managing the risks of organisational accidents is a
combination of the engineering and organisational models, with a somewhat greater
emphasis on the latter.
19 Both are necessary for understanding the causes of organisational
accidents and for limiting their occurrence. As Reason has stated “where there is a conflict,
it is between both of these models and the largely person-directed approach of the traditional
occupational safety professionals. However, these differences are often more a matter of
circumstance than of substance.”
20
19 Ibid. p226.
20 Ibid.
Unit 3 Accident Causation 21
Conclusion
In this unit, Accident Causation, you have been introduced to some basic principles and
definitions of accident causality within large complex organisations. As was stated,
organisational accidents are not unique to aviation, nor are their causes. Professor James
Reason’s conceptual and theoretical approach to the safety of large, complex socio-technical
systems is explained.
The next section discussed the nature and variety of defences involved in technological
organisations. Like many other high-hazard, low risk systems, modern aircraft have acquired
such a high degree of technical and procedural protection that they are largely proof against
single failures, either human or mechanical.
The third section explained accidents in terms of the accident trajectory: a total breakdown
of technical and human safety redundancies. The accident trajectory explains how accidents
happen may be averted if the
causal nexus is broken.
Approaches to safety management looked at Reason’s account of the development of various
approaches to safety management. The three models considered were the
person model, the
engineering model and the organisational model.
______________________________

Unit 4 Safety Regulatory Authorities 1
Aviation Safety & Accident
Prevention
Unit 4
Safety Regulatory Authorities
Ronald I C Bartsch AM
2022 UNSW School of Aviation
CRICOS Provider Code 00098G
Unit 4 Safety Regulatory Authorities 2
Contents
Overview ……………………………………………………………………………………………………………….. 3
Unit structure ………………………………………………………………………………………………………… 4
Unit flow chart……………………………………………………………………………………………………….. 5
The role of the regulator…………………………………………………………………………………………. 6
The traditional approach ……………………………………………………………………………………….. 7
A model regulator ………………………………………………………………………………………………… 7
Safety system assessment ……………………………………………………………………………………… 9
World best practice………………………………………………………………………………………………. 10
Harmonisation of aviation regulations…………………………………………………………………… 10
International consensus……………………………………………………………………………………….. 15
Principles into practice………………………………………………………………………………………… 17
Contemporary aviation surveillance ……………………………………………………………………… 18
Regulatory framework …………………………………………………………………………………………. 20
Legislative structure……………………………………………………………………………………………. 20
Safety philosophy……………………………………………………………………………………………….. 21
Safety indicators…………………………………………………………………………………………………. 22
Systems and risk-based surveillance……………………………………………………………………… 22
Outcome-based legislation …………………………………………………………………………………… 23
The task of enforcement ……………………………………………………………………………………….. 25
Conclusion …………………………………………………………………………………………………………… 27

Unit 4 Safety Regulatory Authorities 3
Overview
Traditionally, regulatory authorities saw their responsibilities predominantly in terms of
surveillance of the industry and following up on accidents and incidents where breaches of
regulations had occurred. Surveillance consisted mainly of inspection of end products of the
aviation system. Little attention was given to the systems and procedures that produced them.
In accordance with CASA’s mission to “maintain, enhance and promote the safety of civil
aviation in the interests of the Australian public” it is necessary for CASA to develop
strategies and procedures that minimise the element of risk. In line with world best practice,
CASA together with safety regulatory authorities throughout the world, have adopted a
systems safety approach to safety regulation. This proactive role seeks to encourage
compliance, as a shared responsibility with industry, rather than adopting the traditional
‘policing’ function.
For there to be an effective aviation safety regulator there must be a sound basis for the
framework and infrastructure of the safety regulatory authority. Often, and most
unfortunately, it takes a number of serious accidents to initiate a reconsideration of the
appropriateness of the safety authority’s framework and structure. Australia’s current
legislative framework was introduced in 1995.
For there to be an effective aviation safety regulator there must be a sound basis of sanctions
and enforcement strategies to provide a deterrent against organisations or individuals that
refuse to comply or blatantly defy the regulatory system. Many regulatory authorities have
come under attack from the industry for adopting a ‘heavy handed’ approach to the task of
enforcement of safety regimes and security programs. CASA is in the process of amending
its enforcement policy.
Objectives
At the end of this unit you should be able to:
define the role of safety regulators;
describe the proactive initiatives of CASA in terms of safety regulation;
describe the way in which a systems safety approach is applied;
recall the legislative basis for Australia’s regulatory structure;
describe, with the use of case studies, the various approaches to enforcement.
Unit 4 Safety Regulatory Authorities 4
Unit structure
Unit 4, Safety Regulatory Authorities, provides an introduction into the function, structure
and responsibilities of air safety regulatory authorities. In particular, this unit considers the
following questions:
What is the role and objectives of CASA?
What is world best practice in safety regulation?
How are regulatory authorities structured?
When and how is enforcement required?
These questions are addressed in the following sections of this unit:
The role of the regulator
World best practice
Regulatory framework
The task of enforcement
The first section in Unit 4,
The role of the regulator, we review the traditional role of
regulatory authorities and see their responsibilities predominantly in terms of surveillance
of the industry and following up on accidents and incidents where breaches of regulations
had occurred. The role of regulatory authorities today is much more proactive and involves
more surveillance and auditing to check for compliance rather than policing and examining
to ensure compliance.
The next section,
World best practice, discusses CASA’s mission to “maintain, enhance and
promote the safety of civil aviation in the interests of the Australian public”. To help achieve
this objective CASA encourages a greater compliance by industry of its obligations to
maintain high safety standards. CASA therefore seeks to support, encourage and reward
those organisations that demonstrate a propensity to achieve this objective.
The third section,
Regulatory framework, looks at the framework and infrastructure of the
safety regulatory authority. The safety authority’s legal basis of its framework and structure
is a very important consideration and serves many important functions including the question
of accountability of the statutory authority.
The final section of this unit,
The task of enforcement, begins with a brief account of the
traditional ‘heavy handed’ and at times ‘unaccountable’ basis of regulatory enforcement.
This section examines new approaches to the task of enforcement and strategies to promote
regulatory compliance.

Unit 4 Safety Regulatory Authorities 5
Unit flow chart

Section Objectives Action
The role of the
regulator
To be able to state the role and
functions of air safety regulatory
authorities.
Bartsch R, Aviation Law
in Australia (5
th edition)
Thomson Reuters,
Sydney 2019, Ch 3.
World’s best
practice
To be able to list five features of
world best practice of safety
regulators.
Keith L, “The challenges
facing aviation safety
regulators”, 1997.
Regulatory
framework
To be able to recall, with a case
study example, the regulatory
framework and legal basis of a
safety regulatory authority.
Exercise 4. Reason J,
“The regulator’s
unhappy lot”,
Managing
Risks of organisational
accident”, Ashgate,
England, 1997.
The task of
enforcement
To be able to recall, with case study
examples, new approaches to the
task of enforcement.
“Managing Risks in
Civil Aviation”,
http://flightsafety.org/asw
/nov08/asw_nov08_p10-
14.pdf

Unit 4 Safety Regulatory Authorities 6
The role of the regulator
According to Professor James Reason, aviation regulators are uniquely placed to function as
one of the most effective defences against organisational accidents. They are located close
to the boundaries of the regulated system, but are not part of it. One of the most effective
strategies of regulatory authorities is to examine the system that controls the activity, and to
ensure that there are appropriate procedures in place to address and achieve the required
safety standard.
Public safety is improved if deficiencies are identified and immediately corrected when
discovered by the operator. Reliance upon audits by regulators, or other third parties, to
identify operational hazards increases that organisation’s exposure to risk. Australia has
joined many other international regulatory authorities in requiring organisations to establish
and maintain safety management systems to manage these risks in the pursuit of safety. From
CASA’s perspective its ongoing role once such systems have been established is
predominantly one of regulatory oversight (mostly systems audits) to monitor and evaluate
the effectiveness of such systems. At the international level ICAO’s Universal Safety
Oversight Audit Programme (USOAP) has conducted safety oversight audits in 181
contracting sates and five territories since its introduction in 1999. In 2004 the ICAO
Assembly voted to consider expanding the program to include audits of all safety related
ICAO Annexes
1 to provide a holistic approach to aviation safety oversight.
Please read your textbook at paragraphs [3.05]-[3.20]
In many respects the mandating of Safety Management Systems (SMS) legislatively within
the aviation industry has close parallels to the progressive introduction, from the late 1980s,
of Quality Management Systems (QMS) by most industry and service providers within the
broader commercial sector. Essentially, the concept of quality, in relation to aviation safety,
is synonymous with the “safety health” of an organisation.
An important aspect of improving quality is to incorporate processes within SMSs that aim
to continuously increase the level of safety within that system. This aspect of QM principles
is one of many that have been incorporated into CASR Part 119: Safety Management
Systems. Quality, in the context of safety management, means continually enhancing the
safety health of an organisation.
Safety regulatory authorities should, as part of their regulatory functions, monitor industry
safety management programs. The carrying out of surveillance is one way to verify such
programs are achieving their desired outcomes. For instance, internal quality assurance
procedures are intended to assist the regulatory authority’s monitoring process by identifying
1 Annex 9 Facilitation and Annex 17 Security are addressed by the ICAO Universal Security Audit
Programme (USAP). See also: Annex 19 – Safety Management, 2nd Edition, dated July 2016

Unit 4 Safety Regulatory Authorities 7
and resolving safety issues. The internal quality assurance documentation and records
provide a convenient point of entry to the organisation for auditing purposes.
For any regulatory surveillance program to be effective it is necessary that such a system be
dynamic and transparent. These are the dominant features of the industry it is meant to
regulate. As developments occur, new technologies emerge or trends evolve, resources
should be shifted accordingly. For instance, if surveillance indicates that certain areas or
aspects of flight operations or airworthiness are of an ongoing high standard, and that these
areas are sufficiently being monitored, then it may be appropriate to reallocate resources to
other targeted areas of greater risk. In theory if the organisation performs well the safety
authority will have less need to monitor that organisation’s system of compliance. As
confidence in the system (of which the SMS is a vital part) is gained, the level and frequency
of audits may be reduced.
The traditional approach
Traditionally, regulatory authorities, saw their responsibilities predominantly in terms of
surveillance of the industry and following up on accidents and incidents where breaches of
regulations had occurred. Surveillance consisted mainly of inspection of end products of the
aviation system. Little attention was given to the systems and procedures that produced them.
In effect, aviation regulatory authorities provided an external quality control function for the
aviation industry through a process of constant inspection and intervention. Inspections of
end products provide a snap shot view of an organisation’s activities and do not identify the
underlying causal factor of the failures that occur.
A substantial change in the perception of the role of aviation regulatory authorities has taken
place because of the Swedavia-McGregor Report of 1988. One of the recommendations of
this Report was that responsibility be placed on certificated organisations to have in place a
Quality Management System with appropriate internal quality assurance procedures that
constantly monitor, review and improve the organisation’s performance. The establishment
of quality management systems is considered in more detail in Unit 5.
Given the complexity of modern aircraft, aerodromes and organisations
engaged in aviation activities, this
hands on, interventionist approach from
regulatory authorities is no longer appropriate.”
A model regulator
James Reason, in attempting to construct a model aviation regulatory process, suggests
there are three fundamental concerns that must be addressed by any such model.
A regulatory model needs to address the following questions:
How can regulators deploy their limited resources in the most effective and targeted
manner?

Unit 4 Safety Regulatory Authorities 8
How can regulators bring about the organisational reforms necessary to achieve,
and then sustain, optimum levels of ‘safety health’ on the part of the complex well
defended organisations that they oversee?
Since the absolute criteria for safe operations are rarely known in advance, how can
we design a regulatory process that will enable the policy-maker, the regulator and
the regulated all to be integral parts of an effective learning cycle?
So that each of these concerns can be effectively integrated into ‘the model’ it is
best to express these concerns in terms of essential features of the process. One
possible restatement of these concerns is presented below.
A model aviation regulatory process needs to provide for the following:
effective allocation of resources
promotion of organisational reform or change processes
creation of a learning culture or environment
Effective allocation of resources: As there is a finite safety dollar, resources should be
focused where they can do the most good in terms of achieving the regulator’s statutory
objectives (in CASA’s case in terms of section 3A of the
Civil Aviation Act 1988). The
essence of section 3A is directed to the establishment of a regulatory framework to maintain,
enhance and promote the safety of civil aviation with particular emphasis on preventing
aviation accidents. CASA seeks to promote and enhance air safety regulation through the
development and promulgation of safety standards, the provision of comprehensive aviation
industry surveillance and effect enforcement strategies.
This objective is intended to encourage a greater acceptance by the aviation industry of its
obligation and to maintain high aviation standards by: offering comprehensive safety
education programmes; the promotion of fair and open decision making; ensuring the
efficient and effective use of resources; promoting the highest level of accountability within
CASA; and encouraging voluntary industry adherence.
Promote organisational reform: To help achieve this objective CASA will encourage a
greater compliance by industry of its obligations to maintain high safety standards. CASA
therefore seeks to support, encourage and reward those organisations that demonstrate a
propensity to achieve this objective. In this regard CASA can and does delegate significant
responsibility to compliant organisations for establishing their own QM systems, safety
management programs and safety systems. The approval by CASA of Training and
Checking systems (under CAR 217) and the promotion of developing in-house Safety
Management Programs are two such example.
Creating a learning environment: This objective is intended to encourage a greater
acceptance by the aviation industry of its obligation and to maintain high aviation standards
by: offering comprehensive safety education programmes As part of this strategy all sectors
of the aviation industry will benefit from the sharing of information and safety-related data.
Please read your textbook at paragraphs [3.25]-[3.35]

Unit 4 Safety Regulatory Authorities 9
Safety system assessment
The Australian Civil Aviation Safety Authority recognises that an effective system of aviation
safety regulation should focus on monitoring and auditing normal operations, systems and
procedures with the view to detect incipient trends and where possible to increase the safety of
the aviation system. This approach is consistent with CASA’s core principles. The first three core
principles of CASA are particularly relevant, namely:
Adoption of safety system assessment as the basis of our regulatory approach;
Selected delegation to industry in order to focus our resources on high risk areas, while
maintaining an effective monitoring ability;
Working with those in industry who accept their safety responsibility.
In accordance with CASA’s mission to “maintain, enhance and promote the safety of civil
aviation in the interests of the Australian public” it is necessary for CASA to develop
strategies and procedures that minimise the element of risk. To help achieve this objective
CASA will encourage a greater compliance by industry of its obligations to maintain high
safety standards. CASA therefore seeks to support, encourage and reward those
organisations that demonstrate a propensity to achieve this objective.
An initiative promoted by CASA is for organisations to develop ‘in-house’ aviation safety
management programs. The adoption by many operators of QM systems (for instance ISO
9000) is an example of how such a program can be developed. This is in line with world best
practice in the industry. As we shall see in the next section a well developed safety
management program will be an integral part of an organisation’s QM system.

Unit 4 Safety Regulatory Authorities 10
World best practice
In December 1995 the Honourable Peter Morris handed down the recommendations in the
Plane Safe Inquiry.2 In determining a bench mark to compare the role of the then Civil
Aviation Authority the committee asked the following question: What are the characteristics
of a world best practice regulator of aviation safety?
The following was the Committee’s response:
3
legislation that assists the regulator to carry out its tasks effectively;
a clear articulation of the objectives of regulation, strategies to develop those
objectives and performance indicators to measure achievements;
special emphasis on aviation safety indicators;
adequate information and knowledge of the aviation industry and intimate
knowledge of the characteristics of industry that can affect safety adversely;
the existence of processes that can develop a good working relations with
industry;
a cohesive well knit organisation with adequately trained and skilled personnel
and effective leadership;
adequate processes and skills in developing effective standards and in securing
compliance with those standards; and
an effective system of accountability.
Chapter 6 of
Plane Safe entitled “The Regulatory System” looks at some detail of the
structure of the CAA at the time and of some of its inherent shortcomings. There have been
initiatives, and as one of CASA’s principles, to follow international best practice whenever
possible. The next section is from a paper by James Kimpton, Manager Aviation Policy with
Ansett, that looks at the harmonisation of aviation regulations in Australia and considers
what implications this may have on safety.
4
Harmonisation of aviation regulations
As many of us are aware, a major series of review programs with respect to the Civil Aviation
Safety Authority are underway. These involve both industry and CASA, working together
in an unprecedented way, reviewing CASA’s role, (in simple terms, how it does what it does)
and the regulatory framework administered by CASA. It is this latter review that concerns
us today, in particular those elements that involve harmonisation with other regulatory
systems, most notably that of the US.
2 Inquiry into Aviation Safety: the Commuter and General Aviation Sectors, Report from the House of
Representatives Standing Committee on Transport, Communication and Infrastructure, 1995, AGPS,
Canberra, ACT, Australia.
3 Ibid, p9.
4 J Kimpton, “The Harmonisation of Aviation Regulations: Implications for Safety” presented at the ANZALA
Conference
in November 1997 in Sydney, Australia.
Unit 4 Safety Regulatory Authorities 11
When, some years ago, there was discussion of deregulation and liberalisation of the airline
industry in an economic regulatory sense, it was important to define what was meant by
these terms. Similarly, it is important to define what is meant by “harmonisation”.
At the outset, it should be pointed out that harmonisation is occurring where appropriate,
this is an aspect that I will elaborate upon shortly.
However, to define harmonisation for our purposes: there are three main features. First,
numbering of our regulations will conform with FAR part-numbers. Secondly, as with the
US system the objective will be to produce a two-tier system. This will comprise the Act and
regulations with the balance of material being advisory. Thirdly, again emphasising “where
appropriate”, specific regulatory provisions from the FARs or, in some cases, other overseas
jurisdictions will be incorporated into Australia’s regulations.
Please read your textbook at paragraphs [3.210]-[3.250]
It seemed appropriate to define what is being done at the outset so that, in discussing
harmonisation, there is at least a common understanding as to what is meant by it.
There are a number of reasons why harmonisation is important. Many of these have a direct
impact upon safety. As many of us are only too well aware, Australia’s safety regulatory
structure is extremely difficult to work with. It has grown like topsy since the initial
enactment of the Air Navigation Act. It comprises regulations reflecting different drafting
styles of successive generations of legislative draftsmen, often juxtaposed within specific
topics. Regulations having a foundation in the regulatory regime extant when they were
enacted have been preserved after that justification has been removed; most notably this
comment applies to regulations classifying operations or dependent upon that classification,
which derive from the economic regulatory role that once was played, but no more, by the
Air Navigation Act. Not least of the difficulties of the present regulatory framework is that
it is distributed across a number of instruments including the Act, Regulations, Orders and,
in some instances, the AIP.
Against this background, it is not surprising that an objective of the Regulatory Framework
Program is regulations that are clear, straightforward and easily understood. But why
harmonise? Essentially, there are four reasons:
the structure and drafting styles of the FAR’s is generally recognised as meeting
the desired regulatory objective just stated. Australian aviation industry personnel
who have had experience with the FAR’s generally commend them for their
clarity and focus on outputs. This is important both from the point of view of
those wanting to comply and those responsible for aviation safety regulatory
enforcement.
by harmonising with the FAR’s there is the opportunity to adopt world’s best
practice in aviation safety regulation. By and large, the regulatory challenges we
might face have been faced, or are being faced, in the US and elsewhere. An
example of this is the process the FAA has been through to substantially fold Part

Unit 4 Safety Regulatory Authorities 12
135 into Part 121 and create Part 119, in terms of ensuring commuter airlines
ultimately comply with standards applicable to airlines. This is a challenge we
face in Australia in response to the Seaview Commission of Inquiry
recommendations; whether we resolve it in precisely the same way remains to be
seen.
by harmonising with the FAR’s, CASA’s opportunity to participate in the
worldwide aviation safety regulatory dialogue is greatly enhanced. As long as
Australia’s regulatory framework is unique there is limited potential for CASA’s
experience and insights derived from that framework to be meaningful to others
involved with different regulatory frameworks. However, to the extent that
Australia harmonises, CASA can contribute to discussions as to the operation of
the framework and indeed knowledge and experience can be transmitted in both
directions, to an extent not now possible. This is important for CASA’s prestige
and self-esteem as well as for the direct safety benefits that result. This in turn
reinforces CASA’s effectiveness in undertaking its regulatory role as it better
attracts and retains personnel of the experience and quality required.
many other jurisdictions are harmonising on the same lines as Australia. The most
obvious of these efforts is that between Europe’s Joint Aviation Authorities and
the FAA. However, other countries in our region such as Indonesia, Malaysia and
New Zealand and elsewhere, such as Canada, are moving in the same direction.
This global shift towards uniform laws means that as operations, products and
services cross borders, as they are increasingly doing, there is less need to adjust
for changes in national regulatory frameworks.
The foregoing are hopefully benefits of harmonisation with direct, positive consequences for
aviation safety. However, there is one benefit of harmonisation which is of broader
importance to which reference should be made. As was indicated a moment ago, aviation
products and services are increasingly “traded” across national boundaries. This applies
particularly, in the case of Australia, to the manufacture of small aircraft, the manufacture
of aircraft parts and components generally, the repair and maintenance of aircraft and flying
training.
To the extent that Australia’s regulatory framework is unique, we make it difficult for
Australian individuals and firms to become involved in overseas trade in these activities.
There are, for example, instances of Australian firms involved in aircraft maintenance having
to comply simultaneously with Australian and US regulatory requirements for the sake of
becoming involved in both markets. For manufacturers of small aircraft, export sales at large
become much easier if US certification is obtained, given the uniqueness of the current
Australian aircraft certification regime.
Subject to the issue of mutual recognition, discussed below, harmonisation very substantially
overcomes these difficulties. Once Australian requirements in these and other areas are in
line with mainstream regulation overseas, Australia’s safety regulation “gets out of the way”
of the industry developing its full economic potential. Not only does consistency of
regulation with industry’s commercial aspirations of itself enhance respect for the regulator;
to the extent that the unleashing of those aspirations increases activity in an industry that is
technologically advanced, employment intensive and, more often than not, located in the
regions, there is benefit to the regional and to the national economies, as well as to safety.

Unit 4 Safety Regulatory Authorities 13
Earlier, there was reference to harmonisation “where appropriate”. It may be useful to outline
situations where an alternative approach may be preferred. They are generally as follows:
Australia has a policy preference which is not reflected in the FAR’s. An example
of this is the provisions in Part 21 (Aircraft Certification) for the recognition of
Type Certification of foreign aircraft by Recognised Authorities. These have no
direct counterpart in the FAC’s but, since the Yates Report, (“Review of Policies
and Practices for First-of-Type Certification of Imported Aircraft”, January 1990)
have been a required component of Australia’s aircraft certification regime.
Another example is that Australia’s Part 103, regulating Operations of lighter, less
complicated aircraft, will reflect the existing Australian rather than US approach.
the FAR’s cannot be directly transferred to the Australian environment. This
statement applies, for instance to Part 61, Licensing, where Australia’s existing
and proposed Licensing structures will, notwithstanding the overall harmonisation
objective, remain unique. It is interesting that Part 61 has elsewhere proved
intractable to harmonisation reflecting the uniqueness of many countries’
licensing regimes.
Other regulatory frameworks offer something better or make a worthwhile
offering where the FAR’s make none. Examples here are the Joint Aviation
Authorities’ JAR-OPS which may prove to be more attractive than the equivalent
provisions of Part 91. Another example is the New Zealander’s creation of Part
149 for accreditation of Sport and Recreational Aviation Administrative bodies
which has no counterpart in the FAR’s.
Australia believing it has a legitimate case for regulatory innovation. An example
of this is the creation in the Australian Part 21 Aircraft Certification of an
Intermediate category for aircraft of sufficient weight and complexity to be
inappropriately categorised as Primary. Another example from the same area, is a
greater range of explicitly permissible activities for Restricted category aircraft
than in the US.
Australia’s background policy and regulatory settings being different to those of
the US or other relevant offshore jurisdictions : an example here is that CASA
does not have equivalent responsibilities to those of the FAA with respect to
aircraft noise emissions. Hence, provisions in FAR Part 36 dealing with this matter
are not taken up in Australia’s harmonisation program. Another, more complex
example, is CASA’s liability exposure relative to that of the FAA. CASA does
not have the benefit of the equivalent of provisions of the US Federal Tort claims
Act and thus faces potential liability if it is negligent, or otherwise actionable, in
fulfilment of its functions. This has led to differences between Experimental
Category as proposed for Australia, compared to that category in the US.
Basically, the current Australian proposals give CASA greater involvement in
airworthiness aspects of Experimental aircraft than in the case for the FAA in the
US, on the basis that, if there is liability, CASA would regulate accordingly. A
separate NPRM on the liability issue is being prepared to address this issue, on
the basis if CASA’s liability exposure, with respect to that (and Limited) category
is the same as in the US then the requirements for the category itself can be
identical.

Unit 4 Safety Regulatory Authorities 14
In considering this list of exceptions to the harmonisation objective, it should not be assumed
that they arise at every turn. They do not and, even when they do, they do not always give
rise to much argument. While, for reasons of time, the process of the regulatory framework
review has not been discussed in detail, its structure of Technical Committees dealing with
broad regulatory areas, and Project Teams, dealing with specific issues within the
responsibility of Technical Committees, is intended to ensure that the knowledge and
experience of CASA and industry people in the relevant field are brought together to achieve
the best possible results. This work is often painstaking, time-consuming and thorough, the
benefits of the outcome making the effort worthwhile.
There was reference earlier to the question of mutual recognition. While regulatory
harmonisation is vitally important for the reasons given, achieving mutual recognition by
authorities of each others determinations is the other side of the coin. In the absence of formal
arrangements for mutual recognition, other countries’ authorities have a discretion as to how
far they recognise their counterparts’ determinations. This is, of course, a critical issue for
trade in aviation products and services. That said, regulatory harmonisation makes it easier
for foreign authorities to accept Australia’s determinations and, should they put the
Australian product or services to the test afresh, compliance with an identical foreign
requirement should be much easier, given earlier compliance with the identical Australian
equivalent.
However, mutual recognition absolutely “closes the loop”. This is generally achieved via
bilateral agreements between the countries involved. Australia has an airworthiness
agreement with the United States and relevant memoranda of understanding with France and
China. However, the modern trend is for aviation trading nations to pursue Bilateral Air
Safety Agreements (BASA) which cover a much wider range of issues, beyond mere
recognition of determination to such matters as operations, personnel licensing, exchange of
information and experience and so forth. This is a matter in which the former Minister has
taken an interest; this is essential as BASAs will involve at least the Department of Foreign
Affairs and Trade and the Department of Transport and Regional Services as well as CASA.
Efforts are being made to draft a “standard” Australian BASA as a prelude to individual
country negotiations. If BASAs with our major aviation trading partners can be achieved,
the safety and economic benefits identified above will be enhanced.
Trans Tasman mutual recognition, shortly to come into effect, will achieve these outcomes,
primarily as a result of legislation.
Hopefully, sharing views with regard to the harmonisation elements of the regulatory
framework program clarifies the role of that element in the program overall. In summarising
this aspect for the purpose of today’s discussion, the complexity and scope of this element
of the regulatory framework program and that program overall should not be underestimated.
For this reason, it is likely to take some years for the regulatory framework review to be
completed. Notwithstanding output to date in areas where the extent of harmonisation is high
or the safety and economic gains from harmonisation substantial, there is much work ahead
to apply the review process to the entirety of the safety regulatory framework. That work, as
I have said, is being done by industry and CASA working together in Technical Committees
and Project Teams. Their ability to work very constructively thus far, says much for their
collective commitment to the objectives of the Review process. Given the importance of
those objectives, as they have been outlined today, the value of their contribution is gratefully
acknowledged.

Unit 4 Safety Regulatory Authorities 15
International consensus
Early in 1996 the ICAO Air Navigation Bureau (ANB) arranged a meeting with a Group of
Experts on Aviation Safety in Vancouver. Resulting from that meeting briefing notes were
produced giving the current ICAO perspective on a number of issues that relate to air safety.
The main thrust of these notes considered what management practices should be adopted by
air safety authorities in their pursuit of risk management.
As Australia is an active member state of ICAO it is important that CASA is aware and
supportive of any new initiatives developed by ICAO to improve the level of air safety. In
relation to the modernisation of Aviation Safety Regulatory Authorities the following
comments were made:
“ICAO . . . advocates a proactive approach to safety based upon the
identification and
cancellation of system hazards and the risks that such hazards involve before they
combine with human failures to generate accidents. Within this approach, the process
to be pursued is risk management, and the outcome of this process is safety. The
management of safety is indeed the management of risk.”
Recently many countries have begun to introduce legislation requiring organisations to
establish and maintain Quality Management (QM) Systems and safety management
programs. It should be pointed out that a correctly structured QM system will encompass a
safety management program. As the whole objective of a QM system is to achieve a
company’s mission there are very few airlines that do not advocate safety as one of their
prime objectives. While many countries embrace quality as part of their culture (for example,
in Japan they have a single word that embraces the concept of continuous improvement)
many western cultures have difficulties in even coming to terms with the meaning of the
word.
In some countries (for example Australia and New Zealand) aviation regulators are
providing to operators information to develop their own QM program. Whereas the New
Zealand model is based on the ISO 9000 system, other systems may be equally successful
in their application. However, a more important factor in the equation, is for organisations
to develop a healthy safety culture as the basis of any QM system.
For a QM system or safety management program to achieve the above objectives it is
necessary that such a system to be dynamic and transparent. As new developments occur or
trends evolve, resources should be shifted accordingly. For instance, if surveillance indicates
that certain areas or aspects of flight operations or airworthiness are of an ongoing high
standard, and that these areas are sufficiently being monitored, then it may be appropriate to
reallocate resources to other targeted areas.
The catalyst for most modification of QM Systems will however result from the observation
of trends for the identification of systemic defects. This includes for example, in the case of
flying operations surveillance, the current practice of monitoring pilot training records and
the analysis of data from Quick Access Recorders (QAR) and the like.

Unit 4 Safety Regulatory Authorities 16
Public interest in aviation safety, runs very high with demands for
improvements ever present. If the public perceives that the air transport
safety is deteriorating, the demands for improvement will become
increasingly strong.”
NCARC Final Report
The National Civil Aviation Review Commission’s (NCARC) final report and
recommendations on safety issues provides a valuable insight into the current approach of
the regulatory authorities in the United States.
5 The recommendations contained in this
detailed report have received in general widespread support from industry associations, the
airlines, aircraft manufacturers and the general aviation community. It is likely that this
report will be the focus of future initiatives in the area of aviation safety of regulatory
authorities throughout the world. As such it is therefore worthwhile reviewing some of the
major findings and recommendations of this report.
The report starts with the good-news premise that the commercial aviation sector accident
rate is extraordinarily low. The bad news is that the air-carrier rate has shown virtually no
improvement over the past 30 years. This flat accident rate coupled with the anticipated
growth in both business and commercial aviation will generate a significant increase in the
absolute number of accidents. Such misperceptions could generate a public clamour for
quick fixes that could do a great deal of harm to both commercial air carriage and business
air transportation.
Public interest in aviation safety, runs very high with demands for improvements ever
present. If the public perceives that the air transport safety is deteriorating, the demands for
improvement will become increasingly strong. The answer is to reduce the accident rate, and
some safety professionals have suggested that the already low rates of air carrier and business
aviation can be reduced by up to 80 percent. Gaining these safety levels won’t be easy.
A safe and efficient domestic commercial airlift capability is vital to the U.S. economy.
However, regulators and legislators must keep site of the fact that a
healthy general aviation
segment
also is vital to domestic and international commerce. And, business aircraft
operators must stay active in the creation of these new structures lest we become overtaken
and overwhelmed by the process. Consider the National Civil Aviation Review
Commission’s (NCARC) final report and recommendations on safety issues. While these
recommendations are based on air carrier activities, ultimately they will set the agenda for
the regulatory safety oversight of all turbine aircraft operations.
The Commission said a rate reduction “will take a comprehensive and concerted program by
government and industry that will require new ways of doing business with each other and
a greater emphasis on cooperation and collaboration.” We agree. The Commission believes
that certain accident/incident types should be addressed immediately and categorically
through research, training, regulatory action, and hardware/software development as well as
enlightened safety management philosophy.
5 NCARC Safety Recommendations Are Solid” in Business & Commercial Aviation, Vol 82, No 2, February
1998, p7.

Unit 4 Safety Regulatory Authorities 17
Among these accident types are controlled flight into terrain (CFIT) (which account for
about one fourth of all air carrier jet accidents worldwide), loss-of-control mishaps, human
errors in operations, and landing approach accident, weather and turbulence related
accidents, human errors in maintenance, and crash survivability. While this list is based on
air carrier experience, it certainly has relevance to business and corporate flight operations.
In this context, it is appropriate to look at the airline experience.
In our view, the most effective response flight departments can have to the new safety
management paradigm is to stay active in the industry discussions of these changes and to
build a safety culture within the flight department and, to the extent possible, within the
parent corporation.
Principles into practice
As an example of how the above principles and processes might be put into practice in
Australia we will look at one aspect of the safety regulator’s function, namely flight
operations surveillance.
Prior to the introduction by Australia’s CASA of the Aviation Safety Surveillance Program
(ASSP) the Authority’s approach to flight operations surveillance was largely reactive.
Recommendations from the
Plane Safe Inquiry6 ICAO that surveillance should be proactive
by way of looking for trends and visible markers of potential hazards. Organisations’ Flight
Operations Quality Assurance Programs need to adopt this approach in that surveillance
should be conducted on a routine basis as an every day event.
Proactive safety information such as Quick Access Recorders provide a monitoring system
to detect incipient trends as opposed to occasional reactive “item-ticking” checks. As stated
in the previously extracted ICAO document, proaction can only take place within a corporate
environment in which the objective is to determine what is wrong with the system, to
improve it as opposed to nailing down the individual deviations or “misbehaviour”. In other
words the approach is one of attempting to identify systemic deficiencies with the aim of
continuous improvement.
The purpose of flight operations surveillance therefore is to:
observe and access the operational efficiency of flight crew in the
performance of their normal operational duties;
identify any areas in which company procedures may be improved and
where appropriate recommend any changes;
assess the operational effectiveness of other elements inter-reacting with
company flight operations procedures such as ATC services and procedures,
navigational/communication facilities, aerodrome facilities and maintenance
and servicing facilities. Also the where appropriate reporting on the
relevance or effectiveness of regulatory requirements;
the recording and monitoring of individual flights and crew performance for
the purpose of detecting incipient trends.
6 Morris Inquiry, op cit.
Unit 4 Safety Regulatory Authorities 18
Although flying operations surveillance is only one function of a regulatory body the above
nevertheless illustrates how a shift in emphasis and priorities can achieve the objectives
characteristic of world best practice. Application of similar principles and processes can be
applied to other ‘components’ of the air transport system, including airworthiness and
engineering.
Contemporary aviation surveillance
The CASA Surveillance Manual1 (Version 2.4 – April 2017) contains the policy, processes
and instructions necessary for CASA personnel conducting surveillance of the aviation
industry when carrying out the Authority’s regulatory responsibilities.
Regulatory Decision Making
Where the legislation provides for one, and only one decision—the “correct” decision—is
the only decision open to CASA. However, most of the decisions CASA makes involve the
exercise of discretion. In such cases, there may well be more than one acceptable or correct
decision. In these cases, the law requires that CASA makes the “preferable” decision, that
is, the most appropriate decision, having regard to the overriding interests of safety and the
obligation to be fair. In all such cases, CASA is bound to act in accordance with the
applicable rules of administrative law. (See AVIA5001,
Aviation Law & Regulations)
These rules govern how CASA arrives at the ‘preferable’ decision in any given case.
Adherence to these rules is a requirement, not an option. Decisions and actions taken in
contravention of these rules are unlawful, unenforceable, and in most cases invalid. CASA
is legally accountable for the decisions it makes, and CASA decision-makers are obliged to
avoid the appearance, as much as the reality, of unlawful decision-making. Sound and lawful
regulatory decision-making is generally governed by the 10 rules of administrative law
summarised below. Adherence to these rules is essential to CASA’s obligations of
accountability and good governance.
1.
Natural Justice (Procedural Fairness)
x Hearing Rule. Persons affected by CASA’s decisions have a right to be heard. To be
meaningful, the hearing rule normally requires that CASA provides persons with notice
(usually in advance) that a particular decision is going to be taken, and the reasons for
the decision CASA proposes to take. Without notice and a statement of reasons, there
may be little point to providing a person with an opportunity to be heard.
x Rule Against Bias. Decision-makers should not have a personal or pecuniary interest
in the outcome of their decisions. Neither may decision-makers prejudge (or predetermine) matters in respect of which they are called upon to make a decision.
2.
A decision-maker must not act for improper purposes
Even if the purposes for which a particular decision are lawful, the decision may only
be taken for the purposes specifically authorised by the law under which the decision
has been taken.
3.
A decision-maker must not take any irrelevant considerations into account in
coming to a decision.
4.
A decision-maker must take all relevant considerations into account in coming to a
decision. Note: Applicable Policy is Always a Relevant Consideration.

Unit 4 Safety Regulatory Authorities 19
5. A decision-maker must act on the basis of evidence, not mere supposition or
speculation.
6.
A decision-maker must not formulate requirements in vague or uncertain terms.
7. A decision-maker must not inflexibly apply policy (although departures from policy
will normally need to be justified).
8.
A decision-maker must not act under dictation (although this does not preclude
adherence to formal directions, compliance with lawful conditions in relation to the
process by which a decision is taken or the obligation to consult in the process of
considering a decision).
9. A decision-maker must decide the matter within a reasonable time.
10. A decision maker must not act in a way that is manifestly unreasonable. A
decision must not be so unreasonable that no reasonable person would make such a
decision.
E x e r c i s e 4
4.1 Compare and contrast the traditional approach to air safety regulation to
CASA’s current policy in this area.
4.2 Describe, with examples, what is meant by a
systems approach to
safety regulation. Does the checking or testing of ‘end products’ still
provide and benefits to the regulator?
4.3 Give an overview of Australia’s current regulatory framework. Do you
think that the FAA in the United States has conflicting objectives in
terms of their safety regulatory structures?
(Hint: As was the case with
Australia’s pre 1995 when CAA was split into safety regulator (CASA) and aviation
service provider (Airservices Australia).
4.4 In point 7 above re “A decision-maker must not inflexibly apply policy”
find and summarise a case appealed to the Administrative Appeals
Tribunal (AAT) in which this principle has been applied.
4.5 Do you think that CASA’s current enforcement policy is adequate? If
not, what would you change to achieve better safety outcomes?
(Note: You can overview another National Aviation Authorities’ (NAA)
enforcement strategies)

Unit 4 Safety Regulatory Authorities 20
Regulatory framework
For there to be an effective aviation safety regulator there must be a sound basis for the
framework and infrastructure of the safety regulatory authority. Later in this Unit CASA’s
Regulatory Reform Programme will be considered in detail and an examination of the effect
of a transition from a traditional highly prescriptive regime to a more “outcome-based”
legislative framework is made.
Often, and most unfortunately, it takes a number of prominent accidents (for example the
Monarch and Seaview accidents in Australia) or a major catastrophe (Valu-jet accident in
the United States) to initiate a reconsideration of the appropriateness of the safety authority’s
framework and structure.
For instance, in the United States the National Civil Aviation Review Commission’s
(NCARC) final report (see above) and recommendations on safety issues identified two
major failings of the current US system. The first, and the most fundamental, was the finding
that the way the US aviation infrastructure is managed and funded is due for a change. The
second was that the management systems and infrastructure that emerge from this proposed
change will be based almost entirely on the requirements of the scheduled air carriers.
The NCARC Report also stressed that the regulators and legislators must keep site of the
fact that a healthy general aviation segment is also a vital component of the total commercial
air transport industry. After all, aircraft share the same airspace and today’s airline captain
most probably learnt his or her fundamental principles of flying and qualities of airmanship
within a general aviation environment.
So as to gain a better insight into the basis and philosophy behind the establishment of, or
reassessment of an existing safety regulatory framework, a review of the changes to the New
Zealand aviation industry will be considered. This case study is adapted from an address
presented by Kevin Ward, Director of Civil Aviation in New Zealand.
7
Legislative structure
With such a developing industry — one which in many fields has been a world leader — the
supporting structure must not only be world class, but a leader in its own right. We need air
traffic control services to be at the pinnacle, we need our approach to flight training and
education to be leading the way, and the safety management of our aviation organisations
needs also to be at the forefront. To enable this to happen, our aviation regulatory structure
must be ahead of the field. The regulator has to lead from the front.
There were two primary foundation stones in New Zealand’s aviation development in the
modern era
. The first was the separation of the regulator from operational service
delivery activities.
In other words, the functions of air traffic control and aviation security
were split from the old department and formed into new organisations with these specific
tasks.
8 It has enabled the Airways Corporation to concentrate entirely on its role of air traffic
7 Address presented at the Woman Pilots Association Conference at Queenstown on 10 April 2015
8 This approach is identical to that taken by the Australian government with the establishment of the Civil
Aviation Safety Authority and Airservices Australia in 1995 and following the findings and recommendations

Unit 4 Safety Regulatory Authorities 21
management, allowed it to introduce the world’s most modern and sophisticated air traffic
control, radar, and air navigation systems, and look to new opportunities in terms of satellite
based processes. It has been a success story.
The New Zealand Civil Aviation Authority was established on 10 August 1992. Its objective
was to promote safety at reasonable cost to the nation. Our primary customer is the public
and we are steered by the public’s safety expectations. We provide the safety Rules by which
all aviation organisations operate, apply these standards to organisations entering the
aviation system either through licences or certificates, monitor their ongoing compliance to
those Rules, and if they step out of line take action to either return the organisation to
compliance or remove them from the system. And that’s all we do.
There is no conflict of
interest where the regulator is at times playing an operational role itself.
Safety philosophy
The second huge shift in emphasis was one of safety philosophy. In the past five years the
CAA has overseen the move from state to operator responsibility. That does not mean deregulation but re-regulation. The traditional methods of the regulator shouldering the safety
responsibility of operators through an ever—swelling army of inspectors was inherently
limiting and could not be the foundation for a major improvement in safety. It meant
operators relied on the state to make their business and safety decisions for them. The result
was an incredibly complex tangle of multi-tiered regulations and a distancing of safety
responsibility from those who had the greatest influence on operations — the operators.
There was no improvement in aviation safety. And no improvements were anticipated. The
system was costly but did not deliver benefits that matched that cost.
The system was
reactive and seldom proactive
.
The current CASA safety regulatory philosophy sets out the principles underpinning the way
we perform our functions, exercise our power and engage with the aviation community.
Consistent with CASA’s obligation to comply with the laws governing its regulatory
activities, this statement of regulatory philosophy sets out the principles that guide and direct
CASA’s approach to the performance of its regulatory functions and the exercise of its
regulatory powers.
See:
https://www.casa.gov.au/about-us/who-we-are/our-regulatory-philosophy
The philosophical watershed recognised that safety responsibility was a shared
responsibility
. The regulator’s role is providing sound rules, careful surveillance, and good
information. The operator’s share is to comply, to ensure ongoing compliance. through
appropriate systems and resources, and to promote safety knowledge and improvements
internally. These responsibilities of the CAA and the operator closely interrelate. The
building of the partnership on aviation safety matters has therefore been a major achievement
of the past five years, and strengthening this relationship will remain an important safety
objective for ourselves and industry in the years ahead.
of the Monarch and Seaview inquiries. For an overview of the way in which this legislative restructure was
accomplished see R Bartsch,
Aviation Law in Australia 2nd Edition, op cit, pp17 – 20.
Unit 4 Safety Regulatory Authorities 22
The system relies on what we call the Safety Success Formula. The CAA upholds that very
good legislation and Rules coupled to very high compliance to those Rules and standards,
plus participants having a high understanding of their responsibilities and making well
informed sound judgements, and with all of these supported and constantly improved
through the exchange of accurate information and its analysis, should lead to a world class
safety performance, and a positive contribution to the economy.
This model can be applied to each operator, to each function within an operation, and by
each individual with a safety responsibility. For example, an aviation company has its own
policies and procedures within the Rules framework, it seeks firm adherence to those by its
own people, and it strives to learn, to improve, reach higher personal standards and act
proactively on safety performance data. The outcome has to be enhanced safety
performance, and a positive impact on the operator’s balance sheet.
The drive for safety is ongoing and must be with total determination. As we often say, safety
is no accident — you have to work at it. You have to stay within the limits of your capability,
the capability of your aircraft, and the capability of your organisation. Unless conscious
decisions are made to always stay within those safe limits, both operationally and in
management, there will come a time when a step is taken outside with disaster, and all its
tragic human effects. The systems each operator has in place are there to ensure those limits
are never exceeded.
Safety indicators
There is, of course, a huge challenge embodied in each element of the safety success formula
and a variety of leadership roles must be accepted throughout aviation. So let’s look at the
results of this philosophical change. Since 1992 the number of air transport flights in New
Zealand has grown on average by nine percent a year. In 1994 there were 31 people killed
in air accidents, in 1995 there 25 killed, in 1996 there were 17 and in 1998 there were 19,
although there was a significant drop in the overall number of accidents. This indicates a
huge ongoing safety improvement, however it will be some time before the full weight of
the changes is reflected in the safety outcomes. A significant difference, is that unlike in the
past, we can see ways to improve safety performance and an improvement is not only
expected but demanded.
The public in the years to come will expect even greater safety performance. They and their
lawyers will require everyone, from the airline chairperson down, to fulfil their safety
responsibilities. They have an expectation that they will arrive in one piece. They are right
in placing the onus of that safety on industry participants.
They also have an expectation that someone will ensure on their behalf that all those
responsibilities are being met. The industry is not expected to be responsible in a vacuum —
the public expect the CAA to hold individuals and organisations to account for their
performance.
Systems and risk-based surveillance
In Chapter 4 of the CASA Surveillance Manual describes CASA’s systems and risk-based
approach to surveillance of authorisation holders and the methods for all surveillance event
types which support the continuous performance monitoring process. The objective of this

Unit 4 Safety Regulatory Authorities 23
chapter is to ensure standardised, efficient and consistent monitoring of all authorisation
holders and the introduction of this manual is extracted below..
Systems and risk-based surveillance seeks to assess an authorisation holder’s management
system and its ability to identify and keep operational risks as low as reasonably practicable
while ensuring compliance with Australian aviation legislation is maintained. Risk-based
surveillance adopts a structured process and is used by CASA in its oversight of authorisation
holders and prioritisation of its surveillance activities based on authorisation holders’ risk
profiles. It focuses on an authorisation holder’s effectiveness in managing its systems risks
and enables targeted surveillance of high-risk areas of an authorisation holder’s systems.
Safety-related processes are assessed to determine if they are functioning in accordance with
the authorisation holder’s documented systems and any applicable civil aviation legislation.
The systems and risk-based surveillance approach focuses authorisation holder’s attention
on its safety obligations by providing a visible and understandable analysis and evaluation
of the authorisation holder’s systems and the safety risks that exist in these systems with
specific emphasis on safety outcomes.
Outcome-based legislation
The challenge for all of us in the coming five years will be to build on our foundation, and
fulfil those responsibilities. Let’s look at how the CAA will lead from the front, and how
New Zealand industry will meet those challenges.
First, April 1 1997 saw the introduction of the bulk of the
new operational Rules. That was
a notable milestone but not the journey’s end. Any quality management system embodies
continual review and improvement, and we are already embarked on fine tuning where it is
seen as beneficial. A still greater challenge for the CAA and industry is the successful
implementation of those Rules and the recertification of industry. Only then will we see the
full weight of the improvements that the philosophical changes were expected to bring about.
The best Rules are useless unless they are followed. Over the next five years the CAA and
industry will be working towards an increasing level of compliance with the Rules, and
conformance with organisational processes. The CAA will not be whirling a great stick. The
CAA does rigorously apply the enforcement tool where necessary, but it is the last tool we
reach for from our regulatory tool box. Voluntary compliance through understanding and
persuasion is far more common, and more powerful in the long term.
Information is at the heart of aviation safety. We have to encourage, for example, a high
level of understanding by every participant in aviation of their responsibilities, and the CAA
brings to operators at all levels as much information as possible in the form of seminars,
workshops, and face to face discussions. We provide a wide range of safety educational
material, and we even ensure that we have all the Rules and a vast amount of other material
free of charge on our CAA webpage.
9
The CAA also requires all operators at all levels to provide us with information on their
aircraft utilisation, and on any occurrences of any kind. It’s not enough to get the details of
your latest accident. We need to know all about that near accident, that concern, that
9 www.caa.govt.nz.
Unit 4 Safety Regulatory Authorities 24
breakage, that fault your engineers found. Coupled to our safety audits, this information
allows the CAA to take steps to avert tragedy long before it arrives. The CAA uses the
world’s most advanced computerised safety analytical tools for this purpose.
We are developing systems for electronic data exchange with industry participants.
Information exchange and feedback is the basis for sound safety analysis and action and this
should be done by all operators and not just by the regulator. The management systems we
require of all operators includes the identification of incidents and risk, and the identification
and tracking of corrective actions.
This leads every operator towards a personalised safety plan, where troubles are translated
into extra training or revised procedures long before there is an accident. A key element of
this is the adoption of the safety responsibility by chief executives. The CAA has held
seminars for that top level of industry, and plans to provide further educational opportunities
to ensure that all parties have the same understanding of the responsibilities, how they should
be fulfilled, and the effects if they are not upheld.
The CAA has its own, much broader, safety plan. We analyse trends and set safety targets.
We confront problem areas with safety programmes which can include educational seminars
right through to focused surveillance. These efforts have so far been so successful that the
safety targets we set in 1995 for each industry sector to achieve by the year 2000 were
matched or exceeded in the majority of cases. We are now focusing on building on that
improvement, and on bringing the other two or three sectors into line.
Aviation is a global phenomenon, but there is a difficulty in some cases of international
standards keeping pace with the technological developments. A case in point is the use of
satellite technology for communication, navigation and air traffic management. While New
Zealand is at the forefront of these developments, and the CAA is playing its part to the full,
there is increasing divergence in rates of progress around the world.
International regulatory methods and standards are also up for debate. Membership of the
International Civil Aviation Organisation, ICAO, does not guarantee the safety quality of a
nation’s regulatory agency and carriers. The CAA is seen as a world leader in aviation safety
regulation and is often approached by agencies overseas for advice — we even get the
Australians here. We will be involved closely in the international forums overcoming
international aviation problems, particularly in the South Pacific and Asia.
We now have an unparalleled opportunity to make further significant advances in all aspects
of our business and contribution to the community, and to enhance our partnership with all
sectors of aviation. By striving to achieve each of those elements the CAA will move closer
to its ambitious safety goals without imposing undue bureaucratic or economic burdens. In
constantly seeking to improve ourselves we are doing exactly what we ask of industry. For
industry to follow that example, we have to lead from the front.

Unit 4 Safety Regulatory Authorities 25
The task of enforcement
For there to be an effective aviation safety regulator there must be a sound basis of sanctions
and enforcement strategies to provide a deterrent against organisations or individuals that
refuse to comply or blatantly defy the regulatory system. Many regulatory authorities have
come under attack from the industry for adopting a ‘heavy handed’ approach to the task of
enforcement of safety regimes and security programs. The following extract highlights some
criticism levelled at the Federal Aviation Administration.
10
Senate Commerce Committee Chairman John McCain said he is “very
concerned that once again the FAA has fallen short by not fully utilising its
capabilities to help determine potential aviation safety and security problems.”
McCain was commenting on a General Accounting Office report that he and
aviation subcommittee Chairman Slade Gorton requested. FAA said
the
“ultimate test” of its oversight system is “not a measure of how many
citations are written or how many fines are levied, but the safety of the
entire aviation system.”
GAO reported that FAA inspectors are under
reporting safety and security violations, and that FAA’s reporting system fails
to distinguish between major and minor violations. McCain said the “impact of
the FAA’s enforcement actions on compliance is difficult to assess because
the agency has not followed up on the aviation industry’s implementation of
corrective actions.” FAA said it levied $1.8 million in fines in the first quarter of
1998 and it
“will not hesitate to issue fines when necessary or ground
carriers who flout the regulations.” FAA said it is “more concerned with
ensuring that carriers comply with the rules,
and the GAO itself reported
that 96% of FAA safety inspectors believe their work keeps carriers complying
with the rules, and 93% of security inspectors considered the security-related
efforts successful.”
With regard to safety, it is important to be proactive, rather than waiting for incidents and
then reacting in a band-aid fashion. To this end, periodic safety audits can identify
weaknesses in the system. The philosophy of blame and punishment is divisive and creates
sub-group defensiveness. An integrated approach uses system-wide investigation and
remediation aimed at upholding a shared value, that is, system wide safety. To that end, the
organisation needs to encourage and reward vigilance and inquiry from all its members. This
view,
11 that of seeking to mend the system rather than killing the messenger, is consistent
with CASA’s approach to enforcement and which is at present the subject of review.
On the other hand, if something goes wrong or if the public perceives a deterioration in safety
standards then the regulatory authority is the first line of attack. This was the approach of
the Australian public after the
Monarch and Seaview accidents. The problem with
enforcement seems to be more one of degree than of substance.
10 Aviation Daily, 31 March1998, The McGraw-Hill Companies, Inc.
11 Meshkati, “Cultural context of the Safety Culture: A conceptual model and experimental study”, Presented
at International Topical meeting,
Safety Culture in Nuclear Installations, Vienna, April 1995.
Unit 4 Safety Regulatory Authorities 26
The problem is more one of enforcement — the CAA has been criticised for
being too lenient. It should not be wrong to display flexibility
.”
The Australian12
Sometimes, however, the regulatory authorities are criticised for just being regulatory
authorities. A case of “dammed if they do, dammed if they don’t.” But then there are other
times . . .
CASA’s failure to accept responsibility for
Lockhart River destroys its credibility
4 April 2007
This morning I was prepared to give the Minister and CASA the opportunity to respond to the
ATSB report in a meaningful way to restore industry and community confidence in the way
aviation safety is managed in Australia.
Bruce Byron’s statement that
“I am unable to accept the conclusion in the Australian Transport
Safety Bureau report that Civil Aviation Safety Authority contributed to factors that caused the
accident”
flies in the face of the evidence and the conclusions of the responsible investigatory
authority.
In early 2010 two years after an investigation into the blatant abuse of voluntary disclosure
by the US Federal Aviation Administration and Southwest Airlines, the FAA has ushered in
a philosophy change to dissolve any notion that airlines are the agency’s customers. The
following
Managing Risks in Aviation provides a good insight into the regulatory structure.
http://flightsafety.org/asw/nov08/asw_nov08_p10-14.pdf
The following provides a link to CASA’s Enforcement Manual.
https://www.casa.gov.au/manuals-and-forms/standard-page/enforcementmanual
12 From an article “The CAA and Air Safety” in The Australian, 12 October 1994, extracted in Aviation Law
in Australia,
op cit, p173.
Unit 4 Safety Regulatory Authorities 27
Conclusion
In this unit, Safety Regulatory Authorities, you have been introduced to the traditionally role
of regulatory authorities in terms of the inspection of end products of the aviation system.
We saw that the new approach throughout the world is to adopt a more proactive stance and
to look at the entire aviation systems.
This unit also reviewed CASA’s mission of “maintain, enhance and promote the safety of
civil aviation in the interests of the Australian public”. It was seen that this objective will
encourage a greater compliance by industry of its obligations to maintain high safety
standards. CASA, in line with world best practice, will seek to support, encourage and
reward those organisations that demonstrate a propensity to achieve this objective.
The section Regulatory framework looked at the framework and infrastructure of the safety
regulatory authority. The appropriateness of the safety authority’s framework and structure
depends on its legal basis. The regulatory structure of CASA was examined and the object
and purpose of the legislation explained.
The final section of this unit considered the task of enforcement. In was shown that in the
past many regulatory authorities had come under attack from the industry for adopting a
‘heavy handed’ approach to this task. This section looked at some enlightening approaches
to the task of enforcement in light of CASA’s decision to review its policy in this area.
______________________________