On the surface, it may seem that the absence of accidents and incidents indicates that your flight department is performing well. But even if all seems to be running smoothly, you may wonder just how “safe” the operation truly is. There’s good reason to question it, too, and here’s why.
For a long time, the aviation industry defined safety as “the absence of accidents or incidents.” This way of thinking is generally referred to as "Safety-I” (pronounced “safety one”). In other words, when bad things happen, we try to figure out what caused them so that we can help prevent them from happening again.
But the drawback with this philosophy is that in order to fix a problem, something bad must first happen. And as for safety managers, that cannot be an acceptable way of doing business.
Fortunately, as aviation safety science has matured, experts have realized that the absence of accidents and incidents does not guarantee safety. After all, an organization can be teetering at the edge of a catastrophe, but it never manifested thanks to quick, just-in-time saves by frontline employees or other built-in safety barriers.
So the question is, as safety managers, how do we learn from accidents and incidents that almost - but never - happened?
Enter “Safety-II” (pronounced “safety two”). The core concept is that safety management shifts from ensuring "as few things go wrong” to "as many things go right." This radically different approach proactively prevents incidents, accidents, and mishaps but tends to be more under-practiced.
Adopting a Safety-II mindset might come naturally to you and your flight department. But if it doesn't, don't worry! The intent is not to replace Safety-I with Safety-II but to have them as partners. We can keep doing safety the way we always have, but with a few tweaks.
Traditionally, a safety department may seem like a "cleanup crew." After an incident, accident, or minor mishap, they swoop in and begin damage control. They perform the function of a detective by finding answers to what happened, why it happened, and how to stop it from happening again. After that, they go back into hibernation until the subsequent failure.
But this reactive (Safety-I) approach to aviation safety is neither sustainable nor effective on its own. Instead, a proactive (Safety-II) approach that continuously studies the organization’s operation can yield useful information.
After all, if 9,999 out of 10,000 events go well, why should we only focus on the one negative event if the underlying causes were present during thousands of successful events? That would be like investigating what makes a happy marriage by only analyzing divorces. Instead, we should also be focussing on the everyday events, the ones we take for granted.
Without even considering the incidents and accidents, there is a minefield of data out there that can help nourish our safety programs. And under Safety-II, the goals of the safety department are not only to understand why things go wrong but also to explain how things usually go right.
Under Safety-II, the role of Safety Management is to anticipate developments and events. But aviation is a highly complex system, and putting this into practice can take a lot of work. Therefore, it will vary from one organization to another and is deserving of a blog of its own.
However, some things you can start doing today to become Safety-II minded are:
1. Embrace the ordinary
You do not have to wait for something terrible to happen to understand the issues that might lurk in the background. Look at what goes right, as well as what goes wrong. Learn from what succeeds and what fails. The goal is to understand what happens in situations where nothing out of the ordinary seems to happen.
You can gather data like this by gathering workforce insights, having an open-door policy to concerns, involving the frontlines in decision-making for policies and procedures, or conducting an anonymous culture survey.
2. Track Safety Barriers
Quantifying safety is an ever-elusive task and using the absence of accidents and incidents is a flawed approach. So we must look at what is actually doing the heavy-lifting in preventing accidents.
Safety barriers are things that have interceded to prevent an accident, incident, or occurrence. They can be anything from a terrain advisory by the onboard systems, a crew intervention, or an audit. Tracking these is of paramount importance if we are to understand how safe our flight department is.
The Accident Prevention Effort (APE) is one successful method for approaching this. Every hazard controlled or eliminated and each safety program implemented (i.e., FOQA, ASAP, safety newsletters) are used to calculate an organization’s APE [6]. For instance, an organization’s total APE can be defined by its ability to identify when safety barriers have been implemented and track their effectiveness over time.
VOCUS by Polaris Aero’s Safety Management Systems (SMS) technology includes systems that take data from safety reports, FOQA, audits, etc., allowing safety managers to identify activated barriers quickly and log and track these barriers.
3. Small Frequent Events Matter
Usually, the everyday events that frequently occur without mishaps get overlooked. Such as filing a flight plan, completing a walk-around, or a handover. After all, if they go well every day, why do we need to monitor them? On the other hand, Safety-II proposes that we spend time focusing on events based on their frequency and, most importantly, their success.
Is your team exceptional at getting the planes out on schedule? Think, why does this go well every flight? Is it training, practice, work ethic/morale, or are personnel doing any workarounds drifting closer and closer to failure?
The idea is that those minor adjustments here can dampen potentially harmful future events or prevent things from snowballing.
4. Remain open to the possibility of failure
While we often strive for perfection in aviation, no system, nor procedure we create, is perfect. While our pride might tell us otherwise, it's essential to be open to where the potential flaws lie or how certain situations are more vulnerable to mishaps.
Many adverse outcomes stem from an accumulation of short-cuts combined with inadequate supervision and hazard identification [1]. Being sensitive about what happens and how it might fail is essential for the practice of Safety-II.
5. Reframe investments in safety
Developing and implementing safety precautions requires time, resources, and money. Often, we don’t know what we have been spared from happening since we cannot prove that the safety precautions are or were the reason why an accident did not occur. And since we cannot say when an accident is likely to happen, there is a tendency to reduce the investment. This is something that is typically seen in hard times.
Under Safety-II, an investment in safety is seen as an investment in productivity because the definition - and purpose - of Safety-II is to make as many things go right as possible.
But that does not mean to say we should abandon Safety-I altogether. A marriage of Safety-I and Safety-II are key to creating a resilience organization.
Resilience engineering: “The intrinsic ability of a system to adjust its functioning prior to, during, or following changes and disturbances, so that it can sustain required operations under both expected and unexpected conditions.” – Erik Hollnagel [4].
You may have heard the term "resilience engineering" and either taken an interest in it or passed it off as academic jargon. In a nutshell, resilience engineering is a technical way of saying, "I want to craft a safety program so robust that my organization can weather anything.” The goal of resilience engineering is to proactively manage safety by integrating Safety-I and Safety-II together [6].
If aviation has taught us anything, accidents will occur eventually, and they will often happen in a wholly unpredictable or novel way (cue discussions about “The Miracle on the Hudson”). Simply put, reality operates beyond the peripheries of what we train and prepare for.
But resilience engineering is not about daydreaming about all possible ways the operation can fail and making more and more rules (eventually, we would completely halt all operations). Instead, we should embrace our adaptability to become "resilient.” Most of the time, this can involve looking at the most significant component in the system - the human players.
Although the real world offers us challenges and variety, frontline employees continue to adapt to manage unforeseen situations, and our daily triumphs are key to preventing future failures.
The lesson here is that appreciating the human’s role in averting crises and excelling each day is fundamental to learning.
Another common belief in the field of resilience engineering is that blaming incidents on “human error” is counterproductive, as Sydney Dekker explains so eloquently in “The Field Guide To Understanding Human Error.” "Human error as an explanation for accidents has become increasingly unsatisfying. As mentioned earlier, there is always an organizational world that lays the groundwork for the "errors" and an operational one that allows them to spin into larger trouble." [7]
“Before you can engineer resilience, you must engineer the conditions in which it is possible to engineer resilience.” – Rein Henrichs.
Hollangel - the grandfather of Safety-II - provides us with four basic potentials for resilient performance, which will help us on the road to becoming more proactive and productive in safety.
“The potential to respond. Knowing what to do or being able to respond to regular and irregular changes, disturbances, and opportunities by activating prepared actions or by adjusting the current mode of functioning.
The potential to monitor. Knowing what to look for or being able to monitor that which is or could seriously affect the system’s performance in the near term – positively or negatively. The monitoring must cover the system’s own performance as well as what happens in the environment.
The potential to learn. Knowing what has happened, or being able to learn from experience, in particular, to learn the right lessons from the right experience.
The potential to anticipate. Knowing what to expect, or being able to anticipate developments further into the future, such as possible disruptions, novel demands or constraints, new opportunities, or changing operating conditions.” [5]
Hollnagel states that these four potentials are not independent of each other. For example, the potential to respond can benefit from, and perhaps even requires, the potential to monitor, and so forth.
The shift in perspective from Safety I to Safety II may be challenging to digest. Psychologically we are also hardwired towards negativity and naturally attracted to Safety-I. Why? Because to make sense of the world, our minds tend to:
“Pay more attention to adverse events than positive ones.
Learn more from adverse outcomes and experiences.
Make decisions and draw conclusions based on negative rather than positive information” [3].
Safety-II can undoubtedly be regarded as a more positivist version of safety management than what has been traditionally practiced. Safety-II provides useful concepts and methods for proactive safety management. However, we do not abandon the concepts behind Safety-I. Safety-I methods still need to be appropriately used when adverse events have, unfortunately but inevitably, occurred in order to make our organizations more resilient.