makers set the standards with which the regulatory requirements must be met.  These requirements may be for procedures to return an aircraft to service or for initiating ground deicing operations.  In these instances, the air carrier should apply this or a similar concept to ensure the policies and procedures it develops take into account its unique and rapidly changing environment.


Safety and Quality.

(1) Safety is typically defined on the basis of counting or classifying events where injuries or damage occur.  So defined, safety cannot be managed directly because the defining events are outcomes, rather than manageable processes.  The key to safety lies in management of the quality of safety-critical processes.  ATOS recognizes that this is a primary responsibility of an air carrier in meeting its statutory obligations.  To evaluate air carrier operating system design (i.e., verification) and performance (i.e., validation), ATOS employs six safety attributes.  The six attributes are:

Procedures—documented methods to accomplish a process.

Controls—checks and restraints designed into a process to ensure a desired result.

Process measures—used to validate a process and identify problems or potential problems in order to correct them.

Interfaces—interactions between processes that must be managed in order to ensure desired outcomes.

Responsibility—a clearly identifiable, qualified, and knowledgeable person who is accountable for the quality of a process.

Authority—a clearly identifiable, qualified, and knowledgeable person who has the authority to set up and change a process.

(2) The FAA developed these attributes in consultation with system engineering and safety experts.  The attributes provide a structure to the tools FAA inspectors use in conjunction with standardized processes for (1) initial certification of an air carrier, (2) approval or acceptance of an air carrier’s operating systems when required to do so by the regulations, and (3) validation of an air carrier’s operating systems for the purpose of continuing operational safety.


Focus on an Air Carrier’s Organization and Processes.  The traditional approach of issuing certificates, monitoring compliance, investigating non-compliance and administering sanctions for non-compliance does not, in and of itself, address process deficiencies that underlie unsafe situations.  FAA oversight must also focus on an air carrier’s organization and process management rather than on isolated vignettes of individual situations.  This does not mean that FAA ignores individual situations, but rather that it interprets them as potentially symptomatic of organizational issues.  Outputs and outcomes are still monitored, but the emphasis is on maintaining a safe process or correcting it when desired outcomes are not achieved.  Assessments of process design and performance cannot be mere tabulations of anecdotal observations of deficiencies, but must address the quality of the process, and must be based upon objective evidence of adequacy that is representative of the process.  The absence of negative observations cannot be regarded as a substitute for assertive evidence that the process is working as intended.  Surveillance must supply objective evidence of both the adequacy and inadequacy of processes.  


Open System Perspective.  ATOS takes an open system perspective.  An open system responds to feedback from its specific environment.  A successful open system adapts itself to the needs of the environment and the resources in it.  If the environment is complex and dynamic, such as today’s aviation environment, an air carrier’s organization and systems must continually change to remain safe.  Most hazards result from conditions that exist in an air carrier’s operational environment.  It is incumbent upon an air carrier to provide defenses against these hazards and to incorporate these defenses into its systems.  Before being issued an operating certificate, an air carrier must demonstrate that it is capable of controlling known hazards and associated risks in its operating environment.  However, hazards and risks are likely to change over time.  An air carrier must continually adapt to these changes.  Systems previously approved or accepted by the FAA that no longer relate to current environmental conditions must be re-evaluated.  Surveillance tools should provide information on current environmental risks and on the organization’s efforts to control them.

Vol. 1
