Organizational Safety Risk Analysis in Aviation Industry; An STPA-Based Framework
Dehghan Nejad A*
Faculty of Health, Safety and Environment, Shahid Beheshti University of Medical Science, Iran
Submission: January 09, 2018; Published: April 26, 2018
*Corresponding author: Ahmad Dehghan Nejad, Faculty of Health, Safety and Environment, Department of Safety Engineering, Shahid Beheshti University of Medical Science (SBMU), Tehran, Iran, Email: [email protected]
How to cite this article: Dehghan Nejad A. Organizational Safety Risk Analysis in Aviation Industry; An STPA-Based Framework. Civil Eng Res J. 2018; 4(3): 555640. DOI: 10.19080/CERJ.2018.04.555640
Recent ICAO manuals for both the State Safety Programme (SSP) and the Safety Management System (SMS) explicitly concentrate on the organizational roots of accidents. The Safety Risk Management (SRM) system, as the core component of both SSP and SMS, is consequently expected to manage organizational safety risk. In view of that, this paper presents a new risk analysis framework that can be applied as the analyzing logic of a formal SRM, especially at the starting point of the risk management process. For this reason, the framework is founded on System Theoretic Process Analysis (STPA) to cope with the sociotechnical nature of aviation organizations. To apply STPA as the base of the framework, a customized "Feedback Control Loop" is applied to model organizational control mechanisms and extract their hidden hazards. Furthermore, an innovative concept and procedure are introduced for "Hazard Activation Likelihood" estimation and "Hazard Consequences" analysis.
Based on Annex 19 of the Convention on International Civil Aviation, each State shall establish an SSP for the management of safety in the State, in order to achieve an acceptable level of safety performance in civil aviation. Each State shall also require all service providers to implement and maintain an SMS. Since Safety Risk Management is an important component of both SSP and SMS, not only States but also all aviation service providers must implement an appropriate safety risk management system to support their decision-making process. Clearly, the aim of the SMS (and SSP) Safety Risk Management process is to identify and handle all significant influences that may impact aviation safety, when determining contributing factors for the analysis of the consequences of a hazard and deciding on risk mitigation measures.
On the other hand, the pivotal concept of SMS and, consequently, of the Safety Risk Management system is the concentration on the organizational roots of safety hazards and accidents. In fact, in contrast to the conventional safety approach, which centers on the technical aspect of the system, the SMS shifts the focus to organizational aspects. This shift of focus is appropriate because many studies have proven that management shortcomings and organizational aspects are major factors in the occurrence of accidents in complex systems such as the aviation industry [2-4].
Based on the main concept of SMS, which is rooted in epidemiological accident models, an accident's initiating mechanisms do not derive from technical components; rather, they originate in organisational and cultural mechanisms, especially the decision-making processes. All aviation service providers thus must tackle these issues through an appropriate Risk Management system that is equipped with proper techniques to grasp and handle this kind of safety risk.
The main problem is that the safety risks of aviation organizations, as complex and sociotechnical systems, cannot be extracted by Conventional Risk Analysis Models alone (like FMEA, FTA, and other reliability-based approaches); this holds especially for their complex organizational-based risks. In fact, traditional safety analysis tools, which were developed for purely technical systems, are not able to cope with the complexity of sociotechnical systems. Aviation organizations thus should apply a systemic approach, as recommended by ICAO Doc. 9859, to address their safety issues.
According to the above, the main objective of this paper is to propose an organizational-based systemic risk analysis approach, as the central part of the Risk Management System, in order to prepare an appropriate framework for initiating the Safety Risk Management process in aviation organizations.
Accordingly, a clear procedure for organizational hazard identification, as well as a clear logic for hazard probability/severity analysis, is presented in this paper in the following order: at first, the main concepts of Safety Risk Management are reviewed. Then, the principles of STAMP and STPA (as the base models for the presented framework) are explained. After that, our specific organizational risk analysis framework is described. Afterward, the practicality of the framework is demonstrated by a case study, and finally, the summary and discussion parts are presented.
The field of risk management is faced with difficulties in defining and agreeing on principles. Risks are dealt with differently across different countries, industries, and sectors. Although terms, definitions, and interpretations are as varied as the number of sources providing them, we base our work on this definition: the Safety Risk Management system is the overall integrated process consisting of two essential interrelated and overlapping, but conceptually distinct, components: Risk Assessment and Risk Management.
Mullai summarizes the fundamental parts of this definition as follows:
"Risk assessment" combines both Risk Analysis and Risk Evaluation, providing practically useful and logically structured inputs and perspectives about risks for "Risk Management" (the decision-making process, development of policies, strategies, and measures).
"Risk analysis" is a scientific process in which, by applying a wide range of methods, techniques and tools, risks are identified, estimated, and presented in qualitative and/or quantitative terms. "Risk evaluation" is the process of comparing estimated risks with established risk evaluation criteria (e.g. criteria based on the best available technology, legal requirements, practices, processes, or achievements) in order to determine the level or significance of risks and provide recommendations for the decision-makers at various levels.
Based on the main purpose of this paper, our work is limited to the "Risk Analysis" part of the risk management system, which includes Hazard Identification and Risk Estimation. The "Risk Estimation" component itself comprises Likelihood Estimation, Consequence Analysis, and Risk Presentation (presenting estimated risks in a specific format such as a number, index, color, etc.).
Traditional models of hazard identification, which are summarized as chain-of-failure-event models, are largely unable to handle organizational factors, managerial (social and cultural) roots, and the systemic causes of sociotechnical accidents. In contrast, the systemic approach to technical and organizational safety, which was developed by a group of researchers including Rasmussen, Woods, Dekker, Leveson, and Hollnagel, most of whom come from system engineering and human factors backgrounds, is able to tackle the safety issues of complex sociotechnical systems appropriately [2,8].
The systemic view of safety, and its related techniques, considers an accident as the consequence of deficiencies in the Hierarchical Safety Control Structure, and therefore tries to analyze the root causes of gradual deficiencies within the hierarchical control structures by applying holistic and systemic approaches. Related studies have shown that systemic approaches can be effective tools to model organizational interaction and analyze accident causation within a system's hierarchical control structures.
While several researchers have proposed systems approaches to safety, Leveson's STAMP (Systems-Theoretic Accident Modeling and Processes) approach is outstanding among them and provides a comprehensive view of the organizational aspects of safety.
Systems-theoretic accident modelling and processes (STAMP): STAMP was created to capture more types of accident causal factors, including social and organizational structures, new kinds of human error, design and requirements flaws, and dysfunctional interactions among non-failed components. Rather than treating safety as a failure problem or simplifying accidents to a linear chain of events, STAMP treats safety as a hierarchical control problem in which accidents arise from complex dynamic processes that may operate concurrently and interact to create unsafe situations.
STAMP takes into account all facets relating the social to the technical aspects and, like the general systems approach to engineering, focuses on the system as a whole, not on the parts or components individually. It assumes that some properties of systems can be treated adequately only in their entirety. These "system properties" derive from the relationships between the parts of systems: how the parts interact and fit together. Concentrating on the analysis and design of the whole, as distinct from the components or parts, gives STAMP an important advantage in studying the safety of complex systems.
STAMP considers systems as interrelated components that are kept in a state of dynamic equilibrium by feedback loops of information and control. According to this model, an accident (a systemic accident) can be the result of the dysfunctional performance of an adaptive feedback control loop; the controls may be managerial, organizational, physical, operational, or manufacturing-related. In this view, accidents can be characterized as resulting from an adaptive feedback function that fails to maintain safety as performance changes over time to meet a complex and changing set of goals and values.
STAMP's practicality has been demonstrated by applying it to a number of real and complex systems, including a risk analysis of the organizational structure of the Space Shuttle program after the Columbia loss; tradeoffs among safety, budget, schedule, and performance risks in the new NASA space exploration mission organization; unmanned spacecraft design; a safety assessment of the new U.S. missile defense system; safety in the pharmaceutical industry; safety of outpatient surgery at Boston's Beth Israel Deaconess Hospital; and many other recent studies.
System theoretic process analysis (STPA): Leveson restated that STAMP considers a set of new causal factors for accidents that none of the former risk analysis methods can analyze. She consequently developed the STPA method in order to make it possible to consider all of an accident's important aspects and features in the process of hazard analysis. Experience indicates that Leveson has taken the right path, as researchers acknowledge that STPA is significantly more powerful than failure-based techniques in its ability to capture a wider array of hazardous behaviors, including organizational aspects, requirements flaws, design errors, complex human behavior, and component failures.
In line with STAMP logic, STPA considers an accident as the result of inadequate control. In fact, STPA accepts that a set of control components and particular interactions have evolved in, or been embedded in, the system as a hierarchical safety control structure; these components and their interrelation mechanisms, in the form of feedback control loops, continually monitor and constrain the system's behavior by means of Control Actions in order to control its dynamics. Under these conditions, accidents occur if a specific control mechanism for restricting a particular hazardous system behavior does not exist, or if the existing control mechanism is unable to enforce an expected Control Action.
Basically, STPA concentrates on high-level risks and system's safety constraints to:
o Perform responsibility gap analysis by assessing control components responsibilities and analyzing the probable gap;
o Recognize systemic hazardous behaviors by identifying unsafe Control Actions;
o Accommodate high-level safety constraints into lower levels to control hazardous behaviors; and propose new control mechanisms for enforcement of the new constraints if needed.
o Identify root causes of system's hazardous behavior by analyzing the components of Feedback Control Loop to correct the loops' mechanism.
Although STPA is relatively new compared to traditional methods, it has been demonstrated successfully on a wide range of systems including aviation, spacecraft, missile defense systems, aviation maintenance, civil infrastructure, and others.
Additionally, while STPA is a hazard analysis technique developed for the analysis and design of system safety architectures, its basis in control theory and system engineering lends itself to application to social and non-safety-related control and early risk management. Some of the most important examples of this extension include cyber security, business systems and financial operations, and the impact of political systems on failures of public infrastructure.
Although the presented risk analysis framework mainly stands on the principles of STPA, this method in its original form is not applicable for initiating a formal risk management process in aviation organizations. This is firstly because the hazard identification process of STPA is fairly complex, detailed, and comprehensive; therefore, it is not appropriate for initiating a formal risk analysis process.
Secondly, and most importantly, because of the lack of a "Risk Estimation Procedure", organizations are not able to use STPA as their formal Risk Analysis Framework, particularly at the initiating phase. In fact, although STPA, and other STAMP-based methods, have had invaluable achievements in revealing the hidden causes of catastrophic accidents in complex sociotechnical systems, they do not propose a procedure to estimate the risk of the identified hazards. These models, therefore, are not applicable as a formal risk analysis framework.
Certainly, the reluctance toward developing a risk estimation procedure, specifically the quantification of probability and severity, in STAMP-based methods derives from both the essence of complex systems and the superior awareness of the models' architects of the effect of system complexity on cause-effect modeling. In fact, while modeling the cause-and-effect chains between the initiating mechanism and the final consequence is the prerequisite step of risk quantification, anticipating and modeling the interrelations between a system's components, as well as the relation between system behavior (as a consequence) and the performance of its components, is impossible in a complex sociotechnical system. In truth, after finding a specific hazardous performance of a system component, it is impossible to trace all chains of events that may start from that specific hazardous performance and end in a probable accident scenario. As a result, probability estimation is impossible. On the other hand, since the specific consequence of the hazardous performance of a system component is not clear, the severity of the associated consequence is not estimable either.
Nevertheless, if there were enough historical data to establish a relation between the "presence of specific hazards" and the "occurrence of a particular mishap", risk estimation would be applicable even without modeling the cause-effect relations. Enough pertinent data, however, is not available in such complex systems, especially for organizational malfunction mechanisms.
Some researchers have shown that there is very little scientific data validating probabilistic risk assessment or evaluating the methods for calculating it, particularly for complex engineered systems [7,27,28]. Accordingly, there have been some studies comparing probabilistic risk assessments performed by different groups on the same system, where the results indicated large differences in the frequencies calculated for the event [27,29]. In this regard, Leveson mentioned that many major, well-known accidents have occurred in systems where the probability of an accident was previously calculated to be 10^-9 or less, including Chernobyl, Fukushima, Texas City, Deepwater Horizon, the Therac-25, Challenger, and Columbia, to name but a few. Follensbee also cites five large transport aircraft accidents and one near accident where the calculated probabilities were 10^-9 or less.
Still, Leveson is developing a new, innovative solution to overcome the problem of "likelihood" in her remarkable hazard analysis approach. Her solution is based on "Leading Indicators" that can be identified from the assumptions underlying safety engineering practices and from the vulnerability of those assumptions, rather than from the likelihood of loss events. In fact, instead of trying to predict the likelihood that an event will occur or an assumption will fail, the similar but different concept of vulnerability can be used. Vulnerability in the world of assumption-based planning involves assessing whether an assumption could plausibly fail during the lifetime of the system, not the specific probability of that happening.
The difference is that instead of trying to assign a numerical likelihood estimate or one of a set of poorly defined categories, only two categories, possible and impossible, are used. That is, if the likelihood is not zero, then the assumption needs to be considered for inclusion in the leading indicators program.
Despite the solution that is being developed by Leveson, we still need a clear "Risk Estimation Procedure" to make it feasible to apply STPA, and its superior hazard identification logic, to organizational risk analysis, even if the estimated risks are not mathematically meaningful and accurate. In fact, when we focus on Organizational Dysfunctional Mechanisms as the hazards, the exact estimation of failure probability is of no use. Instead, we just need a clear Prioritizing Logic to steer the corrective action plan in the right direction. So we believe that a proper Risk Estimation Procedure can still be combined with STPA without trapping us in the obstacles and problems of probability estimation.
Accordingly, a desirable STPA-based organizational risk analysis framework for aviation safety management, which is able to extract the target hazards and prioritize the corrective actions, must be made of the following parts:
o A framework to model the system's organizational safety control loops (as the initial step of the Hazard Identification Process)
o A clear procedure to extract significant organizational hazards (as the main step of the Hazard Identification Process)
o A framework to estimate Likelihood and Consequence of the hazards; and
o A proper guideline for advanced analysis
In the following, these necessary parts are described in order to make a relatively simple and clear framework for an STPA-based organizational risk analysis procedure.
Safety control loops; the roots of the hazards: Based on the main concept of STAMP and STPA, accidents occur if the Safety Control Structure, which is made of a series of inter-connected feedback control loops, is unable to control the system behavior. In fact, deficiency of the feedback control loops is the main cause of a system's uncontrolled behaviors. As an important consequence, Safety Feedback Control Loops are the "source" of the hazards.
When we add the pivotal concepts of SMS to the previous argument, Deficient Safety-Related Organizational Mechanisms are the hidden hazards that we should extract in order to control the system's risk. As the bottom line, when we run the STPA-based organizational risk analysis procedure, the hazard identification step should focus on the deficiencies of the safety-related organizational mechanisms that are active within the Safety Feedback Control Loops.
In the following, the concept of Feedback Control Loop, as the source of hazards, is reviewed.
Feedback control loop and process model: Based on control theory, the following four conditions are required in order for a control component to control a process:
o Goal Condition: The controller must have a goal or goals.
o Action Condition (or controllability condition): The controller must be able to affect the state of the system. In engineering, Control Actions are implemented by actuators.
o Model Condition: The controller must be (or contain) a model of the system.
o Observability Condition: The controller must be able to ascertain the state of the system. In engineering terminology, observation of the state of the system is provided by sensors.
These conditions are the requirements of the fundamental loop in control theory, which has been named the "Feedback Control Loop". In control theory, open systems are viewed as interrelated components that are kept in a state of dynamic equilibrium by feedback loops of information (communication) and control mechanisms. These loops also have a paramount position in the STAMP and STPA methods, as models based on control theory, because STAMP and STPA consider accidents as control problems.
Figure 1 displays a typical technical control loop. The controller obtains information about (observes) the process state from measured variables (feedback) and uses this information to initiate action by manipulating controlled variables, so as to keep the process operating within predefined limits or setpoints (the goal) despite disturbances to the process.
In this loop, Process Models have a significant role, because automated (or human) controllers must be able to simulate the process under control in their logic (or mind) in order to enforce the Control Action that keeps the process operating within predefined limits. Every controller, in fact, must contain a model of the processes that are being controlled. Accidents happen when the controller's Process Model does not match the system that is being controlled and, consequently, the controller issues inappropriate commands. Figure 2 shows a general control loop.
Organizational components need the same tools to do their control duties; however, the type of the loop's components and variables may be somewhat different. For example, organizational variables and goals are not as clear as technical variables. Furthermore, the feedback and actuator channels in organizational control loops take the form of forms, formal requests, or reports, instead of the signals or other technical means that are usually used in technical loops.
Moreover, the Control Processes in organizational control loops are not mathematical functions or logical algorithms. Actually, the control processes of organizational loops are mostly a form of ill-defined decision-making model that exists in the decision makers' minds, i.e. the persons engaged in decision making at the different levels of the organizational hierarchy. They may be either a technician, for technical decision-making, or a top or middle manager, for strategic or executive decisions.
Organizational feedback control loop: In order to apply STPA for initiating organizational hazard analysis, which is the main purpose of this paper, a specific version of the feedback control loop is needed that was exclusively developed for deficiency analysis of organizational safety control mechanisms. Figure 3 presents this specific Organizational Feedback Control Loop together with its customized Process Model. Based on Figure 3, five requirements shall be met for organizational control components to enforce Control Actions accurately:
a. A Necessary Sensing Mechanism must be active in the process under control to collect, process, and prepare accurate information for the control component. This mechanism is a type of organizational process that may be managed either by the main control component of the loop or by other organizational components.
b. A reliable Sensor Mechanism (or channels) must be active for delivering the prepared information to the control component. This mechanism is also a type of organizational communication channel.
c. An Analytical Mechanism must be active for accurate processing of received information to determine the appropriate Control Action. This mechanism is also a type of organizational process. While the Interior Analytical Mechanism is applied by the control component of the loop, the Exterior Analytical Mechanism is applied via other organizational components (in situations where exterior analysis is needed).
d. A reliable Request-Receive Mechanism must be active to receive necessary information from other components (in situations where exterior analysis is needed). This mechanism is also a type of organizational process, which prepares the appropriate context for information exchange between the Interior and Exterior Analytical Mechanisms.
e. A reliable Actuator Mechanism (or channels) must be active to enforce the Control Action on the process under control. This mechanism is also a type of organizational communication channel.
Modelling the system's organizational safety control loops: Based on Figure 4, modeling the system's organizational safety control loops (as the initial step of the Hazard Identification Process) requires the sequence of procedures described in the following.
Identification of organizational components of the safety control loop: Before modeling the safety control loops for each control action of all control components, as a main part of STPA, the control components must be identified. Since our risk analysis model concentrates on the organizational roots of probable accidents, we focus on "organizational control components" and their associated control actions.
Dulac recommended three important information sources for identifying the organizational components of the Safety Control Structure. Additionally, he recommended two criteria for distilling this information into the best set of these components. These recommendations are reviewed as follows:
a. Org charts (Source one): He mentioned that organization charts are a good starting point for the identification of organizational components.
b. Generic STAMP structures (Source two): The generic control structure shown in Figure 5 can be used as an effective checklist to verify that important components have not been mistakenly left out. He noted that, for many systems, it is unnecessary to follow the hierarchical structure all the way up to the Congress and Executive components.
c. Interview data (Source three): Another source for identifying the organizational components of the safety control structure is interviewing individuals within the structure itself. Dulac stated that the emphasis should be on reviewing, improving and refining the structure, eliciting informal structural connections that are not represented in the official "party-line" organization chart.
d. Inclusion criteria (Criterion one): He prepared eight questions in order to decide whether an organizational component should be included in the model or not. Stringfellow later added four more questions to the list to take more social features of the control structure into consideration. Figure 6 lists the complete set of questions.
e. Combination criteria (Criterion two): To prevent unnecessary complexity in the control structure's model, it is possible and desirable to combine multiple components. As a general rule, components that are structurally independent but functionally similar should be combined, unless they receive funding from completely different or competing sources, or if they have competing.
Control actions identification: Control Actions are the actions enforced by control components to control the system's behaviors. Clearly, Control Actions are the raison d'être of the control components. It should be noted that each identified control component may apply different Control Actions to control the processes under its control; therefore, identifying all of the components' Control Actions is only possible by scrutinizing all related documents and interviewing organizational experts. Finally, the results should be listed in an appropriate log.
Organizational feedback control loop modelling: Now, in order to model the organizational Feedback Control Loops, based on the exclusive modelling diagram mentioned above, all Non-Control Actions (Necessary Sensing Mechanisms and Analytical Mechanisms) must be explored for each control component. Then, all requisite mechanisms, as the Non-Control Actions, for accurate enforcement of each Control Action must be specified. Finally, all Feedback Control Loops, together with their Process Models, must be modeled according to the pattern presented in Figure 3.
Organizational hazard identification: "Working around the loop" is the STPA principle for extracting the hazards. In fact, each of the control loop's components should be regarded as a potential source of systemic hazard, because any inefficient performance of them can cause a degree of incompetency in the control loop. This local deficiency, consequently, eventuates in a level of inefficiency in the whole system safety control structure and, in the bigger picture, leads the system toward a probable accident.
Accordingly, by using the Simplified General Causal Factors, which are adapted from the original STPA model and shown in Figure 7, different states of "Control Component Inefficiency" can be extracted and regarded as initiating mechanisms for systemic accidents. Each of these initiating mechanisms should thus be recorded as a specific hazard for probability and consequence estimation.
Hazard activation likelihood (HAL): While a hazard is a dangerous dormant situation that triggers a mishap if it is activated, the likelihood of the hazard is the probability of the hazard's activation. When we consider the hazard as a Deficiency in organizational safety control mechanisms, we create the opportunity to evaluate the Hazard Activation Likelihood (HAL) via the ratio of the mechanism's imperfect performances to its desired performance over a specific period. We can also form a qualitative estimate of HAL by consulting experts' opinions and applying Table 1, if reliable performance data is not available.
In addition to Hazard Activation Likelihood estimation, we need a clear rule to estimate the Hazard Activation Consequence Severity (HACS) if we want to estimate the risk of any hazard.
To make an appropriate way of estimating the severity of the hazard activation consequences, we change the concept of "consequence" from the real results of hazard activation (the occurrence of the real mishap) to a new measurable quality that is directly linked to control theory. Actually, instead of seeking and modeling the imperceptible effects of defective mechanisms (as the hazards) on probable accident scenarios, we focus on the negative consequence of the identified defective mechanisms on the whole Organizational Safety Control Structure's Competency (OSCSC).
This substitution is meaningful because, based on STAMP's pivotal thought, accidents in complex sociotechnical systems happen when the safety control structure is unable to control the system's behavior. As a result, it can be hypothesized that defective mechanisms are able to cause a kind of deterioration of the safety control structure; then the dormant systemic hazards become active and initiate a complex and imperceptible chain of events that finally eventuates in a mishap, or at least pushes the system toward a more hazardous situation.
When it is impossible to estimate the role of a specific defective mechanism in the formation of accident scenarios, it is feasible to focus on the "consequent deterioration" of the safety control structure; a deterioration that can be regarded as a preceding state of a probable catastrophic accident.
The whole OSCSC is an abstract concept that shows "how well the safety control structure enforces the desirable system safety constraints". This concept stands on system theory, control theory, and specifically the main concept of the STAMP and STPA models. According to these theories and models, the main mission of the "Safety Control Structure" is to enforce specific constraints to ensure that the system will be kept in a safe zone while it has to tolerate unavoidable and continuous changes. In fact, the system's control structure must have appropriate dynamics to constrain the real dynamic system in each new position. Nevertheless, at a specific point in time, the real control structure may not completely conform to the desired control structure. This nonconformity and gap may have several causes, such as inappropriate control structure design, imperfect performance of some of the control structure's components, or unfit adaptation of the control structure.
Accordingly, the whole OSCSC is a concept that can be able to reflect the experts’ overall opinion about the real control structure proficiency. The experts, in fact, are able to qualitatively estimate the effect of a specific deficient mechanism, which was explored in the hazard identification phase, on the Safety Control Structure's Competency. The severity of this effect, consequently, is able to take the place of the "Hazard Severity" in the risk analysis procedure .
For precise evaluation of OSCSC, certainly, we need more data to model the relation network between safety structure's components;nevertheless, in the initiating phase of organizational risk analysis we can rely on experts judgment.
Table 2 is presented to estimate, by extracting experts' opinions, the severity of a consequence initiated by a specific organizational hazard.
Finally, the estimated risk is described in qualitative terms by a combination of two characters, the first of which denotes the Hazard Activation Likelihood (HAL) and the second the Hazard Activation Consequence Severity (HACS); for example 3A, 5B and the like.
Criteria (e.g. criteria based on the best available technology, legal requirements, practices, processes, or achievements) in order to determine the level or significance of risks and provide recommendations for the decision-makers at various levels. Although "Risk Evaluation" is beyond this paper's scope, the 'As Low As Reasonably Practicable' (ALARP) strategy is usually employed for managing the risks. In the case study section, a simple table is applied as a sample of the risk evaluation criteria.
In the following, the presented STPA-based organizational risk analysis framework is applied, on a limited scale, to extract organizational safety-related hazards and estimate their risk. The case is an aviation industry organization that is responsible for the maintenance and modification of Iran's helicopter fleet.
Accordingly, only two organizational safety control components, together with their related communication mechanisms and their interconnected non-control components (analyzing or supporting components), were selected for further analysis. These two organizational components are the Quality Control (QC) unit and the Research & Technology (R&T) unit. The first is responsible for managing the main and most comprehensive control mechanisms in the case industry. The second controls modification projects via its ratification authority.
Based on the modeling pattern illustrated in Figure 3, all requisite control mechanisms have been identified and the control loops have then been built (Figure 8 for QC and Figure 9 for R&T).
After modeling the control loops, all parts of the loops have been analyzed by means of the Simplified Causal Factors (Figure 7) in order to extract any probable deficiency; then, a group of experts estimated the probability of each extracted deficiency by applying Table 1. This group of experts then applied Table 2 to estimate the probable consequence of the identified hazards on the whole OSCSC; next, the risks of the hazards were evaluated by means of Figure 10, a simple method for prioritizing the necessary control actions. Finally, the results have been summarized and depicted in Figure 11.
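The procedure above, from a deficiency found in a control loop part through the HAL/HACS judgment to the "3A"-style risk code and its ALARP-style evaluation, as an added example that is not part of the paper or the case study. The 1 to 5 and A to E scales, the ordinal ranking index, the tolerability thresholds and the sample findings are all constructed assumptions; the paper's Tables 1 and 2 and Figure 10 define the real ones.

```python
from dataclasses import dataclass

# Constructed stand-ins for the paper's Table 1 (HAL) and Table 2 (HACS) scales.
HAL_SCALE = {1: "improbable", 2: "remote", 3: "occasional", 4: "probable", 5: "frequent"}
HACS_SCALE = {"A": "negligible", "B": "minor", "C": "major", "D": "severe", "E": "catastrophic"}


@dataclass
class OrganizationalHazard:
    """A defective mechanism found in one part of an organizational control loop."""
    loop: str           # control component owning the loop, e.g. "QC" or "R&T"
    loop_part: str      # which part of the feedback control loop is defective
    causal_factor: str  # Simplified Causal Factor guide-word that exposed it
    hal: int            # Hazard Activation Likelihood (experts' Table 1 judgment)
    hacs: str           # Hazard Activation Consequence Severity on the OSCSC (Table 2)

    def __post_init__(self):
        # Reject judgments outside the agreed scales before they reach the matrix.
        if self.hal not in HAL_SCALE or self.hacs not in HACS_SCALE:
            raise ValueError(f"HAL/HACS out of scale: {self.hal}{self.hacs}")

    def risk_code(self) -> str:
        """Qualitative risk term in the paper's format, e.g. '3A' or '5B'."""
        return f"{self.hal}{self.hacs}"

    def risk_index(self) -> int:
        """Ordinal product used only to rank codes; not a quantitative risk value."""
        return self.hal * (ord(self.hacs) - ord("A") + 1)


def evaluate(h: OrganizationalHazard) -> str:
    """Assumed ALARP-style tolerability criteria (stand-in for the paper's Figure 10)."""
    idx = h.risk_index()
    if idx >= 15:
        return "intolerable"
    if idx >= 6:
        return "tolerable (reduce ALARP)"
    return "acceptable"


def prioritize(hazards: list) -> list:
    """Order hazards for control action, highest risk first (the Figure 11 summary)."""
    ranked = sorted(hazards, key=lambda h: h.risk_index(), reverse=True)
    return [f"{h.loop}/{h.loop_part}: {h.risk_code()} -> {evaluate(h)}" for h in ranked]


# Constructed sample findings, not the case study's real results.
SAMPLE = [
    OrganizationalHazard("QC", "feedback channel", "delayed", 3, "A"),
    OrganizationalHazard("R&T", "ratification authority", "inadequate process model", 4, "D"),
    OrganizationalHazard("QC", "control action", "not provided", 5, "B"),
]

if __name__ == "__main__": print("\n".join(prioritize(SAMPLE)))
```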
To initiate the process of organization-based safety risk analysis in aviation industries, which is required by ICAO's safety management system (SMS), an innovative and specific framework has been presented in this paper. This framework is built on Control Theory and, specifically, the STPA model. According to this model's main concept, catastrophic accidents in complex socio-technical systems originate from deficiencies of the Safety Control Structure. Accordingly, the new framework concentrates on deficiencies of the Organizational Safety Control Loops (as the hidden hazards) and on the effect of these deficiencies on the whole Organizational Safety Control Structure Competency (as the consequence of the hazards).
To present the main procedures of the framework, its modeling and analyzing parts were described separately. The modeling part consists of a series of steps to identify organizational control components and control actions, and to model the control loops. The analyzing part is responsible for extracting the defective mechanisms located in the control loops by means of a series of guide-words, named Simplified Causal Factors. This part is also responsible for evaluating the Hazard Activation Likelihood and the severity of the Hazard Activation consequences.
For estimating the likelihood of the hazards and the severity of the consequences, two specific tables were presented as guide tools for experts' judgment. Finally, the framework was applied on a limited scale in a case aviation organization to clarify its sequence and procedures, as well as its applicability.
The presented framework is developed for analyzing the organization-based safety hazards that are hidden in the operational phase of the system. We consequently assumed that all high-level hazards of the system had been identified and that adequate control components with clear responsibilities had been embedded in the system to control them; however, some of the control mechanisms may have been eroded or have become outdated as a result of the system's dynamic behavior.
Under this assumption, we neglected some of the initiating steps of STPA that relate to "System-Level Hazard Identification" and "Safety Constraints Identification". In fact, we started the hazard identification process by extracting the current organizational control components and their responsibilities. Nevertheless, we acknowledge that a comprehensive analysis, which should be done in the next rounds of a continuous risk management cycle, must start at "System-Level Hazard Identification" and continue separately for each system-level hazard.
Furthermore, a more advanced analysis should be developed on the basis of more quantitative and precise data for the estimation of "Hazard Activation Likelihood" and "Hazard Activation Consequences Severity". Increasing the precision of these two quantities can help system engineers and decision-makers to find, and concentrate on, the critical mechanisms of the control structure when launching more appropriate improvement plans.
In addition, the evaluated risk (the combination of HAL and HACS) of each safety-related organizational mechanism has a meaningful dynamic feature. This is because both the imperfection ratio of organizational mechanisms and the whole Organizational Safety Control Structure Competency are sensitive to organizational dynamics. As an important result, the estimated risk could help system engineers to design meaningful leading indicators that precede hazardous system behaviors.