Civil Aviation's Business Model: the way we deliver and manage our program
by Bryce Fisher, Manager, Safety Promotion and Education, System Safety, Civil Aviation, Transport Canada
Transport Canada Civil Aviation (TCCA) has adopted a business model to deliver and manage its program. It applies as much to safety as to other, broader management issues.
The business model is based on risk management. Its application will help the organization make better decisions in an environment that is forever beleaguered by competing demands for limited resources.
This article provides an overview of how this model applies to aviation safety. While regulatory authorities may find this approach worthy of closer examination, aviation companies may as well, as risk management is an integral part of a safety management system (SMS). The tactics and strategies used to mitigate risk may be different, but the processes are the same.
Although this article refers to aviation safety, the applicability of the business model is broad: it can apply to security or environmental topics as well. It can also apply to other modes of transport or management issues.
TCCA's adoption of this business model evolved out of the recognition that safety is not an absolute condition, but rather one where risks are managed to acceptable levels. By way of background, this article begins with a brief description of how this model came about.
Transport Canada's traditional view was: "We're here for safety." But the word "safety" was not defined in Canadian aviation legislation or departmental policy documents.
The dictionary is equally unhelpful. The Concise Oxford Dictionary defines safety as: "freedom from danger or risk; being sure or likely to bring no danger; being safe." The dictionary describes an absolute condition when few, if any, situations are completely "free from danger or risk." Like all human enterprises, aviation is fraught with risk. The absence of an operational definition of safety has been problematic for civil aviation. It is susceptible to wide, subjective interpretation, which can lead to conflicting priorities and the consequent allocation of resources to lesser issues; it hinders consistency in the delivery of regulatory programs and quantitative performance measurement.
Simply put, in the absence of a formal, operational definition of safety, the dictionary's version cannot apply in an aviation context (or any other low-probability, high-consequence industry for that matter). Perhaps it was in a similar light that William W. Lowrance defined safety as: "a judgement of the acceptability of risk, and risk, in turn, as a measure of the probability and severity of harm to human health."1 He summarizes by stating: "a thing is safe if its risks are judged to be acceptable."2
For the reasons stated above, in Flight 2010, TCCA's strategic plan, a working definition of safety is provided: "The condition where risks are managed to acceptable levels."
The new mission
Having defined safety in risk terms, TCCA refined its mission statement, which aligns with the larger departmental mission: "To develop and administer policies and regulations for the safest civil aviation system for Canada and Canadians, using a systems approach to managing risks."
That safety is the condition where risks are managed to acceptable levels is not new. It has been implied in the aviation industry for many years. However, its wider, explicit use is a relatively recent phenomenon. Defining safety in context and expressing the mission in risk terms helps clarify the regulator's role and limitations. This new mission statement provides clarity of purpose: not only does it spell out TCCA's goal, but it also states how and for whom the organization is delivering its program.
The business model
All parties involved in delivering on the mission must be able to see the whole, understand how things should work, and, more importantly, how they contribute to value-creation. The business model was developed to articulate and illustrate how this works.
Some may argue that, as a government entity, TCCA does not need a business model; it is not a business, as it is not involved in value-creation. But Canadians value safety. The Canadian public and consumers of aviation services look to TCCA to act as their safety advocate, ready to intervene in the sector as necessary to ensure appropriate measures are taken to manage aviation risks. This is value-creation and TCCA's new mission statement is its value proposition.
A business model incorporates all critical activities needed to deliver the value proposition. To deliver on its new mission and focus its interventions where they can have the most impact within increasingly limited resources, TCCA has adopted a business model that governs all activities and processes in the delivery and management of its oversight program.
As shown in Figure 1, TCCA's business model incorporates five phases:
- Preliminary Analysis
- Risk Estimation and Risk Evaluation
- Risk Control and Intervention
- Measure Impact and Communicate
Initiation and preliminary analysis
Except for those circumstances requiring the immediate tactical intervention on the part of the regulator (to stop a situation that poses an immediate threat to aviation safety, or respond to an accident or significant incident), the application of the business model requires, first and foremost, the acquisition of safety intelligence before making any decisions.
Safety intelligence is defined as data that are analyzed to produce information necessary to understand the risk. As shown in Figure 2, safety intelligence incorporates data at the bottom, from which information, knowledge and wisdom are derived in hierarchical fashion. Through a process of analysis, data are transformed into information; the synthesis of information leads to knowledge; and over time, this body of knowledge becomes the accepted wisdom.
Figure 2: Safety intelligence pyramid3
Both reactive (e.g. occurrence) and proactive (e.g. hazard reports) data are collected. These are analyzed to derive meaningful information from which risk decisions can be made.
Ideally, this analysis should address all dimensions that could lead to an individual, organizational (James Reason) or system (Charles Perrow) accident. As shown in Figure 3, these accident dimensions can be broadly categorized as active failures and latent conditions (James Reason). As regulators must take the broadest view, latent conditions transcend the boundaries of a particular aviation company (individual, workplace conditions and organizational factors), and encompass the legislative, socio-economic and political dimensions. As professional, organizational, industry and national cultures may influence the decisions, behaviours and actions of the players involved, culture must also be considered in the analysis. The SMS approach is being implemented to encourage the proactive management of conditions that could lead to accidents. These dimensions can be applied to normal working situations, hazards, incidents or accidents. By analyzing data from each dimension, the output is safety intelligence regarding the actual or emerging hazard expressed in risk terms (probability, severity, and exposure).
Risk estimation and risk evaluation
Once the hazard, the likelihood of its manifestation, and its severity are understood, the question is: "Are the risks tolerable/acceptable or not?" If the answer is yes, the risks are acceptable, then no intervention is required. But, in order for the organization to enhance its monitoring capability and contribute to continuous learning, a report is produced and stored in a safety intelligence repository for future use. If the answer is no, the risks are not acceptable, then a second question must be answered: "How do we intervene to bring the hazardous conditions into the range of acceptability?" The dimension of cost-benefit is examined in the context of risk mitigation. A question that must be answered in the process is: "Will the benefits of any proposed risk mitigation strategy offset the costs of its implementation?"
Risk control and intervention
Generally, there are three strategies for managing risk: eliminate the hazardous condition, mitigate the risks, or transfer the risk. In terms of mitigation, regulators can design and execute intervention strategies that address one or more components of the risk equation (probability, severity or exposure).
Typically, aviation authorities can avail themselves of legislative or policy means to intervene, which can be used to varying degrees to mitigate the risks. Table 1 summarizes some of the more frequently-used tactics under each of these categories, which can be used in whole or in part.
Figure 3: Accident dimensions
Care should be exercised in designing an intervention strategy to mitigate the risk. It should hold promise of mitigating the risks to within acceptable levels (i.e. desired outputs, intermediate and ultimate outcomes that are observable and measurable), and be commensurate to the level of risk in terms of cost-benefit.
Aviation companies have a myriad of strategies at their disposal to mitigate risk as well. These include engineered systems; organizational, procedural, and behavioural fixes, such as training and education; and/or personal protection from hazards. Safety literature would, however, encourage aviation companies to not rely solely on one strategy, but rather a combination of strategies that achieve defences in depth (James Reason).
Measure impact and communicate
After a time, the results of the risk mitigation strategy should be ascertained. This is done to determine whether the planned interventions are achieving the desired results, whether any adjustments to the original plan need to be made, and to justify current or future resource expenditures.
If the risks are managed to acceptable levels, a report is prepared and stored in the safety intelligence repository. The team may be disbanded, but the issue at hand must be monitored continuously. The lessons learned in the execution of the risk mitigation strategy can provide further intelligence and help identify triggers that would enhance monitoring capability.
If the risk mitigation strategy failed in achieving desired results, one must ask, "why?" This invokes a diagnostic exercise to discover where in the application of the business model the failure occurred. The answer may be in the design or execution of the mitigation strategy phase, the decision-making phase (the misapplication or inappropriateness of risk criteria), or the analysis or data-capturing phases.
Regardless of the outcome, an assessment of what worked, how well it worked, and what did not work should be carried out, if for nothing else, to learn from each experience and improve the processes of the business model.
Case study: runway incursions
In 1997, Transport Canada and NAV CANADA (Canada's private air navigation service provider) noticed a significant increase in the number of runway incursions. Runway incursion data was collected, validated and analyzed. The result of this analysis was a better understanding of the active failures and latent conditions behind runway incursions.
The level of risk posed by runway incursions was deemed unacceptable. To mitigate the risk, a number of both short- and long-term risk mitigation tactics were initiated, including making regulatory and procedural changes, increasing oversight activities, and embarking on an awareness campaign, to name but a few. A team known as the Incursion Prevention Action Team (IPAT), made up of a cross-section of aviation specialists, was created to manage the risk mitigation project.
After several years, the risk mitigation strategy has proven successful: the number of runway incursions has stabilized, and more importantly, the severity of runway incursions has decreased.
The making, amending, or repealing of:
The issuance/withdrawal of:
• Other item
|Promotion and Education|
• Conferences, symposia, colloquiums
• Newsletters, journals, papers
• Multi-media safety products
|Regulatory Oversight |
• Educating for compliance
|Authorizations (certification) |
The issuance, or withholding the issuance, of:
• Permits, or
• Other authorizing documents
• Public/Private Partnerships
• Industry empowerment
Table 1: Regulator's risk mitigation strategies
Challenges and benefits
The operational definition of safety and the business model it invokes do, however, raise several broad questions: "What are the risks in aviation?", "Who is at risk?", and if the risks are to be managed to acceptable levels, "What level of risk is acceptable to those at risk?" This is easier said than done; however, Transport Canada is prepared to meet this challenge. Out of necessity, it will perform the required calculations to arrive at a benchmark level of risk (or risk profile) from which it can establish goals, design and execute appropriate mitigation strategies, and measure and report on results.
The rigorous application of the business model will enable TCCA to target its interventions where they can have the most impact for the safety of consumers of aviation services and the Canadian public. It will enable better, more empirical, performance measurement, where Canadians will connect TCCA's actions with visible outcomes. In this way, it will be able to achieve its two key results of improving aviation safety and enhancing confidence in its oversight program.
1 William W. Lowrance, Of Acceptable Risk, William Kaufmann, Inc., Los Altos, California, 1976, p. 8
3 Tom Gorman, The Complete Idiot's Guide to MBA Basics, Alpha Books, New York, NY, 1998, p. 281