Critical Controls: What Keeps You Up at Night?

airport safety assuranceToday's post on safety assurance will focus on identifying and measuring critical controls.

Checking an entire system of controls is a big job. Reporting on those checks would be an even bigger job and not necessarily a welcome thing if your senior management is as busy as mine. The company I work for employs a criticality filter to focus our accountability on those activities that mean the most.

This article is going the explore both why you might want to use criticality and how you might apply it to your long list of controls.

How Do You Manage a Deluge?

Anyone who has dealt with a large spreadsheet knows about filters. Power users of Excel or Numbers will have used them to their advantage and, if they have done it in front of others, have probably earned themselves a few admirers.

But even the most tech-noob amongst us is using filtering all the time. Human perception filters out, supposedly, unneeded data automatically either to allow us effectively operate or because our body is suffering under stress (think, tunnel vision leading passing out when subject to G-force).

As stated above, a criticality filter can take your lists of (potentially hundreds of) controls down to 3-10 and if this list if truly your most importance risk control activities, then now you have the time go into depth on these controls and then report up to your Accountable Executive in a way that they can digest, comprehend and articulate, if required.

Pick Your Favourite Child?

Once you've accepted that you need to choose some of your control activities for special attention, now you need to pick them. This is probably the part of the process where things have the potential to become contentious and to be stalled.

The primary piece of advice given to me when I was first introduced to this approach was to consider "what controls, if not working properly would keep me up of night?" At that time, I was still new in my job, so I have a few things I wanted to change and these kept me up at night already - so it was easy.

But having been through the process now, I have developed some other guidelines to help identify the critical aspects of your operations. They are proactivity, persistence and multi-purposes.

  • Proactive Controls

Don't rely on a trigger to be enacted/implemented. Obviously, this applies to activities like habitat control (grass management) and serviceability inspections.

  • Persistent Controls

These are ones that are always there during operations. Passenger screening and approach slope guidance lights are good examples having this quality.

  • Multi-purpose Controls

These are signal activities that address two or more hazards/risks. A perimeter fence is a great example of this as it address both the safety risk of animals and the security risk from agents with intent.

Don't Forget Context

As with nearly everything in the field of safety management, a definitive answer on critical controls cannot be given. Because your context will be different to mine, and even mine is changing over time.

The matrix below shows the critical controls I've been working with for the last year but they are under review at the moment.

Example Airport Critical Control Matrix (CC) Dan Parsons

Given I think that this is a contentious topic, I'd love to hear your point of view in the comments below.

In part 3, we'll go into what you do with these critical controls through the development of a standard against which your audit/review is conducted.  Part 1 provided an overview of Safety Assurance.

Photo credits: 1 is by APilotsEye 

Rest Assured: Safety Assurance for a Good Night's Sleep

This is part 1 in a 3-part series on proactive safety assurance. This article provides a little overview on safety assurance as a process and a potential way to lighten the load to get started. Of the 4 pillars of ICAO's Safety Management System (SMS) framework, I tend to think that Safety Assurance is the biggest lost opportunity. Policy, risk management and training tend to get done in same manner but a truly proactive assurance program is, in my experience, often overlooked. And that is a shame, because I see the assurance part as the difference between doing safety and managing safety. But the challenge is where to draw the line in terms of detail and reporting. This series looks at how to tackle that problem.

Without a feedback loop, a safety manager can't provide assurance to the highest level of the organisation that safety objectives are being met. Without that assurance, accountable executives cannot provide an account (the definition of the title) of how safety is achieved.

Without that accountability, I don't know how they sleep at night.

Investigation and statistical analysis are a key part of a safety assurance program but they aren't the full story. Looking at where you have had problems in the past is important but it's not going to cover all your bases - it is not going to help in a dynamic environment, during periods of change or to help catch that insidious black swan.

To complement this reactive approach, you need to get proactive.

That means going out and looking at the operation in action, making sure it is performing as designed and that the design achieves the objectives of the system (including safety). Again, this is the difference between doing and managing.

Going out and measuring normal performance will give you a better chance of spotting deviation and catching problems before they become problems.

Information Overload

So did that just double your workload?

It did seem that I suggest you not only do your job but then you check that your job was done correctly.

Well, yes, it does mean that. It gets even worse when you consider that many operational tasks airside on an airport are checks in themselves. So I am actually asking that you check that your checks are functioning as expected by you, your stakeholders and your regulator.

Regulatory guidance tends to suggest that the expectation is that operators will check their entire system and maybe that should be the goal.

But in implementing a new or revitalised proactive assurance program it might pay to focus on what is important or in other words critical.

Let's Get Critical

Critical is such a good word in this context. It has a generally accepted meaning that does allow it to be honed in specific contexts. No one seems to get upset when you specify what critical means in a particular context like they do when you define risk in anything but ISO31000 terms.

And it is tied to that concept of risk so neatly that now you start to have the ability to assess what aspects of your operations need to be looked at closely.

The organisation I work for focuses on critical controls and they are the pivot points for a standardised approach to auditing, review and reporting.

In part 2 of this series, we'll dive into critical controls and how they can be defined and then used to get a good night's sleep every night. But before you go to bed, leave a comment below and keep the conversation going.

Editor’s Note From today we will publish bimonthly, so 2 posts a month. Our next article will be on the 26th March 2014 then on the 9th of April and so forth. We thank you for being part of our community.