The SMO model has also been accepted by the authors of prestigious textbooks. A recent text presents and explains source, mechanism and outcome quite well [Ref. 6]. In addition, the model has recently found its way into drafts of U.S. Department of Defense directives, as system safety practitioners who have been exposed to it, including the author, have found it useful for describing hazards in the process of identifying and assessing them. The SMO model is being included in system safety management plans and program plans, and it has been proposed for inclusion in Military Standard 882, Standard Practice for System Safety [Ref. 7].
The following detailed example comes from the author's experience working on the U.S. Army's RAH-66 Comanche helicopter program, and it shows how the application of SMO can clarify even hazards that we think we know very well. Every helicopter pilot and helicopter system safety engineer knows the term "wire strike." So when the hazard is identified for system safety purposes, one is tempted to use just that term as the hazard description. Actually, "wire strike" is just the mechanism in the SMO model. In the case of the Comanche, when the author joined the program, the hazard description was, "The demonstration and validation aircraft will not have wire-strike protection. For the engineering and manufacturing development aircraft, the lower wire-strike protection has not been defined." However, this describes the hazard in terms of the lack of hazard mitigation, not in terms of the source, the mechanism and the outcome of the hazard. With a little encouragement from the author, the hazard description was changed to, "Flight into wires may result in catastrophic loss of aircraft and loss of life." With this description at least the mechanism and outcome were touched on. However, the full application of SMO yields a description like the following (source, mechanism and outcome are labeled):
[Source] The mission of Comanche requires it to fly close to the earth's surface using nap-of-the-earth, contour and low-level flying. Flight in this environment means the crew must detect and avoid horizontally strung mechanical, electrical transmission and communication cables (wires). [Mechanism] Crews may fail to detect wires due to degraded visibility, poor navigation or loss of situational awareness. Crews may fail to avoid wires due to not detecting them or failure to follow established procedures for crossing wires. Failure to detect and avoid the wires results in the aircraft flying into the wires. Wires of sufficient diameter will not break and may become trapped or entangled in the main rotor, the electro-optical sensor system, the turreted gun, the external fuel-armament management system and its ordnance, antennas, the landing gear if it is extended, or the weapons-bay doors and their ordnance if they are open. [Outcome] This results in serious damage to whichever of these components the wire strikes. Further, the aircraft may become caught on the wire, resulting in losing control of the aircraft and uncontrolled flight into terrain. This will result in serious damage to or destruction of the aircraft and serious or fatal injuries to the crew.
Now, one can see the source, the mechanism and the outcome of the hazard. And because these are clearly and thoroughly described, it is much easier to identify and implement mitigators to reduce the risk of this hazard. In this example, mitigation includes improved night vision devices to help the crews see the wires. Detection devices can be developed to spot wires using lasers, or infrared or electromagnetic signatures, and to alert pilots to their presence. Improved mapping of wires, combined with extremely accurate navigation systems, can also help crews avoid wires. Improved heads-up displays and controls would help pilots keep their eyes focused outside, looking for wires and other hazards to navigation. The design of the aircraft structure can be improved to allow for wires to be shed on contact instead of caught in the structure. Antennae, landing gear and other external structures can be retracted when not in use. Or, external structures can be designed to break free when they contact wires to allow the aircraft to continue flight. Wire-cutting devices can be designed and placed to optimize cutting the wire if it cannot be avoided.
The strength of the SMO model is that it can be adapted to describe hazards in such a way as to make them easier to understand and manage. The clarity that comes from applying the model is also valuable in the time it saves by eliminating extended debates over the validity of a hazard. When the source, the mechanism and the outcome have been thoroughly described, there is no question whether a hazard is truly a hazard, and whether the analyst's assessment of the outcome is reasonable.
In the application of the model, one often finds that a particular combination of source and mechanism may have the potential to cause harm to more than one asset. An effective way to deal with these multiple outcomes from one source and mechanism is to treat each outcome, each harmful impact on an asset, as a separate hazard (Figure 1).
Figure 1 — Single Source and Mechanism with Multiple Outcomes.
The importance of this becomes obvious when each potential mitigator is identified and its effectiveness in reducing the risk to each asset is weighed against the cost and feasibility of the mitigator. In some cases, however, outcomes may be tightly linked; for instance, "death or serious injury to personnel" is linked to "serious damage to or loss of aircraft" when a hazard mechanism includes aircraft impact with the ground. In this case, these two outcomes might best be treated as components of a single hazard.
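The bookkeeping described above, one hazard record per outcome unless outcomes are tightly linked, and mitigators weighed per asset against their cost, is small enough to show in code. The following Python is an added illustration and is not part of the original article or of any program's actual hazard-tracking tooling. The wire-strike record follows the labeled description above; the asset names, the "linked" pairing of aircraft loss with crew injury, and every mitigator cost and effectiveness figure are constructed placeholder values, not data from the Comanche program.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One harmful impact on one asset."""
    asset: str
    harm: str


@dataclass(frozen=True)
class Hazard:
    """A hazard in SMO form: one source, one mechanism, one or more outcomes."""
    source: str
    mechanism: str
    outcomes: tuple  # tuple of Outcome

    def describe(self):
        harms = "; ".join(f"{o.harm} to {o.asset}" for o in self.outcomes)
        return f"[Source] {self.source} [Mechanism] {self.mechanism} [Outcome] {harms}"


def split_by_outcome(hazard, linked=()):
    """Expand a hazard with several outcomes into one hazard per outcome.

    `linked` lists sets of asset names whose outcomes are tightly coupled
    (for example crew injury with aircraft loss on ground impact); those
    outcomes stay together in a single hazard record. Output order follows
    the order of the original outcomes.
    """
    groups = []
    seen = set()
    for o in hazard.outcomes:
        if o.asset in seen:
            continue
        partners = next((s for s in linked if o.asset in s), {o.asset})
        group = tuple(x for x in hazard.outcomes if x.asset in partners)
        seen.update(x.asset for x in group)
        groups.append(Hazard(hazard.source, hazard.mechanism, group))
    return groups


def rank_mitigators(hazard, mitigators):
    """Order candidate mitigators for one (split) hazard by benefit per unit cost.

    mitigators: {name: {"cost": float, "effect": {asset: fraction_of_risk_removed}}}
    Only assets that appear in this hazard's outcomes contribute to the benefit,
    so a mitigator that protects other assets ranks by what it does for this one.
    Mitigators with no effect on the hazard's assets are left out entirely.
    """
    assets = {o.asset for o in hazard.outcomes}
    scored = []
    for name, m in mitigators.items():
        benefit = sum(v for a, v in m["effect"].items() if a in assets)
        if benefit > 0:
            scored.append((name, round(benefit / m["cost"], 4)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample record, following the labeled wire-strike description.
WIRE_STRIKE = Hazard(
    source="Mission requires nap-of-the-earth, contour and low-level flight among strung wires.",
    mechanism="Crew fails to detect or avoid wires; wire is trapped in external structure.",
    outcomes=(
        Outcome("main rotor", "serious damage"),
        Outcome("electro-optical sensor", "serious damage"),
        Outcome("aircraft", "serious damage or destruction"),
        Outcome("crew", "serious or fatal injury"),
    ),
)

# Constructed: aircraft loss and crew injury are treated as one linked outcome.
LINKED = ({"aircraft", "crew"},)

# Constructed placeholder costs (arbitrary units) and effectiveness fractions.
MITIGATORS = {
    "wire cutters": {"cost": 2.0, "effect": {"main rotor": 0.4, "aircraft": 0.3, "crew": 0.3}},
    "shed-on-contact externals": {"cost": 3.0, "effect": {"electro-optical sensor": 0.6}},
    "laser wire detector": {"cost": 6.0, "effect": {"main rotor": 0.5, "electro-optical sensor": 0.5,
                                                    "aircraft": 0.5, "crew": 0.5}},
    "night vision devices": {"cost": 4.0, "effect": {"main rotor": 0.3, "electro-optical sensor": 0.3,
                                                     "aircraft": 0.3, "crew": 0.3}},
}


if __name__ == "__main__":
    for h in split_by_outcome(WIRE_STRIKE, LINKED):
        print(h.describe())
        print("   ranked mitigators:", rank_mitigators(h, MITIGATORS))
```

Splitting with the linked pair gives three hazard records instead of four, and the ranking differs per record: the shed-on-contact design is the best buy for the sensor hazard but does not appear at all for the rotor hazard, which is exactly the per-asset weighing the text calls for.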
Another example shows how the SMO model might deal with multiple sources but one mechanism and outcome (Figure 2). The fundamental hazard illustrated in Figure 3 is that a combination of environmental stressors (fatigue, operations tempo, high winds, lack of training, family situation, heat, noise, vibration, degraded visual environment, night vision goggles, seat discomfort, etc.) reduces a helicopter pilot's capacity to deal with the task loading (hovering and maneuvering in close proximity to obstacles, simultaneous mission operations, weapons management, selecting target coordinates, airborne target handover, firing weapons, changing radio frequencies, etc.) as the mission proceeds. This brings the crew to the point where their workload exceeds their capacity to handle the work, and they lose situational awareness (LOSA) — they become incapable of performing a safety-critical task, such as seeing and avoiding an obstacle, maintaining control of the aircraft or correctly handling an emergency. The final result is impact with the terrain or obstacles, serious damage to or loss of aircraft, and serious or fatal injury to the crew.
Figure 2 — Multiple Sources with a Single Mechanism and Outcome.
Figure 3 — Interaction of Stressors and Task Loading to Produce an Accident.
Many of the stressors are factors that the pilot or his leadership should manage using the principles of risk management. These factors include training, operations tempo, extended deployment, family and financial issues, illness or death of a family member, pass-over for promotion, etc. Other stressors can be addressed in the aircraft design. These include excessive heat or cold in the cockpit; helmet weight distribution and discomfort; seat discomfort; noise; excessive vibration in the cockpit; excessive dust; irritating odors; bulky, heavy aircrew life-support equipment; flight control geometry; restricted arm and leg movement; display screen size; display word size and color; display icon and graphic size, brightness, color, definition; needed information not displayed; information overload; glare of displays on windscreen at night; and accessing controls and displays with gloved hands.