See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/351689314

Aviation Safety Management Theory: Three core models and the potential risk
of evolution and change on aviation operations

Article · May 2021

CITATIONS READS

0 6,683

1 author:

Troy Burling
University of Southern Queensland 
2 PUBLICATIONS   0 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Australian Aviation Systems and Frameworks View project

All content following this page was uploaded by Troy Burling on 19 May 2021.

The user has requested enhancement of the downloaded file.

Aviation Safety Management Theory: Three core models and the potential risk of evolution

and change on aviation operations.

Author: Troy Burling

Released: 17 May 2021

Safety management is an intrinsic part of aviation operations and encompasses the actions

taken to reduce hazards to reach ALARP criteria (CAAP, 2018). The purpose of this paper is to

discuss three safety management theoretical models leveraged within the airline industry.

In particular, the scope of this paper will be confined to the Australian non-military airline

industry within the international aviation domain and, in discussing the models will raise the

idea that the evolution of safety management theory could have the unintended

consequence of introducing risk into the aviation industry.

Within the Australian aviation environment, industry participants undertaking flying

operations (Operators) or delivering maintenance services as an Approved Maintenance

Organisation (AMO) are mandated to implement safety management systems underpinned

by safety policy and objectives, safety risk management, safety assurance and safety

promotion. Operators holding an AOC for either regular public transport in other than high-

capacity aircraft or in high-capacity aircraft are required under CAO 82.3 and 82.5,

respectively, to maintain a CASA approved SMS. An AMO is required to adhere to the

requirements of Part 145 of the Civil Aviation Safety Regulations. This is important to

understand as each CAO and the CASR are made under authority of the Australian Civil

Aviation Act 1988, and the Act prescribes the requirement for CASA, as the national safety
delegate, to deliver services to the Australian aviation industry in a manner that is consistent

with the Chicago Convention (CAA, 2019). Ultimately, this means that guidance and direction

as issued by ICAO is required to be implemented into CASA guidance and direction where

practicable. (CASA, 2017).

The evolution of safety management within aviation has occurred in four stages, including:

Technical Era; Human Factors Era; Organizational Era; and Total System Era (ICAO, 2018).

The focus on safety and its management has been consistent throughout each of the eras

with numerous theoretical models having also been developed and utilised by the aviation

industry, not limited to Heinrich’s “Domino Theory”, Hollangel’s “FRAM”, Svenson’s “AEB”,

Reason’s “Swiss-Cheese” model, Leveson’s “STAMP”, or SHELL and 5M (SIA, 2012). The

undertaking of critical theory commenced in the 1930s and remains a contemporary

practice, demonstrating the ongoing evolution of the theoretical models used within the

aviation industry. This evolution is recognised by CASA with guidance outlining the

requirement for operators to adopt continuous improvement measures to remain current

(CAAP, 2018). Reinforcing this is the view of Daniel Maurino who, in a paper to the OECD

International Transport Forum, posited that safety management is an evolutionary discipline

(Maurino, 2017). Notwithstanding, how people interact with systems and the effect they

have upon the system remains a focal point within safety management with human factors

continuing to be considered an integral element (ICAO, 2018).

The “SHELL” model is utilised by ICAO to illustrate human factors and the influence on

operational systems and vice-versa, and attempts to exhibit that the incongruent

relationship between the human and systems can be cause for hazard or risk. The intent of
the model, at figure 1, is to demonstrate the importance of an ongoing focus of effort

toward establishing appropriate safety frameworks within an organisation.

Figure 1: ICAO SHELL Model. From Doc 9859, Safety Management Manual (4th ed., p. 2-5),

by ICAO, 2014, ICAO (www.icao.int). Copyright 2018 ICAO

The model comprises the focal component “L” (for ‘Liveware’) at the centre representing the

human undertaking effort with four influencing factors indicated by: S – Software; H –

Hardware; E – Environment; and other humans in the workplace represented as another “L”.

Importantly, the coloured boxes around each of the components are not uniform and do not

form a congruent join with the adjoining box thereby working to emphasise the complex

relationship between all components. ICAO explains this, stating “the jagged edges of the

modules represent the imperfect coupling of each module” (2018, p, 2-5.). This complexity

focuses on the idea that the person represented at the centre of the model remains most

affected by physiological or psychological stressors therefore being the most unpredictable

(ICAO, 2018).

CASA defines human factors as “the social and personal skills (for example communication

and decision making) which compliment technical skills, and are important for safe and

efficient aviation” (CASA, 2014c, p. 1) and further explains that human factors knowledge is
applied to integrate people and the systems in which they work for the purpose of improving

safety and performance (CASA, 2014c). To illustrate this integration and explain the

relationships the SHELL model is also utilised. Figure 2 shows the current model used by

CASA.

Figure 2: CASA SHELL Model. From SMS 6 Human Factors (2nd ed., p. 1), by CASA, 2014,

Safety Promotion (safetypromotion@casa.gov.au). Copyright 2014 CASA.

Notably, the ICAO SHELL model addresses safety culture in the relationship between

Liveware – Liveware (People-to-People interaction) whereas the CASA model addresses

safety culture in the Liveware – Environment (People-to-environment) relationship.

Furthermore, the ‘jigsaw puzzle’ image used by CASA to represent the SHELL model implies a

strong integration between each of the elements with this interpretation of the model being

contrary to the guidance of ICAO (2018). Reason (1997) describes the hierarchal nature of

national aviation safety management culture and accordingly, it is proposed that the image

used by CASA could negatively influence an operator’s understanding of the intent behind

the “SHELL” model and consequently trigger a reduced level of effort toward adopting a

proactive and deliberate focus on what ICAO terms as the “imperfect coupling of each

module” (2018, p. 2-5). In short, this change to theory may have an unintended consequence
on operational application and could potentially trigger the creation of latent conditions

that, under certain circumstances, could lead to an accident.

Such conditions can exist throughout an organisation and are generally the result of human

(Liveware) influence on various organisational elements such as culture, policy and

procedure, equipment, systems, or business decision cycle and they may exist well before

damage is realised by way of combination with circumstance or active failure (Reason,

1997). Adopted by ICAO as the leading theory relating to accident causation, the “Swiss-

Cheese” model proposes that latent conditions and active failures, represented by the holes

in the cheese slice, can align and breach defence measures, represented by each slice of

cheese, thereby creating a situation where hazards can become an incident. Defence

measures are described by Reason (1997) as ‘hard’ or ‘soft’ with ‘hard’ defences not limited

to physical barriers, personal protective equipment or engineered safety features, and ‘soft’

defences not limited to legislation, policies, and procedures etc. Reason (1997) further

explains that it would be ideal to have the layers intact and clarifies the reality that each

layer has weakness and gaps. Rodrigues and Cusick (2012, p. 162) explain it well by stating

the “defenses are controls built into the system by management to protect against the

inevitable human error that cannot be completely avoided”. The intent of safety

management within aviation is to create robust layers of defences, in effect reducing the

holes and potential for accident. Reason (1997) proposed a simple image to illustrate the

resultant effect of gaps aligning, or active failures and latent conditions combing, and is at

figure 3.
Figure 3: Reason Swiss-Cheese Model. From Managing the Risks of Organizational Accidents

(p. 34) By J. Reason, 1997, Ashgate. Copyright 1997 James Reason

The ICAO and CASA version of this image is at figure 4 and figure 5, respectively.

Figure 4: ICAO Concept of accident causation. From Doc 9859, Safety Management Manual

(4th ed., p. 2-7), by ICAO, 2014, ICAO (www.icao.int). Copyright 2018 ICAO
Figure 5: CASA Concept of accident causation. From SMS 1 Safety Management System

Basics (2nd ed., p. 13), by CASA, 2014, Safety Promotion (safetypromotion@casa.gov.au).

Copyright 2014 CASA

Fundamentally, the “Swiss-Cheese” model proposes that multiple events, actions, or

conditions will align to create an accident, and the strength of the defences established

within the organisation will influence the probability of alignment and therefore level of risk

exposure. CASA recognises the potential of multiple contributing factors as the basis of

accident causation and promotes ongoing review and analysis of organisational frameworks

(CASA, 2014a).

Similarly, the “5M” model recognises that accident causation is influenced by contributing

factors and identifies five focal areas under which these factors can be grouped, including:

Man, Machine, Medium, Mission, and Management. The “5M” model, shown at figure 6 and

7, is useful for preliminary analysis as part of any risk assessment prior to the conduct of any

action or, as is the predominant use, it can be utilised to identify the causes of accidents and

serves as means to capture information relating to an accident. Using the model also enables

the understanding of the deviation from intended design and the magnitude of that
deviation. This deviation is what Snook (2000) refers to as “Practical Drift” and using the

“5M” model supports deviation analysis and identification of root cause across the

organisation. The model can also be used as a tool during routine assurance activities to

provide lead indicators of the degree that organisational activities are moving away from the

designed level of function (ICAO, 2018).

Figure 6: Stolzer and Goglia 5M Model. From Safety Management Systems in Aviation (2nd

ed., p. 164), by Alan J. Stolzer and John J. Goglia, 2014, Ashgate. Copyright 2015 Alan J.

Stolzer and John J. Goglia

Figure 7: Rodrigues and Cusick 5M Model. From Commercial Aviation Safety (5th ed., p. 166),

by Clarence C. Rodrigues and Stephen K. Cusick, 2012, McGraw-Hill. Copyright 2012 The

McGraw-Hill Companies

“Man” includes all personnel from design and management to operation and flight. Aviation

Safety (n.d.) explains the inclusion of a wide range of personnel to remove pilot-error as the

only element. Rodrigues and Cusick (2012) support the approach determining that the origin

of hazards should not be limited when addressing accident prevention. Accordingly, focal

areas addressed can include physiological and psychological aspects influencing the

individual/s and can also the qualification and proficiency of said individual/s.

That which is covered by “Machine” includes the aviation technology, and it is important to

note that aircraft and their components have a finite useful life. Analysis of the causal factors

in this area can include reviewing airworthiness standards and any maintenance

management plans. Whilst airworthiness standards work to ensure an appropriate level of

safety is applied to any design, the intent of analysis is to confirm the design and whether

the “Machine” was working within design specifications. The same approach is adopted for

maintenance programs, which require close oversight and continued development to

maintain required levels of safety (Rodrigues & Cusick, 2012).

Natural and artificial environmental conditions are addressed under the “Medium”, or

“Media”, component enabling an array of conditions to be considered. Predictably, analysis

of the natural environment includes weather, topography, and temperature within the

natural environment. Analysis of the artificial environment is ideally partitioned into physical
and non-physical parts with physical elements including manmade controls (airports,

navigation aids, landing aids etc) and the non-physical including legislation, regulations and

operating procedures and sometimes referred to as system software (Rodrigues & Cusick,

2012).

The “Mission” being conducted is reviewed and analysed to determine the operating

parameters influencing the flight. This is important noting the variation in flight profiles that

could exist between the services provided by operators (Rodrigues & Cusick, 2012). The use

of flight data recorders and cockpit voice recorders, along with flight computers, make the

task easier as deviations outside expected tolerance can be more easily identified.

Each of the focal areas above are brought together and influenced by the “Management”

within the organisation. Management holds the AOC and by requirement is responsible for

safety and all measures implemented to prevent accidents. Analysis of an organisations

CASA accepted Operations Manual will provide insight into the expectations and accepted

operating conditions. Importantly, through analysis of “Management” an understanding of

an organisations investment in safety frameworks, policy and procedures and resources for

operation and maintenance will be established (Stolzer & Goglia, 2015).

An analysis of the “5M” diagrams shown if figures 6 and 7 will highlight the differences

between each. Not only is there differing terminology, albeit having the same meaning,

there is a difference in the Venn diagram itself. As noted with previous variation, it is

proposed that the difference could influence priority of effort within organisations thus

potentially creating latent conditions.

In summary, safety management within Australian airline industry is governed by CASA as

the delegated safety authority, and under the Civil Aviation Act CASA is obligated to ensure

that all guidance and direction provided to Operators and Approved Maintenance

Organisations is aligned to that issued by ICAO. Three safety management theoretical

models have been discussed with two of them being prescribed by ICAO and adopted within

relevant CASA documentation. Whilst the third is not prescribed by either ICAO or CASA, it is

a tool widely used within the aviation industry to understand accident causation and can

identify “Practical Drift” (Snook, 2000). All three models remain relevant and provide a

strong basis from which to understand what constitutes safety management. All three

continue to undergo change over time or as they are adopted by different agencies, and it is

proposed that this change could be the cause for misunderstanding and creation of latent

conditions within an organisation. Conscious change of governing material injects confusion

into a technically complex environment, constituting an active failure within the governing

system (Reason, 1997). Understanding this potential impact and adopting the principles of

the models discussed will likely result in improved industry conditions and safety

frameworks.
 References

Aviation Safety. (n.d.). Accident Causation. Retrieved April 10, 2021, from

https://www.aviationsafetyplatform.com/pedia/understanding-

safety/general/accident-causation

CASA (2014a), SMS 1 – SMS for Aviation – A Practical Guide: Safety Management Basics (2nd

ed.). CASA. https://www.casa.gov.au/files/2014-sms-book1-safety-management-

system-basicspdf

CASA (2014b), SMS 2 – SMS for Aviation – A Practical Guide: Safety Policy and Objectives

(2nd ed.). CASA. https://www.casa.gov.au/files/2014-sms-book2-safety-policy-

objectivespdf

CASA (2014c), SMS 6 – SMS for Aviation – A Practical Guide: Safety Policy and Objectives

(2nd ed.). CASA. https://www.casa.gov.au/files/2014-sms-book6-human-factorspdf

CASA (2017) Overview of CASA rule making principles and obligations. Civil Aviation Safety

Authority, Retrieved March 12, 2021, from https://www.casa.gov.au/standard-

page/casas-rule-making-principles-and-obligations

CASA (2018), CAAP SMS-01 v1.1: Safety Management Systems for Regular Public Transport

Operations, sms@casa.gov.au

CASA (2019). Safety behaviours: human factors for pilots. (2nd ed.)

https://www.casa.gov.au/sites/default/files/safety-behaviours-human-factor-for-

pilots-2-safety-culture.pdf

Civil Aviation Act 1988, No. 63, 2019 (Austl.)

International Civil Aviation Organizatrion Safety Management Manual (4th ed.), 2018,

www.icao.int
 Maurino, D. (2017). Why SMS: An introduction and overview of safety management

systems. Discussion Paper 2017.16 https://www.itf-oecd.org/sites/default/files/why-

sms.pdf

Reason, J. (1997). Managing the Risks of Organizational Accidents. Ashgate

Rodrigues, C.C., & Cusick, S.K. (2012). Commercial Aviation Safety (5th ed.). McGraw-Hill

Safety Institute of Australia (2012), Models of Causation: Safety. Safety Institute of Australia

Ltd

Snook, S.A. (2000). Friendly Fire, The Accidental Shootdown of U.S. Black Hawks over

Northern Iraq. Princeton University Press

Stolzer, A.J. and Goglia J.J (2016), Safety Management Systems in Aviation (2nd ed.), Ashgate

View publication stats