In a recent post I wrote about a young stowaway who managed to penetrate security at a California airport and somehow survived a flight to Honolulu in the aircraft wheel well. This prompted a message from my friend and colleague Jeff Whitman from Air Safety Group. Jeff is an expert on aviation safety and security and I thought his comments might be of interest to you:
I think of safety and security as the obnoxious twins. Both can be annoying and certainly require effort to manage. These siblings are nearly identical. The primary difference is security protects us from others, while safety protects us from ourselves.
You spoke of layers of defense in your recent blog. I break these layers into two high-level categories, avoidance barriers and recovery barriers.
I find people need help understanding how/where to apply their barriers.
Avoidance barriers need to be applied well upstream of the potential consequence. In simplest terms, avoidance barriers defend against the triggers that cause the undesirable operational states (UOS). Recovery barriers are how we minimize the effects of reaching the UOS, after the avoidance barriers fail.
In the example of the 15-year-old breaching airport security, the teen reaching the aircraft could be considered one of many UOS; the consequence, in this case, was a stowaway. There are other consequences that could have been much worse!
In order to defend against the UOS, we need to understand the hazard components (triggers) that allowed the teen to reach the aircraft (UOS). In this case, one of the hazard components is unauthorized access to the ramp. In theory, a person with authorized access to the ramp could have also reached the same (or similar) UOS, so this analysis tree has growth potential.
Pop quiz: What is the hazard in this scenario?
This is a very important question, because without accurately identifying the hazard, the potential for reducing risk is limited, at best.
Continuing with the stowaway example, adding the fence is clearly an avoidance barrier. Unfortunately, it failed. Why?
This is where the recovery barriers should kick in and protect against the fact that we’ve reached the UOS. In this case, there were recovery barriers in place (security cameras), but they failed too. Why?
The classification of hazards, triggers, UOS, and consequence may shift, depending on where the analyst sits in the business process. For example, the persons responsible for the fence may identify the UOS as unauthorized ramp access and the hazard component as fence height. Without dragging on too long, the hazard and risk analysis tree can get pretty complicated.