**2. Safety Reporting Background**

### *2.1. International and European Regulatory Context*

Safety information databases containing appropriate details of events with potential and latent ancillary contributors are available and can be considered with the assistance of continuous analysis. In the United States a combined e ffort by the aviation industry, organisations and individuals, known as the Aviation Safety Reporting System (ASRS) [8] collect reports that are submitted on a voluntary basis. The outputs from this initiative set out to identify system deficiencies and raises correspondence directly with the responsible people. The intention is to a ffect learning and improvements that correlate with corrective actions that avert event recurrence.

On a wider scale through the diligent o ffices of the International Civil Aviation Organization (ICAO), standards and recommended practices that define contracting state reporting and analysis obligations, have been developed as a result of the collective e fforts of participating states. For example, Annex 13 Aircraft Accident Investigation [9] to the Chicago Convention [10] defines the standards that require states to report accidents involving aircraft with a maximum take-o ff weight (MTOW) of 2250 kg and above. The document also contains details of reportable incidents (MTOW 5700 kg) that are considered important in terms of safety and accident prevention. An accident/incident data reporting system (ADREP) is operated and managed by ICAO. Safety data from (ICAO) member states are received, verified and retained in the ADREP system. The repository contains an aggregate of occurrences/incidents/accidents reported by the contracting states. The Accident/Incident Reporting Manual [11] document defines the report content, its composition and means of transmittal to ICAO. A common group of general codes known as a taxonomy is used to standardise the inputs for reporting. In an e ffort to improve harmonisation and exchange of information, most European aviation competent authorities have already migrated to the ICAO common ADREP taxonomy.

The EU, in recognition of its duty of care to the travelling public acknowledges that it must continue to improve levels of aviation safety. Based on a global expectation [12] of the imminent increase in aviation activity, significant challenges are evident if EU is to only preserve current levels of safety. Presently, air passengers enjoy the benefits of a safe industry based on the technological advancements, recognition of human performance and limitations, compliance primarily with prescriptive regulations and the learning potential arising from past accidents and incidents. The EU regulation 376/2014 [6] was developed to enable the collection, analysis, and follow-up of reportable incidents and occurrences. It mandates provisions for reporters to submit mandatory occurrence reports (MOR's) and voluntary occurrence reports (VOR's). There are discriminating conditions that must be met in order to determine which 'conduit' is required to report a hazard or incident. The regulation also defines reporting timelines for initial reporting (within 72 h of discovery) and for reporting to the competent authority (within a further 72 h). Organisations are also required to have a process in place to implement timely follow-up and notification of their analysis to their competent authority.

In Europe, reporting entities are encouraged to submit reports through a reporting portal moderated by the European aviation safety agency (EASA). Civil aviation competent authorities have access to the portal and the incidents and accidents are categorised in accordance with a standard aviation data reporting program (ADREP) taxonomy. They are then uploaded to a European coordination for accident and incident reporting systems database (ECCAIRS). This multi-modal European transport database can facilitate the collection, analysis and sharing of transport safety data.

### *2.2. Learning from Incidents: Underpinning Theory*

According to Leveson [13], a holistic view of an organisation's capability in terms of learning from incidents can be enhanced by shifting the focus from the individual to what is happening across the system. In the world of 'operational aviation' the concept of Safety Management Systems (SMS) has been for the most part successfully embraced and applied where mandated. Deming [14] the respected purveyor of quality assurance methodologies asks the question, 'what is a system?' He continues to answer, 'a system is a network of interdependent components that work together to try to accomplish the aim of the system'. This description of the system suggests that the process (in safety managemen<sup>t</sup> parlance) is 'a network of interdependent components'. Safety managemen<sup>t</sup> philosophy requires specific points to be formally addressed so that the safety managemen<sup>t</sup> process of operational risk can be explicitly expressed and therefore e ffectively managed. One of these points is preventing the recurrence of incidents and occurrences through learning from past events to achieve an acceptable level of safety.

Today, in many jurisdictions it is a requirement for aircraft maintenance and continuing airworthiness managemen<sup>t</sup> organisations to maintain an occurrence-reporting system. European regulatory requirements [6] and organisation procedures [4] normally require the event to be investigated, documented and the causal factors considered. Additionally, corrective and/or immediate actions are often necessary to prevent re-occurrence. Learning from these incidents can often provide potential solutions to preventing safety crises in the future by looking back at what has happened and deriving lessons learned and predicting probable future challenges, [15].

'Learning from incidents' (LFI) is a valuable tool in many domains. Much research has been devoted to understanding how this process can be expressed and measured, how worthwhile lessons can be learned through more e fficient and e ffective learning, as pro ffered by Drupsteen and Guldenmund [16], Hovden et al. [17] Jacobsson et al. [18]. A main tenet of this reporting system is the ability to report any error or potential error in a 'free and frank' way. This philosophy is intended to be supported by what is termed a just culture, where the outcome for the individual is not based on punitive measures or being inappropriately punished for reporting or co-operating with occurrence investigations. The occurrence reporting system is also intended to be a 'closed-loop' system where feedback is given to the originator and e ffective actions are implemented within the organisation to address the embryonic or evident safety hazards. The concept is progressive in terms of its potential for contribution to identifying and addressing less than optimal performance of human, organisational and technical systems. Understanding that adverse and unwelcome events can be minimised through diligent reporting, event analysis and learning and subsequent necessary intervention is a positive trait with respect to improving acceptable levels of safety.

Argyris and Schön [19] (pp. 20–21) highlight the importance of learning to detect and address e ffective responses to errors. Their 'theory in action' concept is the focal point for this determination. The first of its two components, 'theory in use' is one that guides a person's behaviour. This is often only expressed in tacit form and is how people behave routinely. Very often these observed habits are unknown to the individual. The second element is known as 'espoused theory', namely what people say or think they do. Drupsteen and Guldenmund [16] mention that espoused theory comprises of 'the words we use to convey what we do, or what we like others to think we do'.

Enabling this learning channel, ICAO Doc 9859 [19] defines a template for aviation operators and regulators to support the application of a variety of proactive, predictive and reactive oversight

methodologies. In addition to routine monitoring schemes, voluntary and mandatory reporting, post incident follow-up; there are regular safety oversight audits. These audits and inspections often set out to establish if there is a di fference between espoused theory and the theory in use, e.g., is the task being correctly performed in accordance with the documented procedure/work instruction or is there a deviation from approved data and practice? However, Drupsteen and Guldenmund [16] caution auditors not to 'focus too much on the documentation of procedures' alone. In such cases the audit oversight may be ine ffective because of its sole focus on espoused theories of the organisation only and not the theory-in-use. They progress to translate this idea of poor focus on theory in action and recommend a solution by suggesting a valid learning component arising from the incidents. They also highlight the 'espoused' aspect where those attempting to learn from incidents often fail to experience the desired learning because outcomes are not fully aligned with the practical objectives of an LFI initiative. For learning to be most effective, espoused theory and theory in use should be reasonably well aligned.

Aircraft maintenance and continuing airworthiness managemen<sup>t</sup> activities that are performed in European member states are moderated by rules that mandate reporting of defined incidents and occurrences. Repositories of reported data tend to be populated only from sources predominantly aligned with mandatory incident/occurrence reporting requirements. Conventional safety oversight models only verify the presence of reporting media and repositories in this segmen<sup>t</sup> of the industry. Traditionally there has been a focus amongs<sup>t</sup> organisations to ensure details of reports are submitted in line with state's mandatory reporting obligations. However, it is possible such a narrow focus on a single element (i.e., reporting alone) of an incident in its lifecycle could negate the potential learning benefits that might accrue from considering other likely related sources. As a result, the absence of clear regulatory requirements capable of augmenting learning from incidents could be considered an impediment to e ffective learning in the domains a ffected by EU regulation 1321/2014 [4]. The featured industry sector is regulated by the application and upkeep of numerous requirements in each jurisdictions of operation. In general, oversight duties tend to be carried by regulating states and operators in support of safe and profitable activity. However, a growing tendency to just increase some regulatory requirements across the segments may not always o ffer the same safety returns necessary for states in the future.

Up until some years ago, basic risk mitigation methods had remained unchanged. The previously reactive initiatives had largely been based on post-event analysis of accidents and incidents. At present, learning from past incidents, occurrences and accidents must be credited with playing a major part in helping evolve the paradigm to the more proactive means of risk managemen<sup>t</sup> in many aviation segments we know today. Accident models (Heinrich and Reason) can sometimes inadvertently contribute to an over-simplification of how accident and incident contributing factors are perceived. This can result in striving to establish a singular root cause. Understandably the propensity for those tasked with accident and incident investigation is sometimes to establish a linear view based only on apparent causal factors. Proactively identifying precursors to events or potential conditions can greatly assist in averting latent or undiscovered conditions. Since the early 1990s, the potential for organisations to learn from incident precursors and conditions has been worthy of attention. Cooke [20] endorses a suggestion that increased reporting of incidents enhances continuous improvements in high reliability industries. In the continuing airworthiness segmen<sup>t</sup> of the industry, here is often a regulatory driven focus on establishing a single root cause. The importance of adequate resources and e fforts to determine accurate incident causation and the measures to prevent reoccurrence should be a primary concern. Until ED 2020/002/R [21] is fully implemented, it is possible that the custodians of current regulatory requirements are satisfied once a root cause is established. Could it be that the current popular practice of pursuing (singular) root cause focus can be a lost opportunity when additional related sources exist?

The harvesting of information from incident reporting systems is a necessary input to continuously develop appropriate and e ffective recurrent training material. The inclusion of basic qualification criteria for

human factor trainers in the regulatory requirements should also be addressed. However, it is questionable if the perpetuation of these measures alone would support more effective delivery and application of lessons learned throughout the segment. One means of addressing this impending issue is to remodel regulatory, operational and training requirements to consider a new approach in the segment. Reflecting a combination of actions, events and conditions in a new basic model supporting human factor continuation training, may lay the foundations to better elucidate event causation and yield improved and sustainable safety recommendations in the featured segment.

### **3. A Model Supporting Learning from Incidents**
