Lodge (2015), in discussing the failure of regulation, suggests that authorities differ to the extent that they see their purpose as primarily to avoid harm or to liberalise markets. In a letter to the Secretary of State, the chair of the UK Civil Aviation Authority (CAA) (CAA, 2019), discussing general aviation, commented on the need to be ‘proportionate in the exercise of statutory functions’ and, later, talks about ‘regulating innovatively’. Aviation regulators are no less resource-constrained than other entities. For example, on 25 December 2002, a King Air 100 crashed on approach to Eveleth Airport, Minnesota (NTSB, 2003). The company was overseen by the FAA Minneapolis flight safety district office. The inspector who had oversight of the operator was also responsible for eight similar air taxi companies, 37 crop-spraying operators, one flight school and 12 designated training pilots and examiners according to his terms of reference. Because of budget cuts and a hiring freeze, the office was 50% undermanned. At the time of the accident, the inspector was overseeing 37 charter companies, 155 agricultural companies, 4 heavy-lift helicopter operations, 11 flight schools, 96 designated training pilots and examiners and, finally, 168 non- certified operators. To cope with these resource constraints, there is an increasing trend to move away from prescriptive methods of regulation towards performance- based models with greater delegation to the regulated entity to provide evidence of compliance. Safety management systems (SMSs), international audit standards such as the IATA Operational Safety Audit and new models of training delivery (AQP/ ATQP, EBT/CBT) are representative of such trends.
Lodge identifies a number of ways in which regulation can fail. First, a flawed analysis of the current situation will result in inadequate oversight. Interventions may be inappropriate or can fail because of issues around jurisdiction. Second, regulation may fail because an intervention might not be politically feasible. Finally, the statutory basis and, particularly, the resources available to the regulator may be insufficient, as we have just seen. There is no agreed definition of ‘regulatory failure’, but Hutter and Lloyd-Bostock (2017) suggest that a significant risk to any regulator is that failure represents a challenge to its own legitimacy. In short, if a regulator cannot effectively regulate, why should it exist? Linked to failure is the concept of ‘regulatory capture’. Shapiro (2011) identifies two aspects of capture: first, the interests of the regulated entity unduly influence the behaviour of the regulator, and second, the regulator fails to act in the manner intended by the constituting authority, usually the state. Typically, a failure to act would be seen in terms of the manner in which the general public is adequately protected. Capture, it could be argued, is both a state of failure, in that the process is no longer fit for purpose, and also a precursor to catastrophe.
The need for regulation was clearly recognised early on in the development of aviation, and the scope of regulation has both broadened and changed in nature over time. Because the risks to be managed are not a constant but, rather, reflect the environment within which aviation is conducted, the technologies employed and the prevailing social attitudes, regulation is constantly challenged. Similarly, the tension between safety and market liberalisation creates the circumstances in which there is a possibility for failure. In the next section, I want to explore the dynamic tension between oversight, cost/effectiveness and safety by looking at the introduction of SMSs in Canada.
Change Management and Regulatory Failure
I mentioned above that responsibility for oversight is increasingly being delegated to the operational level with the authority maintaining control through a ‘system of systems’ concept. The implementation of the SMS policy is just one example. The experience of implementing SMSs in the USA is summarised in a report from the Government Accountability Office (2014):
ICAO first mandated SMS worldwide for air traffic service providers in 2001. ICAO later specified that member states should mandate SMS implementation for airports, air carriers, and others by 2009. FAA began SMS implementation in 2005, but FAA officials informed ICAO that the agency and industry would not be able to meet the 2009 deadline. The United States filed a “difference” with ICAO—indicating that it does not yet completely comply with the standard—with the understanding that implementation is under way and that FAA is in the midst of a rule making to require SMS for commercial air carriers and certificated airports. There have been other actions within the United States to encourage SMS implementation. For instance, in 2007, NTSB recommended that FAA require all commercial air carriers to establish an SMS and in 2011 added SMS for all modes of transportation to its Most Wanted List. [The] NTSB identified SMS as one of the most critical changes needed to reduce the number of accidents and save lives.
Transport Canada was, in fact, the first authority to act on the SMS requirement with an initial target of having all aircraft operators that perform maintenance on their own aircraft compliant by May 2005, with a permissible extension to September 2009. This represented 74 of the 2324 approved operators in Canada. The implications of SMSs for the work of the authority are illustrated in Table 10.1. In an audit of aviation safety (Auditor General of Canada, 2008), it was found that Transport Canada had failed to consider the maintenance of the conventional oversight of safety during the transition. Resources had shifted from traditional oversight to SMS activities with no consideration of the implications, such as reduced inspections. The number of inspectors and engineers needed under the new regime had not been identified, and short- and medium-term performance indicators had not been developed. As a result, the Canadian Transportation Safety Board added SMS implementation to its risk ‘watch list’ in August 2010.
The roll-out of SMS was just one of many changes being managed by Transport Canada. On 1 January 2003, oversight of ‘private’ operators was delegated to the Canadian Business Aviation Association (CBAA). This class of operators included not only corporate flight departments but also forest fire suppression aircraft, helicopters and the Royal Canadian Mounted Police. The incentive to delegate was to save money on the part of Transport Canada. In order to achieve or renew a license
Implications of SMS (based on Office of Auditor General of Canada)
to operate, companies had to comply with an audit process designed by the CBAA that included elements of the proposed SMS regulations. In addition to the shift to a new model of oversight, then, this segment of the industry was also implementing the new approach to safety management. The CBAA was keen to expand its membership but felt that it did not have the authority to compel the adoption of these new codes and all that it implied in terms of change management. Because of their own internal lack of resources, individual operators could delegate implementation to independent third-party contractors approved by the CBAA. As a result, regulation, and the associated level of control, was being diluted. In fact, the CBAA said that ‘some [...] operators may never reach full SMS compliance’.
On 11 November 2007, a Bombardier Global 5000 business jet touched dowm short of the runway at Fox Harbour, Nova Scotia (TSB, 2009). The aircraft suffered major structural damage, and all the occupants were injured to varying degrees. The subsequent report found shortcomings in the implementation of the company’s SMS. The accident report notes that some 320 operators certificates had been issued by the CBAA and 750 audits completed. Unfortunately, the process established required only the audit cover sheet to be submitted to the CBAA and, therefore, it was impossible to assess the quality of the audit and the work done by the auditors. The subcontracting of the audit process to third parties was justified by the CBAA in terms of cost saving. So, ironically, in an attempt to save money, oversight was delegated by Transport Canada to the CBAA who, in turn, delegated to third parties and, in the meantime, effective control was lost.
We discussed forms of safety drift in Chapter 2, and I proposed ‘rationalisation’ as one mode of drift. If we accept that rationalisation is usually driven by a pressure to find savings and ‘efficiencies’, then, the specific implementation of SMSs in the Canadian business aviation community is probably a variation on this theme. We can see something similar in the case of the ‘girting’ of a tug on the River Clyde, in Scotland, coincidentally also in 2007. Girting happens when the vessel being towed overtakes the bow tug and pulls it over, thereby causing it to capsize. The subsequent investigation report (MAIB, 2008) described how, after a previous grounding of a vessel in 2009, the responsible UK Government department pulled together various pieces of guidance and regulation into the ‘Port Marine Safety Code’ (PMSC), which required Port operators to compile hazard lists and to implement SMSs. Ports were required to submit a statement of compliance w'ith the code, w'hich Clydeport, the company that ran harbour operations on the Clyde, had done. Prior to the introduction of the PMSC, Clydeport was certified by the Lloyds Register under the ISO9001 quality management process. The ISO9001 framework was used as the basis for the PMSC SMS system, and the process was run by a part-time consultant employed by Clydeport. When the PMSC was introduced, the role of ‘designated person’, who was responsible for providing the duty holder with independent assurance that the SMS was working properly, was undertaken by two members of the Port Board. This responsibility was lost at some point and, by the time of the accident, the ISO9001 quality plan had been nominated as the ‘designated person’ for the PMSC SMS. A document was now standing in for a person, and that document was overseen by a part-time consultant. Three crews lost their lives in the accident.
These attempts to implement the SMS concept in two very different modes of transport are cases of, primarily, intervention failure, using Lodge’s taxonomy, in that the proposed solution and its implementation were inappropriate. The intent of the regulation and the circumstances of its implementation had become disconnected. We can also see that there was an element of design failure in that the resources allocated to regulatory activity were inadequate. The examples illustrate how organisations seek to implement a process, and demonstrate compliance, in a cost-effective manner. Hence, we see subcontracting being put in the place of direct oversight. The nature of control, through regulation and guidance, was not always fully understood by those responsible for its implementation, and the feedback loops, represented by audit and statements of compliance, were unreliable.
Of course, the framing of regulation and its implementation do not directly cause accidents. Instead, modes of regulatory failure combine to create the context for inadequate risk management. We saw earlier the chair of the UK CAA talking about regulation being ‘proportionate’. Lodge observes that the regulator’s risk tolerance is reflected in the degree to which regulation is deemed to be burdensome. In the United Kingdom, the financial meltdown of 2006-2007 has been blamed on the then government’s ‘light touch’ approach to financial regulation. In the next example, we will also see how ‘capture’ can shape outcomes, ultimately leading to a state of crisis for the regulator.