"Compliance Doesn't Equal Safety"

I've heard this saying quite a bit over the last few months and in at least one aspect, I agree with the statement. It tends to be true that regulations have failed to keep pace with industry. As such, blind compliance with the regulation no longer ensures an accident-free existence.

Apparently, there is a Venn diagram making the rounds. I've been told it looks like this:

[Figure: Safety Doesn't Equal Compliance]

So what is the solution?

In most conversations, I heard "systems-based" or "risk-based" auditing touted as the answer. Unfortunately, that, in my opinion, is not the answer.

Now, don't get me wrong. Please. Old check-box auditing is not the answer either.

So what is? Let's break it down into pieces...

Firstly, we need to define "compliance". Often, people infer from "compliance" a high level of prescription within the legislation, regulation or standard. In the past this was true, but nowadays it's becoming less the case. Regardless, when auditing, especially in a highly-regulated environment, the standards are everything. Issuing findings outside of the standards is unacceptable and you can forget about enforcement action.

We have no choice but to move the "compliance" circle to match up with the "safety" circle. Easier said than done.

The above Venn diagram is misleading. Safety is not a neat circle. It's not the same for each industry sector, or even between operators within the same sector. And it's not stable. Not only is aviation a generally growing industry, it's diverging as well. "Safety" could probably be drawn like this instead:

[Figure: The safety profiles of various operators differ]

That leaves old-school compliance with two options: be a well-rounded set of requirements aimed at achieving a generally good level of safety, or become a complex monster of requirements aimed at ensuring safety across all areas - see below. In the first case (C), gaps between safety and compliance still exist (just to refresh - that means an operator could comply with the rules and still not "be" safe). And in both cases (C & D), all operators are burdened by requirements which have nothing to do with safety in their environment.

[Figure: The different ways to apply old-school compliance]

I mentioned above that the standards are becoming less prescriptive. The still fairly new concept of safety management systems is a different kind of regulation. Instead of telling operators how to address known safety risks, it requires operators to establish a system to identify, assess and mitigate risk within their own environment [1]. This approach can fill the gaps between traditional compliance and safety. It also goes a long way to supporting "systems-based" and "risk-based" auditing.

Diagram E is probably a good indication of where we are at the moment. In most cases, an SMS requirement has been added to the existing regulatory regime and a "fill the gaps" approach has been taken. This is a valid approach. SMS is relatively new and the industry needs time to grow into the philosophy.

[Figure: The way compliance looks now and may look in the future]

In the future, I imagine it will be possible to reduce the prescriptive side of the compliance equation. A greater level of flexibility is obviously good for the industry as it would reduce the nugatory regulatory burden on some operators but ensure a level of safety acceptable to the regulator.

That retreat will require careful planning and sure-footed execution. A lot of work will need to be done before then, but I'll hold on to it as my "I have a dream" concept [2].

1. It actually requires more than a risk management system but let's keep things simple for the sake of this short but rambling post. Check out the link above for more information.

2. I know it's nowhere near the level of nobility of the original but each of us hopes to influence the world in our own way.