Understanding Aviation Safety Risk Management


The Safety Risk Management pillar is the working pillar of SMS: it is where hazard identification begins, the crucial first step towards managing safety. The following activities take place under the Safety Risk Management pillar, in the order listed below:

  1. Identification of a hazard
  2. Hazard Analysis
  3. Risk Assessment
  4. Risk mitigation

1. Identification of a hazard:

It is essential to understand what a hazard is before we set out to identify hazards in the workplace or in our organizational activities and operations.

ICAO Doc 9859, the Safety Management Manual, defines a hazard as “a condition or an object with the potential to cause or contribute to an aircraft incident or accident”. Gravity is an example: it is a condition with the potential to cause an aircraft accident. Over the last century this hazard has been effectively addressed through aircraft design, structure, flight controls, propulsion, systems safety, system redundancy, and other methods. The hazard itself cannot be removed; what has been reduced is the risk it poses.

Every hazard has three components, which together form the hazard triangle:

  1. Hazardous condition or object
  2. Initiating mechanism
  3. Target/threat

Image 1: Hazard Triangle

In the TWA 800 accident, the following elements fell under the three components of the hazard triangle:

  1. Hazardous condition or object – flammable fuel/air mixture in the center wing tank
  2. Initiating mechanism – excess voltage in the tank wiring because of a short circuit
  3. Target/threat – the occupants of the aircraft

In summary, a hazard exists only when all three components of the hazard triangle are present. In the TWA 800 accident, had there been no excess voltage in the wiring, or no flammable fuel/air mixture in the tank, there would have been no hazard.

2. Hazard Analysis:

Hazard analysis is the process of identifying the undesired or unintended consequences that could result from an identified hazard, and/or of identifying the hazards that caused or contributed to a known undesired consequence. It can be conducted in two directions: top-down (when an undesired event has already taken place) and bottom-up (to identify the undesired events that could result from a known hazard or failure mode). In the top-down method the undesired event is placed at the top and the analysis works downward to determine the hazards that caused it. Below is an example of a top-down hazard analysis.



Image 2: An example of top-down hazard analysis process

In the bottom-up method the failure mode of a system, human performance, procedure or process is placed at the bottom and the analysis works upward to determine the undesired consequence that could result from it. Below is an example of a bottom-up hazard analysis.

Reading from the failure mode at the bottom up to the consequence at the top:

  1. Maintenance technician forgets to reseat the ventral fuel pump circuit breakers after maintenance
  2. Flight crew fails to verify that the circuit breakers for the ventral fuel pumps were pulled and collared
  3. Ventral fuel pumps fail to transfer fuel from the ventral tank to the wing tanks
  4. Fuel depletion in the wing tanks prevents sustained flight to the destination
  5. Aircraft has to conduct an emergency diversion due to fuel starvation

Image 3: An example of bottom-up hazard analysis process

In summary, hazard analysis is the process of identifying hazards and their consequences. In the aviation environment, incident/accident investigation, audits, inspections, surveillance, hazard reports and safety data analysis are all activities that help identify hazards and their consequences.

3. Risk Assessment:

In risk assessment, the severity of the consequence(s) identified in hazard analysis and the probability of each consequence occurring are determined, taking into account all risk controls and prevention strategies that already exist. The risk (the combination of probability and severity) is then placed in a matrix to help management judge whether it is at an acceptable level or must be reduced further with additional risk controls.

Image 4: Illustration of a safety risk matrix

A common norm in the aviation industry is that a risk in the red region is considered high: the associated activity cannot continue unless the risk is immediately reduced to an acceptable level. A risk in the yellow region is considered medium: the activity may continue provided senior/executive management accepts the risk until the actions that bring it into the green region are completed. A risk in the green region is considered low and acceptable; it rarely needs additional risk controls.

4. Risk Mitigation:

Risk mitigation is the process of carrying out actions that bring the initially assessed risk of a hazard down to an acceptable level of safety. These actions may be detective, corrective and/or preventive in nature. Risk mitigation of any hazard should be attempted in the following hierarchical order, most effective first:

  1. Elimination of the hazard – ex: removing FOD from the airport apron, cleaning up an oil spill
  2. Substitution – ex: the ability to inflate a passenger life vest by two different methods
  3. Engineering controls – ex: the engine fire extinguisher button in the flight deck is usually protected with a transparent cover to prevent accidental pressing
  4. Administrative controls – ex: standard operating procedures, checklists, memory items and training
  5. Labeling – ex: “Don’t smoke”, “choking hazard”
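The risk assessment and risk mitigation steps above can be carried through as a small risk register. The following is an added worked example, not code from the page or from ICAO: it models the 5x5 probability/severity layout of ICAO Doc 9859, places an index such as 3B into a red/yellow/green region, orders controls by the hierarchy listed above, and re-assesses the residual risk once they are applied. The region boundaries, the ratings given to the ventral fuel pump scenario from the bottom-up example, and the effect attributed to each control are assumptions for illustration, not figures from the page's matrix (Image 4).

```python
from dataclasses import dataclass, field

# 5x5 layout of ICAO Doc 9859: probability 1 (extremely improbable) .. 5 (frequent),
# severity A (catastrophic) .. E (negligible).
PROBABILITY = {1: "extremely improbable", 2: "improbable", 3: "remote",
               4: "occasional", 5: "frequent"}
SEVERITY_ORDER = "ABCDE"  # A = catastrophic ... E = negligible

# ASSUMPTION: illustrative region boundaries; an operator's own matrix may differ.
RED = {"5A", "5B", "5C", "4A", "4B", "3A"}
YELLOW = {"5D", "5E", "4C", "4D", "4E", "3B", "3C", "3D", "2A", "2B", "2C"}

# Mitigation hierarchy from the page, most to least preferred.
HIERARCHY = ["elimination", "substitution", "engineering", "administrative", "labeling"]


def risk_index(probability: int, severity: str) -> str:
    """Return the matrix cell, e.g. '3B'; reject values outside the 5x5 layout."""
    if probability not in PROBABILITY or severity not in SEVERITY_ORDER:
        raise ValueError(f"invalid probability/severity: {probability}{severity}")
    return f"{probability}{severity}"


def region(probability: int, severity: str) -> str:
    """Map a cell to its tolerability region: red, yellow or green."""
    idx = risk_index(probability, severity)
    if idx in RED:
        return "red"
    if idx in YELLOW:
        return "yellow"
    return "green"


def decision(colour: str) -> str:
    """Management action implied by the region, as described in the text."""
    return {
        "red": "stop: activity cannot continue until risk is reduced",
        "yellow": "continue only with executive acceptance while mitigation is tracked",
        "green": "acceptable: monitor effectiveness under safety assurance",
    }[colour]


@dataclass
class Control:
    kind: str                 # one of HIERARCHY
    description: str
    probability_drop: int = 0  # ASSUMPTION: estimated effect, in matrix steps
    severity_drop: int = 0     # steps toward E (negligible)

    def __post_init__(self):
        if self.kind not in HIERARCHY:
            raise ValueError(f"unknown control kind: {self.kind}")


@dataclass
class Hazard:
    condition: str             # the three sides of the hazard triangle
    initiating_mechanism: str
    target: str
    consequence: str           # output of hazard analysis
    probability: int           # initial assessment, existing controls considered
    severity: str
    controls: list = field(default_factory=list)

    def plan(self) -> list:
        """Controls in hierarchy order, so elimination is attempted before labeling."""
        return sorted(self.controls, key=lambda c: HIERARCHY.index(c.kind))

    def residual(self) -> tuple:
        """Re-assess probability and severity after all planned controls."""
        p = self.probability
        s = SEVERITY_ORDER.index(self.severity)
        for c in self.plan():
            p = max(1, p - c.probability_drop)
            s = min(len(SEVERITY_ORDER) - 1, s + c.severity_drop)
        return p, SEVERITY_ORDER[s]

    def initial_region(self) -> str:
        return region(self.probability, self.severity)

    def residual_region(self) -> str:
        return region(*self.residual())


def build_fuel_pump_hazard() -> Hazard:
    """Constructed from the page's bottom-up example; ratings are assumptions."""
    h = Hazard(
        condition="ventral fuel pump circuit breakers left pulled and collared",
        initiating_mechanism="technician forgets to reseat breakers after maintenance",
        target="aircraft and occupants",
        consequence="fuel starvation forcing an emergency diversion",
        probability=3, severity="B",
    )
    h.controls.append(Control("labeling", "placard at CB panel: verify fuel pump CBs reset"))
    h.controls.append(Control("administrative", "checklist item: confirm fuel pump CBs in "
                              "after maintenance release", probability_drop=1))
    h.controls.append(Control("engineering", "low-pressure caution for ventral pump transfer",
                              severity_drop=2))
    return h


if __name__ == "__main__":
    h = build_fuel_pump_hazard()
    print("initial :", risk_index(h.probability, h.severity), h.initial_region(),
          "->", decision(h.initial_region()))
    for c in h.plan():
        print(f"  {c.kind:>14}: {c.description}")
    p, s = h.residual()
    print("residual:", risk_index(p, s), h.residual_region(), "->", decision(h.residual_region()))
```

Run as a script, the constructed hazard starts at 3B (yellow, continue only with executive acceptance) and, after the checklist item and the caution light are applied, ends at 2D (green). Whether the controls really achieve those drops is exactly what the Safety Assurance pillar must later verify; the register only records the estimate.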

In summary, Safety Risk Management comprises all the activities from the identification of a hazard to the implementation of risk controls that reduce the risk associated with that hazard to, and maintain it at, an acceptable level of safety.

The Safety Assurance pillar of SMS follows Safety Risk Management. Its major purpose is to verify whether the risk controls implemented under Safety Risk Management have been effective in reducing the risk associated with the hazard to an acceptable level.

Featured Image by Soumya Ranjan