
Safety Management System

4. Safety Risk Management


  1. General

    1. This process is used to understand critical characteristics of systems and their sub-systems, including activities, resources, and operational environments, and to use this knowledge to identify hazards, analyze and assess risk, and design risk controls. Reviews such as operational meetings and review boards provide a venue to channel identified risks along with change management procedures. The SRM form will be used to document and track safety risks identified during changes or modifications to the operational processes within the school. The SRM process can be used in 3 ways: reactive, proactive and predictive.

      • The reactive use of SRM is in response to a hazard or ineffective risk control found through the Safety Assurance (SA) process, often an investigation, or that has led to a negative outcome or consequence within the operation (Ex: aircraft damage or injury).

      • The proactive use of SRM includes SA inputs to identify changes in the operation that could lead to new hazards and to identify controls that are no longer effective for correction prior to a negative outcome, and to analyze proposed changes to identify potential hazards for correction prior to implementation.

  2. SRM Processes

    1. A. System Description and Task Analysis (used for proposed changes)

      B. Hazard Identification

      C. Safety Risk Analysis (C and D are referred to as “SRA”)

      D. Safety Risk Assessment

      E. Safety Risk Control or Mitigation

  3. SRM Triggers

    1. The SRM Process is initiated by the following “triggers”.

      A. New or revised process or procedures

      B. New or revised operation or environment

      C. New or revised system, organization or resources

      D. New or revised product or service

      E. New hazards (identified in the SA functions)

      F. Ineffective risk controls (identified in the SA function)

    2. The changes listed below often do not constitute an SRM “trigger” if they are not changing the system. SRM triggers will be considered for the following changes to determine if they affect the work being performed by members of the school, their environment and resources. If there is no impact, SRM will not be performed for the changes that are isolated to the list below.

      A. Editorial changes to correct typographical errors with no safety impact (e.g., spelling or grammatical)

      B. Changes to add, delete, update or correct electronic links

      C. Changes to standardize title of personnel, forms, etc.

      D. Editorial/format changes that do not affect the intent of the document

      E. Changes to data or text that do not impact the process or actions performed

  4. System Description and Task Analysis and Hazard Identification

    1. System Description/Task Analysis and Hazard Identification will be performed for the triggering events listed in section 4.3. Perform these steps to ensure an understanding of the current scope of the system being changed, the impact of the change on the function, resources and environment, and the hazards that could be introduced as a result.

    2. The System Description and Task Analysis will be detailed enough to:

      A. Identify hazards

      B. Develop operational procedures

      C. Develop and implement risk controls

    3. The System Description and Task Analysis answers the following three questions.

      A. What is the current system/sub-system, tasks (process/procedures, environment, resources needed) and their interface with each other?

      B. What is being changed or introduced?

      C. What is the impact? (leads to hazard identification)

  5. Identify Hazards

    1. Hazard identification is the output of the System Description and Task Analysis (for proposed changes) or the output of the System Assessment within the Safety Assurance (SA) process (where new hazards or ineffective risk controls are identified).

      A hazard is defined as a condition that might cause (is a prerequisite to) an incident or accident.

  6. Risk Analysis, Assessment and Control

    1. The purpose of these steps is to estimate the severity and likelihood of an outcome (incident or accident) associated with each identified hazard, acceptability of the risk level and the need for risk control.

    2. Analyze and Assess Safety Risk

      1. The analysis will consider the credible outcome associated with the hazard to determine “how likely?” it is to occur and “how bad?” it would be. The assessment will quantify the outcome in terms of severity and likelihood and determine acceptability.

      2. Individuals who are authorized to perform safety risk analysis, assessment and acceptance decisions are defined in the training requirements section.

    3. Safety Risk Analysis determines the severity and likelihood of the potential outcome (incident or accident) associated with each hazard. This step considers the condition that is being created, introduced or is present from the System Description/Task Analysis or from the System Assessment, and what could reasonably result. Considerations include existing risk controls and their effectiveness, triggering mechanisms that could affect the hazardous condition and result in a negative outcome, as well as a credible outcome that could result. The severity and likelihood associated with the credible outcome are evaluated.

      1. The outcome should be credible. If multiple outcomes are possible, the worst credible outcome (not worst case scenario) should be used. For example, while there is a rare potential for a bird strike to result in critical or catastrophic incidents, that is a worst-case scenario, not a credible outcome. The worst credible outcome is often aircraft damage. Considerations to determine this would include types and number of birds at the location. It is important to identify the credible outcome that could reasonably occur to ensure that we are adequately protected against it. Do not assume a worst case scenario since that would mean that all controls have failed. In most cases, this would not result in a credible outcome. It is equally important to not assume that what has always happened will continue to happen, especially if a change is being introduced.

      2. Consider rate of exposure to the hazard. Analysis can be qualitative and/or quantitative, based on a combination of experience, judgment, and data from within the school and the industry (when needed). It is important to not only look at the past, but also to look at what we anticipate in the future based on operational performance. Consider whether we have avoided outcomes because we are good (strong procedures/controls) or lucky.

    4. Safety Risk Assessment uses the SMS Risk Matrix to select severity and likelihood that describe the outcome of the hazard and to determine whether the risk is acceptable.

      1. Risk assessment is a core component of SMS and is used to assist management in making decisions that impact safety. The purpose of conducting a formal safety risk assessment is to prioritize items competing for limited resources and to identify hazards requiring special handling.

  7. Control/Mitigate Safety Risk

    1. Once hazards and their risks are fully understood, risk controls/mitigation plans are developed for each risk that is unacceptable (levels 3 and higher). Mitigation strategies shall be developed no later than 30 days after being designated as risk level 3 or higher. For lower risks, the goal is to reduce risk to “As Low as Reasonably Practical” (ALARP). Areas for consideration for the mitigation plan are risk controls and procedural changes.

    2. Revised Risk (Predicted Residual Risk and Substitute Risk)

      1. Prior to implementation of new Risk Controls or the mitigation plan, the revised risk will be assessed to determine if the risk will be reduced to an acceptable level if added to the current environment. The risk control and mitigation plan will be ready to use in its intended environment when evaluating what the revised risk will be following implementation. The revised risk considers the impact of the mitigation plan/controls to address the initial risk (predicted residual risk) and whether any new risks (substitute risks) will be introduced unintentionally. The components that determine the revised risk are the current operation, predicted revised risk and substitute risk.

    3. Implementation and Monitoring Plan

      1. The change is placed into the operation when the predicted revised risk level is acceptable, considering the mitigation plan with controls in the intended environment. The SA processes are used to monitor the risk controls to ensure they continue to be implemented as designed and continue to be effective.

    4. Promotion and Lessons Learned

      1. Safety Promotion and Improvement: consider any safety promotion opportunities and ways to share lessons that have been identified as a result of the SRM. The lessons learned can provide valuable insight across the School that will help explain the ‘why’ to affected students, faculty, and staff.

    5. Approval

      1. Present the following to the individual with the authority to accept the initial risk level within the School prior to implementation. This may be accomplished by directing the individual to the record within the SRM documentation.