Open access peer-reviewed chapter

Safety and Risk Assessment of Civil Aircraft during Operation

Written By

Asif Mostafa

Submitted: 07 June 2020 Reviewed: 06 July 2020 Published: 23 December 2020

DOI: 10.5772/intechopen.93326

From the Edited Volume

Safety and Risk Assessment of Civil Aircraft during Operation

Edited by Longbiao Li



Risk and safety are always considered to be the most critical operational characteristics of civil aircraft. Typically, they relate to the possible occurrence of air traffic collisions that could result in loss of life, damage to infrastructure, and damage to property by third parties. Consequently, in addition to other adverse effects such as noise and air pollution, they were deemed externalities. Because of their inherently very high importance, risk and protection became topics of continuous study, ranging from purely technical/technological aspects to explicitly administrative ones. Such concerns require the establishment of appropriate regulations regarding designs and operations of device technology. In order to assess the risk, there are several methods, which include: identification of safety concerns, analysis of the likelihood of the risk factors, analysis of the severity of the risk factors, and assessment of the admissibility of the risk factors. Finally, risk reduction should be performed using three general strategies: avoidance of the risk, reduction of the risk, and isolation of the exposure. These strategies are implemented based on efficiency, technical measures, controlled measures, staffing measures, cost/benefit, practicality, acceptability to each party, durability, residual risk factor for flight safety, and new challenges. With the advancement of technology, new methods of risk reduction and of addressing safety concerns are being developed to ensure safe and risk-free flight operation.


  • civil aircraft
  • risk assessment
  • safety assessment
  • risk and safety methods
  • operation

1. Introduction

The rapid worldwide growth in air traffic and aircraft technology requires a rapidly changing and adaptable aviation environment in which borders are hardly restricted to single countries. Along with this ongoing change, safe aviation operations are crucial. Absolute safety does not exist, and eliminating accidents and serious incidents is unachievable. Failures always occur, despite the most accomplished safety efforts, since all risks cannot be totally eliminated. No human-made system/innovation can be risk free. However, risk and error are acceptable in an inherently safe system. So, how can we ensure that aircraft operations are safe if all risks cannot be eradicated? What is safety? What is risk? Safety is the condition in which the danger of harm to persons or property damage is minimized to and retained at or below an appropriate level by an ongoing process of hazard detection and risk management. In civil aviation, risk has been assessed as the probability of the occurrence of an air accident in terms of two aggregate indicators, the accident rate and the fatality rate. Thus, if new operations are to be undertaken, equipment is required to ensure that an acceptable level of safety is guaranteed and the upcoming risks are taken into consideration [1].

Safety assessment and risk assessment are the two fundamental terms used in aviation to address the degree of safety of aircraft operations [2]. The purpose of this assessment is to determine the degree of safety associated with a particular action/operation by identifying the expected risk(s) and by giving guidance to decision-making roles on whether to accept or not accept the risk(s) to which the operation is expected to be exposed. Through this assessment, on the basis of a predetermined acceptable level of risk, mitigation strategies/corrective actions can and should be implemented for specific safety risks so as to reduce their potential impact(s). The terminology of safety assessment and risk assessment has now merged to the point that it has become hard to tell whether they represent two distinct methods; if they are distinct, in which circumstances each should be used; or whether they complement one another, so that performing one implies accomplishing the other. Nevertheless, given these complexities, it is commonly recognized that their ultimate objective is the same: to determine when and where measures should be taken to guarantee the expected appropriate safety level.


2. Safety and risk concept in civil aviation

Aviation regulators and industry experts have continually developed and updated strategies and resources over the years for the evaluation of ongoing developments in the aviation industry in order to ensure appropriate standards of safety while enhancing flight operating capabilities, increasing the utilization of airspace, and reducing operational costs.

The concept of aviation safety and risk can have different perceptions: zero deaths or serious incidents, free from hazards, aviation employee attitudes toward unsafe acts and conditions, avoidance of error, and regulatory conformity.

Safety is defined as the “State where the potential for harm to persons or property damage is minimized to and preserved at or below an appropriate level by an ongoing process of hazard recognition and safety risk management. For technological systems, risk is related to the possibility of part failure or the whole system causing hazard exposure and related consequences. In economic structures, risk may be exposed to the threat of losing market prospects and/or resources due to unpredictable circumstances. In social systems, risk is the chance of being exposed to injury hazard and/or life loss. Therefore, risk could be viewed as a combination of the probability (or frequency of occurrence) and the magnitude (or severity) of a hazardous event.”

When new equipment is developed, or for instance a new flight operational procedure is designed, the requirement for a safety assessment or risk assessment is very common in the aviation industry before the new technology or procedure is put into place. Very often, this is triggered by the operator/manufacturer through recommendations made by aviation associations/working groups or regulatory requirements. An assessment usually includes an overall evaluation of something called a framework that may include a thorough review of particular subsystems. The assessment aims to identify the level of safety associated with a certain action/operation by identifying the expected risk(s) through guidance on the decision-making roles to either accept or not accept the risk(s) to which the operation will be exposed. This assessment, based on a predetermined acceptable level of risk, can and should implement mitigation strategies and corrective actions based on specific safety risks to reduce their potential effects. Safety and risk assessments are the terms most commonly used for this assessment. Table 1 gives the definitions of aviation safety and risk terms.

| Term | Meaning |
|---|---|
| Consequence | An event’s performance. A consequence may be definite or uncertain with positive or negative effects on goals |
| Control (also can be called mitigation) | Risk-modifying measure |
| Establishing the context | Defining external and internal requirements for risk management and defining the scope and risk standards for risk management policy |
| Event | Defining the external and internal parameters to be taken into account when managing risk and setting the scope and risk criteria for the risk management policy |
| Level of risk | Risk magnitude or mixture of risks expressed in terms of balancing consequences and probability |
| Likelihood | Chance of something happening |
| Monitoring | Repetitive screening, tracking, vital observation, or status determination to identify deviations from the necessary or planned output |
| Residual risk | Remaining risk after treatment |
| Risk | The impact of uncertainty on events’ potential goals and their consequences, or a combination thereof |
| Risk analysis | System to grasp risk nature and assess risk level |
| Risk assessment | In this context, the overall process of risk identification, risk analysis, risk evaluation, and identification of controls (mitigation) |
| Risk criteria | Reference terms against which risk significance was evaluated |
| Risk identification | Process of finding, recognizing, and describing risks |
| Risk management | Coordinated efforts to guide and monitor risk-related tasks |
| Risk management plan | The scheme within the department’s risk management system defining the strategy, management elements, and tools to contribute to risk management |
| Risk management process | Systematic application of management policies, procedures, and practices to communicating, consulting, and context-setting, identifying, analyzing, evaluating, monitoring, and risk review activities |
| Risk owner | Person or entity with the accountability and authority to manage risk |
| Risk profile | Description of any set of risks |
| Risk source | Element, which alone or in combination, has the intrinsic potential to give rise to risk |

Table 1.

Definition of aviation safety and risk terms.

| Level | Event assessment | Priority criteria |
|---|---|---|
| Hazard level | Severity | How bad is the situation? |
| Risk level | Severity + probability | How bad are the situation and the possibility for it to happen? |
| Fleet risk level | Severity + probability + exposure | How bad is the situation, the possibility for it to happen, and what is the size and utilization of the affected fleet |

Table 2.

Event assessment criteria.

2.1 Safety assessment

A safety assessment mainly aims to identify which risks a new operation/system is expected to be exposed to and whether they are acceptable or not on the basis of the safety criteria normally established by aviation regulators.

2.1.1 Safety assessment process

The ongoing safety assessment process continues the initiative that has begun during the design phase and ends with the launch of the new model of aircraft and continues until the aircraft is removed from service.

Three priorities are set in the ongoing safety assessment process:

  1. Maintain airworthiness (certification) of the aircraft: in-service incidents are evaluated based on the safety standard of the certification process.

  2. Maintain aircraft safety: in-service incidents are measured against the company’s internal health objectives.

  3. Improve airplane safety: in-service incidents are analyzed to find potential for minimizing their number or exceeding the company’s protection objectives.

It is intended that the safety assessment process will be continuous, iterative, and closed. When an incident is identified, assessed, and actions are taken, the surveillance continues to validate the action’s effectiveness. The safety of the aircraft depends on a variety of factors, including original design, development, aircraft crew and maintenance behavior, operational effects, parts quality, modifications, the atmosphere, and aging of the aircraft. The safety assessment consists of five steps:

  1. Establish Monitor Parameters

  2. Monitor for Events

  3. Assess Event and Risk

  4. Develop Action Plan

  5. Disposition Action Plan

Figure 1 shows the steps involved.

Figure 1.

Safety assessment steps.

“Establish Monitor Parameters” begins by identifying the company’s basic safety framework, priorities, and objectives. This process also sets out the parameters for monitoring and their values.

“Monitor for Events” is a continuous process of searching for events of concern. This monitoring is based on the monitoring parameters set in the previous step.

“Assess Event and Risk” is a process that is initiated when an event is detected. This includes the assessment of an event that is sufficient to determine whether the event is of real concern. It also includes the preliminary determination of risk for use in prioritizing the initial extended evaluation and the development of the Action Plan. A more detailed and comprehensive risk assessment may be carried out on the basis of the seriousness of the event and the initial risk assessment.

“Develop Action Plan” is a process that provides for correction or improvement, such as a change in design or a change in operation, maintenance, or training procedures for the event identified. An action plan may not be needed if the event is determined to be sufficiently initiated.

“Disposition Action Plan” means the evaluation and/or implementation of the Action Plan. This may include determining whether or not the action will be taken and prioritizing, scheduling, and implementing the action. Once the action is completed or the determination is made not to implement the action, the process returns to the normal status of event monitoring. In some cases, revision or updating of the monitor parameters may occur as a result of an event or action taken.

Let us now look at the safety assessment process in depth. Figure 2 shows a detailed flowchart of the ongoing safety assessment process.

Figure 2.

Safety assessment process.

Establish Monitor Parameters: The “Establish Monitor Parameters” phase shown in Figure 1 is divided into “Establish Expectations” and “Establish Monitor Parameters” activities.

Establish Expectations: There are two simple “Establish Expectations” steps. The first is establishing organizational frameworks and principles before beginning this process. This will involve defining the organization’s safety goals and guidelines. The second establishes operating requirements for each fleet. This activity involves determining what day-to-day operating expectations are and what types of operations and performance will or will not be accepted within the fleet.

“Establish Expectations” includes establishing the company’s safety philosophy, assessing the role of safety within the company’s structure, and defining acceptable levels of risk and performance. It may vary from a structured formal security organization to an informal structure. The safety organization must be adequately autonomous to ensure it can affect the safety philosophy.

There are at least two levels of expectations. The first is the standards levied by the regulatory body, aimed at establishing minimum operational health. The second is the user’s own standards, which can surpass regulatory agency requirements. These internally imposed expectations may include parameters or requirements not covered by regulations or lower-than-required risk levels. Requirements and expectations can be dependent on many factors, including the following:

  1. Basic aircraft requirements

  2. Safety analysis

  3. Requirements for regulatory reporting

  4. Operational features (e.g., cargo vs. passenger carriers)

  5. Aircraft maintenance programs

  6. Operating environment conditions (e.g., operations, tropical vs. arctic operations)

  7. Experiences identified by earlier process use (i.e., continuous improvement)

  8. Industry-related accidents and incidents (where available)

  9. Lessons learned

Fleet-specific expectations are passed on to the phase of the process “Establish Monitor Parameters.”

Establish Monitor Parameters: Phase “Establish Monitor Parameters” builds on previously set expectations. This step develops the information or data to be collected, how it will be collected, and how it will be compared to expectations. This can range from minor reportable compliance issues to comprehensive data collection and review programs. The actual parameters to be chosen are the company’s option depending on the level of ongoing safety assessment process that management wants. Selecting different parameters will be affected, among others, by data availability. Communication between organizations is helpful in setting correct parameters.

Monitoring Effectiveness of Previous Actions: After developing the initial maintenance plan for a given aircraft, the operator continues to monitor the program’s effectiveness for the desired reason of keeping the aircraft secure. The following is one of several ways to achieve this.

Once actions are undertaken to address a problem, a follow-up testing process should be developed to track implementation and assess action effectiveness. This follow-up method can be achieved by comparing pre- and post-conditions of correction-affected systems. Comparison frequency should be based on probability and severity factors. During this post-implementation review, initial findings (e.g., teardown reports) may be reexamined. This verifies the action implemented eliminates the problem, and the assumptions used in the analysis are valid.

After the expectations and monitoring parameters are defined, they are then used during the “Monitor for Events” phase.

Monitor for Events: This phase consists primarily of the “Collect and Analyze Data” process. An event may be of interest by itself, for example, engine shutdown, or it may only be of interest in conjunction with other events that may or may not have occurred concurrently, for example, one navigation receiver failure. An event may be an operation or maintenance error. An event may or may not be relevant to aircraft safety. (An event may be a single incident or set or compilation of separate and distinct occurrences considered as a single event for discussion and analysis convenience).

Event monitoring includes two related but distinct elements: collecting and analyzing data concerned with “new” events of concern, and monitoring the effectiveness of previous actions, which tracks events already evaluated through the process.

Collect and Analyze Data: The aim of the “Collect and Analyze Data” phase is to provide continuous monitoring of actual operations to determine expectations. In this step, data available for monitoring any parameters specified in the step “Establish Monitor Parameters” should be obtained and analyzed. While collecting and analyzing this data, possible problems and patterns will be established. Compared to the potential cost of lost assets and equipment, the cost of data collection and analysis is relatively low.

Where no issue or pattern is identified, the process continues in the phase “Collect and Analyze Data.” Whenever the analysis identifies a possible issue or trend, the data will be summarized for process phase “Assess Event and Risk.”

Assess Event and Risk: Once a potential problem or trend has been identified, by internal data collection and analysis or from an external source, the “Assess Event and Risk” phase is initiated. This process develops a sufficient level of understanding of the event and its cause(s) to assess the possible consequences and the associated risk. Once these are known, it can be determined whether the incident needs further action. If the incident is determined not to warrant further action, the process shifts to “Register and Close.” If an event warrants further action, the appropriate organization(s) should be determined. If the problem requires external action, the party responsible should be informed of such action in a reasonable time. If internal action is established, proceed to “Develop Action Plan.”

The “Assess Event and Risk” phase shown in Figure 2 is divided into “Assess Event and Risk,” “Determine Internal or External Issue Resolution,” and “Notify Responsible Party.”

Assess Event and Risk Task: Event assessment and subsequent risk offers information identifying the severity of a particular safety concern. It also offers risk reduction and optimization of inspection and alteration services for in-service security-related issues. This assessment is conducted to determine whether an issue is a safety problem or to provide awareness of major risks. Risk assessments may be qualitative or quantitative and should involve assessing magnitude and likelihood of occurrence.

Determine Internal/External Issue Resolution: If the company reporting the incident has the capacity and ability to take the action, it must follow the “Develop Action Plan” process. If not, the external organization is determined.

Notify Responsible Party: Once the responsible organization is identified, they are contacted and start evaluation with the “Assess Event and Risk” step in their process. The investigation often continues, involving more than one organization. Consider an incident in the field, for example. The operator must assess the event and danger and can contact the OEM. It is necessary to note that the processes between the originator and the organizations are now intertwined. The originator will want to organize and monitor the progress of the company toward timely action resolution. Communication skills are involved between all organizations. Through the “Action Applicability Review” step, actions formulated by the external organization will reenter the originator’s safety assessment process.

Develop Action Plan: The phase proceeds with the responsible organization addressing the event in their respective “Develop Actions Plan,” “Select Action,” and “Review Selected Action for Approval” processes.

The “Develop Action Plan” phase involves more analysis on event triggers and the creation of one or even more potential actions. This will include future behavior of risk assessment. Developing actions for all problems simultaneously due to limited resources may not be practical. Hence, the company must assign priorities based on its internal issue tolerance and potential regulatory oversight. Both priorities require resource allocation first to concentrate on safety-critical items and later to identify and monitor operator-sensitive issues. When developing an action, understanding the root cause is important.

Select Action: “Select Action” consists of evaluating options and identifying those with acceptable safety levels. This stage typically includes providing organizational approval action(s). Typically, technical expert(s) presentations to a review board or management position should include a statement of the issue or concern, historical background, results and assumptions of risk analysis, actions already taken, and recommended future actions.

Review Selected Action for Approval: Based on technical expert reports, management or review board accepts or refuses the planned action. As a practical matter, the management of the organization would also consider the economic impacts of certain acts approved by the review board or management, and the implementation approach depends on the form of organization.

If the decision is to approve the proposed action(s), the process proceeds into the “Disposition Action Plan” phase and begins the “Prioritize and Schedule” and “Implement” steps. If the company does not accept the suggested action, they must decide how to proceed. If more research is necessary, then either the “Assess Event and Risk” step to reevaluate the significance of the recommended action or the “Develop Actions Plan” step to refine potential action may be returned. If the recommended action is not accepted and no further review is deemed appropriate, the process moves to “Register and Close” stage. The decision is then reported and sent for future reference.

Action Applicability Review: “Action Applicability Review” is conducted by the potentially affected entity to decide how an externally generated action impacts any aircraft in their fleet. Once external action has been produced to fix a problem found earlier by the reviewing entity, it will be closely reviewed by relevant technical experts to ensure that it is resolved. Any dissatisfaction with the proposed action should be expressed as soon as possible.

When the decision is to implement, the “Disposition Action Plan” phase and the “Prioritize and Schedule” and “Implement” steps begin. When the decision is not to enforce the action, the process shifts to “Document and Close.” The decision is then documented and stored for future reference.

Prioritize and Schedule: “Schedule” is unique to each organization, showing its specific processes and approval cycles. The combined effect of danger, likelihood of occurrence, risk exposure, and availability of parts and other tools help to assess priorities for action. During normal process execution, multiple possible issues can be assessed simultaneously. This usually results in prioritizing the order in which problems will be corrected.

The process includes determining relative priorities (e.g., risk reduction, cost, and implementation ease) of this and other actions and scheduling implementation. Once an implementation plan is developed and approved organizationally, the implementation process is initiated.

Implementation: After identifying and checking the action plan to better address the issue or concern, it can be enforced in the fleet or organization. Issue remedies should be tracked to ensure success in reducing or removing the issue. The monitor performance requirements and data collection and assessment method should be established in the “Disposition Action Plan” phase and forwarded to the “Monitor for Events” part of the process. If this monitoring concludes the intervention is unsuccessful, the issue reenters the ongoing safety assessment process where further data collection and root cause analysis may be needed. The question is then readdressed via the usual safety evaluation process, leading to updated action plans and implementation.

Actions to Other Level: Where service bulletins, ADs or activities that may affect other organizations have been made, they should be forwarded for implementation consideration. Many manufacturers’ contractual agreements with operators include monitoring for SB implementation, while others do not provide a closed-loop operation.

Document and Close: Usually, issues can be solved by releasing an official technical document from the company implementing the transition. Examples of documents that can be modified include the following:

  1. Flight Operations Manual

  2. Engineering Orders

  3. Maintenance Alerts

  4. Maintenance Manuals

  5. Flight Operations Bulletins

For a manufacturer, the document issued may:

  1. be focused toward the operator in the form of a Service Bulletin, Service Letter, All Operator Telex, Maintenance Tips, etc.

  2. be directed toward its own organization which may include new process instructions, production guidelines, new drawings, etc.

If the sequence of documents, procedures, and changes have been completed and monitoring indicates that the problem has been successfully solved, the company will then go back to a mode of tracking criteria and perhaps assess lessons learned from the resolution process.

If no action has been taken, the decision and the reasoning are maintained here.

Lessons Learned: A Lessons Learned process seeks to use in-service experience to enhance all aspects of aircraft operations and design. Introducing a Lessons Learned process allows the systematic reuse of factual information in an efficient manner to improve performance characteristics, such as the following:

  1. Safety, reliability, quality, and cost-effectiveness.

  2. Product quality and business processes efficiency.

  3. Amount and cost of product modifications.

  4. Human/machine-interface compatibility.

  5. User satisfaction needs.

The steps described above are a detailed explanation of what happens in a safety assessment process during civil aircraft operation. A detailed explanation of what happens in the risk assessment process follows.

2.2 Risk assessment

Before assessing a risk, different procedures are to be performed to identify an event. Aircraft safety depends on various factors including the original design, flight crew, manufacturing and maintenance activities, operational results, parts quality, modifications, surroundings, and aging of the aircraft. Departmental aviation risk assessments will follow a standard model. The model identifies the task and context, risks and possibility, present and future mitigation approaches, and the resulting amount of risk. The evaluator considers all possible realistic risk controls, determines those that already exist, assesses the current level of risk, and then selects additional risk measures to reduce the level of risk to one that would usually be appropriate to the organization.

2.2.1 Preliminary risk assessment

Safety and risk assessment have merged into one another in such a way that it is impossible to explain them separately. Therefore, in order to perform a preliminary risk assessment, we need the help of the ongoing safety assessment. In this assessment, the primary focus is risk, and the steps that are defined will be similar to those of the safety assessment.

Figure 3 describes a suggested high-level method for ongoing safety assessment, part of the initial risk assessment phase. This standardized method involves five high-level steps:

  1. Establishing Parameter: Defines the control criteria of a company’s organizational structure, priorities, and goals.

  2. Monitor for Events: Continuous process of searching for events of concern. In other words, it is the process of tracking events and failures.

  3. Assess Event and Risk: The cycle begins when an event is detected. This method decides whether the incident is troubling or a minor failure. This involves initial risk-to-use determination in prioritizing initial extended assessment and implementation of action plan. However, it depends on the situation’s priority, and a more thorough and full risk assessment can be done in case of major issue.

  4. Develop Action Plan: It is a process that sets out corrections or improvements, such as design changes or changes to operations, maintenance, or training procedures for identifying events. The action plan may not be needed if the event is defined not to be a threat.

  5. Disposition Action Plan: Evaluating and/or implementing the action plan. This process decides whether to consider, select, and implement the action. Depending on the urgency of the situation, it means deciding whether or not the event will qualify as a threat and require further investigation. If the action is done or decided not to execute the action, the mechanism returns to the usual tracking status for incidents. In some cases, the monitor parameters may be revised or updated as a result of the event or action implemented.

Figure 3.

Preliminary safety assessment.

Let us now look at the risk assessment process in depth. Figure 4 shows a detailed flowchart of the risk assessment process.

Figure 4.

Risk management hierarchy.

When its extent, triggers, and magnitude are identified and the event is detected, risk assessment will begin. As investigation progresses, the next phase is generally to determine the problem’s likelihood. Risk assessment is conducted to identify the risk scale and determine if steps are required to manage it within separate boundaries. Risk assessment is not an end in itself but could control risks to a reasonable or bearable level. It is also the way of evaluating potential losses from a hazard using a combination of known circumstance information, knowledge of the primary process, and judgment of unknown or well-understood information. For understanding the risk management process, the definition used in the aviation industry must be clearly understood. Table 1 describes such terminology used in aircraft industries.

A work profile and risk assessment is included in every aviation activity. Where a task can relate to a defined task profile and risk assessment, the task preparer will refer to the profile of the task and follow it. If a task profile and risk assessment is covered and no deviations are reported, the task may proceed without further permission, although the pilot and any crew member should provide continuous operational risk assessments during a flight. The corresponding risk evaluation must be reviewed if any job profile changes. Where the planning and task personnel determine that the proposed activity does not fit within a current task profile, a new task profile is created in coordination with the correct designated individual. Danger and regulation awareness is essential to departmental aviation management. Risk management does not end with a risk assessment but is a continuous process for all people who are interested in air use and security. Aviation operators will provide risk evaluation and reduction services. The aviation risk management system of the department follows a qualitative rather than quantitative approach, while historical data are suitable for determining the probability of an incident and provide some indication of the potential effects. The risk assessment process involves looking for hazards, assessing their implications, probability, and identifying risk mitigation plans. This technique is used to assist in developing aviation risk assessments.

Risk assessment is an important part of the processes for concentrating and profiling tasks. They are tightly related and should be reviewed twice to ensure that there are no irregularities or contradictions. Suitable aspects of a job profile can be used to determine the risk management context, and the creation of a role profile can be used for further consideration. Current or expected risk controls may be part of the history, but these must also be assessed in the risk assessment. Everyone engaged in planning and administering aviation services must use this aviation risk assessment process during the training and organization. Accident models show the importance of managing risks at all levels. The risk evaluation and judgment development shall include individuals within organizations and the individual aircraft operator responsible for flight and mission actions. Danger is calculated in order to assess the total risk ranking. The Local Control Center can establish evaluated levels of low risk negligence as a general policy, low to high, for acceptance by the Policy Coordinating Center or government. Only the Director General or delegate and aircraft operator can approve extreme risks; therefore, controls must be implemented to reduce the risk or the task is not performed.

The consequence is a loss or disadvantage incident demonstrated in qualitative instead of quantitative terms. As a result, the possible adverse effects of task-related incidents are evaluated in the sense of security, economic, organizational and public opinion is shown to the subcontractor and the agency. Selection of magnitude depends on risk parameters and design of risk. Subcontractor, aircraft, or equipment expert advice or background information can be used to determine an event’s implications, including information on actual accidents, incidents, or events. For opportunity, probability or possibility the agency uses conceptual concepts. That is the measurement of the likelihood of an incident with a certain outcome, along with a total of the exposure to the incident during the mission. The exposure can be defined as the frequency of the event and the time of the incidence during the behavior.

Factors like crashworthy seats and PPE such as helmets and fire-resistant clothes can handle the consequences. Likelihood may be classified according to planning, architecture, expectations or functions. The system of controls will also be considered when deciding on controls and determining their efficacy. The least efficient risk management tool (PPE) is at the bottom of the map, which displays more controls available to reduce risk; preferably, a number of controls are used to make the risk mitigation more efficient. The findings should be checked in an evaluation and debate process to ensure that no additional risks and hazards have been identified or that they are properly managed. Section 4 shows the hierarchy of risk control.

Figure 5 represents the risk assessment process cycle. This helps visualize the process; although the process may seem complex, in practice it should be relatively simple. Using a standard format should support the risk process. The standard format reproduces typical aviation considerations. These are included to center the total aviation task picture. Without normal aviation operations, no activity can be considered. The process shows how to treat risk assessment step by step and how to arrange it so that errors can be understood clearly but more importantly.

Figure 5.

Risk assessment cycle.

2.2.2 Risk assessment process

Figure 6 explains how the risk assessment process works and how interventions and activities are considered. The method requires skillful expertise and a detailed analysis to avoid making mistakes and prevent further risks.

Figure 6.

Risk assessment process.

  1. Establish the context and gather data: To focus the analysis, avoid overdesign, and define roles and tasks, general idea of the security limit is required. Some initial components of a risk analysis should be security, scope of analysis, functional perimeter, operational use cases, perimeter of architecture, initial security countermeasures, edges environmental, and user-related assumptions, external needs and agreements. Use a graphical representation to gather border information, highlight functional interfaces, and communicate.

    Establishing the task context allows consideration of risk reduction. For example, if the task is to be performed in summer, icing is unlikely to be a significant risk in low-level operations. However, if the task under consideration is performed throughout the year, icing becomes consideration in certain areas of the state. The assessor should establish both external and internal perspectives. The external background can be political, social, environmental, financial, and human. Internal context considerations may contain specific project objectives and their importance to the department that is the department’s internal policies, standards, and guidelines. Department must identify risk factors including impact and probability measures.

  2. Identify the event and risk: Table 2 shows how to assess an event risk. These are the three main classes demonstrating how to assess an incident when addressing crucial issues.

    Risk sources, their impact zones, causes, and possible impacts need to be identified. The traditional format or template provides certain criteria, but the evaluator must look past the obvious when considering a new task or a common task. For example, spray operations typically occur far away from built-up or blocked areas. The spray area may be situated in a low-jet route along which military aircraft fly at a very low altitude. The risk of a mid-air crash can be high if the pilot does not check NOTAMs (Notices to Airmen) warning which routes are involved and where. Significant causes and effects should be taken into consideration. It should also be pointed out that the “race” in aviation starts at the scheduling and planning stage, so issues of fatigue and adequate access to information should be addressed, as well as the calculation of power margins and the availability of landing areas. Risk assessment factors may include failure modes, failure classification, probability distribution and conditional probability, probability of detection by inspection, operational/maintenance restrictions, and candidate actions.

  3. Analyze the Risk: When a potential problem is detected, either as a result of an internal data collection and analysis or from an external source study, it is difficult to address all known situations. It is important to quantify their likelihood and safety impact, determine whether or not risks are acceptable, and measure the effort to prevent the most likely and dangerous threats. For example, for the qualitative likelihood of an attack being successful, the typical ED-202 model provides five probability levels: “highly improbable,” “extremely remote,” “very distant,” “probable,” and “frequent.” “Risk analysis” involves developing an understanding of the danger. The work covers risks and factors, positive and detrimental outcomes, as well as the possibility of consequences. In aviation, regulatory requirements require certain degrees or procedures to reduce risk, such as the registration of aircraft, but different levels of regulation concern various parts of the industry. Chapter 3 offers a number of methods for risk and safety assessment. The initial use of a risk assessment helps to understand the extent of a particular problem. The risk assessment should, however, be reviewed later on to help determine whether potential action plans are adequate. Considerations of both impact and likelihood may be based on historical data, but use of historical data should be reinforced by ensuring that they are relevant to the mission in question. Historical analysis will also involve consideration of existing NSW DPI controls in conjunction with controls present or probably existing in the historical details. It is a call for judgment, but retrospective research is useful when searching for a realistic picture of the probability of the case. Ideally, consideration should be given without substantially reducing the circumstances. NSW DPI Aviation has a standard category definition. Table 3 below shows the categories of consequences.

  4. Develop Action and Evaluate the Risk: This is also part of the “risk analysis” which is understandable, defined and evaluated for likely performance. No calculation is commonly considered to be accurate. It is important to provide several safety treatments. If there is only one treatment at a specific risk, without reduction of risk, the treatment must be improperly handled. When assessing or implementing a treatment to reduce a specific risk, it must be guaranteed that the treatments themselves do not undermine other treatments or actually introduce a new risk. For example, if a treatment was to perform the task only in the winter to minimize heat-related exhaustion, a new risk of freezing or icing exposure could be added.

    Understanding the idea of implementing an action plan is important, because it helps explain the root cause of an issue. It can help identify frequently occurring failures, and with time these problems have led to more serious causes. When the resolution is recognized, it should be developed in detail, tested to verify and validate the action. Records should include the rationale and benefits of recommended actions.

  5. Disposition Action Plan and Further Treatment: Disposition Action Plan is divided into various aspects such as prioritization and scheduling, implementation, actions at other levels, document, and close.

Prioritize, Schedule: Schedule is unique to every company that has its own way of managing the schedule. The process determines qualified emergencies, for example, risk reduction, cost, and implementation ease. This process involves setting up tasks and resources to create and issue a service bulletin to organize the system.

Implementation: When identifying and evaluating the action plan to correctly address the issue or concern, it can be extended to the fleet or organization. Problem management should be tracked to ensure the efficacy of the action in lowering or removing the issue.

Actions to Other Levels: When service bulletins, ADs, or actions that may impact other organizations have been created, they should be sent for execution consideration. Some manufacturer’s contractual arrangements with operators provide tracking for SB implementation, while others do not have a closed-loop process.

Document and Close: The problems are usually solved by issuing an official technical document from the change-making organization.

If the current checks found do not reduce the risk to appropriate standards or where there is consensus that further checks are needed in order to accomplish the job safely, further checks should then be incorporated into the evaluation. Additional checks cannot be applied without the mission priorities being taken into account. This will also be a delicate balancing act, so returning to the project can often help to keep risk management in mind.

Reevaluate the Risk: Once treatment is necessary, it is important to reassess the risk in order not to add any additional risks. For example, if a decision were taken to fly a different form of door aircraft, there would be a new chance of items falling out of the plane. This should be considered as a new vulnerability, with an appropriate diagnosis or solution if there is a potential door issue. The above example shows the criticality of continuous risk analysis.

Further steps and evaluation are required where risk is already deemed intolerable or whether the function will benefit from further risk management.

Ultimately, the appraisal and analysis process continues until one of two outcomes is reached: either the task risk remains too high, in which case the assignment is denied or input from senior departmental management is required, or the assignment risk is lowered to the acceptable level and the work profile and risk assessment is accepted.

Submitting for Approval: The planner/worker individual shall send the final job profile and risk assessment to the Director of Operations for approval. The document is then forwarded to the Emergency Management Unit to be placed on the Internet to be easily available to aircraft planning and operations personnel.

This chapter describes step by step, or in detail, how risk assessment and safety assessment are initiated and processed in aviation. The initial assessment and major assessment are divided into two different aspects. It describes how to detect and process an event. If an event is not too serious, the basic process is used to eliminate the threat. But if the event is complicated, a major risk and safety assessment is considered and implemented. In the next chapter, we discuss the methods or tools required to carry out these assessments.


3. Methods/tools that are used in the safety and risk assessment process

Any analysis is as valid as its conclusions, data, and analytical techniques. Therefore, the underlying assumptions, data, and analytical techniques should be identified and justified to ensure validity of analysis conclusions. Variability can be inherent in elements such as failure modes, failure results, failure levels, failure probability distribution functions, failure exposure times, failure detection techniques, failure independence, human interfaces (e.g., crew behavior and procedures), and limitation of analytical approaches, processes, and assumptions. The rationale of the conclusions on the above things should be an important part of the analysis.

Assumptions can be checked using experience with identical or similar systems or components, with due allowance for differences in design, duty cycle, and climate. Where the adequacy of the analysis cannot be entirely explained and where evidence or conclusions are crucial to the conclusion’s acceptability, extra conservatism should be incorporated into either the analysis or the intervention. Additionally, any uncertainty in the data and conclusions should be analyzed to the degree required to show that the analysis results are insensitive to this uncertainty. Any assumptions and other uncertainties related to a safety analysis must be identified and documented in order to judge their effect on the conclusions of such an analysis and to conduct sensitivity analysis. Ongoing field experience should be tracked to continue validating conclusions and reducing risks, or to collect the data required to minimize the effects of the extra conservatism built into the initial study. If any flaws are found in the assumptions, the safety analysis must be reviewed.

However, the need to calibrate the safety analysis with past experience helps ensure that the future forecast is realistic, ensuring that operational parameters (deadlines, etc.) remain constant. If the analysis does not calibrate, further evaluation is required to determine which safety analysis assumptions may be in error. The safety analysis will not predict accurately unless it can calibrate to actual experience.

3.1 Hazard identification methods

In the airline industry, understanding and defining what a hazard is has changed over the years and continues to be the subject of discussion in the world of aviation. Throughout the early 1950s, safety enhancements were attributed to resolution of technical issues, with an event/accident often defined as human error in the late 1960s as the underlying causal factor(s). Organizational factors started to be identified as possible threats in the 1980s, adding to or triggering a safety standard in an activity. It is widely recognized that, when determining threats or contributing factors, their natural root is a combination of various areas.

Hazard can be any factor within the following four main aspects:

  1. Technical

  2. Human

  3. Organizational

  4. Environmental

| Consequence | Aspect | Definition |
|---|---|---|
| Catastrophic | Safety and well-being | Fatalities involving subcontractor and/or department personnel and/or persons working on behalf of the department or the general public. Long lasting well-being issues. The failure to complete the task has a significant detrimental effect on the saving of human life |
| Catastrophic | Economic | Loss of an aircraft (repairable). Complete failure to achieve the contracted task. Significant increases in insurance payments by the department and/or subcontractors, prosecution legal costs (e.g., for catastrophic breach of pesticides/threatened species/animal welfare or any other act) |
| Catastrophic | Organizational capability | Department may lose control or management of contracts associated with aviation support of department operations. Department and/or contractor’s capability significantly affected through circumstances completely within the relevant organization’s control. Objectives mostly not achieved |
| Catastrophic | Reputation and image | The public and/or government could completely lose confidence in the department’s emergency management and/or subcontractor and their ability to carry out present or future aviation tasks in support of the department objectives and legislative responsibilities. Litigation actions may occur |
| Major | Safety and well-being | Serious injuries involving subcontractor or department personnel and/or persons working on behalf of the department, or the general public that may result in permanent disability or chronic health issues. Significant ongoing well-being issues |
| Major | Economic | Loss of an aircraft for an extended time due to substantial repairs required. Failure to achieve some significant and minor aspects of the contracted task causing significant detrimental effect on the saving of property (including crops/pasture/animals). Increases in insurance payments by the department and/or subcontractors. Litigation may occur in response to failure (also damaging reputation) |
| Major | Organizational capability | Department and/or contractor’s capability significantly affected through circumstances within the relevant organization’s control. Important objectives not achieved |
| Major | Reputation and image | Widespread (multi-region) significant and adverse questioning by the public, government, parliament, or media of the competence of the department’s aviation control or management in support of department objectives |
| Moderate | Safety and well-being | Serious injuries involving subcontractor or department personnel and/or persons working on behalf of the department or injuries to the general public that would result in temporary disability and impacts on well-being |
| Moderate | Economic | Serious damage to an aircraft that could render it incapable of further operations for more than 1 month. Failure to achieve a significant aspect of the contracted task causing a detrimental effect on the saving of property (including crops/pasture/animals). Possible increases in insurance payments by the department and/or subcontractors |
| Moderate | Organizational capability | Department and/or contractor’s capability affected through circumstances within and outside the relevant organization’s control. Some important and minor objectives or aspects of the task not achieved |
| Moderate | Reputation and image | Regional adverse reporting and questioning by the media of the competence of the department’s aviation control or management in support of department objectives |

Table 3.

NSW DPI aviation risk assessment and management consequences definition [3, 4].

Other definitions can be found in the aviation industry (Table 4).

| Source | Hazard definition |
|---|---|
| CAA UK and Eurocontrol | Any condition, event, or circumstance which could induce an accident |
| CAA UK | A physical situation, often following from some initiating event, that can lead to an accident |
| FAA | Any existing or potential condition that can lead to injury, illness, or death to people; damage to or loss of a system, equipment, or property; or damage to the environment. A hazard is a condition that is a prerequisite to an accident or incident |
| CAA Canada | A source of potential harm, or a situation with a potential for causing harm, in terms of human injury; damage to health, property, the environment, and other things of value; or some combination of these |
| | Condition, object, or activity with the potential of causing injuries to personnel, damage to equipment or structures, loss of material, or reduction of ability to perform a prescribed function |

Table 4.

The definition of hazard.

Risk detection is historically a subjective task and therefore its effectiveness relies on individual or team knowledge to determine it. In the industry, various analytical tools and information sources are available for the risk detection process, such as organizational observations or process analysis.

Interviews with organizational experts and key informants: This method is very selective and limited because it is based exclusively on individual information and restrictions.

Brainstorming hazard sessions: Specialists in all operating fields have found these to be helpful and successful in recognizing as many hazards as possible. This approach is largely based on knowledge and experience. Guidance on how to use these sessions and techniques can easily be found in the public domain on the Internet.

Hazard and operability tool (HAZOP): A brainstorming technique used to identify hazards and operability problems when the process design or scheduled changes are completed during brainstorming sessions. This strategy depends on the expertise and experience of the team, which must be as interdisciplinary as possible to identify any deviations from the planned process, plan, or activity. It is considered very useful in new operations, when other approaches that focus on experienced personnel are less effective, as the team uses a range of standard questions to construct a list of possible deviations by combining a guide word (Table 5) with a variable parameter or process term.

| Guide word | Meaning |
|---|---|
| No | This is the complete negation of the design intention. No part of the intention is achieved and nothing else happens |
| More | This is a quantitative increase |
| Less | This is a quantitative decrease |
| As well as | All the design intention is achieved together with additions |
| Part of | Only some of the design intention is achieved |
| Reverses | The logical opposite of the intention is achieved |
| Other than | Complete substitution, where no part of the original intention is achieved but something quite different happens |
| Early | Something happens earlier than expected relative to clock time |
| Late | Something happens later than expected relative to clock time |
| Before | Something happens before it is expected, relating to order of sequence |
| After | Something happens after it is expected, relating to order of sequence |

Table 5.

HAZOP guide words.

Fault hazard analysis (FHA): This is a standardized and detailed approach used for the analysis of roles to identify and describe the potential nature of failures. If desired, it can be used as either a qualitative or a quantitative analysis. A comprehensive top-down configuration analysis is required in order to evaluate computer danger modes, danger causes and potential system/operational performance. It seeks to answer the following questions:

  • What’s wrong with this?

  • How is it possible to fail?

  • How many times is it going to fail?

  • What will happen if it fails?

  • How important are the safety effects?

External intelligence sources of the company: Efficient to track and review current activities in order to recognize potential threats, analyze identified risks and recognize patterns. Examples are the following: dispatch logs, maintenance reports, manufacturing reports, and security reporting database of aircraft flight data (flight data extracted from equipment such as FDR or QAR).

External public information sources: Useful for showing operators temporarily or permanently recognized dangerous conditions. Examples are NOTAMs, AIPs, and rules for aviation.

FACS: Method of detecting human fault in accidents, major injuries, injuries, and other safety-related activities (based on the concept of Professor James Reason) and their inquiry and study. It also helps to determine where corrective measures and mitigation measures are required to eliminate the risk.

3.2 Risk assessment methods

Methods/tools for risk analysis provide means for the analysis of formal or informal risk information as a result of a proposed action or the risk involved in failure to take a certain action. They support determining the severity of risks posed by incidents to which an aircraft operator is or may be subjected; they also help to determine which events are most likely to lead to a serious incident or accident.

Risk assessment techniques were originally designed for the nuclear sector; over the years, many approaches and tools have been developed for a range of uses, from chemistry to aeronautics.

There are currently a wide range of different risk assessment models in all types of business industries and the methodology used around the world is inconsistent.

Quantitative and qualitative evaluations coexist, and organizational risk mitigation approaches must all be considered. Many effective risk management programs never perform systematic risk analyses and reserve their use for certain risks that need analytical reasoning or the acceptance of a contingency strategy. A qualitative risk analysis (designation of high, medium, or low probability or impacts) is deemed sufficient for the selection of the most important risks.

Regardless of the specific description, regulators tend to break risk down into two components, although discrepancies are again noted in the designation of the two components: the probability (or likelihood) of occurrence of the hazard, and the severity (or magnitude) of the adverse effect caused by the hazard. Likelihood is based on exposure to quantify the possibilities in stages, periods, persons, etc. Thus, exposure may or may not be integrated depending on how the probability is calculated. Exposure to unhealthy conditions raises the risk of adverse effects. Therefore, risk is described as follows:

Risk = Likelihood × Severity    (1)

Equation 1 – ICAO Risk equation.

The ARMS working group presents risk as a breakdown into four components:

Risk = Likelihood × Frequency of Avoidance × Frequency of Recoverability × Severity    (2)

Equation 2 - ARMS Risk Equation.

The safety of an action cannot be adequately assessed without taking into account risk exposure, the effectiveness of the barriers that prevent the risk from materializing, and the efficacy of the recovery barriers that prevent the worst-case scenario from being reached, as seen in the ARMS bow-tie diagram. However, because such factors require a high degree of subjectivity, they do not necessarily need to be included in the risk formula.

Similar methodologies are described in a risk matrix for both elements, each of which has different acceptance rates (Figure 7). Authorities recommend that each operator develop its own matrix and criteria that best reflect its operating environment.

Figure 7.

Risk assessment sample matrix.

If both the severity of the consequences and their likelihood of occurrence are expressed qualitatively (e.g., by words like high, medium, or low), the risk assessment is called a qualitative risk assessment. Table 6 provides an example of an aircraft operator’s qualitative criteria.

| Severity level | Definition | Value | Likelihood level | Definition | Value |
|---|---|---|---|---|---|
| Catastrophic | Equipment destroyed; multiple deaths | 5 | Frequent | Likely to occur many times | 5 |
| Hazardous | A large reduction in safety margins, physical distress or a workload such that operators cannot be relied upon to perform their tasks accurately or completely. Serious injury or death to a number of people. Major equipment damage | 4 | Occasional | Likely to occur sometimes | 4 |
| Major | A significant reduction in safety margins, a reduction in the ability of operators to cope with adverse operating conditions impairing their efficiency. Serious incident. Injury to persons | 3 | Remote | Unlikely but possible to occur | 3 |
| Minor | Nuisance. Operating limitations. Use of emergency procedures. Minor incident | 2 | Improbable | Very unlikely to occur | 2 |
| Negligible | Little consequence | 1 | Extremely improbable | Almost inconceivable that the event will occur | 1 |

The first three columns give the severity of consequences; the last three give the likelihood of occurrence.

Table 6.

Sample of severity and likelihood criteria [4].

In a quantitative risk assessment or probabilistic risk assessment, consequences are described numerically (e.g., number of persons who may be hurt or killed) and likelihoods are expressed as probabilities or frequencies (e.g., number of occurrences, probability of occurrence per unit time), as shown in Figure 8 and Table 7.

Figure 8.

Probability and severity relationship for failure condition effects.

| Failure condition | Definition | Qualitative probability | Quantitative probability (average probability per flight) |
|---|---|---|---|
| No safety effect | Failure conditions that would have no effect on safety; that would not affect the operational capability of the airplane or increase crew workload | No probability requirement | No probability requirement |
| Minor | Failure conditions which would not significantly reduce airplane safety, and which involve crew actions that are well within their capabilities. May include, for example, a slight reduction in safety margins or functional capabilities, a slight increase in crew workload, such as routine flight plan changes, or some physical discomfort to passengers or cabin crew | Probable: can be anticipated to occur one or more times during the entire operational life of each airplane | Probability > 1 × 10⁻⁵ |
| Major | Failure conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be, for example, a significant reduction in safety margins or functional capabilities, a significant increase in crew workload or in conditions impairing crew efficiency, or discomfort to the flight crew, or physical distress to passengers or cabin crew, possibly including injuries | Remote: unlikely to occur to each airplane during its total life, but may occur several times when considering the total operational life of a number of airplanes of the type | 1 × 10⁻⁷ < Prob. < 1 × 10⁻⁵ |
| Hazardous | Failure conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be: (1) a large reduction in safety margins or functional capabilities; (2) physical distress or excessive workload such that the flight crew cannot be relied upon to perform their tasks accurately or completely; (3) serious or fatal injury to a relatively small number of the occupants other than the flight crew | Extremely remote: not anticipated to occur to each airplane during its total life, but may occur a few times when considering the total operational life of all airplanes of the type | 1 × 10⁻⁹ < Prob. < 1 × 10⁻⁷ |
| Catastrophic | Failure conditions which would result in multiple fatalities, usually with the loss of the airplane | Extremely improbable: so unlikely that they are not anticipated to occur during the entire operational life of all airplanes of one type | Probability < 1 × 10⁻⁹ |

Table 7.

Failure condition definition and relationship with probability [5].

Quantitative criteria are determined from historical design experience and systems engineering assessment. Aircraft regulators have long established quantitatively acceptable levels of quality for all aircraft equipment and systems in the certification specifications. Equipment that fails to comply with these criteria cannot be certified.

Risk evaluation and risk control for each hazard or category follow a standardized, comprehensive process of hazard identification and risk assessment. The acceptability of a risk is assessed by comparing the measured risk level with defined requirements or safety objectives.


4. Conclusion

This chapter covers the concept of safety and risk in civil aviation during operation and focuses only on the actual safety and risk assessment process that different organizations carry out in order to maximize safety while avoiding possible risks. The steps and analyses involved are based on facts and data. It is hard to determine whether their results can truly be considered “safe and risk free.” The lack of real-time data and of fact-finding in the real environment makes it difficult for this area of civil aviation to advance. Day by day, however, results are getting better with the inclusion of new technologies and methods. This study shows that these assessments might not have much impact on civil aviation, but they serve as a means of avoiding risks and improving safety.

The chapter also provided a review of some methods/models for civil aviation risk and safety assessment. The key findings provided insight into the efforts already made to improve such methods/models; their inherent difficulty and lack of sufficient versatility; the lack of available data for calibration and testing; and the lack of sufficient predictive capabilities to support the implementation of new technical, procedural, and operational concepts to assess risk and safety. On the one hand, these efforts aimed at increasing system capacity and, on the other hand, at reducing the acceptable risk and safety thresholds. In many cases, a need to develop “specialized” or “dedicated” methods/models for particular system parts was identified. Moreover, difficulties such as the lack of real-life data were overcome by including expert judgment, despite awareness of its uncertainty and biases. Also noted was the systematic need for balance and compromise between the sophistication of methods/models, development time and expense, and consistency of performance. Future research should further improve the existing models in line with recommendations that generally call for risk and safety assessment capabilities during development and after implementation of new technologies, with generality on the one hand and dedication on the other hand, predictive capabilities, flexibility and easier understanding, and handling of modular system structures.


  1. Federal Aviation Administration [FAA]. Introduction to Safety Management Systems for Air Operators (AC 120-92), June 22nd, USA; 2006
  2. International Civil Aviation Organization [ICAO]. Safety Management System (Doc 9859). 2nd ed. Montreal, Canada: International Civil Aviation Organization, ICAO; 2009
  3. NSW Department of Primary Industries Reference: TRIM INT11/73583
  4. Boeing, Air Traffic Alliance. Air Traffic Alliance – Boeing Required Navigation; 2005
  5. European Aviation Certification Specification [EASA]. Certification Specifications for Large Airplanes CS-25 (Annex to ED Decision 2009/017/R), Amendment 8, December 18th; 2009
