Risk-based Oversight

Risk-based Oversight

Definitions

Risk-based Oversight (RBO): A way of performing oversight, where:

  • planning is driven by the combination of risk profile and safety performance; and
  • execution focuses on the management of risk, in addition to ensuring compliance.

Risk Profile: The elements of risk that are inherent to the nature and the operations of the regulated entity, this includes:

  • the specific nature of the organization/operator;
  • the complexity of its activities;

the risks stemming from the activities carried out.

Safety Performance: The demonstration of how effectively can a regulated entity (e.g. operator) mitigate its risks, substantiated through the proven ability to:

  • comply with the applicable requirements;
  • implement and maintain effective safety management;
  • identify and manage safety risks;
  • achieve and maintain safe operations;

the results of past certification and/or oversight also need to be taken into account.

Performance-based Oversight

EASA explains the relationship between Performance-based Oversight (PBO) and Risk-based Oversight (RBO) as:

The concept of "performance" conveys the idea of tangibly measuring the health of the system under scrutiny and ultimately assessing its overall performance. Performance indicators, as a means to measure, may specifically help to either identify risks within that system or measure safety risks or monitoring actions mitigating these risks. This means that a PBO can also support the identification of areas of greater risk and serve the risk assessment and mitigation exercise. This is where PBO meets RBO. [1]

Discussion

The implementation of Safety Management Systems signals a shift from reactive and compliance based oversight to a new model that includes proactive and performance-based tools and methods.

Recognising that compliance alone cannot assure safe operations, and that effective and affordable regulatory oversight needs to be targeted, most regulators have altered the relationship between the operators and the Competent Authorities to ensure that greater oversight is applied to those that need it. To achieve this, Inspectors need to be able to assess safety performance and the key factors that influence it. If an Operator's Compliance Monitoring Function demonstrates that regulatory and procedural compliance is being monitored effectively internally then it will attract less external oversight.

A risk-based approach to oversight entails the assessment of the performance influencing factors, organisational changes and other safety performance indicators that make up an operator's risk profile. An operator's risk profile will inevitably be dynamic. The regulator must have a process that acquires and analyses different sources of intelligence that provide insight into the changing risks in an operation such as:

  • reported occurrences;
  • reorganisation and restructuring (e.g new management and reporting structures, new operating bases, new aircraft types, changing working practices);
  • retirement/departure of a key employee (e.g new accountable managersafety manager, or operations director);
  • financial health of the organisation;

Those operators with a high-performing SMS and clear safety leadership will attract less oversight.

Accidents and Incidents

The following events in the SKYbrary database of Accident and Incident reports feature Ineffective Regulatory Oversight as a contributory factor:

On 16 September 2019, an ATR 72-200 diverted to Itaituba when landing at its intended destination Manaus was prevented by its unexpected closure due to an aircraft accident. During this diversion, intermittent indications of low fuel quantity were annunciated and one engine subsequently ran down on final approach and the other whilst backtracking after landing. It was found that due to a series of undetected faults in the aircraft’s fuel quantity sensing system, the flight deck indications of fuel tank contents were over reading and the low fuel indication system was also malfunctioning for the same reason.

On 18 December 2020, a Bombardier Challenger descending on an ILS approach into Sion in VMC within the Sion TMA was advised of unknown VFR traffic on a potentially conflicting track and working a different frequency. Minimum separation was 100 feet vertically and just over 1 nm laterally before the Challenger response to a TCAS RA increased vertical separation despite the other traffic also initially attempting visual separation by climbing. The Class ‘D’ airspace Sion TMA was inactive and therefore downgraded to Class ’E’. The Investigation concluded that procedures which prevented activation of the TMA at short notice were outdated.

On 22 March 2021, the pilots of a Boeing 747-8F which had just reached its initial cruise level after departing Dubai observed smoke and sparks coming from the window heating system and declared a PAN advising their intention to dump fuel and return to Dubai. With the faulty system switched off, this was accomplished without further event. It was found that the cause of the system malfunction was a design-related vulnerability with a history of recurrence which had not been adequately addressed by the aircraft manufacturer and the FAA as safety regulator following relevant NTSB Safety Recommendations made in 2007.

On 18 November 2022, the crew of an Airbus A320neo about to become airborne as it departed Lima were unable to avoid a high-speed collision with an airport fire appliance, which unexpectedly entered the runway. The impact wrecked the vehicle, killing two of its three occupants, and a resultant fuel-fed fire severely damaged the aircraft, although with no fatalities amongst its 107 occupants. The vehicle was found to have entered the runway without clearance primarily as a consequence of inadequate briefing for an exercise to validate emergency access times from a newly relocated airport fire station.

On 10 August 2019, the left Rolls Royce Trent 1000 engine of a Boeing 787-8 just airborne from Rome Fiumicino suddenly malfunctioned and was shut down. A MAYDAY was declared, and the flight returned for an overweight landing during which all four left main gear tyres deflated. The underlying cause of the engine failure was found to have been intermediate-pressure turbine blade detachment attributable to previously identified serviceability issues. Wider concerns were identified in relation to underlying engine certification standards and to the hazard created by ejection of large quantities of engine debris into a densely populated area.

Related Articles

Further Reading

References

  1. ^ "Practices for risk-based oversight"; Edition 1, published by EASA 22 November 2016
Categories

SKYbrary Partners:

Safety knowledge contributed by: