Risk-based Oversight
Risk-based Oversight
Definitions
Risk-based Oversight (RBO): A way of performing oversight, where:
- planning is driven by the combination of risk profile and safety performance; and
- execution focuses on the management of risk, in addition to ensuring compliance.
Risk Profile: The elements of risk that are inherent to the nature and the operations of the regulated entity, this includes:
- the specific nature of the organization/operator;
- the complexity of its activities;
the risks stemming from the activities carried out.
Safety Performance: The demonstration of how effectively can a regulated entity (e.g. operator) mitigate its risks, substantiated through the proven ability to:
- comply with the applicable requirements;
- implement and maintain effective safety management;
- identify and manage safety risks;
- achieve and maintain safe operations;
the results of past certification and/or oversight also need to be taken into account.
Performance-based Oversight
EASA explains the relationship between Performance-based Oversight (PBO) and Risk-based Oversight (RBO) as:
The concept of "performance" conveys the idea of tangibly measuring the health of the system under scrutiny and ultimately assessing its overall performance. Performance indicators, as a means to measure, may specifically help to either identify risks within that system or measure safety risks or monitoring actions mitigating these risks. This means that a PBO can also support the identification of areas of greater risk and serve the risk assessment and mitigation exercise. This is where PBO meets RBO. [1]
Discussion
The implementation of Safety Management Systems signals a shift from reactive and compliance based oversight to a new model that includes proactive and performance-based tools and methods.
Recognising that compliance alone cannot assure safe operations, and that effective and affordable regulatory oversight needs to be targeted, most regulators have altered the relationship between the operators and the Competent Authorities to ensure that greater oversight is applied to those that need it. To achieve this, Inspectors need to be able to assess safety performance and the key factors that influence it. If an Operator's Compliance Monitoring Function demonstrates that regulatory and procedural compliance is being monitored effectively internally then it will attract less external oversight.
A risk-based approach to oversight entails the assessment of the performance influencing factors, organisational changes and other safety performance indicators that make up an operator's risk profile. An operator's risk profile will inevitably be dynamic. The regulator must have a process that acquires and analyses different sources of intelligence that provide insight into the changing risks in an operation such as:
- reported occurrences;
- reorganisation and restructuring (e.g new management and reporting structures, new operating bases, new aircraft types, changing working practices);
- retirement/departure of a key employee (e.g new accountable manager, safety manager, or operations director);
- financial health of the organisation;
Those operators with a high-performing SMS and clear safety leadership will attract less oversight.
Accidents and Incidents
The following events in the SKYbrary database of Accident and Incident reports feature Ineffective Regulatory Oversight as a contributory factor:
On 17 August 2023, a privately operated Hawker Beechcraft 390 Premier 1 on final approach to Subang suddenly departed controlled flight in benign weather conditions and crashed. The aircraft was destroyed by the impact and post crash fire and the eight occupants and two persons on the ground were killed. Control of the aircraft was lost after the aircraft lift dump spoilers were inadvertently deployed. The context for this inappropriate action was found to have been deviations from standard operating procedures, inadequate pilot training, regulatory grey areas and deficiencies in communication and decision-making between the two pilots during the flight.
On 19 October 2022, an unstable approach to Sandy Lake by a de Havilland DHC8-300 was followed by a mishandled landing attempt by the First Officer involving excessive pitch up and a tail strike and when the Captain recognised a go-around was intended, he took over and completed the landing. The Captain had recently been promoted after 3,000 hours as a First Officer and the First Officer had just been released on his first two-pilot aircraft type after over 70 hours line training. Regulatory oversight appeared not to have detected that the operator’s safety management system was comprehensively unfit for purpose.
On 6 October 2022, a solo student pilot departing Seville in a PA28 was instructed to hold short of the active runway on reaching it, but without the controller noticing then entered the runway. An Airbus A320 already cleared to land then called that there was a light aircraft on the runway and after initially just repeating the clearance, the controller then saw it. The context for the conflict was assessed as the controller’s use of English for PA28 communications and Spanish for A320 communications and the absence of any requirement to activate controllable stop bars in visual daylight conditions.
On 16 September 2019, an ATR 72-200 diverted to Itaituba when landing at its intended destination Manaus was prevented by its unexpected closure due to an aircraft accident. During this diversion, intermittent indications of low fuel quantity were annunciated and one engine subsequently ran down on final approach and the other whilst backtracking after landing. It was found that due to a series of undetected faults in the aircraft’s fuel quantity sensing system, the flight deck indications of fuel tank contents were over reading and the low fuel indication system was also malfunctioning for the same reason.
On 18 December 2020, a Bombardier Challenger descending on an ILS approach into Sion in VMC within the Sion TMA was advised of unknown VFR traffic on a potentially conflicting track and working a different frequency. Minimum separation was 100 feet vertically and just over 1 nm laterally before the Challenger response to a TCAS RA increased vertical separation despite the other traffic also initially attempting visual separation by climbing. The Class ‘D’ airspace Sion TMA was inactive and therefore downgraded to Class ’E’. The Investigation concluded that procedures which prevented activation of the TMA at short notice were outdated.
Related Articles
- Predictive Risk Management
- Safety Accountabilities and Responsibilities
- Just Culture
- Safety Oversight
- Safety Culture
- Management System Assessment Tool (MSAT)
Further Reading
- EASA: Practices for risk-based oversight; Edition 1, EASA, published 22 November 2016.
- UK CAA: CAP1092: Strategic Plan 2011-16, updated June 2014