If you wish to contribute or participate in the discussions about articles you are invited to join SKYbrary as a registered user

 Actions

Risk-based Oversight

From SKYbrary Wiki

Article Information
Category: Safety Management Safety Management
Content source: SKYbrary About SKYbrary
Content control: SKYbrary About SKYbrary

Definitions

Risk-based Oversight (RBO): A way of performing oversight, where:

  • planning is driven by the combination of risk profile and safety performance; and
  • execution focuses on the management of risk, in addition to ensuring compliance.

Risk Profile: The elements of risk that are inherent to the nature and the operations of the regulated entity, this includes:

  • the specific nature of the organization/operator;
  • the complexity of its activities;

the risks stemming from the activities carried out.

Safety Performance: The demonstration of how effectively can a regulated entity (e.g. operator) mitigate its risks, substantiated through the proven ability to:

  • comply with the applicable requirements;
  • implement and maintain effective safety management;
  • identify and manage safety risks;
  • achieve and maintain safe operations;

the results of past certification and/or oversight also need to be taken into account.

Performance-based Oversight

EASA explains the relationship between Performance-based Oversight (PBO) and Risk-based Oversight (RBO) as:

The concept of "performance" conveys the idea of tangibly measuring the health of the system under scrutiny and ultimately assessing its overall performance. Performance indicators, as a means to measure, may specifically help to either identify risks within that system or measure safety risks or monitoring actions mitigating these risks. This means that a PBO can also support the identification of areas of greater risk and serve the risk assessment and mitigation exercise. This is where PBO meets RBO. [1]

Discussion

The implementation of Safety Management Systems signals a shift from reactive and compliance based oversight to a new model that includes proactive and performance-based tools and methods.

Recognising that compliance alone cannot assure safe operations, and that effective and affordable regulatory oversight needs to be targeted, most regulators have altered the relationship between the operators and the Competent Authorities to ensure that greater oversight is applied to those that need it. To achieve this, Inspectors need to be able to assess safety performance and the key factors that influence it. If an Operator's Compliance Monitoring Function demonstrates that regulatory and procedural compliance is being monitored effectively internally then it will attract less external oversight.

A risk-based approach to oversight entails the assessment of the performance influencing factors, organisational changes and other safety performance indicators that make up an operator's risk profile. An operator's risk profile will inevitably be dynamic. The regulator must have a process that acquires and analyses different sources of intelligence that provide insight into the changing risks in an operation such as:

  • reported occurrences;
  • reorganisation and restructuring (e.g new management and reporting structures, new operating bases, new aircraft types, changing working practices);
  • retirement/departure of a key employee (e.g new accountable manager, safety manager, or operations director);
  • financial health of the organisation;

Those operators with a high-performing SMS and clear safety leadership will attract less oversight.

Accidents and Incidents

The following events in the SKYbrary database of Accident and Incident reports feature Ineffective Regulatory Oversight as a contributory factor:

  • B38M, en-route, northeast of Jakarta Indonesia, 2018 (On 29 October 2018, a Lion Air Boeing 737-MAX 8 crew had difficulty controlling the pitch of their aircraft after takeoff from Jakarta and after eventually losing control, a high speed sea impact followed. The Investigation found that similar problems had also affected the aircraft’s previous flight following installation of a faulty angle-of-attack sensor and after an incomplete post-flight defect entry, rectification had not occurred. Loss of control occurred because the faulty sensor was the only data feed to an undisclosed automatic pitch down system, MCAS, which had been installed on the 737-MAX variant without recognition of its potential implications.)
  • SF34 / PA27, Nassau Bahamas, 2018 (On 22 September 2018, a Saab 340B taking off in accordance with its clearance at Nassau came close to a midair collision over the main runway after a light aircraft began an almost simultaneous takeoff in the opposite direction of the same runway contrary to its received and correctly acknowledged non-conflicting takeoff clearance for a different runway without the TWR controller noticing. The light aircraft passed over the Saab 340 without either aircraft crew seeing the other aircraft. The Investigation noted that the light aircraft pilot had “forgotten” his clearance and unconsciously substituted an alternative.)
  • A320, Malé Maldives, 2018 (On 7 September 2018, an Airbus A320 was inadvertently landed on an under- construction runway at Malé in daylight VMC but met no significant obstructions and sustained only minor damage. The Investigation attributed the error to confusion generated by a combination of pilot inattention to clearly relevant notification, controller distraction, the failure of the airport operator to follow required procedures and the failure of the safety regulator to ensure that sufficient arrangements to ensure safety were in place and complied with.)
  • AT76, Fez Morocco, 2018 (On 6 July 2018, an ATR 72-600 followed an unstable approach at Fez with a multiple-bounce landing including a tail strike which caused rear fuselage deformation. The aircraft then continued in operation and the damage was not discovered until first flight preparations the following day. The Investigation found that the Captain supervising a trainee First Officer as handling pilot failed to intervene appropriately during the approach and thereafter had failed to act responsibly. The context for poor performance was assessed as systemic weakness in both the way the ATR fleet was being run and in regulatory oversight of the Operator.)
  • AS50, manoeuvring, East River New York USA, 2018 (On 11 March 2018, an Airbus AS350 engine failed during a commercial sightseeing flight and autorotation was initiated. The pilot then noticed that the floor-mounted fuel cut-off had been operated by part of the tether system of one of the five passengers but there was insufficient time to restore power. On water contact, the automatic floatation system operated asymmetrically and the helicopter submerged before the occupants could evacuate. Only the pilot was able to release his harness and escape because the unapproved adapted passenger harnesses had no quick release mechanism. The Investigation found systemic inadequacy of the operator’s safety management system.)
  • A320 / Vehicle, London Gatwick UK, 2018 (On 3 February 2018, a runway inspection vehicle was cleared onto the active runway at London Gatwick ahead of an aircraft which had just touched down and driven towards it having been cleared to do so because the aircraft crew’s confirmation that they would clear the runway before reaching the vehicle was considered by the controller as a clearance limit. The Investigation found that the associated runway inspection procedure had not been adequately risk-assessed and noted that many issues raised by it had still not been addressed by the time it was completed eighteen months later.)
  • B733, Aqaba Jordan, 2017 (On 17 September 2017, a Boeing 737-300 requested and was approved for a visual approach to Aqaba which involved a significant tailwind component and, after approaching at excessive speed, it touched down late and overran the 3000 metre runway onto sandy ground. The Investigation found that despite EGPWS Alerts relating to both the high rate of descent and late configuration, the Captain had instructed the First Officer to continue what was clearly an unstabilised approach and when touchdown had still not occurred with around 1000 metres of runway left, the Captain took over but was unable to prevent an overrun.)
  • L410, vicinity Lukla Nepal, 2017 (On 27 May 2017, a Let 410 attempting to complete a visual approach to Lukla in rapidly deteriorating visibility descended below threshold altitude and impacted terrain close to the runway after stalling when attempting to climb in landing configuration. The aircraft was destroyed by the impact and two of the three occupants fatally injured. The Investigation concluded that the Captain had lost situational awareness at a critical time and had been slow to respond to the First Officer’s alert that the aircraft was too low. Safety Recommendations included the establishment of an independent and permanent Air Accident Investigation Agency.)
  • L410, Isle of Man, 2017 (On 23 February 2017, a Czech-operated Let-410 departed from Isle of Man into deteriorating weather conditions and when unable to land at its destination returned and landed with a crosswind component approximately twice the certified limit. The local Regulatory Agency instructed ATC to order the aircraft to immediately stop rather than attempt to taxi and the carrier’s permit to operate between the Isle of Man and the UK was subsequently withdrawn. The Investigation concluded that the context for the event was a long history of inadequate operational safety standards associated with its remote provision of flights for a Ticket Seller.)
  • C402, Virgin Gorda British Virgin Islands, 2017 (On 11 February 2017, a Cessna 402 failed to stop on the runway when landing at Virgin Gorda and was extensively damaged. The Investigation noted that the landing distance required was very close to that available with no safety margin so that although touchdown was normal, when the brakes failed to function properly, there was no possibility of safely rejecting the landing or stopping normally on the runway. Debris in the brake fluid was identified as causing brake system failure. The context was considered as the Operator’s inadequate maintenance practices and a likely similar deficiency in operational procedures and processes.)
  • RJ85, vicinity Medellín International (Rionegro) Colombia, 2016 (On 29 November 2016, a BAe Avro RJ85 failed to complete its night charter flight to Medellín (Rionegro) when all engines stopped due to fuel exhaustion and it crashed in mountainous terrain 10 nm from its intended destination killing almost all occupants. The Investigation noted the complete disregard by the aircraft commander of procedures essential for safe flight by knowingly departing with significantly less fuel onboard than required for the intended flight and with no apparent intention to refuel en route. It found that this situation arose in a context of a generally unsafe operation subject to inadequate regulatory oversight.)
  • RJ1H, vicinity Gothenburg Sweden, 2016 (On 7 November 2016, severe airframe vibrations occurred to an Avro RJ-100 which, following ground de icing, was accelerating in the climb a few minutes after departing from Gothenburg. The crew were able to stop the vibrations by reducing speed but they declared an emergency and returned to land where significant quantities of ice were found and considered to have been the cause of the vibrations. The Investigation concluded that the failure of the de icing operation in this case had multiple origins which were unlikely to be location specific and generic safety recommendations were therefore made.)

... further results

Related Articles

Further Reading

References

<references>