Hazard Identification (HazID)

Hazard Identification is the foundational step of the Safety Risk Management (SRM) cycle. ICAO Annex 19, Appendix 2, paragraph 5 defines a hazard as "a condition or an object with the potential to cause or contribute to an aircraft incident or accident." ICAO Doc 9859 (SMM, 4th ed.) Chapter 5 distinguishes three identification methodologies that together form the complete HazID posture: reactive, proactive, and predictive. Reactive methods analyze events after they occur — accidents, incidents, and mandatory occurrence reports already filed. Proactive methods systematically search for latent hazards before events manifest, using audits, inspections, and structured observation programs. Predictive methods analyze operational data and trends to surface hazards before a triggering event exists. A mature SMS must demonstrate all three types to satisfy EASA competent authority audit and FAA SMS validation.

Key structured techniques include the Failure Reporting, Analysis and Corrective Action System (FRACAS), widely used in maintenance and type-design programs, which creates a closed-loop record linking every identified failure mode to a corrective action. The Maintenance Error Decision Aid (MEDA), developed by Boeing, applies to maintenance human-factors hazard identification and is referenced in EASA Part-145 AMC 145.A.47 (Human Factors). The Line Operations Safety Audit (LOSA), defined in ICAO Doc 9683 (LOSA Manual, 1st ed.), is a structured threat-and-error management observation method in which trained observers fly as jump-seat observers and code crew behaviors against a validated taxonomy. LOSA data is de-identified before analysis, linking directly to just-culture principles. Flight Data Monitoring (FDM/FOQA) under EASA Part-ORO ORO.AOC.130 uses recorded aircraft parameters to detect systematic deviations — exceedance events — without requiring any crew report. Each exceedance event is a candidate hazard that must enter the hazard log.

All identified hazards must be formally captured in a Hazard Register (also called hazard log). ICAO Doc 9859, Chapter 5, Section 5.3 defines the minimum hazard register content: a unique hazard identifier, the description of the hazard, the associated risk(s) (potential consequences), the likelihood and severity classification under the organization's risk matrix, the resulting risk index, and the risk control measure(s) applied. Every risk control measure must be assigned an owner and a review date. A hazard identified but not recorded in the register, or recorded but not reviewed, constitutes an incomplete SRM process — a finding under EASA SMS audits and, for Part 5 operators in the US, under FAA Safety Assurance system checks.

The relationship between HazID and Safety Risk Assessment (SRA) is sequential and mandatory: no risk assessment can begin without a prior hazard identification, and no risk control can be selected without a risk assessment. ICAO Doc 9859, Figure 5-1, illustrates the SRM cycle as: Identify Hazard → Analyze Risk → Assess Risk → Control Risk → Monitor Risk Control Effectiveness. The hazard log is the persistent artefact that records every step. EASA Part-ORA ORA.GEN.200 (for ATOs) and Part-ORO ORO.GEN.200 (for AOC holders) both require the SMS to include SRM processes that collectively satisfy this sequence. EASA AMC1 ORO.GEN.200(a)(3) explicitly requires that the operator "establish and maintain a process for identifying hazards associated with its aviation activities."

FAA Part 5 (14 CFR Part 5), effective March 2015 and mandatory for Part 121 operators, frames the equivalent requirement under §5.51 (Safety Risk Management policy) and §5.53 (System Analysis and Hazard Identification), which requires that each person responsible for SRM must identify hazards associated with each aviation system element. For training organizations operating under Part 141, FAA AC 120-92B (Safety Management Systems for Aviation Service Providers, 2015) provides non-mandatory but widely referenced guidance that parallels the ICAO Doc 9859 methodology, including the three-method typology (reactive, proactive, predictive) and the hazard register concept.

The dominant failure mode in flight school and ATO hazard identification is what regulators call "nominal compliance" — the organization has a hazard register template and an SMS Manual section describing HazID, but no systematic data pipeline feeding it. Paper-based or email-based occurrence reporting means hazards reported by instructors or students are stored in inboxes or filing cabinets rather than in a structured register. As a result, pattern analysis is impossible: five separate instructors may report the same runway surface condition in five separate months, but because no aggregation exists, the hazard is never formally identified and no risk control is implemented. This is a specific audit finding pattern noted in EASA NPA 2019-05 and echoed in multiple competent authority audit reports.

A second failure mode is classification drift: the organization captures events but applies inconsistent likelihood/severity classifications across reviewers and review periods, rendering the risk index meaningless for trend analysis. Without standardized risk matrices applied consistently, the Safety Review Board cannot determine whether risk is increasing or decreasing — making the Safety Performance Targets and SPIs associated with the hazard log unverifiable. For combined ATO/AOC operators, the additional complication is scope segregation: the ATO hazard register and the AOC hazard register must either be formally integrated or explicitly separated with defined interfaces, and auditors increasingly look for evidence that hazards originating in one operational environment (e.g., student training flights on an AOC-operated aircraft) are correctly routed to the appropriate register.

Aviatize's safety management module implements the hazard register as a structured database object. Each hazard entry captures all mandatory ICAO Doc 9859 fields — unique ID, description, associated risk scenarios, likelihood and severity scores against the organization's configured risk matrix, composite risk index, assigned risk owner, control measures, and review date. Occurrence reports submitted by instructors, students, or ground staff through the platform's reporting interface are automatically queued for hazard classification by the safety manager; the system enforces that no report can be closed without a hazard determination (either a new hazard entry or linkage to an existing one), eliminating the inbox-discard failure mode. FDM exceedance imports and squawk-derived maintenance hazards can be ingested via CSV or API and flow into the same triage queue.

The platform's KPI reporting and dashboards module surfaces hazard register health as a first-class metric: open hazards past review date, hazards without assigned risk owners, and hazards with risk controls not yet verified effective. For combined ATO/AOC operations, the compliance and auditing module enforces register scope tagging — each hazard is tagged to the relevant certificate or operational scope, enabling split reporting while maintaining a unified interface for the accountable manager's Safety Review Board. When a hazard's residual risk index exceeds the tolerable threshold defined in the SMS Manual, the platform triggers an automated escalation task to the accountable manager and logs the escalation timestamp for audit evidence.