Definition
A Safety Risk Assessment is the structured analytical step that converts an identified hazard into a managed risk. ICAO Doc 9859 (SMM, 4th ed.) Chapter 5 defines the full Safety Risk Management cycle as: Identify Hazard → Analyze Risk → Assess Risk → Control Risk → Monitor Control Effectiveness. The SRA covers the Analyze, Assess, and Control steps. The input is a documented hazard; the output is a risk record with an assigned risk level, applied controls, residual risk classification, and an accountability trail.
The analytical tool universally employed is the risk matrix, typically configured as a 5×5 grid. The vertical axis is severity: Catastrophic (hull loss, multiple fatalities), Hazardous (severe injury, major damage, significant loss of safety margins), Major (serious injury, significant damage, large reduction in safety margins), Minor (minor injury, minor damage, reduction in safety margins), Negligible (nuisance value only). The horizontal axis is likelihood: Frequent (expected to occur many times), Occasional (expected to occur sometimes), Remote (unlikely but possible), Improbable (very unlikely), Extremely Improbable (almost inconceivable). ICAO Doc 9859 Appendix 1 to Chapter 5 provides the 5×5 reference matrix with three acceptability zones: Intolerable (risk must be reduced regardless of cost — typically Catastrophic/Frequent through to Hazardous/Remote), Tolerable (ALARP — risk may be accepted if further reduction is impracticable, with active controls and monitoring), and Acceptable (risk is managed within normal procedures without additional controls). Each organization defines its own matrix thresholds in its SMS Manual.
The SRA process under EASA AMC1 ORO.GEN.200(a)(3) requires: that every identified hazard is entered into the risk assessment process; that risk analysis considers all foreseeable risk scenarios associated with the hazard (not just the most likely); that risk levels are determined systematically and consistently; that risk controls are selected based on the hierarchy — elimination > substitution > engineering controls > administrative controls > personal protective measures; that residual risk after control is re-assessed through the matrix and confirmed acceptable; and that the full SRA record is documented and retained. EASA specifies no mandatory retention period for SRA records in Part-ORO directly, but the general oversight record requirement under ORO.GEN.220 applies, and the SRA record is primary audit evidence for the Safety Assurance pillar.
FAA Part 5 addresses the equivalent through §5.51 (Safety Risk Management policy — the operator must have and follow an SRM process), §5.53 (System Analysis and Hazard Identification — identifying hazards for each operational system element), and §5.55 (Safety Risk Assessment and Control — analysing and controlling identified hazards). FAA AC 120-92B Section 6 provides guidance on the 5×5 matrix methodology and ALARP application consistent with ICAO Doc 9859.
An SRA is required under three distinct operational triggers: change management (any proposed change to the organization, its operations, its fleet, its key personnel, or its approved procedures must be risk-assessed before implementation); incident/accident investigation (each identified causal and contributing factor generates a hazard that must be formally assessed); and periodic review (the hazard register is reviewed on a schedule defined in the SMS Manual — typically annually — and existing SRAs are revalidated against current operating conditions). The change-management SRA is the highest-stakes application: organizations that implement operational changes without completing a prior SRA — new simulator, new aircraft type, new operating base, new senior post-holder — are exposed both to unmanaged safety risk and to immediate regulatory findings upon audit.
Why It Matters for Flight Schools
The most common SRA failure mode in flight schools and ATOs is not the absence of an SRA process, but calibration inconsistency. Two safety managers applying the same 5×5 matrix to the same hazard may produce risk indices that differ by two cells — one assessing a runway excursion risk from student solo circuit training as Tolerable, the other as Intolerable — because likelihood definitions are subjectively interpreted. This inconsistency invalidates trend analysis across the hazard register: if risk indices shift between review periods due to assessor variation rather than genuine risk change, the SPI associated with that hazard is meaningless. ICAO Doc 9859 recommends that organizations develop calibration examples — reference hazards with pre-determined risk indices — as anchors for consistent application of their matrix.
A second failure pattern is SRA scope compression: the organization assesses the hazard as presented rather than the full consequence scenario space. A hazard logged as "bird strike during circuit training" may generate an SRA focused on single-engine landing from circuit height, but the same hazard also implicates windshield penetration, engine ingestion with total power loss, and instructor incapacitation — each a distinct risk scenario requiring its own severity/likelihood assessment. EASA auditors following AMC1 ORO.GEN.200(a)(3) expect evidence that the full consequence space of significant hazards was explored, not just the most obvious scenario.
How Aviatize Handles This
Aviatize's safety management module embeds the SRA as a structured workflow attached to each hazard record. When a hazard is identified and logged — whether from an occurrence report, an audit finding, a maintenance squawk, or a proactive observation — the system opens an SRA task assigned to the designated risk owner. The SRA interface presents the organization's configured risk matrix, enforces that at least one risk scenario is assessed per hazard, requires selection of at least one risk control from the control hierarchy, and recalculates residual risk through the same matrix before the assessment can be closed. The resulting risk record is versioned: each subsequent review creates a new SRA entry linked to the same hazard, building a full temporal record of how risk has been managed.
For change-management SRAs — the highest-stakes application — Aviatize's compliance and auditing module includes a change notification workflow. A proposed operational change (new aircraft registration added to the fleet, new route or base, key post-holder change) triggers a mandatory SRA task before the change is approved in the system. The change cannot be activated until the SRA is completed and the residual risk is within the organization's Acceptable or Tolerable threshold. For Tolerable residual risk, the system requires an additional sign-off from the Accountable Manager before change activation — creating the documented senior-management awareness that ICAO Doc 9859 requires for ALARP-accepted risks.
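The activation gate described above can be sketched as follows. This is an added example, not Aviatize's code: the multiplicative scoring, the zone thresholds, the function names and the sample scenarios are all assumptions, since each organization defines its own matrix in its SMS Manual.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Axis labels as listed on this page, ordered worst-first.
SEVERITY = ["Catastrophic", "Hazardous", "Major", "Minor", "Negligible"]
LIKELIHOOD = ["Frequent", "Occasional", "Remote", "Improbable", "Extremely Improbable"]
HIERARCHY = ["elimination", "substitution", "engineering", "administrative", "personal protective"]

# ASSUMED thresholds on a severity-weight x likelihood-weight score (5..1 each).
# Each organization sets its own in its SMS Manual; these are illustrative only.
INTOLERABLE_MIN, TOLERABLE_MIN = 12, 5

def zone(severity: str, likelihood: str) -> str:
    """Map one matrix cell to an acceptability zone."""
    score = (5 - SEVERITY.index(severity)) * (5 - LIKELIHOOD.index(likelihood))
    if score >= INTOLERABLE_MIN:
        return "Intolerable"
    return "Tolerable" if score >= TOLERABLE_MIN else "Acceptable"

@dataclass
class Scenario:
    name: str
    initial: Tuple[str, str]                    # (severity, likelihood) before controls
    controls: Tuple[str, ...] = ()              # entries from HIERARCHY
    residual: Optional[Tuple[str, str]] = None  # re-assessed after controls

def activation_blockers(scenarios, am_signoff=False):
    """Return the reasons a change may not be activated; empty list means go."""
    if not scenarios:
        return ["no risk scenario assessed"]
    blockers = []
    for s in scenarios:
        if not s.controls or any(c not in HIERARCHY for c in s.controls):
            blockers.append(f"{s.name}: needs a control from the hierarchy")
        if s.residual is None:
            blockers.append(f"{s.name}: residual risk not re-assessed")
            continue
        z = zone(*s.residual)
        if z == "Intolerable":
            blockers.append(f"{s.name}: residual risk Intolerable")
        elif z == "Tolerable" and not am_signoff:
            blockers.append(f"{s.name}: Tolerable residual needs Accountable Manager sign-off")
    return blockers

# Constructed sample: SRA for adding a new aircraft type to the fleet.
SAMPLE = [
    Scenario("runway excursion on solo circuits", ("Hazardous", "Occasional"),
             ("administrative",), ("Hazardous", "Improbable")),
    Scenario("unfamiliar avionics mode error", ("Major", "Occasional"),
             ("engineering", "administrative"), ("Minor", "Improbable")),
]
```

With the sample data, the first scenario's residual risk lands in the Tolerable zone, so the change stays blocked until `am_signoff=True` is passed.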