RISK MANAGEMENT CYCLE

HAZARD IDENTIFICATION
Dr. Alfred Roelen

HvA Safety & Human Factors

NLR Air Transport Safety Institute

alfred.roelen@nlr.nl

1
 CLOSED LOOP CONTROL SYSTEM

input output

control measurement

feedback
 CLOSED LOOP CONTROL SYSTEM

HAZARD
output

control measurement

feedback
RISK MANAGEMENT CYCLE
• Estimate
likelihood and
• Hazard identification impact of hazards
Hazard Risk • Qualitative or
identification assessment quantitative

Monitoring Risk
and review treatment
• Continuous • Actions and
monitoring of risks and mechanisms to
risk control measures reduce risks

4
HAZARD
A hazard is a condition or an object with the potential to
cause death, injuries to personnel, damage to equipment or
structures, loss of material, or reduction of the ability to
perform a prescribed function.

For the purpose of aviation safety risk management, the

term hazard should be focused on those conditions which
could cause or contribute to unsafe operation of aircraft or
aviation safety-related equipment, products and services.

(ICAO Safety management manual)

5
HAZARD IDENTIFICATION
Reactive. Analysis of past outcomes or events. Hazards are identified
through investigation of safety occurrences. Incidents and accidents are
clear indicators of system deficiencies and therefore can be used to
determine the hazards that either contributed to the event or are latent

Proactive. Analysis of existing or real-time situations, which is the primary

job of the safety assurance function with its audits, evaluations, employee
reporting, and associated analysis and assessment processes. This
involves actively seeking hazards in the existing processes.

Predictive. Data gathering in order to identify possible negative future

outcomes or events, analysing system processes and the environment to
identify potential future hazards and initiating mitigating actions.

6
LIST THE HAZARDS YOU CAN IDENTIFY
IN THE PICTURE

© Yann Forget / Wikimedia Commons

TOOLS FOR HAZARD IDENTIFICATION
SHELL MODEL
Hazards may exist in interactions
between:
• Liveware and Hardware
• Liveware and Environment
• Liveware and Software
• Liveware and Liveware

The SHELL model is particularly useful

for the identification of hazards related to
human factors

8
TOOLS FOR HAZARD IDENTIFICATION
5M MODEL
Management

Man Media
Mission

Machine
Many hazards
hidden in the
interactions
9
DECOMPOSITION OF THE SYSTEM
Decomposition helps to structure the hazard identification and to
ensure completeness.

• Components – can be used for hazard analysis of systems

• Processes – can be used for hazard analysis of activities
• Functions – can be used for hazard analysis during design

10
COMPONENTS

Copied from www.helicopterpage.com

under the terms of the GNU Free 11
Documentation License.
PROCESSES

12
FUNCTIONAL HAZARD ASSESSMENT
FHA
Identify potential hazards resulting from system function
degradation.
Advantage: Can be used early in the design phase.

Essential prerequisite: Description of high level functions of the system.

• Description of system functions and the relationships between these

functions (system bloc diagrams or functional flow diagrams to clarify
system description, if available).

• Definition of the system boundaries.

13
FHA
Systematic application of a set of keywords to each function of the
system

Consideration of external events

14
FHA - IDENTIFICATION OF FAILURE
MODES
Failure to start Failure to stop
Delayed operation Premature operation
Total loss Partial loss
Inadvertent operation Violation of operation
Error of input Error of output
Misheard Misunderstood

15
FHA – EXTERNAL EVENTS
Geologic Example: Avalanche
Seismic Example: Earthquake
Hydraulic Example: Flooding
Meteorologic Example: Wind, temperature, lightning
Ecologic Example: Fungus
Activities in vicinity Example: Vandalism

16
EXERCISE
What are the hazards of small drone operations for commercial
aircraft?

17
EXERCISE
What are the hazards of small drone operations for commercial
aircraft?

To be more specific:
Conditions which could cause or contribute to collision of a commercial
aircraft with a small drone.

18
EXERCISE
What are the hazards of small drone operations for commercial
aircraft?

To be more specific:
Conditions which could cause or contribute to collision of a commercial
aircraft with a small drone.

NB small drones are not allowed in controlled airspace.

19
SMALL DRONES AND COMMERCIAL AVIATION
ELEMENTS AND ESSENTIAL FUNCTIONS

Communication (airspace limitations,

e.g. remain below specified level)

Air Traffic Control

Drone pilot
20
FIRST LIST OF HAZARDS
• Failure of drone
• Failure of drone commend and control instructions
• Failure of drone pilot
• Failure of ATC airspace limitations
• Failure of air traffic control
• Failure of ATC trajectory instructions
• Failure of aircraft pilot
• Failure of aircraft

21
RISK MANAGEMENT CYCLE
HAZARD IDENTIFICATION
Dr. Alfred Roelen

alfred.roelen@nlr.nl

22