Chapter 14 Annex H - Risk Management Levels and Definitions Matrix

Within the Defence aviation community, generic operational risks are usually characterised and communicated via a Risk Matrix tool, mandated by the relevant service or organisation, that suits its circumstances or broader organisational requirements.

Matrix H-1: DFSB Risk Management Matrix

To improve communication of residual risk to downstream organisations, any risk characterisation methodology employed by a design organisation or Military Type Certificate (MTC) holder should seek to implement a set of criteria to communicate risk that can be understood effectively. A minimum set of information that would be beneficial to inform operational risk assessment and treatment includes:

Hazard description. A description of the hazard or undesirable event that may occur. This will sometimes be different from the base hazard that was not fully treated by design. For example, consider a ground proximity warning system that erroneously produces false altitude alerts. In this circumstance, the description should focus on the effects of a false altitude alert (and not controlled flight into terrain).

Possible consequences. Technical staff should describe how a hazard might manifest during flying operations. Technical staff should cover the range of possible outcomes, from the worst-credible to the most-likely outcomes. Where possible, this information should be informed by operational advice to improve understanding. If this advice was not available, technical staff should make clear any assumptions that were made in developing consequence advice.

Consequence and likelihood. The consequence and likelihood of the hazard or undesirable event occurring may be expressed, where possible, in Defence Harmonised Risk Matrix terms for the purpose of informing operational stakeholders; however, this should also be presented alongside the consequence and likelihood expressed via the risk characterisation methodology that best suits the design deficiency.

Treatments implemented. A list of design treatments that have already been applied to the hazard should be provided. Identify which elements in the safety order of precedence have been addressed by proposed treatments. That is, each treatment should be identified as being a design treatment, safety device, warning device or procedural treatment. This ensures operational understanding of the controls that have already been implemented within the technical domain, and their effect. This will also help to clarify the extent of any gap between design treatments implemented and risk remaining that requires further assessment and operational treatment.

Assumptions and constraints. A list of assumptions and constraints that were applied during risk assessment and treatment should be provided. This is particularly important where assumptions made during risk analysis about how the aircraft is operated, aircrew response times, crew workload, and so forth may not be evident in the description.