RISK MANAGEMENT IN (AIR) TRANSPORT WITH EXEMPLARY RISK ANALYSIS BASED ON THE TOLERABILITY MATRIX

This article is a continuation of the authors’ study on the ways to ensure safety in the Air Traffic Management (ATM) system. It directly refers to the processes of risk management involving, in particular, risk management in (air) transport. The main aim of this paper is to present and indicate the hazard identification and risk assessment tools that can be used in air transport and to apply one of them for a risk analysis of a specific ATM originating case. This is why, after a short introduction, describing the background of the research as well as literature review, the risk management process as such is characterized. It is shown in a schematic way and its main components are identified. At the same time, from the entire management process, the risk assessment procedure is highlighted as its most crucial part. Then, general hazards identification techniques, risk analysis and assessment tools are described, with an indication that they can also be implemented in air transport, if compatible with ICAO Standards and Recommended Practices (SARPs). In the following part, the process of risk assessment in air transport, based on the Safety Management Manual, using a safety risk tolerability matrix, is characterized. Finally, in this article, an exemplary risk analysis is carried out, focusing on a selected case arising from the ATM field. For the analysed case, safety risk hazards and their possible effects are identified and then assigned to the Intolerable, Tolerable and Acceptable regions. The entire paper is summarized and conclusions are drawn in relation to the publication’s main goal. Attention is also paid to the potential causes of appearance of hazards including, first of all, lack of adequate verification procedures, as well as people’s competence and last but not the least human errors, being the reason for 70-80% of unwanted transport accidents.


INTRODUCTION
The history of creation of risk management standards dates back to 1995, when the technical committees of standardization organizations from Australia and New Zealand merged, at the same time publishing the first AN/ANS 4360 standard - Risk Management. Two years later, Canada published its own version of this document, while, in 2001, Japan did so. Finally, the following year, the ISO organization published the IEC Guide 73 Risk Management - terminology, a glossary of terms used in the risk management process and, in 2004, the ISO 31000 Risk Management standard, which, slightly modified, is still in effect today as a second edition dated 2018. The ISO organization, in its standards, recommends developing a risk management strategy to describe how this process will be included in the activities of a given undertaking.
Risk can be expressed in terms of the frequency or probability of hazardous events or losses caused by non-occurrences over a specified period of time. The same safety criterion, which is a formula that calculates the level of risk that a particular community accepts, is used. Understanding the level of risk and development of safety criteria are carried out through a so-called risk assessment including the likelihood of occurrence category. Along with the degrees of risk, one can define them as unacceptable, undesirable, acceptable under control and acceptable. Collection of reliable information from various sources to enable safety analysis to prevent aviation incidents is referred to as a safety management strategy. A chance to reduce the risk understood as a threat appears thanks to the application of corrective, preventive and improving actions. This happens as part of the implementation of a proactive safety management strategy, where it is necessary to take continuous actions in the field of hazard identification and risk analysis, and take preventive actions adequately according to the results of analyses [17].
Aviation faces a variety of risks on a daily basis, many of which can pose a threat to the continued existence of users. In fact, risk is a by-product of doing business. Not all risks can be eliminated and not all risk-mitigation measures are financially feasible. The risks and costs specific to aviation create the need for a rational decision-making process. Everyday decisions are made in real time, where the probability and severity of any negative risk consequences and the expected benefits of taking risks are weighted. This process is known as risk management.
The development of research on the prevention of adverse aviation events has given managers of aviation organizations tools that allow the determination of variables that favour the occurrence of dangerous situations. Awareness of the existence of risk provides a chance to take action that is appropriate to mitigate it and control the risk factors. In this case, the dynamics and scope of preparation and implementation of air operations, as well as their environment, make full control over risk factors impossible. In a situation where it is impossible to completely eliminate danger in aviation, measures should be taken to minimize its frequency and its effects. This means that security should be considered on the basis of probability theory [15].
EUROCONTROL defines the human factor as a multidisciplinary effort to develop and introduce knowledge of how people work and to apply this knowledge to improve the relationship between employees, technologies and the tasks that they are assigned, as well as the work environment to work effectively in safe conditions. It is a complex discipline that considers issues affecting the performance of people and systems. This is reflected in the study of the genesis of research on the human factor: their goal is to improve system-man cooperation. The introduction of the results of these tests into the ATM system provides a broader view on all aspects of the human factor, increases work efficiency and the level of security, and reduces the costs of using the system in the long run.
An interesting issue was highlighted in a publication From Safety-I to Safety-II: A White Paper [9], where the authors noticed an evolution in risk perception. While in Safety-I vision there was a belief that accidents or incidents occur because something goes wrong and one can thoroughly examine the cause and identify a solution, in Safety-II, the purpose of investigations shifts towards an understanding of how things usually go right.
In the literature review, there is a clear and strong focus on risk management in aviation. Both service providers and regulatory institutions are aware that there is a need to continuously improve safety levels in ATM (Air Traffic Management). EUROCONTROL developed a reporting framework aligned with EU and ICAO regulations, the Toolkit for ATM Occurrence Investigation (TOKAI), which allows structured and unified reporting for Air Navigation Service Providers (ANSPs) [19]. Rios Insua et al. show a framework for risk management decisions in aviation safety at the state level with a novel and systematic methodology for risk management based on the principles of decision and risk analysis [21]. A procedure of strengthening air traffic safety management by moving from outcome-based towards risk-based evaluation of runway incursions is described by Stroeve et al. in [23]. Also, a quantitative model for assessing aviation safety risk factors as a means of increasing the effectiveness of a safety risk management system by integrating the fuzzy linguistic scale method, failure mode, effects and criticality analysis principle was shown by Wen-Kuei Lee [25]. Similarly, Hadjimichael [7] presented the Flight Operations Risk Assessment System (FORAS). The author defined it as a risk modelling methodology that represents risk factors and their interrelationships as a fuzzy expert system. FORAS is supposed to systematize the process of eliciting human expertise, provide for a natural representation of the knowledge in an expert system and automate the process of risk assessment. Fortunately, scientists also identified a possibility to forecast and assess the consequences of aviation safety occurrences [22].
For the sake of assessment of the significant influence of the human factor on safety in general, many publications are directly devoted to this topic. They are even sociological in nature. Xuecai & Deyong introduced a new method to assess and manage human factors [27]. A new procedure called Human Factor Risk Management (HFRM) was developed in [2] by Bevilacqua & Ciarapica or an innovative prognostic risk assessment tool for the manufacturing sector based on the management of the human, organizational and technical/technological factors in [5] by Djapan et al. Risk assessment is also used to detect the hazards associated with dangerous workplaces in aviation, reported in [1] or [18].
Generally, the issue of risk management in transport can be found in various literature publications e.g. Di Gravio et al. [4], Tamasi and Demichela [24], and those already mentioned before. However, taking into account the multitude of available methods as well as continuous modifications in the ATM system, further analysis and publications are required, especially in reference to safety (human safety as well as the safety of systems and infrastructure) and practical operational problems. This is why the main aim of this paper is to present and describe the hazard identification and risk assessment tools that can be used in air transport and to apply one of them for a risk analysis of a specific ATM case - the recent implementation of free route airspace in Poland - POLFRA, which has direct impact on flight operations safety and is currently up to date. This article is structured as follows: analysis of the process of risk management and assessment are presented in chapter 2, an exemplary risk analysis with the initial conclusions drawn are described in chapter 3 and summary and conclusions are presented in chapter 4.

RISK MANAGEMENT AND ASSESSMENT
Risk management is one of the basic components of a safety management system; it plays an important role in the entire process of safety assurance. Safety risk management, according to its definition [11], is a generic term that encompasses the assessment and mitigation of the safety risks of the consequences of hazards that adversely affect the capabilities of an organization, to a level as low as reasonably practicable (ALARP). In other words, risk management refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives. Its main purpose is the creation and protection of value. According to [14], risk is the "effect of uncertainty on objectives" and an effect is a positive or a negative deviation from what is expected. The level of risk is its magnitude. It is estimated by considering and combining consequences and likelihoods. A level of risk can be assigned to a single risk or to a combination of risks.
Although this approach is not necessarily new, still, due to the fact that nowadays organizations of all types and sizes face a number of threats (which may affect the achievement of their basic goals), it has become clear that all those risks must be managed somehow.

Risk management process
Risk management processes as such are based on ISO international standards series 31000. Two main documents worth mentioning in this context are (1) ISO 31000:2018: Risk management - Guidelines [14], which provides guidelines on managing the risk faced by organizations as well as a common approach to managing any type of risk that is not industry or sector specific, and (2) IEC 31010:2019: Risk management - Risk assessment techniques [12], which provides summaries as well as guidance on the selection and application of techniques for assessing risk in a wide range of situations. Based on those two standards, the process of risk management may be presented in the form of a diagram shown in figure 1. The risk management process consists of the following basic components:
1. communication and consultation on risk management,
2. establishing internal and external context, as well as the context of risk management, which, in practice, means the identification of the analysed system or process (and its environment),
3. defining of risk criteria,
4. risk assessment, consisting of hazards' identification, risk analysis and evaluation,
5. determination of a risk management strategy, in terms of its effectiveness,
6. risk mitigation (if necessary),
7. monitoring and review and
8. risk management process documentation.
Each part of the risk management process is important and should be integrated with all the other stages of the process. They all form a complete systemic approach and each of them is important for the proper functioning of the others. For example, defining of risk criteria enables the correct assessment of the analysed situation, while risk assessment provides basis/ideas for risk mitigation procedures. However, the most essential factor and the one that is indicated the most often is the risk assessment process.

Risk assessment
Risk assessment identifies how objectives may be affected (hazard's identification), and analyses the risk in terms of consequences, probability and potential cause (risk analysis) before deciding whether further action is necessary (risk evaluation). Proper identification of hazards, determination of their consequences and probability of occurrence as well as potential causes are the basis of appropriate risk management. This is why some fundamental questions need to be answered [12]:
1. What can happen and why?
2. What can the consequences be?
3. What is the probability of occurrence?
4. What is the potential cause?
5. What can be done to mitigate the consequence of incompatibility and/or reduce the probability of its occurrence and/or eliminate its potential causes?
6. Is the level of risk tolerable or acceptable or is further treatment required?
The bases for risk assessment are historical knowledge, observation of similar systems, expert knowledge, experience of analysts and, last but not least, dedicated techniques developed along with technical progress. It is the 31010 standard [12] that provides a summary of the tools used for risk assessment classified in terms of their suitability for risk identification, valuation of frequency and effects, effectiveness of deployment as a control tool as well as risk evaluation. Each described tool is characterized by its applicability, inputs, process description, outputs and limitations. On this basis, the most popular tools have been assigned to be useful in the subsequent processes of risk assessment: hazards' identification, risk analysis and risk evaluation as shown in figure 2. The question that arises is whether the methods presented in figure 2 and assigned to the mentioned stages of the risk assessment process can be used in transport (most of all in air transport) or is there some other specific approach dedicated to air transport?
It is known that air transport is a discipline with strong legal regulations. What must also be taken into account, while answering the question, is the rule in force in aviation to proceed only in accordance with specific standards or recommended practices (SARPs ICAO) or acceptable means of compliance (AMC EASA); the purpose of establishment and acceptance is uniform safety assurance. However, the methods and tools described above, originating from international ISO standards, are not in conflict with the mentioned principle. This is why the answer to the first part of the question is yes, that is, the presented methods can be deployed in air transport. Moreover, a look at the current literature confirms this statement as FMEA and HAZOP, for example, were used to analyse risk in the authors' other publications [6,16].

Risk tolerability matrix
Nevertheless, the answer to the second part of the question, focusing on special risk management methods in air transport, is also affirmative, as there is an approach based on the ICAO Safety Management Manual [11] of risk analysis based on the safety risk tolerability matrix. Moreover, strict air transport procedures require that safety management is proactive, systematic and transparent [11]. According to the Polish State Safety Program [20], risk management covers two aspects:
- processes of hazards identification and
- processes of risk assessment and mitigation,
which partly cover the approach from fig. 2 and form the core of the entire process, presented in fig. 3. The idea of risk management in the SMS concept can be explained based on its visual representation - as a triangle in an inverted position (figure 3) - "top-heavy" from a safety risk perspective [11]. Most risks of the consequences of hazards fall initially into the intolerable (unacceptable) region - NA, which, in practice, means that they are unacceptable under any circumstances and mitigation actions are immediately required. A smaller number of risks are assessed as falling into the tolerable region - T, which means that risk is acceptable, but the probability and severity of the consequences of those hazards must be permanently controlled. The fewest risks fall into the acceptable region - A; therefore, no further action to mitigate or control them is required at the moment.
The research conducted on aeronautical safety manuals and standards (such as SMM -ICAO Doc. 9859 [11] or Annex 19 [10]) confirms that safety risk in an air transport system should be expressed as a combination of the following two variables: the probability P and the effect (severity) S of an event.

[Figure 3: inverted triangle of safety risk regions. NA - safety risk intolerable: mitigate the risk or stop the action being executed; the biggest region, where the likelihood of occurrence and/or the severity of consequences are very large. T - safety risk tolerable: further analysis and management decision required. A - safety risk acceptable: good as it is but rare in practice; no further mitigation actions required.]
To correctly assess analysed risks against the consequences of a hazard, it is necessary to qualify assessment scales for both the values mentioned. The criteria for estimating the safety risk occurrence probability on a five-point scale, according to [11], are as follows: 1 -Extremely improbable, meaning that it is almost inconceivable that the event will occur, 2 -Improbable, meaning very unlikely to occur or not known to have occurred, 3 -Remote, meaning unlikely to occur, but possible or has occurred rarely, 4 -Occasional, meaning likely to occur sometimes or has occurred infrequently, and 5 -Frequent, meaning likely to occur many times or has occurred frequently.
A similar five-point scale, based on [11], may be presented for the safety risk severity of an event as follows: 1 - Negligible, meaning no influence on safety, little consequences, 2 - Minor, meaning inconsiderable influence on safety such as minor incident, operating limitations and/or use of emergency procedures, 3 - Major, meaning significant safety threat such as serious incident and/or injury to persons, 4 - Hazardous, meaning serious safety threat such as serious injuries and/or major equipment damage, and 5 - Catastrophic, meaning huge safety threat, such as multiple deaths and/or equipment destroyed.
Determination of these criteria enables risk evaluation and assignment of the hazards to the risk levels shown in table 1. At the same time, it enables the identification of the influence of each hazard on process' safety in reference to the entire air traffic management process.

Improbable   2   T    T    T    A    A
Remote       3   NA   T    T    T    A
Occasional   4   NA   NA   T    T    T
Frequent     5   NA   NA   NA   T    T

EXEMPLARY RISK ANALYSIS
As the adequate tools, processes and procedures were shown earlier in this article, an exemplary risk analysis is presented here. It was decided to present a case from the Air Traffic Management (ATM) system, as this area is of interest to the authors and the changes implemented in the system are up to date. One of the new functionalities added recently to the ATM system is Flexible Airspace Management and Free Route [3]. Free Route Airspace (FRA), known as POLFRA in Poland, according to its definition [26], is a specified airspace within which users may freely plan a route between a defined entry point and a defined exit point, with the possibility to route via intermediate (published) waypoints, without reference to the ATS route network, subject to airspace availability. Within this airspace, flights remain subject to air traffic control. In other words, the idea of free routing is to allow airspace users to fly as close to their preferred trajectories as possible, so that their flight routes are the shortest, the quickest and the most efficient. A more detailed description of this new functionality can be found in [3,6,26]. Here, the main idea is to conduct risk analysis of its implementation in Poland, based on the risk tolerability matrix, described in Section 2.3. Poland was selected as a natural exemplary location. However, it must be noted that, in a similar manner, identification and analysis of hazards can be conducted for any other European country, as the modifications to the ATM system are based on EU regulations. Moreover, they represent the background for the Single European Sky Air Traffic Research and Development (SESAR) project as well as the idea of Single European Sky (SES). The risk tolerability matrix method was chosen in this example to show the risk assessment process because of its simplicity. Nevertheless, the assessment must include all three stages: hazards' identification, risk analysis and risk evaluation.

Hazards' identification
The first stage has already been addressed in one of the author's previous publications [5]. The approach presented and application of the results were different, but a similar method was applied. Bearing the potential incompatibilities identified in [6] in mind, it can be considered that the hazards related to POLFRA implementation may be divided into three basic groups (figure 4) as follows:
- aeronautical data and information preparation,
- operational use of published aeronautical data and information, and
- compatibility.
The question that may arise after the recognition of safety hazards is why do they all focus on analysing data and information preparation and final use? The reason for this is simple: deployment of POLFRA does not require changes to the existing material assets such as infrastructure or aeronautical systems' components, and even if required, the changes are minor. However, changes in airspace structure and functioning require the publication of modified data and information (such as departing/arrival connecting points, FRA boundaries for specific flight levels, etc.), which must be available for all airspace users and are published in Aeronautical Information Publication AIP Polska. This is why the identification of hazards focuses on these as well as the subsequent risk assessment. The third group, compatibility, refers to the arrangements with other (neighbouring) countries (Baltic FAB for example), according to the cross-border character of air transport, as well as the relationships with other ATM functionalities and systems.

Risk analysis and evaluation
As the first risk management component, identification of hazards, is already completed, it is time to focus on the other areas: risk analysis and evaluation. It is necessary to estimate the values of the probability of occurrence of hazards, P, and the severity of their consequences, S, according to the presented criteria. In the risk evaluation process, three levels of risk were identified [11]: acceptable - A, tolerable - T and intolerable (unacceptable) - NA. The hazards identified must be assigned into one of those three groups.
The first aspect that may be noted is, in the authors' opinion, the fact that the assignment of hazards to risk levels is not very accurate, as the division scale consists of three regions only. More allowable assignment regions would allow a more precise division, but can make the analysis more complicated. The method based on the safety risk tolerability matrix seems to be a simple and quite quick method of identification of hazards' criticality. However, due to its not so high accuracy, it would be advised to use it as a preliminary study. If a more precise division is necessary, it is recommended to apply one of the more complex risk analysis methods such as FMEA/FMECA with a quantitative result or a method from a different pool of solutions such as fuzzy sets.
Nevertheless, the risk tolerability matrix and criteria for probability and severity determination were applied to assess the risks of POLFRA implementation. Three independent experts were asked to present their opinion and assess the parameters P and S according to the rules presented in Section 2.3. It must be taken into account that the results obtained may be subjective, as in any risk analysis. If they were to be used operationally, it should be considered whether or not to increase the number of evaluating experts, for a more balanced assessment. The results of the analysis carried out in this paper are presented in table 2.

Table 2. Risk assessment for POLFRA based on the safety risk tolerability matrix (own work)

Discussion of the results
To draw proper conclusions, the results obtained are summarized in table 3.  (see table 3).
- In case of selected results (case 6c for example), the experts' opinion varied and the results themselves could have been assigned to two different regions. For example, P = 3 and S = 5 assign the result into the NA region. However, changing the P value to P = 2 while keeping S = 5 (as one of the experts proposed) would assign the result into the T region. In case of experts' divergent assessments, the more rigorous selection was chosen.
- In each NA situation detected, the S variable is very high (in all cases, it is the maximum value - 5), while the P variable has a medium (3) value. Each NA detected concerns aeronautical data and information publication, mostly AIP Polska, which is relevant as this publication is the main basis for safe planning and conduct of flights, and information published therein must always be up to date and correct. Failure to comply with this results in "catastrophic" consequences in practice and is assigned the number 5 in table 2.
- In the entire table, regardless of the line, severity is generally assigned a bigger number than probability, which means that it is easier not to allow a situation to happen than to mitigate its consequences, which is in agreement with the proactive safety approach.
- Safety hazards belonging to the third group - compatibility - are all assigned to the A region, which seems to be relevant as the hazards mentioned therein do not affect flight safety in a direct way.
Risk analysis, based on the risk tolerability matrix, focuses on the assessment of the appearance of incompatibilities and their possible effect. It does not concentrate on identifying the risk/hazards mitigation activities. Such an approach is a standard procedure in HAZOP or FMEA analysis. Nevertheless, analysis conducted in the third chapter of this paper and summed up in table 2 allows indication of some corrective actions. Corrective or preventive actions = risk mitigation of the expected hazards. For the first group of identified hazards, in terms of aeronautical data and information creation, it would be recommended to (1) implement verification procedures in the subsequent stages of the entire aeronautical data and information chain, which means during data request, creation, publication, etc.; (2) carefully study the documentation before data preparation; and (3) designate a competent person according to the task to be done (as most incompatibilities appear as human errors).
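The evaluation rule discussed above (each expert's P and S mapped to a region, the more rigorous region kept when experts diverge) can be written out as follows. This is an added example, not the authors' code: the column order (severity 5 down to 1) and the P = 1 row are assumptions, since that part of table 1 does not survive on the page, and the hazard labels and ratings are constructed sample data, not values from table 2.

```python
from collections import Counter

# Tolerability matrix. Key = probability P, list = regions for severity S
# in the assumed column order 5, 4, 3, 2, 1. Rows P = 2..5 are the rows
# of table 1 that survive on the page.
MATRIX = {
    5: ["NA", "NA", "NA", "T", "T"],   # Frequent
    4: ["NA", "NA", "T", "T", "T"],    # Occasional
    3: ["NA", "T", "T", "T", "A"],     # Remote
    2: ["T", "T", "T", "A", "A"],      # Improbable
    1: ["T", "A", "A", "A", "A"],      # Extremely improbable (ASSUMPTION:
                                       # this row is missing from the page)
}

# Ordering used to pick "the more rigorous selection".
RIGOUR = {"A": 0, "T": 1, "NA": 2}


def region(p, s):
    """Return the tolerability region (NA, T or A) for one (P, S) pair."""
    if p not in MATRIX or s not in (1, 2, 3, 4, 5):
        raise ValueError(f"P and S must be integers 1..5, got P={p}, S={s}")
    return MATRIX[p][5 - s]


def evaluate(ratings):
    """Combine several experts' (P, S) ratings for one hazard.

    Returns (region, divergent): the most rigorous region any expert's
    rating leads to, and whether the experts landed in different regions.
    Ratings that differ but map to the same region are not divergent.
    """
    if not ratings:
        raise ValueError("at least one expert rating is required")
    regions = [region(p, s) for p, s in ratings]
    worst = max(regions, key=lambda r: RIGOUR[r])
    return worst, len(set(regions)) > 1


def summarize(assessments):
    """Evaluate every hazard and count hazards per region."""
    results = {name: evaluate(r) for name, r in assessments.items()}
    counts = Counter(reg for reg, _ in results.values())
    return results, counts


# Constructed sample: three experts per hazard, hypothetical labels H1..H4.
SAMPLE_ASSESSMENTS = {
    "H1": [(3, 5), (3, 5), (2, 5)],  # NA, NA, T -> NA kept, divergent
    "H2": [(2, 4), (2, 4), (2, 4)],  # unanimous T
    "H3": [(2, 2), (2, 1), (2, 2)],  # ratings differ, all A
    "H4": [(3, 3), (2, 3), (3, 3)],  # ratings differ, all T
}

if __name__ == "__main__":
    results, counts = summarize(SAMPLE_ASSESSMENTS)
    for name, (reg, divergent) in results.items():
        note = "experts diverged, stricter region kept" if divergent else ""
        print(f"{name}: {reg} {note}".rstrip())
    print({r: counts[r] for r in ("NA", "T", "A")})
```

Flagging the divergent hazards separately shows which entries sit on a region boundary and would change class with a one-step change in P.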
For the second group of described hazards, Operational use of published aeronautical data and information, the identified recommendations are as follows: (1) implementation of verification procedures once again, (2) correct route planning and traffic management, (3) perfect knowledge of published information and (4) implementation of applicable tools, if necessary. For the third group, compatibility, the risk mitigation activities recommended are as follows: (1) proactive approach and active operation, and (2) implementation of other required functionalities.
The next topic, which should be summed up, is the evaluation procedure. As mentioned before, in some cases, the experts' opinions varied, which is natural as risk evaluation is subjective by nature. Despite this, it was proposed that some reference values be prepared for the frequency of appearance of incompatibilities and, at the same time, the probability of their appearance, to increase the objectivity of the entire assessment. The reference values, presented in table 4, are authors' suggestions based on a literature review. However, it is noteworthy that specific values in a risk analysis evaluation process are rather rare. The other parameter, safety risk severity, seems to be defined clearly on the five-point scale, attributing possible effects (such as serious injuries and/or major equipment damage) to each of the scale numbers.

SUMMARY, CONCLUSIONS
Risk is an integral part of our lives. It appears in various situations and must be evaluated, and then accepted or mitigated. Risk management provides a consecutive set of activities and methods to control the unwanted impact of appearing hazards. The same procedures may be used in different applications. In this article, the method of dealing with risks was shown in a schematic way, in the form of an expanded risk management process diagram, and then widely discussed in relation to air transport. The tools used for risk assessment were also identified and divided into three main assessment parts: hazards' identification, risk analysis and risk evaluation. All the methods presented in the paper can be applied in any type of transport including air transport. At the same time, the case, analysed in the second part of the publication, aims at facilitating the understanding of one of the described methods thanks to its practical implementation. In the third chapter, a selected case arising from the ATM field was examined, which means that potential hazards were identified and risk was evaluated and assigned to one of the three tolerability regions. As a result, the possible effects of hazards' occurrence were described and risk mitigation activities, derived from the analysis were highlighted. Finally, the reference values for the frequency of occurrence of incompatibilities were suggested. Moreover, on the basis of all these considerations, the main aim of this article, presented in the introduction, is achieved.
It must be emphasized that, above all, risk assessment is a process that is closely related to hazard identification. For each hazardous situation, the degree of risk should be determined taking into account the probability of occurrence and possible consequences: losses. In risk assessment, the use of a scheme in which possible consequences and the probability of occurrence of the given events are determined can be helpful. To manage the operational risk of aviation facilities, process approach may be applied, in which the universal models used in quality management systems are used. Most importantly, risk should be recognized, assessed, neutralized and monitored throughout the entire life cycle of the object.
Discussion on the risk assessment results has already been reported in paragraph 3.3. Now, it is time to summarize the entire work. The focus of attention is the proactive safety approach, widely implemented in air transport. It is easier and safer (for human and equipment) not to allow a situation to happen than to mitigate its consequences. However, such an approach requires identification and recognition of hazards before they can even occur in real life. This makes the identification process of hazards a challenge. It is also worth mentioning that risk assessment based on a risk tolerability matrix does not directly identify the potential causes or the corrective actions proposed. A detailed analysis of the results presented in table 2 leads to the conclusion that the main reasons for the appearance of the identified hazards are as follows: (1) lack of adequate verification procedures, which should be done not only at the end of the mentioned processes (such as aeronautical data and information preparation) but also in the subsequent stages, not to allow the incompatibilities to remain in the following stages; (2) people's competence or rather its absence since, irrespective of the transport mode, the quality of personnel training processes is a key element affecting human-machine interactions and decision-making processes later on during the operational phase; moreover, trained reactions are especially important in air transport, as due to operations dynamics, decision time is sometimes limited to seconds; and (3) human errors (unintended as well as intentional), indolence and ignorance of the current situation - all three expressions are treated as synonyms, as statistically, these have been proven to be the main reasons affecting transport safety.