Traditionally, safety and security have been considered two distinct domains. Risk assessments based on identified hazards and threats were conducted in isolation and often not shared between the relevant practitioners. Recent events have caused a paradigm shift towards integrated risk management that considers both safety and security elements in a cohesive manner. ICAO began promoting this concept in recognition of the need to provide further guidance and assistance to States.
The definitions of safety and security are complex, given that they can be debated from many disciplines and a variety of angles. As standard practice, ICAO defines terms in the Annexes to the Chicago Convention when the terms used are not self-explanatory or do not have accepted dictionary meanings. Annex 17 defines security as “safeguarding civil aviation against acts of unlawful interference”, whereas safety is defined in Annex 19 as “the state in which risks associated with aviation activities, related to, or in direct support of the operation of aircraft are reduced and controlled to an acceptable level”.
According to these definitions, safety is limited to the consequences of safety risk, whereas integrated risk is the combination of security and safety factors. To provide accurate foundations for developing integrated risk management principles, both approaches should be considered.
In recent years, safety management principles have evolved to rely more and more on data-driven, quantitative risk analysis. This was possible because system failures are the result of quantifiable hazards, even in cases of human error. To this end, the first amendment of ICAO Annex 19 includes Standards and Recommended Practices for the collection, analysis, protection, sharing and exchange of safety data and safety information. Guidance supporting these provisions is contained in relevant ICAO guidance material such as the Safety Management Manual (Doc 9859).
In the security domain, the counterpart of hazards is threats. Whereas hazards are somewhat quantifiable, threats tend to be less so since they are a function of capability and intent. Threats have a strong sociological component and are often better defined in qualitative ways. Furthermore, based on the qualitative assumptions of their components, a threat may be defined as confirmed, credible or non-credible. The frequently confidential nature of threats makes wider sharing of information related to security concerns more difficult, and duty of care must be applied when analyzing threat data. The aggregation and de-identification of security data is a necessary prerequisite for any wider and more public analysis.
The inherent difference between hazards and threats is the element of intent. What they have in common is that both can result in consequences that present potential risks. This risk is defined as the predicted likelihood and impact of the consequences of hazards or threats, taking into account mitigation measures and vulnerabilities. Based on these commonalities, it can be argued that it is better to combine the sectoral risks in order to evaluate an overall operational risk. This thinking allows for a better analysis of cross-interference between safety and security measures that could result from competing mitigation measures.
A recent scenario that would have benefited from an integrated approach to the management of risk involved the implementation of reinforced cockpit doors to address security concerns – which eventually led to a safety discussion.
The intent of integrated risk management is to look at the overall risk of an activity, and to determine if this risk is acceptable to the user. In simple terms this means that it doesn’t matter if an unintentional (safety) or intentional (security) component is compromising the integrity of the air transport system.
This thinking was introduced by ICAO in the fourth edition of the Safety Management Manual (Doc 9859) (International Civil Aviation Organization, 2018), as well as the second edition of the Risk Assessment Manual for Civil Aircraft Operations Over or Near Conflict Zones (Doc 10084) (International Civil Aviation Organization, 2018), and found its way into the ongoing development of a global cybersecurity strategy, which is expected to be published during the 40th Session of the ICAO General Assembly in 2019.
Communication is an important factor in integrated risk management, given that risk information needs to be presented in an easily understandable format and must be readily accessible. Furthermore, the integrity and confidentiality of the communicated information are paramount to the building of trust and credibility. One technical solution to meet these requirements involves the application of Blockchain technology.
One tool that would meet all these requirements and support integrated risk management mechanisms would involve the development of a comprehensive Hazard and Threat Register. Such a register could initially display real-time information on hazards contained in the global NOTAM database, meteorological hazards reported through METARs, as well as threats from an early warning cybersecurity system. Each of these types of information could be further analysed and tagged according to a set of specific taxonomies to provide a more granular first level analysis.
In addition to this real-time data, the Hazard and Threat Register could also include information that may not be real-time but is still considered valuable (i.e. reported security incidents and safety oversight results). Since all the data would be associated with a specific airport, it could be aggregated to develop a risk profile for each airport. Furthermore, the airport risk profile could be used to develop a risk index and provide a simple but meaningful way to make risk comparisons with other airports and facilitate benchmarking at the national, regional and global levels. This system, with the intention to eventually develop an integrated risk information solution, is currently being prototyped by ICAO.
About the authors
Andreas Meyer, Aviation Cybersecurity Officer in the Aviation Security Policy section of ICAO’s Air Transport Bureau, specializes in risk management, having worked on both safety and security files since 2013. He has previously worked in the field of operational safety and security and has an academic and military background in risk management.
Catalin Radu has been the Deputy Director of the Air Navigation Bureau at ICAO responsible for Aviation Safety, since September 2014. He held a number of executive and managerial positions at the Romanian Ministry of Transport and at the European level with over 20 years’ experience in aviation safety. He also served as President of ECAC, Vice President of EUROCONTROL and ECAC’s Focal Point for Safety Matters.