Legal Issues Related to Developing Safety Management Systems and Safety Risk Management at U.S. Airports (2013)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

4 The most difficult problem confronting airport opera- tors that undertake an SMS will likely be the gathering and protection of data. Nearly all of the approximately 570 commercial service airports in the United States that are certificated by the FAA (Part 139 airports) are owned and operated by governmental entities. These entities take many forms, including state departments of aviation, city or county enterprise funds, and quasi- governmental authorities. All these public entities are subject to applicable state and local public records laws, also known as “sunshine laws,” governing records main- tained by public entities.8 These laws, which are mod- eled on the Federal Freedom of Information Act (FOIA),9 generally broadly define what constitutes a public record and then require that, with certain very limited and enumerated exceptions, public records must be made available to any person requesting them. Sun- shine laws create a presumption that information in the hands of a public entity will be made available to the public. Thus, without further legislative or regulatory action, the huge amount of safety data that will be gen- erated by the SRM process that is central to SMS may all be subject to disclosure under state sunshine laws. The dissemination of SMS data in accordance with state and local sunshine laws could result in unwanted pub- licity, provide evidence in tort claims cases, and, as a result, could create disincentives for reporting safety information. SMS is founded on the principle that by collecting and analyzing safety data, trends can be spotted and accidents avoided. For this process to work as envi- sioned, however, there must be a regular and robust flow of data into the system. Studies and experience in comparable settings have amply demonstrated that the less protection there is from disclosure of safety data, the less likely it is that persons will report that data. As noted by the Flight Safety Foundation with respect to safety data gathered under certain aviation safety pro- grams described below, the majority of information on which safety enhancements now depend would not have surfaced at all if not voluntarily disclosed. Airport op- erators will need to become familiar with the law re- garding disclosure of public records and they would be wise to develop their SMS programs, to the greatest extent possible, to prevent disclosure of such data. Be- cause the vast majority of Part 139 airport operators are governmental entities, and therefore subject to state sunshine laws, SMS safety data will not be likely to be maintained confidentially. Nevertheless, airport opera- tors could take steps, such as de-identifying safety data, implementing elements of just culture, and providing for anonymous reporting, that will encourage reporting of safety data. 8 See, e.g., California Public Records Act, CAL. GOV’T CODE §§ 6250–6276.48 (West 2012), Florida Public Records Act, FLA. STAT. §§ 119.01–119.15 (2012), Massachusetts Public Records Law, MASS. GEN. LAWS ch. 66, § 10 (hereinafter, state public records laws are referred to as “sunshine laws”). 9 5 U.S.C. § 552. As will be discussed herein, one of the hallmarks of effective safety systems in comparable contexts is that safety data are not only kept confidential, but such data are subject to a privilege preventing disclosure in litiga- tion. The recently adopted FAA reauthorization act in- cludes protection from disclosure of SMS data provided to the FAA,10 but this protection does not expressly ap- ply to protecting data from disclosure under state sun- shine laws. This digest begins with a summary of the basics of SMS in Section II. It then discusses the concept of “just culture” (a regime that encourages reporting by not punishing individuals in most circumstances) with re- spect to SMS in Section III. It then summarizes certain recent efforts to implement SMS at airports in other jurisdictions and in other fields, including maritime, patient safety, and the oil and gas industry in Sections IV and V. The theories under which SMS could lead to increased liability for airports are then examined, along with certain immunities from liability that may be available to airports, in Section VI. Section VII provides a review of sunshine laws from three selected jurisdic- tions as well as Federal FOIA, and a discussion of cer- tain available means of protecting SMS data from dis- closure or discovery. The digest concludes with Section VIII, which suggests potential strategies for managing the legal issues that may arise due to implementation of SMS. II. BASICS OF SMS A. Description of SMS and SRM SMS is predicated upon the belief that a proactive analysis of data concerning hazards and their potential severity can be applied to identify the causes that may lead to accidents and, thus, to mitigate the personal injury and property damage resulting from such acci- dents by avoiding these causes. SMS comprises the fol- lowing four elements: • Development and adoption of safety policy and ob- jectives by senior management, including staff respon- sibilities, and dissemination of the safety policy throughout the organization. • Development of an SRM process, which describes each such system or activity at an airport, identifies hazards associated with such system or activity, deter- mines and analyzes the risk associated with each such hazard, and treats or mitigates and monitors the risk. SRM is also a continuous process so that the effective- ness of mitigation strategies and the classification of risks are regularly reviewed. • Safety assurance, through oversight and auditing to ensure that the safety programs are implemented and effective. 10 FAA Modernization and Reform Act of 2012, § 310, Pub. L. No. 112-95, 126 Stat. 11 (Feb. 14, 2012) (adding new § 44735 to Title 49 of the U.S. Code).

5 • Safety promotion, through the development of a positive safety culture, including training, within the organization.11 SMS, through the SRM function, at a minimum should 1) establish a system to identify actual and po- tential safety hazards; 2) establish a systematic process to analyze hazards and their associated risks; 3) provide for regular assessment to ensure that safety objectives are being met; and 4) establish and maintain records that document the Part 139 airport’s SMS processes.12 SMS should clearly define the lines of safety account- ability throughout the airport operator’s organization, including a direct accountability for safety on the part of senior management.13 ICAO has provided guidance on SMS in the ICAO Safety Management Manual14 (SMM) and in the Man- ual on Certification of Aerodromes (Doc. 9774).15 Other guidance on SMS for airports is available on the FAA’s Web site.16 These materials include the Airport Coop- erative Research Program’s (ACRP) two-volume Report 1: Safety Management Systems for Airports and links to the FAA’s Proposed Rule regarding SMS for airports and the docket, including comments and results of pilot SMS studies commissioned by the FAA. ICAO recommends that a single, identified individ- ual, known as the “accountable executive,” oversee and be responsible for implementation and maintenance of the SMS at each airport.17 He or she should have final authority over operations conducted at an airport and have final responsibility for all safety issues.18 The ac- countable executive must also be given extraordinarily broad powers, including full control of the human and financial resources required to implement and maintain the SMS.19 In implementing SMS, airport operators will need to gather and analyze a great deal of data. Following the initial identification of airport hazards and risks as part of the SRM process, as part of the safety assurance process airport operators will continue to gather data on risks associated with new activities, newly identified 11 See AC 150/5200-37, ch. 2 (Elements of a Safety Man- agement System). 12 Id. 13 See ICAO SAFETY MANAGEMENT MANUAL, 2d ed., 2009 (SMM), Doc. 9859 (a third edition of the SMM was issued in advance draft form in May 2012). 14 Id. 15 See Annex 14 to the Convention on International Civil Aviation (CICA), § 1.4 (Certification of aerodromes). 16 http://www.faa.gov/airports/airport_safety/safety_ _management_systems/. 17 See SMM. See also Annex 14 to CICA, § 1.5.4 (“an ap- proved safety management system shall clearly define lines of safety accountability throughout a certified aerodrome opera- tor, including a direct accountability for safety on the part of senior management”). 18 See SMM. 19 Id. hazards, changes in the degree of risk assigned to haz- ards, and the results of mitigation activities. Airport operators are also required to audit the SMS program to ensure that the airport operator is complying with its SMS. Many airports will develop a “Predictive Risk Ma- trix,” a database system that records the identified haz- ards, the means of mitigating certain hazards, and a table of the risks following such mitigation. The FAA recommends that airports categorize the acceptability of risks through development of a Predictive Risk Matrix, which will categorize risk based upon the severity and likelihood of identified hazards.20 Theoretically, the more data that can be included in an SMS analysis, the better the likelihood that hazards can be identified and mitigated and accidents avoided. As a practical matter, however, it is this critical matrix of risk information that presents many of the legal issues that are associ- ated with SMS. B. ICAO Requirements The ICAO adopted an amendment to its Interna- tional Standards and Recommended Practices that re- quires member states, which include the United States and Canada, to require that operators of international airports implement an SMS.21 ICAO has adopted simi- lar requirements applicable to operators of commercial aircraft, aircraft maintenance organizations, and air traffic services.22 According to ICAO, SMS is “a system- atic approach to managing safety, including the neces- sary organizational structure, accountabilities, policies and procedures.”23 ICAO’s SMM defines “safety” as “[t]he state in which the possibility of harm to persons or of property damage is reduced to, and maintained at or below, an acceptable level through a continuing process of hazard identifica- tion and safety risk management.”24 ICAO has taken the position that elimination of all accidents and serious incidents, while desirable, is not possible.25 Thus, the SMM states, “safety risks and operational errors that are controlled to a reasonable degree are acceptable in an inherently safe system.”26 The SMM and ACRP Report 1: Safety Management Systems for Airports both provide valuable guidance regarding the development and implementation of SMS at airports, but neither addresses the legal issues that the development of SMS may raise at U.S. airports. 20 See AC 150/5200-37, § 3.3, at 11–12. 21 See Annex 14 to CICA, § 1.4 (Certification of aerodromes). 22 See Annex 6, pt. I, ch. 3 (aircraft), ch. 8 (aeroplane main- tenance), pt. III, ch. 1 (commercial air transport), and Annex 11 (air traffic services) to the CICA. 23 CICA, Annex 14, vol. I, § 1.1. 24 SMM, § 2.2.4. 25 Id. § 2.2.2. 26 Id. § 2.2.3.

6 C. FAA Actions Concerning SMS As discussed below, the FAA has undertaken safety programs and rulemakings relating to SMS for several discrete sectors of the aviation industry, including Part 139 airports. FAA has established separate SMS pro- grams for its air traffic control function27 and the FAA’s Office of Airports, as well as a separate SRM process for review of changes to airport standards or certain pro- ject-specific approvals.28 The FAA is also undertaking a separate SMS rulemaking process for air carriers.29 In addition, for many years prior to its more recent focus on SMS, the FAA, in partnership with the National Aeronautics and Space Agency (NASA), developed and has maintained safety reporting programs that incorpo- rate data gathering and analytical elements that are now central to SMS. As a result, there is a diversity of FAA-mandated standards, terminology, and approaches applicable to SMS programs operating or to be operated within the U.S. aviation system. FAA has stated that it will synchronize its SMS ef- forts both internally and externally to the extent practi- cable.30 Notwithstanding the separate approach to SMS rulemaking it has undertaken, the FAA has also stated that it is committed to an integrated approach to SMS, including common definitions and understanding of risk, consistent methods for analyzing and assessing safety risks, common safety risk management tech- niques, consistent safety assurance procedures, and common approaches to defining acceptable levels of risk.31 1. Airport SMS In part to comply with the ICAO requirements, the FAA issued a Proposed Rule on October 7, 2010, regard- ing implementation of SMS at commercial airports.32 The Proposed Rule would amend the FAA’s primary regulatory guidance applicable to commercial airports, 14 C.F.R. Part 139 (Part 139), to require all Part 139 airports to develop and maintain an SMS that is ap- proved by the FAA.33 Part 139 regulates the certification and operation of all airports within the United States that have sched- uled or unscheduled passenger service, other than air- ports served by very small aircraft.34 Part 139 does not, 27 See FAA Air Traffic Order JO 1000.37, Air Traffic Or- ganization Safety Management System (Mar. 19, 2007), and Air Traffic Organization SMS Manual, Version 2.1 (May 2008). 28 See FAA Order 5200.11, FAA Airports (ARP) Safety Management System, Aug. 30, 2010. 29 See Safety Management Systems for Part 121 Certificate Holders, 75 Fed. Reg. 68, 224 (Nov. 5, 2010) (to be codified at 14 C.F.R., pts. 5 and 119). 30 FAA Order 5200.11, § 1-6. 31 Id., § 2-2. 32 Proposed Rule, 75 Fed. Reg. 62,008. 33 Id. at 62,022. 34 14 C.F.R. § 139.1 (applicability). There are approximately 570 Part 139 certificated airports in the United States. however, currently require Part 139 airports to imple- ment an SMS program. The Proposed Rule follows the ICAO model and emphasizes the four critical elements of SMS described above. As described above, the Proposed Rule places ac- countability for the implementation and maintenance of each airport operator’s SMS in the hands of an identi- fied accountable executive. The commentary to the Pro- posed Rule states that the accountable executive must be a high-level manager who can influence safety- related decisions and who has authority to approve op- erational decisions and changes.35 In general, the ac- countable executive will be the highest approving au- thority at the airport for operational decisions and changes.36 Unlike the ICAO and other FAA models, the Pro- posed Rule is applicable only to Part 139 airports and not to other participants in the national aviation sys- tem. Unlike other FAA SMS guidance,37 the Proposed Rule does not address either confidentiality and protec- tion of safety data or just culture. This can be con- trasted with the proposed guidance applicable to air carriers that relies on the existing confidential report- ing programs, including the Aviation Safety Action Pro- gram and the Aviation Safety Reporting System (ASRS), discussed below, which are not applicable to Part 139 airports. In addition to the Proposed Rule, the FAA has al- ready implemented a policy regarding SMS that affects airports. Order 5200-11 became effective August 30, 2010, and is applicable to the FAA’s Office of Airports (ARP). Effective on June 1, 2011, for large hub air- ports,38 Order 5200-11 requires that an SMS review be undertaken in connection with FAA’s review of revi- sions to Airport Layout Plans, construction project co- ordination, noise compatibility program measures that could affect safety (such as noise-abatement departure procedures), approval of requests for project-specific modifications of standards, certain nonconstruction changes (such as runway or taxiway designations), ma- terial changes from a previous SRM assessment, or de- velopment of or updates to FAA standards published in ACs.39 Although Order 5200.11 initially was to apply on a phased basis to all airport within the National Plan of Integrated Airport Systems, due to a lack of resources, the FAA has postponed full implementation of Order 5200.11 to airports other than large hub airports until further notice.40 For the majority of the matters re- viewed under Order 5200.11, the airport operator will 35 Proposed Rule, 75 Fed. Reg. 62.008, 62011. 36 Id. 37 See, e.g., 75 Fed. Reg. 68224, 68233 (referencing the data protection of ASRS, ASAP, and FOQA with respect to the pro- posed SMS regulations applicable to certificated air carriers). 38 Order 5200.11, § 1-4(b). 39 Id., § 4-3. 40 See FAA Order 5200.11, Change 1, effective May 31, 2011.

7 be a part of the safety review process overseen by the ARP, along with other subject matter experts. To un- dertake a project, the airport operator will be required to accept and undertake any mitigation determined by a review panel established by the ARP to be necessary to achieve an acceptable level of risk.41 In preparation for the Part 139 SMS rulemaking process, the FAA has sponsored several pilot SMS pro- grams, summaries of which are available in the docket for the Proposed Rule and through the FAA’s Web site.42 In addition, the ACRP of the Transportation Re- search Board has produced a report containing an over- view of SMS,43 and has issued an SMS user guidebook for airport operators.44 The initial airport SMS pilot studies concluded that, although Part 139 addresses safety at airports in many areas, the existing safety regulations at Part 139 are not a comprehensive SMS.45 Part 139 does not cover all areas of a commercial air- port, or even all airside areas of the movement or non- movement areas, nor does it address all aspects of safety management. 2. Air Carrier SMS On October 29, 2010, the FAA issued a Notice of Proposed Rulemaking (NPRM) that would amend 14 C.F.R. by adding a new Part 5 (Part 121 SMS NPRM).46 The Part 121 SMS NPRM would require all air carriers certificated under Part 121 to implement an SMS that meets the requirements of the new regulations and is acceptable to the FAA within 3 years of the effective 41 Id., §§ 4-8, 4-9. 42 See FAA Web site: http://www.faa.gov/airports/airport_ safety/safety_management_systems/. 43 See AIRPORT COOPERATIVE RESEARCH PROGRAM, REPORT 1: SAFETY MANAGEMENT SYSTEMS FOR AIRPORTS, Vol. 1: OVERVIEW OF SAFETY MANAGEMENT SYSTEMS FOR AIRPORTS (2007), http://onlinepubs.trb.org/onlinepubs/acrp/acrp_rpt_ 001a.pdf. 44 AIRPORT COOPERATIVE RESEARCH PROGRAM, REPORT 1: SAFETY MANAGEMENT SYSTEMS FOR AIRPORTS, Vol. 2: GUIDEBOOK (2009), http://onlinepubs.trb.org/onlinepubs/acrp/ acrp_rpt_001b.pdf. 45 See FAA summary of initial pilot SMS studies, concluding that it is [a]pparent that [Part] 139 is not SMS in and of itself…. Evi- dence that SMS is something larger, more comprehensive, than is currently found in the act of complying with 139 require- ments. Evidence that 139 compliance may eventually become part of airport SMS program…contrary to the idea that SMS would eventually become part of 139. Reference made to the idea that SMS could be used to ensure 139 compliance…but that 139 by itself could not ensure that SMS was functioning. Presentation at joint FAA/Airports Council International– North America/American Association of Airport Executives SMS Conference, Baltimore, Md., Oct. 2008, available by membership at http://events.aaae.org/sites/080703/index.cfm. 46 See Safety Management Systems for Part 121 Certificate Holders, 75 Fed Reg. 68,224 (proposed Nov. 5, 2010), Docket No. FAA-2009-0671; Notice No. 10-15 (the “Part 121 SMS NPRM”). date of the final rule. The Part 121 SMS NPRM con- trasts in several notable ways with the Proposed Rule. Like the Proposed Rule, the Part 121 SMS NPRM requires that a Part 121 certificate holder’s SMS follow the familiar four-prong approach of the ICAO guidance: 1) safety policy, 2) SRM, 3) safety assurance, and 4) safety promotion.47 Unlike the Proposed Rule, however, the commentary to the Part 121 SMS NPRM addresses the concerns raised about protecting data submitted through the SMS. Like the Proposed Rule, the Part 121 SMS NPRM would not require SMS data to be provided to the FAA; instead, the FAA may inspect the carrier’s records, and existing protections for voluntary pro- grams such as the Aviation Safety Action Program (ASAP) would still apply.48 One critical difference is apparent, however; unlike the vast majority of Part 139 airport operators, the carriers holding Part 121 certifi- cates are private entities not subject to the disclosure requirements of state or federal sunshine laws. Only by providing safety data to the FAA (or another govern- mental entity) would such data become public under such laws. The Part 121 SMS NPRM also provides that a desig- nated accountable executive must be responsible for the certificated carrier’s SMS, but the proposed regulations provide much more detail regarding that person’s re- sponsibilities and duties for a Part 121 carrier.49 In ad- dition, the accountable executive must designate a management representative to manage the SMS on a day-to-day basis, including facilitating hazard identifi- cation and safety risk analysis, monitoring the effec- tiveness of safety risk controls, ensuring safety promo- tion is carried out, and reporting to the accountable executive.50 The accountable executive and manage- ment representative would also be tasked with develop- ing an emergency response plan for the carrier.51 The Proposed Rule does not provide for a management rep- resentative, although airports with larger and more complex SMS programs may choose to adopt this model. 3. NASA/FAA Programs Although the U.S. government has not yet required that SMS be adopted by most participants in the U.S. aviation system, two programs that anticipate elements of SMS have been operated successfully by NASA and the FAA for many years: the ASRS and the ASAP. In the Part 121 SMS NPRM, the FAA notes that these programs can be incorporated as elements of an air car- rier’s SMS. ASRS and ASAP have generated significant amounts of safety data that have led to improvements in the na- tional aviation system. As an independent review team examining ASAP concluded, “the majority of the infor- 47 75 Fed. Reg. 68,224, 68242 (§ 5.3(a)). 48 Id. at 68,233. 49 Id. at 68,243 (§ 5.25). 50 Id. (§ 5.25(c)). 51 Id. (§ 5.27).

8 mation on which [safety] enhancements now depend would not surface at all if not voluntarily disclosed.”52 a. Aviation Safety Reporting System.—ASRS has been operated by NASA since 1975 and gathers data from multiple sources, including pilots, air traffic con- trollers, flight attendants, and maintenance personnel, that is intended to identify actual or potential discrep- ancies and deficiencies involving the safety of aviation operations that are the precursors of accidents and fa- talities in the airline industry.53 As a result of informa- tion generated by ASRS, the FAA takes corrective ac- tion to remedy defects or deficiencies in the national airspace system. The data is also used to both improve the current system and assist in planning for the future national airspace system.54 By all accounts, ASRS has been a significant success, generating thousands of re- ports leading to many improvements in aviation safety.55 Notably, ASRS incorporates significant confidential- ity provisions and restrictions on the use of reports. ASRS reports are de-identified—that is, they are stripped of data identifying the person reporting as well as data that could identify other parties.56 ASRS reports may not be used in any disciplinary action, except for information concerning criminal offenses or accidents (which are promptly referred to appropriate federal authorities by NASA before the identifying information is removed).57 In the more than 34 years of the ASRS program under NASA’s management, there has not been a single breach of confidentiality.58 The ASRS was originally undertaken by the FAA. The FAA quickly determined, however, that the effec- tiveness of ASRS would be greatly enhanced if NASA processed the data, ensuring the anonymity of the re- porter and all parties involved.59 The FAA believed that such confidentiality protections would increase the flow of information necessary for the effective evaluation of 52 Linda Werfelman, Rebuilding ASAP, 4 AEROSAFETY WORLD, 40, 42 (Feb. 2009), quoting Independent Review Team, Managing Risks in Civil Aviation: A Review of the FAA’s Ap- proach to Safety, Sept. 2, 2008. 53 See FAA, AC No. 00-46E, Aviation Safety Reporting Pro- gram, Dec. 16, 2011, at ¶ 1, link available at http://www.faa.gov/regulations_policies/advisory_circulars/ index.cfm/go/document.information/documentID/1019713. 54 Id. 55 See, e.g., Brian Raymond & Robert Crane, Design Consid- erations for a Patient Safety Improvement Reporting System, Institute for Health Policy, Kaiser Permanente, Apr. 2001, at 6 (hereinafter, the “Kaiser Report”) (“Members of the aviation community have visible evidence that they are helping to im- prove aviation safety by reporting to ASRS. The ability of ASRS to convert aviation incident reports into constructive output is demonstrated by the variety of products made avail- able to the aviation community.”), http://www.kpinstitute forhealthpolicy.com/kpihp/CMS/Files/safety_improvement.pdf. 56 FAA, AC No. 00-46E, at ¶ 8, Dec. 16, 2011. 57 Id. at ¶ 5(b); 14 C.F.R. § 91.25. 58 Id. at ¶ 5(a). 59 Id. at ¶ 3. the safety and efficiency of the national airspace sys- tem.60 As an additional incentive to encourage the report- ing of incidents, the FAA has stated that it considers the filing of an ASRS report with NASA concerning an incident or occurrence involving a violation of the law or regulations applicable to air operations “to be indicative of a constructive attitude.”61 Accordingly, if the reported violation 1) was inadvertent and not deliberate, 2) did not involve a criminal offense or accident, 3) involved a violator who has not previously violated federal avia- tion law within the preceding 5 years, and 4) if the ASRS report was filed promptly after the violation or awareness of such violation, the FAA will not impose a civil penalty or suspend certification.62 b. Aviation Safety Action Program.—Under an ASAP, “safety issues are resolved through corrective action rather than through punishment or discipline.”63 The ASAP is administered by the FAA and provides a means for individual certificate holders (both air carri- ers and repair stations) to voluntarily report safety in- formation that may be critical to identifying potential precursors to accidents.64 An ASAP typically involves three parties: the FAA, the certificate holder, and a third party, often a labor organization, representing the group of employees involved in the ASAP.65 These par- ties enter into a memorandum of agreement (MOA) setting forth the terms and conditions of the ASAP.66 ASAP provides for the collection, analysis, and re- tention of safety data concerning a specific air carrier or repair station, much of which would otherwise be unob- tainable.67 In a report issued in 2008, an independent review team examining ASAP concluded that “the ma- jority of the information on which [safety] enhance- ments now depend would not surface at all if not volun- 60 Id. 61 Id. at ¶ 9(c). 62 Id. 63 See FAA, AC No. 120-66B, ¶ 1, Aviation Safety Action Program, Nov. 15, 2002, link available at http://www.faa.gov/regulations_policies/advisory_circulars/ index.cfm/go/document.information/documentID/23207. 64 Id. 65 Id. at ¶ 1. 66 Id. at ¶ 1(c). 67 Werfelman, supra note 52. The U.S. Government Ac- countability Office (GAO) has noted that the data that FAA obtains through voluntary reporting pro- grams afford insights into safety events that are not available from other sources and are critical to improving aviation safety, but participation in these programs has been limited by con- cerns about the impact of disclosure and, especially in the case of smaller carriers, by cost considerations. GOVERNMENT ACCOUNTABILITY OFFICE, AVIATION SAFETY– IMPROVED DATA QUALITY AND ANALYSIS CAPABILITIES ARE NEEDED AS FAA PLANS A RISK-BASED APPROACH TO SAFETY OVERSIGHT, Report 10-414, at 31–32 (May 2010), http://www.gao.gov/new.items/d10414.pdf.