01

Quick answer

See the highlighted block above the contents list. The rest of this article walks through each layer of the loop.

02

Why occurrence reports alone are not enough

Occurrence reporting is foundational to a Safety Management System. ICAO Annex 19, EU Regulation 376/2014, EASA Part-ORO and FAA Part 5 all require it. Most airlines have it. None of them run a safety system on it alone.

An occurrence record captures discrete data: time, place, type, severity, reporter, classification. It answers what happened. It does not on its own answer four questions safety leaders need to act on weekly:

  • Which barriers held and which failed?
  • Is this event part of a pattern across the operation?
  • What does the Safety Risk Profile look like this week?
  • Are the corrective actions we have closed actually effective?

Each of these answers requires linking the occurrence to other artefacts. Without the linkage, the safety team is left with a queue. With the linkage, the team has a running safety system. The platform shape that ships the linkage as one model — rather than four databases connected by APIs — is the bar this article describes.

03

CAPA as the action layer

CAPA (Corrective and Preventive Action) is the action layer that closes the loop between detecting a safety issue and improving the system. The CAPA pipeline runs open → in progress → verify → closed, with effectiveness verification as a hard gate before closure.

Origin.A CAPA arises from one of three triggers: an occurrence's classification implicates a hazard or barrier; an audit finding identifies a gap; an SPI breach reveals a trend. In a connected system, the origin is recorded as a link, not a free-text note.

Owner and verifier. Every CAPA has a typed owner (a named person, not a department) and a named verifier (different from the owner). The owner closes the action; the verifier signs effectiveness.

Effectiveness verification.The gate that separates a CAPA from a checklist. The verifier reads the operational evidence — subsequent occurrences, audit re-tests, training records — and signs whether the action achieved its intended outcome. If yes, the CAPA closes and the related barrier's effectiveness is restored. If no, the CAPA reopens with a revised approach.

Downstream propagation.When a CAPA closes successfully, the relevant barrier's effectiveness state updates. The SPI counter for the top events that depend on the barrier reflects the change. The Safety Risk Profile entry for the relevant hazard refreshes. The accountable manager sees the change in the next safety review board pack without anyone re-running an export.

04

SPI as the measurement layer

Safety Performance Indicators (SPIs) are the measurement layer that detects when the operation is moving outside the expected envelope. ICAO Doc 9859 Section 4 defines the discipline; an operator's SPI library applies it.

What an SPI looks like.Numeric. Time-bound. Tied to a hazard or top event. With an alert threshold (when investigation triggers) and a target (where the operation should be). “Unstable approaches per 1000 sectors” is an SPI. “Improve safety culture” is not.

Leading vs lagging. Most airlines run a mix. Lagging SPIs count realised events (occurrences, near-misses) and are easy to define. Leading SPIs count precursors (training expiries, audit findings, procedure deviations detected by FOQA) and are harder to define but more useful operationally. A balanced library has both.

Ownership. Every SPI has a named owner who reviews it at the safety review board cadence. SPIs without owners drift, and an SPI that nobody owns is a metric, not an indicator.

How SPI connects upstream and downstream. Upstream: an occurrence is classified and ticks the SPI counter for the related top event. Downstream: an SPI threshold breach updates the Safety Risk Profile entry for the hazard and triggers an investigation that may open a CAPA. The SPI is the measurement layer between events and oversight.

05

SRP as the oversight layer

The Safety Risk Profile (SRP) is the oversight layer the accountable manager reads. It is not a synonym for the risk register; it is the live operational picture rendered on top of all the other artefacts.

What the SRP holds.Every hazard, with its current risk state, derived from the bowtie barriers' effectiveness, the SPI counters that track its top events, the recent occurrences linked to it, and the open CAPA in scope. The SRP is a rendered view, not a hand-curated document.

Cadence.Read weekly by the accountable manager and the safety review board. The current eAviora platform is designed so the SRP view is live the moment a record changes — no overnight batch required.

What changes the SRP. A new occurrence that bypasses a barrier. An audit finding that degrades a barrier. An SPI threshold breach. A CAPA closure with effectiveness signed. A training expiry on a barrier-relevant competency. The SRP is the audit of the linked records; the connected operation is the audit of the underlying records.

Why this matters. The accountable manager exercises oversight through the SRP. An SRP that is six weeks stale is a story; an SRP that updates in near real-time is a system. The regulator audits the story; the operation runs on the system.

06

How eAviora connects them

eAviora is the aviation safety intelligence and oversight platform built around exactly this loop, and the loop is live today. The four artefacts share one connected operation, so cross-module propagation is structural, not narrative.

In practice:

  • Occurrenceintake routes to classification — a specialist safety agent proposes, a human approves — and links to a hazard.
  • The hazard's top events render in bowtie diagrams. Each barrier carries a per-record effectiveness rating — effective, partially effective, ineffective or missing — derived from open audit findings, recent occurrence-driven bypasses, and relevant training records.
  • The SPI counters for the top events recompute the moment an occurrence is classified. Threshold breaches surface as alerts.
  • CAPAarises from occurrence findings, audit findings and SPI breaches. Effectiveness verification is enforced as a hard gate — a corrective action moves from not-required to required to verified-effective, and a workflow that cannot skip a step holds closure until the verification is signed.
  • The Safety Risk Profile is then recomputed: an eight-component, ICAO Doc 9859 four-level score that fuses base risk, trend, barrier health, active signals, corrective-action exposure, data confidence, surveillance coverage and audit load.

The full chain — occurrence to barrier assessment to corrective-action effectiveness gate to Safety Risk Profile recompute — runs as one connected operation, and it is proven end to end by a 13/13 live-cluster scenario suite, not asserted on a slide.

The relevant surfaces: SMS module, Actions (CAPA), Safety analytics. See the Buyer's Guide or contact us to discuss your operation.

07

Frequently asked questions

How are occurrence reporting, CAPA, SPI and SRP connected in a safety management system?

A connected safety management system links the four artefacts as one connected operation. An occurrence is classified against a hazard. The hazard either reinforces an existing risk or surfaces a new one. The hazard's top events appear in bowtie diagrams with preventive and recovery barriers. Each barrier links to the SPI counter that tracks the related top event. SPI threshold states feed the Safety Risk Profile. CAPA actions arise from occurrences, from barrier degradation, and from SPI breaches, and close only when effectiveness is verified. The links are what turn four artefacts into one safety system.

Why is occurrence reporting alone not enough for a safety system?

Occurrence reporting captures discrete events but does not on its own answer the operational questions safety leaders need to act on: which barriers held and which failed, whether this event is part of a pattern, what the Safety Risk Profile looks like this week, and whether closed CAPA are actually effective. Each of these requires linking the occurrence to other artefacts. Without the linkage, occurrence reporting is a queue, not a picture.

What is the role of CAPA in connecting occurrences to SPI and SRP?

CAPA (Corrective and Preventive Action) is the action layer that closes the loop between detecting a safety issue and improving the system. An occurrence triggers a CAPA. The CAPA targets a hazard or a degraded barrier. The CAPA closes only when effectiveness verification is signed. The effectiveness verification updates the barrier's effectiveness, which updates the SPI counter for the related top event, which updates the Safety Risk Profile entry the accountable manager reads. Without CAPA closing this loop, the system records events but does not improve.

How does eAviora connect occurrence, CAPA, SPI and SRP?

eAviora runs this as one connected operation, live today. An occurrence classification attaches to the relevant hazard, propagates to the affected bowtie barriers, recomputes the SPI counter, opens a corrective action against the degraded barrier, and recomputes the Safety Risk Profile entry. The effectiveness gate, once signed, restores the barrier and refreshes the SPI counter and SRP. The four artefacts share one model, not four databases linked by APIs — and the full loop is proven by a 13/13 live-cluster scenario suite.

What does an accountable manager read in a connected safety system?

A connected safety system renders an operational picture the accountable manager reads weekly: the Safety Risk Profile state across hazards, the SPI counters approaching thresholds, the open CAPA backlog with effectiveness verification dates, the recently degraded barriers, the weak-signal candidates surfaced by AI agents under human review. The picture is rendered live by the underlying records, not assembled from quarterly exports.