SAF-SAM Course Slides

Page 1: SAF-SAM Course Slides

NSA-SOSM Copyright 2012 EUROCONTROL 1

Introduction to the Safety Assessment Methodology

A centre of excellence in ATM Training

SAF-SAM

Page 2: SAF-SAM Course Slides

05 - Supervision and Safety Oversight

© Copyright 2012 EUROCONTROL

Any use of this training material is subject to prior written consent by EUROCONTROL.

Requests shall be addressed to: Head of the Institute of Air Navigation Services, 12, rue Antoine de Saint-Exupéry, L-1432 Kirchberg, Luxembourg.

The EUROCONTROL Institute of Air Navigation Services aims to provide the services that you want and to make your stay in the Institute as enjoyable as possible. All Institute personnel are there to ensure that your stay at the Institute is successful. However, if you do have a complaint (or a compliment) please tell us. If you are not satisfied with the service we provide or you would like to propose an improvement then please fill out the form at http://www.eurocontrol.int/ians/complaint.html, or contact [email protected] directly.

Page 3: SAF-SAM Course Slides

SAF-SAM Course

Table of content

Course Programme
Glossary
01 Introduction to Safety Management in ATM
02 ATM Safety Regulatory Framework
03 Key concepts of Risk Assessment and Mitigation
04 Traffic Risk Exercise
05 Safety Assessment Methodology Overview
06 Initiation of ATM change safety assessment
07 Hazard Identification, Risk Assessment and Determination of Safety Objectives
08 Hazard Identification, Risk Assessment and Determination of Safety Objectives – Exercise
09 Risk Mitigation Strategy of ATM Change Design for Operations
10 Risk Mitigation Strategy of ATM Change Design for Operations – Exercise
11 Safety Verification and Validation
12 Risk Assessment and Mitigation of ATM Change Implementation – Exercise
13 Risk Assessment and Mitigation of ATM Change Transfer into Operations – Exercise
14 Safety Argument / Case Principles
15 Practicalities

Page 4: SAF-SAM Course Slides

Course timetable (the slide's grid layout was not preserved; sessions are listed by number)

DAY/TIME 09:00 10:00 12:30 17:00 (further time markers on the slide: 12:00, 13:30)

Monday
Tuesday: Debrief 1st day
Wednesday: Debrief 2nd day
Thursday: Debrief 3rd day
Friday: Debrief 4th day

Session 00: Course Intro
Session 01: Introduction to Safety Management in ATM
Session 02: ATM Safety Regulatory Framework
Session 03: Key Concepts of Risk Assessment and Mitigation
Session 04: Road traffic Exercise
Session 05: Risk assessment and mitigation – Overview of SAM & Fish tank Example
Session 06: Initiation of ATM Change Safety Assessment – Example
Session 07: Hazard Identification, Risk Assessment and Determination of Safety Objectives
Session 08: Hazard Identification, Risk Assessment and Determination of Safety Objectives – Exercise
Session 09: Risk Mitigation Strategy of ATM Change Design for Operations
Session 10: Risk Mitigation Strategy of ATM Change Design for Operations – Exercise
Session 11: Safety Verification and Validation
Session 12: Risk Assessment and Mitigation of ATM Change Implementation – Exercise
Session 13: Risk Assessment and Mitigation of ATM Change Transfer into Operations – Exercise
Session 14: Safety Argument / Case – Principles
Session 15: SAM Assistant
Session 16: Practicalities
Session 17: Test & Debrief
Session 18: Course Debrief

Page 5: SAF-SAM Course Slides

Abbreviations and Acronyms useful for IANS SAF-SAM Training Course

AC, Ac Aircraft

A-SMGCS Advanced Surface Movement Ground Control Systems

ACAS Airborne Collision Avoidance System

ACAS-IR Commission Regulation (EU) No 1332/2011 of 16 December 2011 laying down common airspace usage requirements and operating procedures for airborne collision avoidance

ACC an Area Control Centre (an en-route ATC unit)

ACID-IR Commission Regulation (EU) 1206/2011 of 22 November 2011 laying down requirements on aircraft identification for surveillance for the single European sky

ADQ-IR (I) Commission Regulation (EU) No 73/2010 of 26 January 2010 laying down requirements on the quality of aeronautical data and aeronautical information for the SES (this regulation covers the production and distribution of such data/info)

AGL Aerodrome Ground Lighting

AIC Aeronautical Information Circular

AIP Aeronautical Information Publication

AIS Aeronautical Information Service, a part of the air navigation services (ANS), meaning a service established within the defined area of coverage responsible for the provision of aeronautical information and data necessary for the safety, regularity, and efficiency of air navigation

ALARP As Low As Reasonably Practicable

AMAN Arrival Manager

AMC Acceptable Means of Compliance

ANS Air Navigation Services, meaning air traffic services; communication, navigation and surveillance services; meteorological services for air navigation; and aeronautical information services

ANSP an organisation providing or offering to provide air navigation services

AO Airport Operator

APP an ATS Approach Unit (an ATSU)

Arg Argument

ARR Arrival

Art article (such as in a Regulation etc)

ASBU ICAO Aviation System Block Upgrades (coordinated approach to the introduction of ATM solutions)

ASM Airspace Management, a planning function with the primary objective of maximising the utilisation of available airspace by dynamic time-sharing and, at times, the segregation of airspace among various categories of airspace users on the basis of short-term needs

A-R (EC) Regulation No 551/2004 of the European Parliament and of the Council of 10 March 2004 on the organisation and use of the airspace in the single European sky (the airspace Regulation, one of the four main SES Regulations); as amended by Regulation (EC) No 1070/2009 of the European Parliament and of the Council of 21 October 2009

ATC Air Traffic Control, meaning a service provided for the purpose of:

(a) preventing collisions:

— between aircraft, and

— in the manoeuvring area between aircraft and obstructions;

and

(b) expediting and maintaining an orderly flow of air traffic

ATCO(s) air traffic controller(s)

ATFCM Air Traffic Flow and Capacity Management (EUROCONTROL concept)

Page 6: SAF-SAM Course Slides

ATFM Air Traffic Flow Management, an ATM function established with the objective of contributing to a safe, orderly and expeditious flow of air traffic by ensuring that ATC capacity is utilised to the maximum extent possible, and that the traffic volume is compatible with the capacities declared by the appropriate air traffic service providers

ATFM-IR Commission Regulation (EU) No 255/2010 laying down common rules on air traffic flow management

ATIS Automatic Terminal Information Service

ATM Air Traffic Management, meaning the aggregation of the airborne and ground-based functions (air traffic services, airspace management and air traffic flow management) required to ensure the safe and efficient movement of aircraft during all phases of operations

ATM/ANS Depending on the context:

- Air Traffic Management (ATM) and Air Navigation Services (ANS) as defined in Article 2(4) and 2(10) of the SES framework Regulation (F-R) – see ‘ATM’ and ‘ANS’ definitions separately

- In accordance with EASA Basic Regulation: ‘the air traffic management functions as defined in Article 2(10) of Regulation (EC) No 549/2004, air navigation services defined in Article 2(4) of that Regulation, and services consisting in the origination and processing of data and formatting and delivering data to general air traffic for the purpose of safety-critical air navigation’

ATM/ANSP an organisation providing ATM/ANS

ATS Air Traffic Services (a part of ANS as well as of ATM), meaning the various flight information services, alerting services, air traffic advisory services and ATC services (area, approach and aerodrome control services)

ATSP An organisation providing or offering to provide air traffic services

ATSU an operational unit of an organisation providing air traffic services (e.g. an APP unit, an aerodrome tower unit etc)

AVISO Aide à la Visualisation Sol (a ground surveillance system used in France)

BALTIC FAB the BALTIC FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of Poland and Lithuania

BLUE MED the BLUE MED FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of Cyprus, Greece, Italy and Malta. Other non-EU States are associates and observers to this FAB

BOS Boston International airport (USA)

BR EASA Basic Regulation (see EASA BR)

CA Depending on the context, CA can refer to:

- Conformity assessment (linked with interoperability)

- Competent authority (an EASA concept)

CA-IR Commission Regulation (EC) No 2042/2003 of 20 November 2003 on the continuing airworthiness of aircraft and aeronautical products, parts and appliances, and on the approval of organisations and personnel involved in these tasks

CAA a Civil Aviation Authority (e.g. as established in many States originally to fulfil the legal obligations incurred by that State under the 1944 Chicago Convention)

CANSO Civil Air Navigation Services Organisation

CATF Conformity Assessment Task Force; a EUROCONTROL forum which, inter-alia, produced a widely coordinated Guidance Material for Conformity Assessment in the context of SES interoperability

CATF GM The EUROCONTROL Guidelines on conformity assessment for the interoperability Regulation of the single European sky, version 3.0, available at http://www.eurocontrol.int/ses/public/standard_page/conf_assessment.html

CCA Common Cause Analysis

Page 7: SAF-SAM Course Slides

CCS-IR Commission Regulation (EC) No 1794/2006 of 6 December 2006 laying down a common charging scheme for air navigation services; as amended by Commission Regulation (EU) No 1191/2010 of 16 December 2010

CE (CE marking) a mandatory conformity mark for products placed on the market in the European Economic Area (EEA). With the CE marking on a product the manufacturer ensures that the product conforms with the essential requirements of the applicable EC directives/regulations. The letters CE stand for ‘Conformité Européenne’ (European conformity). Under the SES IOP-R, systems and their constituents are exempted from CE marking (or CE affixing)

CEN European Committee for Standardisation, one of three recognised ESO

CENELEC European Committee for Electrotechnical Standardisation, one of three recognised ESO

CFIT Controlled Flight Into Terrain

COM Communication services, one of CNS services and a part of ANS; or, depending on context, an abbreviation used in the references to Communications of the European Commission (such as COM(2008)750 final, etc)

Cont’d continued

COTR-IR Commission Regulation (EC) No 1032/2006 laying down requirements for automatic systems for the exchange of flight data for the purpose of notification, coordination and transfer of flights between air traffic control units

CNS Communications, Navigation and Surveillance (services and/or systems & procedures), a part of ANS

CRD Comments Response Document (e.g. following consultation on an EASA NPA etc)

CRs the common requirements for the provision of ANS iaw CR-IR

CR-IR Commission Regulation (EU) No 1035/2011 laying down common requirements for the provision of air navigation services and repealing Regulation (EC) No 2096/2005 and amending Regulations (EC) No 482/2008 and (EU) No 691/2010

CCS-IR Commission Regulation No 1794/2006 of 6 December 2006 laying down a common charging scheme for air navigation services, as amended by Commission Regulation (EU) No 1191/2010 of 16 December 2010

CS Depending on the context:

- a Community Specification in relation to the interoperability regulation (No 552/2004); or

- a Certification Specification in relation to the EASA framework;

CTR Control Tower Region

CWP Controller Working Position

DANUBE FAB the DANUBE FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of Bulgaria and Romania

DEP Departure

DFW Dallas/Ft Worth international airport (USA)

DK-SE FAB The Danish/ Swedish FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of Denmark and Sweden

DLS-IR Commission Regulation (EC) No 29/2009 of 16 January 2009 laying down requirements on data link services for the single European sky

DoC an EC Declaration of Conformity iaw Article 5 IOP-R

DoV an EC Declaration of Verification of systems iaw Article 6 IOP-R

DSU a Declaration of suitability for use iaw Article 5 IOP-R

EAD the European Aeronautical Information System Database

EASA the European Aviation Safety Agency

EASA BR the EASA ‘Basic Regulation’, Regulation (EC) No 216/2008 as variously amended

EASP European Aviation Safety Programme

EATMN The European air traffic management network, a concept of eight systems in relation to interoperability as defined in Annex 1 of IOP-R

Page 8: SAF-SAM Course Slides

EC Depending on the context:

- the European Community (as in ‘Regulation (EC) No. xxx/…’)

- the European Commission (in all other cases)

ECAA European Common Aviation Agreement

ECAC European Civil Aviation Conference (usually used to refer to the ECAC Region, comprising those States members of ECAC)

ECCAIRS the European Co-ordination Centre for Aviation Incident Reporting System, a software platform developed by the EU; also adopted for ADREP use in 2004

ECTRL EUROCONTROL

ED EUROCAE document; a series of technical standards issued by EUROCAE

e.g. for example

EN European Norm (Standard)

EoSM the Effectiveness of Safety Management; a KPI developed under the PS-IR and measured by a methodology based on the ATM Safety Framework Maturity Survey

EP the European Parliament

ER, ERs Depending on the context:

- essential requirements (as defined in IOP-R)

- essential requirements (as defined in the EASA basic regulation)

ERND European Route Network Design (one of the three network functions iaw NF-IR)

ESARR one of six EUROCONTROL Safety Regulatory Requirement documents adopted under the EUROCONTROL Revised Convention; Following the adoption of the SES I legislative package, most of the contents of the six ESARRs has been transposed into the SES legislation

ESARRs a collective reference to the six ESARR documents

ESARR 1 Safety Oversight in ATM, current edition 2.0 of December 2009

ESARR 2 Reporting and Assessment of Safety Occurrences in ATM, current edition 3.0 of December 2009

ESARR 3 Use of Safety Management Systems by ATM Service Providers, current edition 1.0 of July 2000

ESARR 4 Risk Assessment and Mitigation in ATM, current edition 1.0 of April 2001

ESARR 5 Safety Regulatory Requirement for ATM Services' Personnel, current edition 2.0 of April 2002

ESARR 6 Software in ATM Functional Systems, current edition 2.0 of May 2010

ESO European Standardisation Organisation; a recognised regional standardisation body under Annex 1 of Directive 98/34/EC

ESSIP The European Single Sky ImPlementation plan; a EUROCONTROL performance-oriented process that describes common implementation actions required to improve the European ATM network over the next five to seven years

ETSI European Telecommunication Standards Institute, one of three recognised ESO

EU European Union

EUIR the foreseen European Upper Flight Information Region, a SES concept

FAA the Federal Aviation Administration of the United States

FAB(s) Functional Airspace Block(s) established iaw Article 9a of SP-R

FAB-IR Commission Regulation (EC) No 176/2011 on the information to be provided before the establishment and modification of a functional airspace block

FAB CE FAB Central Europe, one of nine FAB initiatives, comprising defined airspaces within responsibility of the seven FAB CE States: Austria, Bosnia & Herzegovina, Croatia, Czech Republic, Hungary, Slovak Republic and Slovenia

FABEC FAB Europe Central, one of nine FAB initiatives, comprising defined airspaces within responsibility of six FABEC States: Belgium, France, Germany, Luxembourg, Netherlands and Switzerland

Page 9: SAF-SAM Course Slides

FAQ Frequently Asked Questions

FAROS Final Approach Runway Occupancy Signal

FAT Factory Acceptance Tests

FC-IR Commission Regulation (EU) No 1178/2011 of 3 November 2011 laying down technical requirements and administrative procedures related to civil aviation aircrew pursuant to Regulation (EC) No 216/2008 of the European Parliament and of the Council, as amended by Commission Regulation (EU) No 290/2012 of 30 March 2012

FDPS flight data processing system (and procedures), referring to a sub-category of EATMN system no. 3 (systems and procedures for ATS, iaw Annex I of IOP-R)

FFPG FAB Focal Points Group, one of the two SES Coordination Platforms organised by the European Commission with support from EUROCONTROL (the 2nd one is NCP)

FHA Functional Hazard Assessment

FIR Flight Information Region (ICAO)

FIS Flight Information Service, a part of ATS

FL Flight Level

FLS Field Lighting System

FMTP Flight Message Transfer Protocol; FMTP is based on industry-standard Transmission Control Protocol / Internet Protocol (TCP/IP) provisions; a community specification associated to FMTP-IR

FMTP-IR Commission Regulation (EC) No 633/2007 of 7 June 2007 laying down requirements for the application of a flight message transfer protocol used for the purpose of notification, coordination and transfer of flights between air traffic control units

FOD Foreign Object Debris

FPL Filed Flight Plan submitted by an aircraft

F-R Regulation (EC) No 549/2004 of the European Parliament and of the Council of 10 March 2004 laying down the framework for the creation of the single European sky (the framework Regulation of the SES legislation); as amended by Regulation (EC) No 1070/2009 of the European Parliament and of the Council of 21 October 2009

FUA (The concept of) flexible use of airspace

FUA-IR Commission Regulation (EC) No 2150/2005 laying down common rules for the flexible use of airspace

FTA Fault Tree Analysis

GA General Aviation (one of the two categories of civil aviation), meaning all flights other than military and scheduled airline and regular cargo flights, both private and commercial. General aviation flights range from gliders and powered parachutes to large, non-scheduled cargo jet flights (source: wikipedia).

GAT General Air Traffic

GM Guidance Material

GPS Global Positioning System

GSN Goal Structuring Notation

HAL Human Assurance Level

HMI human machine interface (systems and procedures), referring to a sub-category of EATMN system no. 3 (systems and procedures for ATS, iaw Annex I of IOP-R)

HF Human Factors

HW hardware

Hz Hazard

IA-IR Commission Regulation (EC) No 1702/2003 of 24 September 2003 laying down implementing rules for the airworthiness and environmental certification of aircraft and related products, parts and appliances, as well as for the certification of design and production organisations

IANS the EUROCONTROL Institute of Air Navigation Services in Luxembourg

IAW (iaw) in accordance with

Page 10: SAF-SAM Course Slides

ICAO The International Civil Aviation Organization

ICB The Industry Consultation Body established by the European Commission iaw Article 6 of the SES framework Regulation to advise the Commission on the implementation of the SES. The ICB comprises representatives of the ANSPs, associations of airspace users, airport operators, the manufacturing industry and professional staff representative bodies

Id, ID Identifier

i.e. that is…; from the Latin ‘id est’

IFPL refers to the procedures and requirements for the provision, processing and distribution of FPLs in the pre-flight phase (preceding the 1st delivery of ATC clearance); a community specification associated to IFPL-IR

IFPL-IR Commission Regulation (EC) No 1033/2006 laying down the requirements on procedures for flight plans in the pre-flight phase for the single European sky

IFR Instrument Flight Rules (ICAO Annex 11); a flight may be conducted in accordance with VFR or IFR; an IFR flight is a flight conducted in accordance with instrument flight rules

IMC Instrument Meteorological Conditions

IOP Interoperability

IOP-R Regulation (EC) No 552/2004 of the European Parliament and of the Council of 10 March 2004 on the interoperability of the European Air Traffic Management network (the interoperability Regulation, one of the four main SES Regulations); as amended by Regulation (EC) No 1070/2009 of the European Parliament and of the Council of 21 October 2009

IOP-IRs a collective reference to the implementing rules for interoperability (Commission Regulations and Decisions adopting implementing rules within the framework of IOP-R)

IR(s) implementing rule(s); in the SES and/or EASA context, these are usually implementing measures adopted in the form of Commission Regulations or Decisions, complementing or refining specific legal obligations and requirements laid down in the SES main regulations, the EASA Basic Regulation or, depending on the legal basis, other EP and/or Council acts such as regulations, directives, decisions

Km/h kilometers per hour

KPA Key Performance Area, a concept in relation to ATM performance and the performance scheme iaw PS-IR

KPI Key Performance Indicator

L/U Line Up

LAX Los Angeles international Airport (USA)

LDG Landing (usually used

LoA(s) Letter(s) of Agreement (such as between two ATSUs)

LoC Loss of Control

LSSIP the Local Single Sky ImPlementation documents coordinated by EUROCONTROL in the ESSIP common framework

LVO Low Visibility Operations

LVP Low Visibility Procedures

MAC Mid Air Collision

MET Meteorological service, an air navigation service

METP An organisation providing or offering to provide MET services

MIT Massachusetts Institute of Technology

Mode S-IR Commission Regulation (EC) No 262/2009 of 30 March 2009 laying down requirements for the coordinated allocation and use of Mode S interrogator codes for the SES

MoC Means of Compliance; a generic reference to (usually) voluntary standards of which application may ensure that specific binding requirements are met or fulfilled by an activity, product or function

MS Member State(s) of the European Union

MSAW Minimum Safe Altitude Warning (a safety net in the ATC system)

Page 11: SAF-SAM Course Slides

MTBF Mean Time Between Failure

MUAC Maastricht Upper Area Control Centre

NAA National Aviation Administration (as in the EASA framework)

NAV Navigation services, one of CNS services and of ANS

N.B. nota bene

NBs notified bodies, iaw IOP-R and IOP-IRs; NBs are accredited under the ‘New Legislative Framework’

NCP the NSA Coordination Platform, one of the two SES Coordination Platforms organised by the European Commission with support from EUROCONTROL (the 2nd one is FFPG)

NEFAB the North-European FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of Estonia, Finland, Iceland, Latvia, Norway; Denmark and Sweden opted out of the NEFAB initiative in early 2011

NF the network functions, as defined in NF-IR

NF-IR Commission Regulation (EC) No 677/2011 of 7 July 2011 laying down detailed rules for the implementation of air traffic management (ATM) network functions and amending Regulation (EU) No 691/2010 (the performance Regulation)

NM The nominated Network Manager of the SES iaw NF-IR

NOP The Network Operations Plan developed by the Network Manager iaw NF-IR

NOTAM Notice To Airmen

NPA Notice of Proposed Amendment; in the EASA rule-making procedure, an NPA is issued following the drafting of new or amended regulatory material, for the purpose of consultation

NRA a collective, generic reference to national regulatory authorities/ agencies

NSA a National Supervisory Authority nominated or established iaw Article 4 of the F-R

NSP The Network Strategy Plan developed by the Network Manager iaw NF-IR

OAT Operational Air Traffic; in other words, other than General Air Traffic (GAT) – air traffic which is not operated in accordance with the ICAO SARPs and procedures

ODS Operational Display System

OJEU the Official Journal of the European Union

OJTI On the Job Training Instructor

OLDI On-Line Data Interchange, a community specification in association to COTR-IR; OLDI specifies the facilities and messages to be provided between FDPSs serving ATC units for the purpose of, inter-alia, notification of flights, coordination prior to transfer of flight to next unit, civil-military coordination, situational awareness, transfer of communication of such flights, support to A/G datalink etc

OPS (ops) depending on context, operations (e.g. flight operations), operational, or relating to operations/ operational

OR operational requirements, as defined in NF-IR

OSED Operational Service and Environment Description

PAL Procedure Assurance Level

PANS ICAO Procedures for Air Navigation Services

PANS-ATM ICAO Doc 4444, Procedures for Air Navigation Services – Air Traffic Management

PAPI Precision Approach Path Indicator

PBN Performance Based Navigation

PBN-IR Commission (EU) Regulation (under development) laying down the requirements for performance based navigation within the SES

PP performance plan, in accordance with PS-IR

PRB The designated Performance Review Body of the SES in accordance with Article 11(2) of the SES framework Regulation (in relation with the performance scheme, PS-IR)

PRC The Performance Review Commission established under the EUROCONTROL Revised Convention; The PRC and the PRB of the SES conduct their activities in close consultation and synergy.

Page 12: SAF-SAM Course Slides

PS The SES Performance Scheme, as per Article 11 F-R and PS-IR

PS-IR Commission Regulation (EC) No 691/2010 laying down a performance scheme for air navigation services and network functions and amending Regulation (EC) No 2096/2005

PSC Project Safety Case

PSSA Preliminary System Safety Assessment

QE a Qualified Entity to which an NSA may decide to delegate in full or in part supervisory tasks (e.g. iaw Article 3 of SP-R or SO-IR); QEs were formerly referred to as ‘recognised organisations’ in SES I

QMS Quality Management System

R&D research and development

R/T Radio telecommunications

RAT Risk Analysis Tool, in relation to one of the KPIs for safety in the implementation of the performance scheme (PS-IR)

RCS Risk Classification Scheme

RDPS Radar Data Processing System

Reg, Reg. Regulation (as in Regulation (EC) No 550/…)

REL Runway Entry Lights (a concept of the Runway Status Light – RWSL system)

RIL Runway Intersection Lights (a concept of the Runway Status Light – RWSL system)

RIMCAS Runway Incursion Monitoring and Conflict Alert System

RoP rules of procedure (of a group, task force, committee etc)

RP, RP1 etc a ‘reference period’ in the frame of the performance scheme (PS-IR). RP1, the 1st reference period, is set from 01 January 2012 until 31 December 2014. RP2 and following reference periods will be of five calendar years each, unless decided otherwise through amendments to PS-IR

RWSL Runway Status Light

RWY Runway

SAFA Safety Assessment of Foreign Aircraft; an EU programme coordinated by EASA for the assessment of the safety of foreign aircraft operations at EU airports

SAM Safety Assessment Methodology

SARPs a collective reference to the ICAO Standards and Recommended Practices laid down in the 18 Annexes to the 1944 Chicago Convention on international civil aviation

SAT Site Acceptance Tests

SC Depending on the context:

- Safety Case

- Severity Class (usually followed by a number ranging from 1 to 5)

SCDM Safety Case Development Manual

SERA-IR Commission Regulation laying down standardised European rules of the air (under development)

SES the Single European Sky, an initiative introduced by the SES I legislative package

SES I the first legislative package of the single European sky (2004) of four EC Regulations of the European Parliament and of the Council (see F-R, SP-R, A-R and IOP-R)

SES II the 2nd legislative package of the single European sky (2009) comprised of

- Regulation (EC) No 1070/2009 of 21 October 2009 of the European Parliament and of the Council amending the four regulations of the 1st SES package in order to improve the performance and sustainability of the European aviation system; and

- Regulation (EC) No 1108/2009 of 21 October 2009 amending Regulation (EC) No 216/2008 (the EASA Basic Regulation) in the field of aerodromes, air traffic management and air navigation services and repealing Directive 2006/23/EC

SESAR the Single European Sky Aviation Research programme

SESAR JU, SJU the SESAR Joint Undertaking, the single managing entity for the SESAR development phase (2008-2013), established by Council Reg. (EC) No 219/2007 of 27 Feb 2007

Page 13: SAF-SAM Course Slides

SMI Separation Minima Infringement

SMR Surface Movement Radar

SMS Safety Management System

SO depending on the context:

- safety objective (in most of the cases)

- safety oversight

SO-IR Commission Regulation (EU) No 1034/2011 on safety oversight in air traffic management and air navigation services, replacing Commission Regulation (EC) No 1315/2007 and amending Commission Regulation (EU) No 691/2010

SOCS Safety Objective Classification Scheme

SOP Standard Operating Procedures

SP-R Regulation (EC) No 550/2004 of the European Parliament and of the Council of 10 March 2004 on the provision of air navigation services in the single European sky (the service provision Regulation, one of the four main SES Regulations); as amended by Regulation (EC) No 1070/2009 of the European Parliament and of the Council of 21 October 2009

SPR Safety and Performance Requirements

SPI-IR Commission Regulation (EC) No. 1207/2011 laying down requirements for the performance and the interoperability of surveillance for the single European sky

SR Safety Requirement

SRR(s) safety regulatory requirement(s), as defined in Article 2 SO-IR

SSA System Safety Assessment

SSC the Single Sky Committee, the comitology forum which assists and oversees the European Commission’s implementing measures under the SES framework

SSP a State’s Safety Programme (ICAO); also related to the application of the PS-IR in the safety KPA

STCA Short Term Conflict Alert (a safety net in the ATC system)

STL Saint Louis international airport (USA)

SUR surveillance services, one of CNS services and of ANS

SW software

SW FAB the South-West FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of Portugal and Spain

SWAL Software Assurance Level

SWIM System Wide Information Management

T/O Take Off

TCAS Traffic Collision Avoidance System

TEU Treaty on the European Union, one of several founding treaties of the European Union and of the European Communities

TF a technical file accompanying a DoV iaw Article 6 IOP-R

TFEU Treaty on the Functioning of the European Union; the title of the 'Treaty establishing the European Community' was replaced by 'Treaty on the Functioning of the European Union' (iaw Treaty of Lisbon article 2§1, as of 1st December 2009, date of entry into force of the Lisbon Treaty)

THL Take-off Hold Lights (a concept of the Runway Status Light – RWSL system)

TLS Target Level of Safety

TMA Terminal control area (ICAO Annex 11, Air Traffic Services)

ToR Terms of Reference (e.g. of a group, forum, committee, body etc)

TWR (aerodrome) tower unit (an ATS unit)

TWY Taxiway

UIR Upper Flight Information Region (ICAO)


UK-IE FAB The United Kingdom/ Ireland FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of the United Kingdom of Great Britain & Northern Ireland and Ireland

UCS Unit Competence Scheme

USC Unit Safety Case

UTP Unit Training Plan

VCS-IR Commission Regulation (EU) No 1265/2007 of 26 October 2007 laying down requirements on air-ground voice channel spacing for the single European sky

VFR Visual Flight Rules (ICAO); a flight may be conducted in accordance with VFR or IFR

WTA Wake Turbulence Induced Accident

Copyright 2011 EUROCONTROL

Introduction to Safety Management

Session 01

Course Structure

- NEED FOR SAFETY ASSESSMENT
- KEY CONCEPTS
- SAM PROCESS
- FHA, PSSA, SSA
- PRACTICALITIES
- SAFETY ARGUMENTS
- SAM ASSISTANT

Structure

- What is the role of ATM?
- What is Safety?
- Why are ATM Services safe?
- How does ATM contribute to Safety?
- Why do we need Safety Assessment?
- What are the future challenges?

Role of ATM?

To prevent Air and Ground Collision

To manage traffic in an orderly and efficient way

“ATM is the aggregation of ground based (comprising ATS, ASM, ATFM) and airborne functions required to ensure the safe and efficient movement of aircraft during all phases of operations”

Safety and Security

Safety: Freedom from the unacceptable risk of unintended harm

Harm means accident with fatalities or serious injuries to humans, or structural damage to aircraft

Security: Freedom from the unacceptable risk of intended harm

Question: Why is your ANS / ATM safe?

Why Safety Management System?

Video of Überlingen accident

Swiss Cheese Model

Model developed by J. Reason

[Figure labels: Hazards, Latent Conditions, Incident, Accident]

What is Safety Management

Formalised, explicit and proactive approach to systematic safety

Process for managing safety risks

SMS Components

[Figure labels, SMS: Risk Assessment and Mitigation, Competency, Occurrences, Ext. services, Surveys, Records, Monitoring, Lesson Dissemination, Safety Responsibilities]

QMS: Internal Audits, Documentation Control System, external services, elimination of causes of non conformities, etc.

Question: Why is your ANS / ATM safe?

- On-going ATM Services / Systems
- Changes to ATM Services / Systems
- New ATM Services / Systems

ATM Changes

Operational Environment is changing!

Systems / Services are changing!

Shall we remain acceptably safe?

If Change #1 is acceptably safe and Change #2 is acceptably safe, are Changes #1 & #2 acceptably safe?

Traffic Growth in ECAC Region

- 2000: 8.0 Million Flights
- 2020: 16.0 Million Flights

Traffic tripled over last 25 years

Traffic may double over next 20 years

Traffic & Accidents

One accident per week!

Traffic grows

Accident rate is stable

ATC Tools Change

From Paper Flight Strips

… to Electronic Flight Strips

ANS/ATM Evolution Change

Past: Procedural Control

the current and planned a/c positions

Today: Radar Control

Know the current and estimate planned a/c positions

Future: Trajectory Management

Know & share the current & planned a/c positions

SES Interoperability Regulations

- Framework Reg. EC 549/2004 & 1070/2009
- Service Provision Reg. EC 550/2004 & 1070/2009
- Airspace Reg. EC 551/2004 & 1070/2009
- Interoperability Reg. EC 552/2004 & 1070/2009

Implementing rules:

- Reg. 1032/2006 - Requirements for automatic systems for exchange of flight data for notification, coord. & transfer of flights between ATC units
- Reg. 1033/2006 - Requirements for flight plans in the pre-flight phase
- Reg. 633/2007 - Requirements for the application of a FMTP used for […] notification, coordination and transfer of flights between ATC units
- Reg. 1265/2007 - Requirements on A/G voice channel spacing
- Reg. 29/2009 - Requirements on datalink services for the SES
- Reg. 30/2009 amending Reg. 1032/2006 re the req. for automatic systems for exchange of flight data supporting datalink services
- Reg. 262/2009 - Requirements for the coordinated allocation and use of Mode S interrogator codes for the SES
- Reg. 73/2010 - Requirements on the quality of aeronautical data and aeronautical information for the SES (Part I)
- Reg. 1207/2011 – Reqs. on Surveillance Performance and IOP (SPI)
- Reg. 1206/2011 - Requirements on Aircraft Identification (ACID)
- Reg. xxx/201x ADQ II & PBN (under development)

SESAR ATM System

SESAR Operational Concept 2020

- More automation support
- Business trajectories
- Change of roles
- Enhanced information management
- Increased flexibility
- More strategic planning

SESAR Performance Targets

- Enabling EU skies to handle 3 times more traffic
- Improving safety by a factor of 10
- Reducing the environmental impact per flight by 10%
- Cutting ATM costs by 50%

Defragmentation - FABs

ATM Challenges

- Single European Sky
- Fragmentation
- Cost-efficiency
- Flight efficiency
- Safety
- Environmental Impact
- Security
- Capacity
- New Technologies
- Delays

Summary

- What is the role of ATM?
- What is Safety?
- Why are ATM Services safe?
- How does ATM contribute to Safety?
- Why do we need Safety Assessment?
- What are the future challenges?

Questions?

Safety Regulatory Framework

Session 02

Course Structure

- NEED FOR SAFETY ASSESSMENT
- KEY CONCEPTS
- SAM PROCESS
- FHA, PSSA, SSA
- PRACTICALITIES
- SAFETY ARGUMENTS
- SAM ASSISTANT

Structure

- SES, Eurocontrol and EASA frameworks
- EASA Total Aviation System Approach in Safety
- EASA Basic Regulation
  – Essential Requirements for ATM/ANS
- Performance scheme
  – Safety Key Performance Indicators (KPIs)
- Common Requirements on:
  – SMS
  – Risk assessment and mitigation of changes
- Safety Oversight Requirements related to changes


Foundation of SES

ATM Master Plan

National Supervisory Authority (NSA)

Concept of Implementing Rule

Industry Consultation Body (ICB)

Single Sky Committee (SSC)

EUROCONTROL

Performance scheme

EASA

List of systems

Essential Requirements

Implementing Rules

Community specifications

Conformity assessment (DoC/DSU & DoV)

Alternative Verification of Compliance

Notified bodies

NSA Tasks

Qualified Entities

Common requirements

Certification of ANSPs

Designation of ATSPs, possibly of METPs

FAB Requirements

Charging Scheme for common projects

Airspace Classification

European Upper Flight Information Region (EUIR)

Electronic aeronautical information

Rules of the Air

Network Management (incl. ATFM, route design and scarce resources)

Flexible use of airspace

Single European Sky II (2009)

Framework Reg. (F-R)

Reg. 549/2004 & 1070/2009

Service Provision Reg. (SP-R)

Reg. 550/2004 & 1070/2009

Airspace Reg. (A-R)

Reg. 551/2004 & 1070/2009

Interoperability Reg. (IOP-R)

Reg. 552/2004 & 1070/2009

EASA Total Aviation System Approach in Safety

[Figure labels: Airworthiness, Flight Crew Licensing, ATM/ANS, Aerodromes, Flight Operations]

Former EASA Remit (Reg. 216/2008)

Current EASA Remit (Reg. 1108/2009)

New Tasks of EASA in ATM/ANS

Development of implementing measures with regard to ATM/ANS and aerodromes

Safety Oversight of

– 3rd country ATM/ANSPs

– Pan-European ATM/ANSPs

– MS Competent Authorities (through standardisation inspections)

Certification of

– 3rd country ANSPs

– Pan-European ANSPs

– ATCO Training organisations located outside EU

EASA Terminology

Binding:

- Basic Regulation (BR)
- Implementing Rules (IR)

Non-Binding (“Soft Law”):

- Certification Specifications (CS) *
- Acceptable Means of Compliance (AMC)
- Guidance Material (GM)

Implementing Measures

* CS are made binding through certification basis

http://easa.europa.eu/regulations/regulations-structure.php

SES and EASA Frameworks in ATM/ANS

[Figure: SES Framework and EASA Framework. Regulations and decisions shown:]

- EASA BR (Reg. 216/2008 amended by Reg. 1108/2009)
- SP-R (Reg. 550/2004 amended by Reg. 1070/2009)
- F-R (Reg. 549/2004 amended by Reg. 1070/2009)
- A-R (Reg. 551/2004 amended by Reg. 1070/2009)
- IOP-R (Reg. 552/2004 amended by Reg. 1070/2009)
- Decision – Nomination of ECTRL as network manager
- FAB-IR (Reg. 1765/2011)
- SW-IR (Reg. 482/2008)
- Decision setting EU-wide performance targets and alert thresholds (21/02/2011)
- ATCO-IR (Reg. 805/2011)
- Decision – Designation of Georg Jarzembovski as FABs system coordinator (12/08/2010)
- CCS-IR (Reg. 1794/2006 amended by Reg. 1191/2010)
- PS-IR (Reg. 691/2010 amended by Reg. 1216/2011)
- NF-IR (Reg. 677/2011)
- ATFM-IR (Reg. 255/2010)
- AC-IR (Reg. 730/2006)
- FUA-IR (Reg. 2150/2005)
- VCS-IR (Reg. 1265/2007)
- FMTP-IR (Reg. 633/2007)
- IFP-IR (Reg. 1033/2006)
- COTR-IR (Reg. 1032/2006 amended by Reg. 30/2009)
- Decision – Exemptions under Art. 14 of DL-IR
- ADQ I-IR (Reg. 73/2010)
- Mode S-IR (Reg. 262/2009)
- DL-IR (Reg. 29/2009)
- CR-IR (Reg. 1035/2011 repealing Reg. 2096/2005)
- SO-IR (Reg. 1034/2011 repealing Reg. 1315/2007)
- CA-IR (Reg. 2042/2003 as variously amended)
- IA-IR (Reg. 1702/2003 as variously amended)
- Decision – Designation of ECTRL as PRB (29/07/2010)
- ACAS-IR (Reg. 1332/2011)
- FC-IR (Reg. 1178/2011)

SES and EASA Frameworks in ATM/ANS

[Figure repeated: the SES and EASA Frameworks diagram of basic regulations, implementing rules and decisions]

ERs for ATS (from EASA BR)

ERs for CNS (from EASA BR)

ERs for ATM/ANS Systems & Constituents (1) (from EASA BR)

ERs for ATM/ANS Systems & Constituents (2)

ERs for ATM/ANS Systems & Constituents (3)

SES and EASA Frameworks in ATM/ANS

[Figure repeated: the SES and EASA Frameworks diagram of basic regulations, implementing rules and decisions]

Performance Scheme & Safety KPIs (PS-IR Reg. 691/2010)

4 Key Performance Areas (KPAs) including safety

3 Safety KPIs:

1. Effectiveness of Safety Management

2. Risk assessment of ATM occurrences (RAT)

3. Reporting of Just Culture

No EU-wide quantitative targets set

States can set targets for themselves and/or add new Safety KPIs

EASA AMC/GM on implementation and measurement of Safety KPIs: http://www.easa.eu.int/agency-measures/acceptable-means-of-compliance-and-guidance-material.php#SKPI

SES and EASA Frameworks in ATM/ANS

[Figure repeated: the SES and EASA Frameworks diagram of basic regulations, implementing rules and decisions]

Common Requirements (CR-IR Reg. 1035/2011) – SMS

Annex II (Specific Requirements for the Provision of Air Traffic Services)

3. SAFETY OF SERVICES

3.1. Safety management system

3.1.1. General safety requirements

A provider of air traffic services shall, as an integral part of the management of its services, have in place a safety management system (SMS) […]

Common Requirements (CR-IR Reg. 1035/2011) – Risk Assessment and Mitigation of Changes

Annex II

3. SAFETY OF SERVICES

3.1. Safety management system

3.1.2. Requirements for safety achievement

Ensure that risk assessment and mitigation is conducted to an appropriate level to ensure that due consideration is given to all aspects of the provision of ATM (risk assessment and mitigation).

As far as changes to the ATM functional system are concerned, the provisions of part 3.2 of this Annex shall apply.

Common Requirements (CR-IR Reg. 1035/2011) – Risk Assessment and Mitigation of Changes

3.2. Safety requirements for risk assessment and mitigation with regard to changes

3.2.1. Section 2

The hazard identification, risk assessment and mitigation processes shall include:

(a) a determination of the scope, boundaries and interfaces of the constituent part being considered, as well as the identification of the functions that the constituent part is to perform and the environment of operations in which it is intended to operate;

Common Requirements (CR-IR Reg. 1035/2011) – Risk Assessment and Mitigation of Changes

(b) a determination of the safety objectives to be placed on the constituent part, incorporating:

- an identification of ATM-related credible hazards and failure conditions, together with their combined effects,
- an assessment of the effects they may have on the safety of aircraft, as well as an assessment of the severity of those effects, using the severity classification scheme set out in Section 4,
- a determination of their tolerability, in terms of the hazard’s maximum probability of occurrence, derived from the severity and the maximum probability of the hazard’s effects, in a manner consistent with Section 4;

Common Requirements (CR-IR Reg. 1035/2011) – Risk Assessment and Mitigation of Changes

(c) the derivation, as appropriate, of a risk mitigation strategy which:

- specifies the defences to be implemented to protect against the risk-bearing hazards,
- includes, as necessary, the development of safety requirements potentially bearing on the constituent part under consideration, or other parts of the ATM functional system, or environment of operations, and
- presents an assurance of its feasibility and effectiveness;

(d) verification that all identified safety objectives and safety requirements have been met:

- prior to its implementation of the change,
- during any transition phase into operational service,
- during its operational life, and
- during any transition phase until decommissioning.

Common Requirements (CR-IR Reg. 1035/2011) – Risk Assessment and Mitigation of Changes

3.2.3. Section 3

The results, associated rationales and evidence of the risk assessment and mitigation processes, including hazard identification, shall be collated and documented in a manner which ensures that:

- complete arguments are established to demonstrate that the constituent part under consideration, as well as the overall ATM functional system are, and will remain tolerably safe by meeting allocated safety objectives and requirements. This shall include, as appropriate, specifications of any predictive, monitoring or survey techniques being used,
- all safety requirements related to the implementation of a change are traceable to the intended operations/functions.

Requirements on SMS and Risk Assessment and Mitigation of Changes – Summary

CR-IR (Reg. 1035/2011) requires Service Providers to:

– Implement a Safety Management System (SMS)

– Perform safety assessments on any change to the ATM system

– Document these safety assessments (argument + evidence)

Safety Oversight Requirements Related to Changes (Reg. 1034/2011)

Article 9 (Safety Oversight of Changes to Functional Systems)

1. Organisations shall only use procedures accepted by relevant competent authority when deciding whether to introduce a safety-related change to their functional systems. […]

2. Organisations shall notify the relevant competent authority of all planned safety related changes. […]

Article 10 (Review Procedure of the Proposed Changes)

1. Competent authorities shall review the safety arguments associated with new functional systems or changes to existing functional systems proposed by an organisation when:

(a) the severity assessment conducted in accordance with Annex II, point 3.2.4 of Implementing Regulation (EU) No 1035/2011 determines a severity class 1 or a severity class 2 for the potential effects of the hazards identified; or

(b) the implementation of the changes requires the introduction of new aviation standards.

3. The introduction into service of the change under consideration in the review shall be subject to acceptance by competent authorities.

Summary

- SES, Eurocontrol and EASA frameworks
- EASA Total Aviation System Approach in Safety
- EASA Basic Regulation
  – Essential Requirements for ATM/ANS
- Performance scheme
  – Safety Key Performance Indicators (KPIs)
- Common Requirements on:
  – SMS
  – Risk assessment and mitigation of changes
- Safety Oversight Requirements related to changes

Questions?

Key Concepts for Safety Assessments

Session 03

Course Structure

- NEED FOR SAFETY ASSESSMENT
- KEY CONCEPTS
- SAM PROCESS
- FHA, PSSA, SSA
- PRACTICALITIES
- SAFETY ARGUMENTS
- SAM ASSISTANT

Structure

- What is a risk?
- What is a Risk Classification Scheme?
- Safety criteria
- ATM-related categories of accidents
- ATM-related hazards
- How safe do we need to be?
- Success and failure perspective

Risk in various areas

What types?

– Safety
– Financial
– Environmental
– Legal
– Security
– …

Who is exposed?

– Individuals
– Companies
– Society
– …

Hazard and Safety Risk

[Figure labels: Hazard; Likelihood of hazards; Hazard Effects with Severity; Likelihood of effects; Risk of incidents / accidents]

Risk of what?

[Figure labels: Likelihood / Probability; Initiating Event / Failure; ATM Hazard; Major Incident; Serious Incident; Accident; Hazard Prevention; Hazard Protection / Recovery; Severity increases]

Severity of Effects

Increasing severity, from Severity 5 up to Severity 1:

- SEVERITY 1: ACCIDENTS
- SEVERITY 2: SERIOUS INCIDENTS
- SEVERITY 3: MAJOR INCIDENTS
- SEVERITY 4: SIGNIFICANT INCIDENTS
- SEVERITY 5: NO IMMEDIATE EFFECT ON SAFETY

Severity Classification Scheme (Reg. 1035/2011 Repealing 2096/2005)

Frequency of Occurrence of Effects

How often? “Once every …” (decreasing frequency, illustrative only)

- Very frequent: 10^-2/h (3 days)
- Frequent: 10^-3/h (month)
- Likely: 10^-4/h (year)
- Rare: 10^-5/h (decade)
- Extremely Rare: 10^-6/h (century)

Use of Appropriate Units

DEPENDENT ON SYSTEM

- Per Movement
- Per month, year
- Per Flight Hour
- Per mission
- Per operational hour
- Per operational hour per sector

A Typical Transportation Risk Comparison

[Figure: chart comparing Air, Train and Bus, United Kingdom 1970-1989, in deaths per 10^6 journeys and deaths per 10^10 psgr-km; values shown: 30, 30, 60, 540, 11, 4]

A Typical Transportation Risk Comparison

Killed passengers by 100 million passenger-kilometers, by means of transport (2001-2002; 1999):

- Train: 0,035; 0,04
- Air (civil aviation): 0,035; 0,08
- Bus and coach: 0,07; 0,08
- Ferry: 0,25; 0,33
- Convey: 0,7; 0,8
- Bicycle: 5,4; 6,3
- Pedestrian displacement: 6,4; 7,5
- Motocyclette/cyclomotor: 13,8; 16

Killed passengers by 100 million passenger-hours, by means of transport (2001-2002; 1999):

- Train: 2; 2
- Bus and coach: 2; 2
- Ferry: 8; 10,5
- Air (civil aviation): 16; 36,5
- Convey: 25; 30
- Pedestrian displacement: 25; 30
- Bicycle: 75; 90
- Motocyclette/cyclomotor: 440; 500

Some Individual Fatality Risks

Hazardous situation: fatalities per million per year; probability of fatality per year

- road user: 100; 10^-4
- car driver: 150; 1.5x10^-4
- while at work: 10; 10^-5
- falling aircraft: 0.02; 2x10^-8
- resident near chemical plant: 35; 3.5x10^-5
- smoking 20 cigarettes/day: 5000; 5x10^-3

Risk Acceptability

Factors Affecting Risk Perception

- Visibility of benefits
- News headlines
- Harm caused by accident
- Personal experience
- Personal control
- Uncertainty
- Time-delayed effects
- Human vs natural causes
- Confidence in operator / regulator

Risk Perception Exercise

A way of representing the way people feel about risk is to place the risk on a matrix which shows whether they rate it as fear or not fear, known or unknown.

This is shown here for the risks posed by asbestos, food colouring, fireworks and crime.

The exercise is to place on the matrix your perception of the risks posed by:

1) Nuclear power

2) Commercial aviation

3) Mobile Phones

4) Pesticides in Food

[Figure: matrix with axes Not Fear / Fear and Known risk / Unknown, quadrants A, B, C and D, with Food colouring, Asbestos, Fireworks and Crime marked]

Common Risk Acceptability Levels

[Figure: risk plotted as frequency of occurrence of effects against severity of effects (Significant Incident, Major Incident, Serious Incident, ATM Accident), divided into acceptable risks and unacceptable risks, with Target Level of Safety 1 (TLS1), TLS2, TLS3 and TLS4 marked]

Example of Risk Matrix / RCS

[Figure: risk matrix divided into ACCEPTABLE and UNACCEPTABLE regions. Rows, Effect Severity: SC 1, SC 2, SC 3, SC 4, SC 5. Columns, Frequency of Occurrence of Effect: Frequent, Likely (TLS4), Occasional (TLS3), Unlikely (TLS2), Extremely Unlikely (TLS1)]

Safety Criteria

Absolute

– Against an absolute Target Level of Safety (TLS)

Relative

– As safe as before or safer than before

Reductive

– As Low as Reasonably Practicable (ALARP)

How safe do we need to be and remain?

ICAO Target Levels of Safety (TLS)

ATM 2000+: “risk of an accident not to increase (with time) and preferably decrease”

ESARR 4: “risk of an accident with ATM contribution not higher than 1.55e-8 per flight-hour” (up to 2015)

SES CIR 1035/2011:

– To minimize the risk of aircraft accident as far as reasonably practicable

– Safety objectives based on risk shall be established in terms of the hazard’s maximum probability of occurrence, derived both from the severity of its effect, and from the maximum probability of the hazard’s effect

National RCS

ANSP Safety Performance Targets and Safety KPI

E.g. MUAC (from Annual Safety Report 2010):

– Objective: Minimize MUAC contribution to the risk of an air traffic accident

– Primary goal (SPI): Zero Accident and Separation Minima Infringements (SMI)

– 5 SMI (Severity A & B) per year

Safety Performance Targets and Indicators

SES Safety KPI (from Reg. 691/2010):

1. Effectiveness of Safety Management

2. Risk assessment of ATM occurrences (RAT)

3. Reporting of Just Culture

Safety Performance Targets by Member States

Future SES Safety Performance Targets?

ATM Master Plan: To improve the safety performance by a factor of 10

Phases of Flight and Accident Categories

Flight Guidance:

- Controlled Flight Into Terrain (CFIT)
- Loss of Control (LoC) in Flight
- Loss of Control (LoC) on Runway

Traffic Management:

- Mid-Air Collision (MAC)
- Wake Turbulence-induced Accident (WTA)
- Runway Collision (RC)

24Copyright 2011 EUROCONTROL

Examples of ATM Hazards

– Wrong Runway use
– Runway Incursion
– Bird Strike Encounter
– Runway Excursion
– Runway Overrun
– Loss of Directional Control
– Runway Undershoot
– Loss of Separation
– Airspace Infringement
– Level Bust
– Wake Vortex Encounter
– Adverse Weather Encounter
– Flight Control Deficiency
– Controlled Flight Towards Terrain

ATM/ANS Contribution to Safety

[Figure labels: Operational Environment; ANS/ATM; Airborne & Ground-based System (Pe, Pr, EQ); Service; Hazards (Pre-existing; System-generated); What we WANT system to do; What we DON’T want system to do.]

Success and Failure Perspective

[Figure: airbag contribution to driver’s safety, shown on a risk scale (Risk R, starting at 0). Levels marked: Minimum-achievable Risk; Risk with Airbag; Risk without Airbag. Annotations: What we want the airbag to do; What we don’t want the system to do; ~ Functionality & Performance; ~ 1/(Reliability & Integrity).]

Safety Barrier View of ATM/ANS

[Figure: safety barrier model. Barrier groups: Strategic Conflict Management; Separation Provision; Collision Avoidance. Other labels: Airspace Design; Flow & Capacity Management; Planning & Coordination; Pilot Tactical Control; ATC Tactical Control; ATC Recovery; Pilot Recovery; Pre-tactical Conflicts; Trajectory tactical conflicts; Aircraft-induced conflicts; ATC-induced conflicts; Separation Infringement; Collision miss without control; Communication, Navigation, Surveillance; Aeronautical Information; Meteorological Information.]

ATM/ANS Safety Performance for Design

[Figure: risk scale (Risk R, starting at 0). Levels marked: Pre-existing Risk; Current Level of Risk. Contributions shown: Strategic Conflict Mgt; Separation Provision; Collision Avoidance; Conflict Geometry / luck.]

Design targets must not rely on Safety Nets! (STCA, ACAS, …)

Summary

– What is a risk?
– What is a Risk Classification Scheme?
– Safety criteria
– ATM-related categories of accidents
– ATM-related hazards
– How safe do we need to be?
– Success and failure perspective

Questions?

Risk Assessment and Mitigation – Overview of SAM

Session 05

Course Structure

[Figure: course structure blocks: NEED FOR SAFETY ASSESSMENT; KEY CONCEPTS; SAM PROCESS; FHA; PSSA; SSA; PRACTICALITIES; SAFETY ARGUMENTS; SAM ASSISTANT.]

Structure

– Safety assessment logic
– Safety assessment steps
– Change lifecycle
– Overall SAM process
– Safety assessment approach
– Safety assessment and possible deliverables

Risk Management

[Figure: risk management flow. Labels: Identification of Hazards; Hazard; Severity of Effects; Likelihood/Frequency of Effects; Risk of Effects; Safety Criteria; Acceptable? Yes/No; NO; Additional Risk Mitigation Means; YES; Risk-based Decision.]

ATM/ANS Elements to Consider

[Figure: groups: PROCEDURES; HUMAN ACTORS; “SYSTEMS”; ENVIRONMENT. Items: ATC; Maintenance; Operating; Surveillance; Communications; Navaids; Information; ATCOs; Support; Engineers; Managers; Pilots; Airspace.]

ATM/ANS Change Development Lifecycle

– Change Definition
– Change Design
– Change Implementation
– Transfer into Operations
– Operation / Maintenance
– Decommissioning

Safety Assessment Logic

[Figure: questions linked under the headings Risk assessment, Risk mitigation and Risk Monitoring:]
– What can go wrong?
– What effect can it have?
– How likely is it to happen?
– Is the risk acceptable?
– What needs to be done about it?

Safety Assessment Steps

Safety Assessment initiation:
– Review of Concept of Operations
– Review of Operational Service and Environment Characteristics
– Scoping and Change Assessment
– Safety Considerations
– Safety Criteria
– Safety Assessment Organization

Hazard Identification, Risk Assessment and Safety Objectives

Risk Mitigation Strategy and Safety Requirements

Safety Verification and Validation

Safety Assessment of Change Implementation and Transfer into Operations

Safety Performance Monitoring

Safety Argumentation and Case

What is SAM?

“SAM” = Air Navigation System Safety Assessment Methodology

Developed by EUROCONTROL and ANSP to reflect best practice in this domain

A process derived from Aircraft System Safety Assessment: FHA, PSSA, SSA

3 levels: Method, Guidance Material, Examples

Acceptable Means of Compliance (AMC) to ESARR 4

A set of techniques to develop ATM/ANS safety assessment

SAM & Change Lifecycle

[Figure: SYSTEM LIFECYCLE (Change Definition; Change Design; Change Implementation; Transfer into Operations; Operation / Maintenance; Decommissioning) shown alongside SAFETY ASSURANCE (FHA; PSSA; SSA), with the questions below.]

FHA: How safe does the system need to be?

PSSA: Is the proposed architecture able to achieve an acceptable level of safety?

SSA: Does the system achieve an acceptable level of safety?

Inputs/Outputs of a Safety Assessment

[Figure: Safety Assessment block. Labels: Concept of Operations; System Functions; Interfaces / Stakeholders; Environment Description; Related SMS Procedures; Safety Objectives, Requirements and Evidence.]

S.A Steps and SAM process

[Figure: the safety assessment steps below mapped onto FHA, PSSA and SSA.]

Safety Assessment initiation:
– Review of Concept of Operations
– Review of Operational Service and Environment Characteristics
– Scoping and Change Assessment
– Safety Considerations
– Safety Criteria
– Safety Assessment Organization

Hazard Identification, Risk Assessment and Safety Objectives

Risk Mitigation Strategy and Safety Requirements

Safety Verification and Validation

Safety Assessment of Change Implementation and Transfer into Operations

Safety Performance Monitoring

Safety Argumentation and Case

SCDM

Plan the Work

For each step, define:
– Scope
– Who? (roles and responsibilities)
– What? (activities and deliverables)
– When? (schedule)
– How? (tools and techniques)

Safety Barrier View of ATM/ANS

[Figure: safety barrier model. Barrier groups: Strategic Conflict Management; Separation Provision; Collision Avoidance. Other labels: Airspace Design; Flow & Capacity Management; Planning & Coordination; Pilot Tactical Control; ATC Tactical Control; ATC Recovery; Pilot Recovery; Pre-tactical Conflicts; Trajectory tactical conflicts; Aircraft-induced conflicts; ATC-induced conflicts; Separation Infringement; Collision miss without control; Communication, Navigation, Surveillance; Aeronautical Information; Meteorological Information.]

Success & Failure Approach

Success approach: seeks to assess the achieved level of safety when ATM/ANS is operated as specified

Failure approach: seeks to assess the achieved level of safety in the event of faults and failures of ATM/ANS

EUROCONTROL SAM overall process

[Figure: overall process diagram. Labels: Operational Concept; Safety Considerations; Safety Plan; Initial Safety Argument; FHA; PSSA; SSA; Implementation; Integration; Transfer into Operation; Operation & Maintenance; Evidence; Approval; Project Safety Case / System Safety Case; Unit Safety Case; Safety Monitoring Reports; Update; Update, if required.]

Safety Assessment and Possible Deliverables

Possible Safety Deliverables:
– Safety Considerations
– Safety Plan
– Safety Assessment Report
– Safety Case (Report)

Safety Assessment Outputs:
– Safety Criteria
– Hazards
– Safety Objectives
– Safety Requirements
– Safety Arguments and Evidence

Possible Project Deliverables:
– Project Plan
– Concept of Operations (CONOPS)
– Operational Service and Environment Description (OSED)
– Validation Plan
– Validation Report
– …

Summary

– Safety assessment logic
– Safety assessment steps
– Change lifecycle
– Overall SAM process
– Safety assessment approach
– Safety assessment and possible deliverables

Questions?

Aquarium system safety assessment

Aquarium system

Introduce a fish tank with tropical fish

Required inputs before starting the safety assessment?

Inputs/Outputs of a Safety Assessment

[Figure: Safety Assessment block. Labels: Concept of Operations; System Functions; Interfaces / Stakeholders; Environment Description; Related SMS Procedures; Safety Objectives, Requirements and Evidence.]

System Analysis

[Figure labels: Food quality; Water quality; Water quantity; Water temperature; Cleaning; Food quantity; Oxygen level; …]

Structured brainstorming, reports, studies, etc.

Common understanding on how the system works and what the main functions are!

Functional Hazard Assessment (FHA)

INPUTS: CONCEPT OF OPERATIONS; SYSTEM FUNCTIONS; ENVIRONMENT DESCRIPTION; EXTERNAL INTERFACES / STAKEHOLDERS; RELATED SMS PROCEDURES

FHA: HAZARD IDENTIFICATION; HAZARD EFFECT I.D.; SEVERITY CLASS; SAFETY OBJECTIVE SPECIFICATION

OUTPUTS: SYSTEM SAFETY OBJECTIVES

Functions & failure modes

Overall Operational Objective: Maintain Health of Tropical Fish

System Functions:
• Maintain Water Quantity
• Maintain Water Temperature
• Maintain Water Quality (Food Level, Pollution Level, Oxygen Level)

What can go wrong?

Failure Modes, for example:
– Quantity: Total Loss; Partial Loss (75%, 50%, 5%)
– Temperature: Too High; Too Low
– Quality - Food: Too Low (<1 week; >1 week)
– Quality - Pollution: Too High (>3 days <1 week; >1 week <2 weeks; >2 weeks)
– Oxygen: Too Low

Severity Definitions (in terms of effects on operations)

1 All fish within the tank die.

2 All fish become unhealthy, many fish will die.

3 Many fish become unhealthy, some fish will die.

4 Uncomfortable environment, some fish may become unhealthy.

5 No effect on the fish.

[Arrow label: INCREASING SEVERITY]

Aquarium System FHA Results (1)

Columns: System Functions; Failure mode; Effect on operations; Severity

Maintain Water Quantity
– Total Loss: All fish within the tank die. Severity 1
– Partial Loss 75%: All fish become unhealthy, many die. Severity 2
– Partial Loss 50%: Many fish become unhealthy, some die. Severity 3
– Partial Loss 5%: Uncomfortable environment, some may become unhealthy. Severity 4

Maintain Water Temperature
– Too High: All fish within the tank die. Severity 1
– Too Low: All fish within the tank die. Severity 1

Maintain Water Quality (+ Exposure Time)
– Food Level, Too Low <3 days: Uncomfortable environment, some may become unhealthy. Severity 4
– Food Level, Too Low >3 days: Many fish become unhealthy, some die. Severity 3
– Pollution Level, Too High >3 days <1 week: Many fish become unhealthy, some die. Severity 3
– Pollution Level, Too High >1 week <2 weeks: All fish become unhealthy, many die. Severity 2
– Pollution Level, Too High >2 weeks: All fish within the tank die. Severity 1
– Oxygen Level, Too Low: All fish become unhealthy, many die. Severity 2

Aquarium System SOCS

[Figure: safety objective classification matrix. Vertical axis: Severity of the Effect (1 to 5). Horizontal axis: Frequency of Occurrence of Hazard (Numerous, Likely, Occasional, Rare, Extremely Rare). Regions: Acceptable and Unacceptable.]

Aquarium System FHA Results (2)

Columns: System Functions; Failure mode; Severity; Acceptable Frequency; Safety Objectives

Maintain Water Temperature
– Too High: Severity 1; Ext Rare. The frequency of occurrence of water T° exceeding 28°C shall be no greater than Extremely Rare.
– Too Low: Severity 1; Ext Rare. The frequency of occurrence of water T° dropping below 20°C shall be no greater than Extremely Rare.

Maintain Water Quantity
– Total loss: Severity 1; Ext Rare. The frequency of occurrence of a total water loss shall be no greater than Extremely Rare.

Pollution Level
– Too High >3 days <1 week: Severity 3; Occasional. The frequency of occurrence of pollution level exceeding dangerous level for more than 3 days shall be no greater than occasional.
– Too High >1 week <2 weeks: Severity 2; Rare. The frequency of occurrence of pollution level exceeding dangerous level for more than 1 week shall be no greater than rare.
– Too High >2 weeks: Severity 1; Ext Rare. The frequency of occurrence of pollution level exceeding dangerous level for more than 2 weeks shall be no greater than extremely rare.

Preliminary System Safety Assessment (PSSA)

INPUTS: FHA RESULTS – HAZARDS & SO; PROPOSED SYSTEM ARCHITECTURE(S); ENVIRONMENT DESCRIPTION

PSSA: EVALUATE PROPOSED ARCHITECTURE(S); DERIVE SR FROM SO

OUTPUTS: SAFETY REQUIREMENTS FOR SYSTEM ELEMENTS

Proposed System Architecture

– Water Containment sub-system: Plastic tank
– Heating sub-system: Heater, Thermostat
– Feeding sub-system: Feed weekly
– Filtration sub-system: Pump & filter
– Oxygen sub-system: Big Bubble maker

Aquarium System PSSA

[Figure: bow-tie diagram. Labels: Causes (F1 to F4, with F2 broken down into F21, F22 and F4 into F41, F42); Hazard; Effects: Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2), Effect E (Sev 1); D1 to D4; ERH; Safety Objective; Safety Requirements; PSSA.]

Evaluate the proposed architecture, mitigate the remaining unacceptable risks and iterate if necessary

Modified System Architecture

Identify Risk Reduction Measures

Procedures:
– Observe Fish Daily
– Feed daily
– Test Pollution every 2 days
– Clean Weekly
– Testing Procedures

People:
– Train Kids for Feeding & Cleaning

Equipment:
– Water Containment sub-system: Glass tank
– Heating sub-system: Heater, Thermostat (Alarms + display)
– Feeding sub-system: Feed daily
– Filtration sub-system: Pump & filter
– Oxygen sub-system: Tiny Bubble maker

Allocate Safety Requirements to system/sub-system elements

Validate System Architecture

Aquarium System Design Solution

System Safety Assessment (SSA)

[Figure: SSA block with INPUTS and OUTPUTS. Labels: FHA RESULTS – HAZARDS & SO; PSSA RESULTS – SAFETY REQUIREMENTS; SYSTEM DESCRIPTION; DEVELOPMENT STRATEGY; ASSURANCE AND EVIDENCE COLLECTION AND MONITORING; SAFETY EVIDENCE.]

Aquarium System SSA

Procedures: Observe Fish Daily; Feed daily; Test Pollution every 2 days; Clean Weekly

People: Train Kids for Feeding & Cleaning

Equipment

Evidence: FAT, SAT, etc. Safety Survey.

Equipment:
– Is the risk mitigation in place?
– Meeting design specification?

Procedures:
– Are the procedures in place?
– Are they carried out effectively?

People:
– Are staffing levels correct?
– Have they been trained?
– Is the training effective?

Aquarium System

SAM is iterative:

Hazards may only appear during PSSA or SSA: External Events, Common Cause Failures, Design induced hazards, etc.

SAM Process Summary

[Figure: SYSTEM LIFECYCLE (System Definition; System Design; System Implementation; Transfer into operations; Operation / Maintenance; Decommissioning) shown alongside SAFETY ASSURANCE (FHA; PSSA; SSA), with the questions below.]

FHA: How safe does the system need to be?

PSSA: Is the proposed architecture able to achieve an acceptable level of safety?

SSA: Does the system achieve an acceptable level of safety?

Questions?

Hazard Identification, Risk Assessment and Determination of Safety Objectives

SAM FHA Principles

Session 07

Course Structure

[Figure: course structure blocks: NEED FOR SAFETY ASSESSMENT; KEY CONCEPTS; SAM PROCESS; FHA; PSSA; SSA; PRACTICALITIES; SAFETY ARGUMENTS; SAM ASSISTANT.]

Structure

– Purpose
– Scope
– Inputs
– Core Activities
– Outputs
– Brainstorming

FHA Purpose

Define how safe the change needs to be

Identification of hazards

Assessing the operational risk

Define safety objectives for performance and failure prevention

Hazards, Risks and Safety Objectives

Bow Tie

[Figure: bow-tie diagram. Labels: Causes (F1 to F4); Hazard; Effects: Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2), Effect E (Sev 1); D1 to D4; ERH; Barriers; Safety Objective; Safety Requirements; FHA; PSSA; SSA.]

Scope

At the level of operational functions

Scope of FHA should be consistent with scope defined for the safety assessment

Generic ATM Functional Description

Sequencing & Metering: IFR Arrivals; IFR Departures; VFR Arrivals; VFR Departures; Holding; Transits; Radar to Non-Radar

Tactical Separation: Conflict Detection; Conflict Resolution; IFR/IFR; IFR/VFR Class “B, C”; IFR/VFR Class “D”; IFR/VFR Class “E, F, G”; VFR/VFR Class “B, C, D”; VFR/VFR Class “E, F, G”

Coordination & Transfer: Adjacent Units (ACC, APP, TWR); Military; GA Airfields; Transfer of Control; Assume Control (Non-Radar; Radar with correlation; Radar without correlation)

Collision Avoidance: Between Aircraft (IFR/IFR & IFR/VFR); Between Aircraft (VFR/VFR); Between Aircraft & Ground

Airspace Management: Strategic Airspace Management; Tactical Airspace Management; Runway Changes; Tactical Management of Unusual Occurrences

Flow & Capacity Management: Manage Flow Regulation; Sector Management; Routing Management

Flight Information Service: Airspace Information; Meteorological Information; Aerodrome Information; Status of Services & Systems; Procedures & Regulations

Alerting Service: Problem Detection; Coordination with Rescue Services

Supporting Services: Comms Systems; Nav Systems; Surveillance Systems; Met Services; AIS

Situational Awareness ATCO: Create; Maintain

Situational Awareness Pilot: Create; Maintain

[Diagram legend: High Risk Causal Link]

Safety Barrier View of ATM/ANS

[Figure: safety barrier model. Barrier groups: Strategic Conflict Management; Separation Provision; Collision Avoidance. Other labels: Airspace Design; Flow & Capacity Management; Planning & Coordination; Pilot Tactical Control; ATC Tactical Control; ATC Recovery; Pilot Recovery; Pre-tactical Conflicts; Trajectory tactical conflicts; Aircraft-induced conflicts; ATC-induced conflicts; Separation Infringement; Collision miss without control; Communication, Navigation, Surveillance; Aeronautical Information; Meteorological Information.]

FHA Inputs

System functions

Concept of operations

Environment description

Interfaces / Stakeholders

Related SMS Procedures

FHA Core Activities

HOW SAFE DOES THE SYSTEM NEED TO BE?

– HAZARD IDENTIFICATION: WHAT CAN GO WRONG?
– HAZARD EFFECTS IDENTIFICATION: WHAT ARE THE POTENTIAL CONSEQUENCES?
– EFFECTS SEVERITY CLASSIFICATION: HOW SEVERE ARE THE CONSEQUENCES?
– SAFETY OBJECTIVES SPECIFICATION

[Diagram labels: Brainstorming; FUNCTIONAL]

Hazard Identification

[Figure: Function 1 (Failure Mode 1.1, Failure Mode 1.2), Function 2 (Failure Mode 2.1, Failure Mode 2.2) and Ext Event E.1, linked to Hazard 1, Hazard 2 and Hazard 3.]

• Common understanding?

• Scale

Examples of Failure Modes

– Total loss / Inability to provide a function
– Partial loss
– Error of input/output:
  - missing data (partial loss, total loss)
  - detected erroneous/corrupted data (not credible error/corruption)
  - undetected erroneous/corrupted data (credible error/corruption)
  - spontaneous data
  - out of sequence
  - out of range
– Misdirection of data
– Inconsistent information
– Erroneous updating
– Failure to start
– Failure to stop
– Failure to switch
– Delayed operation (too late)
– Premature operation (too early)
– Inadvertent operation
– Intermittent or erratic operation
– Modified operation
– Violation of operation (Routine or unintentional)
– Misheard
– Misunderstood
– Used beyond intent
– Out of time synchronisation

Hazard Effect Determination

1. Common understanding of the hazard

2. Identify the barriers

3. Consider exposure time and hazard detection

[Figure: Hazard (H) passing through Barrier A, Barrier B, Barrier C and Barrier D to the effects: Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2), Effect E (Sev 1).]

Severity Classification

Identify the factors or protective barriers influencing the effects of each hazard

Assess the effectiveness of the barriers, and determine the possible scenarios and their end-effects

Allocate a severity class to each effect, in accordance with the Severity Classification Scheme from Reg. 1035/2011

Severity Classification Scheme (Reg. 1035/2011 Repealing 2096/2005)

List of examples of serious incidents from Reg. 996/2010:

– Near collision requiring an avoidance manoeuvre to avoid a collision or an unsafe situation or when an avoidance action would have been appropriate,
– Controlled flight into terrain only marginally avoided,
– Runway incursions classified with severity A according to the Manual on the Prevention of Runway Incursions (ICAO Doc 9870) which contains information on the severity classifications,
– Take-off or landing incidents. Incidents such as undershooting, overrunning or running off the side of runways,
– Take-offs from a closed or engaged runway, from a taxiway, excluding authorised operations by helicopters, or from an unassigned runway,
– Aborted take-offs on a closed or engaged runway, on a taxiway, excluding authorised operations by helicopters, or from an unassigned runway,
– Landings or attempted landings on a closed or engaged runway, on a taxiway, excluding authorised operations by helicopters, or from an unassigned runway,
– Gross failures to achieve predicted performance during take-off or initial climb,
– Fires and smoke in the passenger compartment, in cargo compartments or engine fires, even though such fires were extinguished by the use of extinguishing agents,
– Events requiring the emergency use of oxygen by the flight crew,
– Aircraft structural failure or engine disintegration, including uncontained turbine engine failures, not classified as an accident,
– Multiple malfunctions of one or more aircraft systems seriously affecting the operation of

ESARR 4 Severity Scheme

Severity class 1 [Most Severe]. Effect on Operations: Accidents. Examples of effects on operation include:
– One or more catastrophic accidents,
– One or more mid-air collisions
– One or more collisions on the ground between two aircraft
– One or more Controlled Flight Into Terrain
– Total loss of flight control
No independent source of recovery mechanism, such as surveillance or ATC and/or flight crew procedures can reasonably be expected to prevent the accident(s).

Severity class 2. Effect on Operations: Serious incidents. Examples of effects on operation include:
– Large reduction in separation (e.g., a separation of less than half the separation minima), without crew or ATC fully controlling the situation or able to recover from the situation.
– One or more aircraft deviating from their intended clearance, so that abrupt manoeuvre is required to avoid collision with another aircraft or with terrain (or when an avoidance action would be appropriate).

Severity class 3. Effect on Operations: Major incidents. Examples of effects on operation include:
– large reduction (e.g., a separation of less than half the separation minima) in separation with crew or ATC controlling the situation and able to recover from the situation.
– minor reduction (e.g., a separation of more than half the separation minima) in separation without crew or ATC fully controlling the situation, hence jeopardising the ability to recover from the situation (without the use of collision or terrain avoidance manoeuvres).

Severity class 4. Effect on Operations: Significant incidents. Examples of effects on operation include:
– increasing workload of the air traffic controller or aircraft flight crew, or slightly degrading the functional capability of the enabling CNS system.
– minor reduction (e.g., a separation of more than half the separation minima) in separation with crew or ATC controlling the situation and fully able to recover from the situation.

Severity class 5 [Least Severe]. Effect on Operations: No immediate effect on safety. Examples of effects on operation include:
– No hazardous condition i.e. no immediate direct or indirect impact on the operations.

SEVERITY INDICATORS SET 1: EFFECTS ON AIR NAVIGATION SERVICE

Severity Class and Effects on Operations: 1 [Most Severe] Accidents; 2 Serious Incidents; 3 Major Incidents; 4 Significant Incidents

Effect on Air Navigation Service within the area of responsibility:
– Class 1: Total inability to provide or maintain safe service
– Class 2: Serious inability to provide or maintain safe service
– Class 3: Partial inability to provide or maintain safe service
– Class 4: Ability to provide or maintain safe but degraded service

ATCO and/or Flight Crew Working Conditions:
– Class 1: Workload, stress or working conditions are such that they cannot perform their tasks at all
– Class 2: Workload, stress or working conditions are such that they are unable to perform their tasks effectively
– Class 3: Workload, stress or working conditions such that their ability is significantly impaired
– Class 4: Workload, stress or working conditions are such that their abilities are slightly impaired

Effect on ground ATM System and/or Aircraft Functional Capabilities:
– Class 1: Total loss of functional capabilities
– Class 2: Large reduction of functional capabilities
– Class 3: Significant reduction of functional capabilities
– Class 4: Slight reduction of functional capabilities

ATCO and/or Flight Crew Ability to Cope with Adverse Operational and Environmental Conditions:
– Class 1: Unable to cope with adverse operational and environmental conditions
– Class 2: Large reduction of the ability to cope with adverse operational and environmental conditions
– Class 3: Significant reduction of the ability to cope with adverse operational and environmental conditions
– Class 4: Slight reduction of the ability to cope with adverse operational and environmental conditions

SEVERITY INDICATORS SET 2: EXPOSURE

Exposure time:
• Too brief to have any safety-related effect
• Hazard may persist for a short period of time such that no significant consequences are expected.
• Hazard may persist for a moderate period of time.
• Hazard may persist for a substantial period of time
• The presence of the hazard is almost permanent. Reduction of safety margins persists even after recovering from the immediate problem.

Number of aircraft exposed / area of responsibility:
• No aircraft affected
• Single aircraft
• Aircraft within a small geographic area or an area of low traffic density
• All aircraft in several ATC Sectors
• All aircraft in the area of responsibility

SEVERITY INDICATORS SET 3: RECOVERY

Annunciation, Detection and Diagnosis *:
• Clear annunciation. Easily detected and very reliable diagnosis
• Clear annunciation. Easily detected, reliable diagnosis
• May require some interpretation. Detectable. Incorrect diagnosis possible
• Ambiguous indication. Not easily detected. Incorrect diagnosis likely
• Undetected misleading indication.

Contingency measures (other systems or procedures) available:
• Highly reliable, automatic, comprehensive contingency measures
• Reliable, automatic, comprehensive contingency measures
• Contingency measures available, providing most of required functionality. Fall back equipment usually reliable. Operator intervention required, but a practised procedure within the scope of normal training
• Limited contingency measures, providing only partial replacement functionality. Operators not familiar with procedures or may need to devise a new procedure at the time.
• No existing contingency measures available. Operators unprepared. Limited ability to intervene.

Rate of development of the hazardous condition, compared to the time necessary for annunciation, detection, diagnosis and application of contingency measures:
• Plenty of time available.
• Slow
• Similar
• Fast
• Sudden. It does not allow recovery

Safety Objectives Specification

Safety Objective: Maximum Acceptable Frequency of Occurrence of Hazard

[Figure labels: Severity Class; Risk Classification Scheme; Safety Objective Classification Scheme; Safety Objective.]

FHA Outputs

SAFETY OBJECTIVES

Hazards

Effects

Severity class

Rationale / Barriers

Assumptions

Risk Assessment Template

Template columns: Hazard Id; Function; Hazard; Effect on operations; Severity Class; Rationale/Remarks; Context and Exposure Time; Factors, Protective Barriers and Effectiveness

Brainstorming

Participants/Functions:
– End users (ATCO, pilots, technicians): Background, mindset, independence
– Moderator: Optimise effectiveness
– Safety expert: Safety process, challenger
– Secretary: To make notes

Preparation is key

Summary

– Purpose
– Scope
– Inputs
– Core Activities
– Outputs
– Brainstorming

Questions?

Risk Mitigation Strategy of ATM Change Design for Operations

SAM PSSA Principles

Session 09

Course Structure

[Figure: course structure blocks: NEED FOR SAFETY ASSESSMENT; KEY CONCEPTS; SAM PROCESS; FHA; PSSA; SSA; PRACTICALITIES; SAFETY ARGUMENTS; SAM ASSISTANT.]

Structure

– Purpose
– Inputs
– Scope
– Core Activities
– Safety Requirements
– Assurance levels
– Outputs

PSSA PurposePSSA Purpose

Assess whether the proposed architecture of Change to functional System is (are) able to achieve an acceptable level of safety

Safety Requirements

Assurance Levels

Page 92: SAF-SAM Course Slides

PSSA Inputs

Environment description

List of hazards

List of Safety Objectives

Proposed design architecture(s)

PSSA Core Activities

EVALUATE PROPOSED CHANGE ARCHITECTURE

DERIVE SAFETY REQUIREMENTS

CAN THE PROPOSED ARCHITECTURE(S) CAUSE OR CONTRIBUTE TO HAZARDS?

HOW?

HOW TO ALLOCATE SAFETY REQUIREMENTS TO EACH INDIVIDUAL SYSTEM ELEMENT?

Page 93: SAF-SAM Course Slides

Questions for Change Design Phase

Will the performance of functionalities be sufficient?

Will it work properly, under all normal conditions of the operational environment that it is likely to encounter?

What happens under abnormal conditions of the operational environment?

What happens in the event of a failure or error?

Are the Safety Requirements realistic – i.e. could they be achievable?

Evaluate Proposed Change Architecture

Change architecture modelling
– Functional / Logical Level
– Task analysis
– HF assessment

Design analysis 1 – Normal conditions (Performance)
– Safety Benefits analysis
– Real Time Simulations

Design analysis 2 – Abnormal conditions (Robustness)
– Robustness analysis

Design analysis 3 – Failure conditions (Integrity, Reliability)
– FTA (Fault Tree Analysis)
– CCA (Common Cause Analysis)
– HF assessment

Page 94: SAF-SAM Course Slides

Bow Tie

[Figure: bow-tie diagram. Labels: Causes; Hazard; Effect; F1–F4; D1–D4; Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2), Effect E (Sev 1); Barriers; Safety Objective; Safety Requirements; FHA, PSSA, SSA.]

Safety Requirements

Page 95: SAF-SAM Course Slides

Derive Safety Requirements

Specify the safety requirements necessary to meet the safety objectives

Provide assurance of the effectiveness and realism of the safety requirements

Allocate an Assurance Level as appropriate

Safety Requirements

Risk Mitigation Means

Required to reduce the risk(s) to an acceptable level

Risk mitigation strategy:
– Eliminate hazard
– Reduce frequency of occurrence of hazard (prevention)
– Reduce severity of effects (protection)

Page 96: SAF-SAM Course Slides

Success and Failure Perspective

Hazard-types Addressed
– Success: Pre-existing Hazards
– Failure: System-generated Hazards

Safety Contribution
– Success: Maximize ATM contribution to aviation safety
– Failure: Minimize ATM contribution to risk of an accident

Dominant Safety Properties
– Success: System Functionality and Performance
– Failure: System Integrity

Safety Requirements (SR)
– Success: What we want the system to do
– Failure: What we don’t want the system to do

Safety Requirements – Topics

Functionality and performance
– Mobile detection rate
– Timeliness of info / data provision
– Accuracy of info / data provision
– Position of sensors
– Operational procedures on info / data usage
– …

Integrity and reliability
– Failure rate
– False alerts
– Fail-safe degradation
– Back-up procedures
– …

Assumptions

Page 97: SAF-SAM Course Slides

Risk Apportionment

[Figure: risk apportionment diagram. Labels: Safety Objectives; SYSTEM FUNCTIONS; CHANGE ARCHITECTURE; ATCOs; Operational Procedures; Equipment; Software; Hardware; Man Machine Interface; SR, SR+HAL, SR+PAL, SR+SWAL.]

SR = Safety Requirements
PAL = Procedure Assurance Level
HAL = Human Assurance Level
SWAL = Software Assurance Level

Realism of Safety Requirements

• Achievable
• Necessary and sufficient
• Effective
• Traceable to Causes / Hazards / Safety Objective(s)

Page 98: SAF-SAM Course Slides

Assurance Levels

What is the idea of an Assurance Level?

You want to build a
– Dog kennel?
– House extension?
– Skyscraper?

You have several methods
– Do it yourself
– Use a local builder
– Use an architect

Which would you use?

Means of adapting the level of effort to the criticality of the change

Page 99: SAF-SAM Course Slides

Where can we credibly quantify?

PROCEDURES, PEOPLE, EQUIPMENT

– Procedure (PAL): No
– People (HAL): No
– Equipment, Software (SWAL): No
– Equipment, Hardware (figures: MTBF, etc.): Yes (+/-)

Allocation of an Assurance Level

[Figure: bow-tie diagram. Labels: Causes; Hazard; F1–F4; D1–D3; Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2), Effect E (Sev 1); Worst Credible Effect Severity; Distance between failing component and effect; Failing Component.]

Page 100: SAF-SAM Course Slides

Definition of the Assurance Level

Rows: distance between failing component & effect. Columns: Effect Severity.

Effect Severity       1        2        3        4
Very Possible         xxAL1    xxAL2    xxAL3    xxAL4
Possible              xxAL2    xxAL3    xxAL3    xxAL4
Very Unlikely         xxAL3    xxAL3    xxAL4    xxAL4
Extremely Unlikely    xxAL4    xxAL4    xxAL4    xxAL4

[Figure: bow-tie diagram. Labels: Causes; Hazard; F1–F4; D1–D3; Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2), Effect E (Sev 1); Worst Credible Effect Severity; Distance between failing component and effect; Failing Component.]

PAL Objectives

Objectives to be fulfilled during the Procedure Life Cycle Phases (i Definition; ii Design and Validation; iii Implementation; iv Transfer into operations; v Operation), by Procedure Assurance Level:

PAL 4

i Definition
1. Ensure involvement of relevant operational expertise
2. Ensure a minimum set of quality assurance activities
3. Establish a proven and well-documented starting point for the definition exercises

ii Design and Validation
1) Establish an acceptable risk level (in qualitative terms)
2) Ensure that HMI has been assessed
3) Ensure suitable validation

iii Implementation
1. Establish an Implementation Plan which includes quality assurance activities
2. Ensure an acceptable quality assurance level

iv Transfer into operations
1. Ensure that feedback concerning the transfer process is provided to involved staff
2. Ensure dissemination of contingency measures
3. Ensure documented contingency measures

v Operation
1. Ensure documentation control
2. Establish a reporting system covering occurrences relating to the procedure
3. Ensure high-ranking proficiency levels

PAL 3

ii.3 Ensure suitable validation at different levels
ii.4 Ensure robustness
iii.3 Ensure stakeholder acceptance
iii.4 Ensure training levels
iv.4 Ensure enhanced competence levels of staff to perform the transfer
v.4 Ensure validity of assumptions
v.5 Ensure promulgation of related incident investigations

PAL 2

i.4 Ensure stakeholder acceptance
ii.5 Ensure external expert acceptance
ii.6 Ensure enhanced competence levels of designers
iii.5 Ensure approval at the Corporate level of management
iii.6 Establish evidence of acceptable design maturity
iv.5 Ensure incremental transfer
iv.6 Ensure approval of the Transfer Plan at management level
iv.7 Ensure stakeholder acceptance of the Transfer Plan
iv.8 Ensure application of an approved and systematic method to verify the transfer process
v.6 Ensure acceptable performance levels

PAL 1

i.5 Ensure an approved and systematic specification
ii 1) Establish an acceptable risk level (in quantitative terms)
ii.7 Ensure independency in design and validation
iii.7 Ensure independent auditing of the procedure
iii.8 Ensure corporate level of approval by stakeholders
v.7 Ensure that the application of the procedure is reduced to its minimum

Page 101: SAF-SAM Course Slides

PAL 4 Objectives

Objectives to be fulfilled during the Procedure Life Cycle Phases, for Procedure Assurance Level PAL 4:

i Definition
1. Ensure involvement of relevant operational expertise
2. Ensure a minimum set of quality assurance activities
3. Establish a proven and well-documented starting point for the definition exercises

ii Design and Validation
1. Establish an acceptable risk level (in qualitative terms)
2. Ensure that HMI has been assessed
3. Ensure suitable validation

iii Implementation
1. Establish an Implementation Plan which includes quality assurance activities
2. Ensure an acceptable quality assurance level

iv Transfer into operations
1. Ensure that feedback concerning the transfer process is provided to involved staff
2. Ensure dissemination of contingency measures
3. Ensure documented contingency measures

v Operations
1. Ensure documentation control
2. Establish a reporting system covering occurrences relating to the procedure
3. Ensure high-ranking proficiency levels

Day to day human issues

Page 102: SAF-SAM Course Slides


Page 103: SAF-SAM Course Slides

What is Human Performance?

Human Potential - Interference = Human Performance

Myself

Team

Organisation

Environment

Human Performance Areas in ATM?

[Figure labels: Human Performance; Interference]

Page 104: SAF-SAM Course Slides

System Used Beyond Capabilities

PSSA Outputs

SAFETY REQUIREMENTS

Page 105: SAF-SAM Course Slides

Summary

• Purpose
• Inputs
• Scope
• Core Activities
• Safety Requirements
• Assurance levels
• Outputs

Questions?

Page 106: SAF-SAM Course Slides

Safety Verification and Validation

Risk Assessment and Mitigation of ATM Change Implementation & Transfer into Operations

SAM SSA Principles

Session 11

Course Structure

NEED FOR SAFETY ASSESSMENT

KEY CONCEPTS

SAM PROCESS

FHA, PSSA, SSA

PRACTICALITIES

SAFETY ARGUMENTS, SAM ASSISTANT

Page 107: SAF-SAM Course Slides

Structure

• Purpose
• Inputs
• Core Activities
• Outputs

SSA Purpose

Demonstrate that change/system actually achieves an acceptable level of safety from implementation till decommissioning

Safety evidence

Assurance

Page 108: SAF-SAM Course Slides

Timescale

[Figure: timescale. Labels: Change Initiation; Implementation; Transfer to Ops; Operations; Decommissioning; FHA; PSSA; SSA.]

Bow Tie

[Figure: bow-tie diagram. Labels: Causes; Hazard; Effect; F1–F4; D1–D4; Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2), Effect E (Sev 1); Barriers; Safety Objective; Safety Requirements; FHA, PSSA, SSA.]

Page 109: SAF-SAM Course Slides

SSA Inputs

Environment description

Hazards & SO

System Architecture

Safety Rqts, ALs

Verification Versus Validation

Verification: Have we built the system RIGHT?

Validation: Have we built the RIGHT system?

Page 110: SAF-SAM Course Slides

Need for Verification & Validation

SSA Core Activities

Build and Collect Evidence that:

– Safety Requirements / ALs are met

– Safety Objectives are satisfied

– Assumptions are correct

– Users Expectations are satisfied

– System achieves an Acceptable Level of Safety

For the whole lifecycle of the change/system!

Page 111: SAF-SAM Course Slides

What is Risky in Each Phase?

Implementation

Transfer into Operations

Operations

Maintenance

Decommissioning

For Each Phase

What type of evidence?

Verification or validation?

Who will provide this evidence?

What if you need acceptance by your NSA before transfer into ops?

What if a SR is not met?

Can you use previous safety assessments as evidence?

Page 112: SAF-SAM Course Slides

Use your SMS & QMS!

SMS processes:
– Roles and responsibilities (management commitment)
– Occurrence Reporting & Investigation
– Competency assessment
– Monitoring
– Safety Surveys
– Lesson Dissemination
– External Services
– …

Quality Processes
– Design
– Document control
– Management of problem reports
– …

Getting the Big Picture of Risk

Lack of evidence of risk… is not evidence of lack of risk

Page 113: SAF-SAM Course Slides

SSA Outputs

EVIDENCE & ASSURANCE

Summary

• Purpose
• Inputs
• Core Activities
• Outputs

Page 114: SAF-SAM Course Slides

Questions?

Page 115: SAF-SAM Course Slides

Safety Argument / Case Principles

Session 14

Course Structure

NEED FOR SAFETY ASSESSMENT

KEY CONCEPTS

SAM PROCESS

FHA, PSSA, SSA

PRACTICALITIES

SAFETY ARGUMENTS, SAM ASSISTANT

Page 116: SAF-SAM Course Slides

Structure

Why do we develop Safety Arguments?

How to develop a Safety Argument?

How to present a Safety Argument?

What Safety Assurance activities?

What is a Safety Case?

What are the types of Safety Cases?

How to develop Safety Cases?

How to structure Safety Documentation?

Safety Argument-Based Approach

To provide assurance

To provide structured and systematic approach

To address EC. 1035/2011 & ESARR4 requirement

[Figure labels: Safety Argument; Activities; Evidence; Assurance Level (AL); To satisfy; To produce; To give confidence; To achieve]

Page 117: SAF-SAM Course Slides

Top Level Safety Argument

Arg 0: ATM Operations will be acceptably safe.

Cr001: Acceptably safe is defined by the Safety Criteria to be satisfied

C001: Operational Service & Environment are described

A0001: Assumptions are stated

J0001: Justification and benefits are provided

Argue on basis of a safe Specification and Logical Design, full Implementation of that design, safe Transition into service and Safety Monitoring for whole operational service life

Arg 1: ATM system has been specified to be acceptably safe

Arg 2: ATM system has been designed to be acceptably safe

Arg 3: ATM system Design has been implemented completely & correctly

Arg 4: Transition from current state to full ATM system will be acceptably safe

Arg 5: ATM system will be shown to operate acceptably safely throughout its service

[tbd] [tbd] [tbd] [tbd] [tbd]

Safety Assurance Activities

Specification

Design

Implementation

Transfer into Operations

Operations

Page 118: SAF-SAM Course Slides

Safety Lifecycle

[Figure: safety lifecycle. Labels: Definition; Design & Validation (High-level); Implementation & Integration; Transfer into Operation; Operation & Maintenance; FHA; PSSA; SSA; Arg 0, Arg 1, Arg 2, Arg 3, Arg 4, Arg 5; Lower-level Safety Arguments; Evidence; System Safety Assurance Activities.]

What is a Safety Case?

Presentation of:

– Structured argumentation to support a claim

Statements which claim that something is true (or false)

– Supporting rationale and evidence to show that each argument is true

Page 119: SAF-SAM Course Slides

Types of Safety Cases and their Use

[Figure labels: Unit; System; Subsystems]

Unit Safety Case

Top-claim: “Air Navigation Services provided by ATSU are, and will remain, acceptably safe”

What would you expect to see in such a unit safety case?

Page 120: SAF-SAM Course Slides

Safety Case Development Process

[Figure: safety case development process. Labels: Safety Considerations; Operational Concept; Initial Safety Argument; Safety Plan; FHA; PSSA; SSA; Implementation; Integration; Transfer into Operation; Operation & Maintenance; Safety Monitoring Reports; Evidence; Approval; Update; Update, if required; Project Safety Case; System Safety Case; Unit Safety Case.]

Safety Documentation Structure

Safety Case Report

Design Documents

Safety Register (Hazard Log, S.R., Assumptions, …)

Safety Assessment Report

Part 1 & 2

Other reference sources

Page 121: SAF-SAM Course Slides

System Safety Case Report Structure

• Introduction
• Change description
• Safety Argument
– Top argument
– Safety criteria
• Sub-arguments, rationale & evidence
• Caveats (assumptions, limitations, open issues)
• Safety Requirements
• Conclusions
• Reference
• Appendices (S.A., simulations, test results, …)

Summary

Why do we develop Safety Arguments?

How to develop a Safety Argument?

How to present a Safety Argument?

What is a Safety Case?

What are the types of Safety Cases?

How to develop Safety Cases?

How to structure Safety Documentation?

Page 122: SAF-SAM Course Slides

Questions?

Page 123: SAF-SAM Course Slides

Practicalities

Session 15

Course Structure

NEED FOR SAFETY ASSESSMENT

KEY CONCEPTS

SAM PROCESS

FHA, PSSA, SSA

PRACTICALITIES

SAFETY ARGUMENTS, SAM ASSISTANT

Page 124: SAF-SAM Course Slides

Structure

• SAM Practicalities
• FHA Practicalities
• PSSA Practicalities
• SSA Practicalities

SAM Practicalities - 0

This is a little story about four people named Everybody, Somebody, Anybody, and Nobody.

There was an important job to be done and Everybody was sure that Somebody would do it. Anybody could have done it, but Nobody did it. Somebody got angry about that because it was Everybody's job. Everybody thought that Anybody could do it, but Nobody realized that Everybody wouldn't do it. It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done.

Page 125: SAF-SAM Course Slides

SAM Practicalities - 1

At organizational level
– Define who is doing what
– Closely linked with: other SMS processes, other QMS processes, other project related activities
– Make sure methodologies are useful and fit for purpose
– Share efforts: reusability, accessibility

SAM Practicalities - 2

Plan your safety assessment

Start safety assessment as early as possible

Adapt level of effort

Page 126: SAF-SAM Course Slides

SAM Practicalities - 3

Be careful when you subdivide a change (overall risk not assessed)

Consider the future environment, not the current one

Total system approach not followed
– People, procedures, equipment
– Key stakeholders omitted
– Success approach not considered

SAM Practicalities - 4

Training needed for
– Ops and project managers
– Safety practitioners
– Participants in a safety assessment

Methodological assistance may be needed
– External safety/human experts
– Manufacturers

KEEP CONTROL!!

Page 127: SAF-SAM Course Slides

SAM Practicalities - 5

Misuse of tools and techniques

– Quantification

– Goal Structuring Notation (GSN)

– Fault trees

– Event trees

SAM Practicalities - 6

Be aware of the advantages & limitations of quantification

Advantages
– Avoids diverging understandings
– Clear targets to manufacturers
– Apportionment of risks
– Helps to check credibility of the results

Limitations
– False sense of confidence
– Not always feasible
– Diverts people from dealing with the real issues

Page 128: SAF-SAM Course Slides

FHA Practicalities - 1

Scope of FHA should be at functional level!

Share your efforts!

Take enough time to describe the change

Involve the relevant people

Prepare the brainstorming sessions

FHA Practicalities - 2

Don’t forget what we aim at:

– Assessing the overall risks

– Understanding how system works (safety benefits)

– Understanding how system fails (additional risks)

Page 129: SAF-SAM Course Slides

PSSA Practicalities - 1

Misuse of tools and techniques

– Fault Trees
Missing barriers / mitigation means
AND gates are not always perfect!
Have you captured Common Causes, unavailability of redundancy, Mean Time To Repair, etc.?

– Quantification
On humans, procedures, software?

PSSA Practicalities - 2

Safety Requirements focused on equipment exclusively

No qualitative Safety Requirement

Unrealistic safety requirements

– Too stringent failure rate on an equipment component

– Credibility towards supplier?

Page 130: SAF-SAM Course Slides

PSSA Practicalities - 3

Do consider the success approach!

Make best use of SMS / QMS / project related activities

…Otherwise resulting architecture may not meet the user’s needs!

PSSA should not drive design

PSSA Practicalities - 4

Safety assessments focused on individual changes

– Inconsistent assumptions (risk apportionment, ongoing or short term changes not taken into account)

– Overall risk not assessed, may be unacceptable

Page 131: SAF-SAM Course Slides

SSA Practicalities - 1

Closely linked with other SMS / QMS processes

Don’t neglect critical phases of the change!

Indicators should be relevant and useful for monitoring (action to be triggered)

SSA Practicalities - 2

SSA safety plan very useful to help structure the evidence collection process

Evidence collection usually requires a lot of effort

All interested parties should be made aware of what they should produce / collect as evidence

Page 132: SAF-SAM Course Slides

Summary

• SAM Practicalities
• FHA Practicalities
• PSSA Practicalities
• SSA Practicalities

Questions?