SAF-SAM Course Slides
Transcript of SAF-SAM Course Slides
NSA-SOSM Copyright 2012 EUROCONTROL
Introduction to the Safety Assessment Methodology
A centre of excellence in ATM Training
SAF-SAM
05 - Supervision and Safety Oversight
© Copyright 2012 EUROCONTROL
Any use of this training material is subject to prior written consent by EUROCONTROL.
Requests shall be addressed to: Head of the Institute of Air Navigation Services, 12, rue Antoine de Saint-Exupéry, L-1432 Kirchberg, Luxembourg.
The EUROCONTROL Institute of Air Navigation Services aims to provide the services that you want and to make your stay in the Institute as enjoyable as possible. All Institute personnel are there to ensure that your stay at the Institute is successful. However, if you do have a complaint (or a compliment) please tell us. If you are not satisfied with the service we provide or you would like to propose an improvement then please fill out the form at http://www.eurocontrol.int/ians/complaint.html, or contact [email protected] directly.
SAF-SAM Course
Table of content
Course Programme
Glossary
01 Introduction to Safety Management in ATM
02 ATM Safety Regulatory Framework
03 Key concepts of Risk Assessment and Mitigation
04 Traffic Risk Exercise
05 Safety Assessment Methodology Overview
06 Initiation of ATM change safety assessment
07 Hazard Identification, Risk Assessment and Determination of Safety Objectives
08 Hazard Identification, Risk Assessment and Determination of Safety Objectives – Exercise
09 Risk Mitigation Strategy of ATM Change Design for Operations
10 Risk Mitigation Strategy of ATM Change Design for Operations – Exercise
11 Safety Verification and Validation
12 Risk Assessment and Mitigation of ATM Change Implementation – Exercise
13 Risk Assessment and Mitigation of ATM Change Transfer into Operations – Exercise
14 Safety Argument / Case Principles
15 Practicalities
Course timetable
DAY/TIME: 09:00, 10:00, 12:00, 12:30, 13:30, 17:00
Monday: opens with Session 00 (Course Intro)
Tuesday: Debrief 1st day
Wednesday: Debrief 2nd day
Thursday: Debrief 3rd day
Friday: Debrief 4th day
Sessions, in numerical order:
Session 00 – Course Intro
Session 01 – Introduction to Safety Management in ATM
Session 02 – ATM Safety Regulatory Framework
Session 03 – Key Concepts of Risk Assessment and Mitigation
Session 04 – Road Traffic Exercise
Session 05 – Risk Assessment and Mitigation – Overview of SAM & Fish Tank Example
Session 06 – Initiation of ATM Change Safety Assessment – Example
Session 07 – Hazard Identification, Risk Assessment and Determination of Safety Objectives
Session 08 – Hazard Identification, Risk Assessment and Determination of Safety Objectives – Exercise
Session 09 – Risk Mitigation Strategy of ATM Change Design for Operations
Session 10 – Risk Mitigation Strategy of ATM Change Design for Operations – Exercise
Session 11 – Safety Verification and Validation
Session 12 – Risk Assessment and Mitigation of ATM Change Implementation – Exercise
Session 13 – Risk Assessment and Mitigation of ATM Change Transfer into Operations – Exercise
Session 14 – Safety Argument / Case – Principles
Session 15 – SAM Assistant
Session 16 – Practicalities
Session 17 – Test & Debrief
Session 18 – Course Debrief
Abbreviations and Acronyms useful for IANS SAF-SAM Training Course
AC, Ac Aircraft
A-SMGCS Advanced Surface Movement Ground Control Systems
ACAS Airborne Collision Avoidance System
ACAS-IR Commission Regulation (EU) No 1332/2011 of 16 December 2011 laying down common airspace usage requirements and operating procedures for airborne collision avoidance
ACC an Area Control Centre (an en-route ATC unit)
ACID-IR Commission Regulation (EU) 1206/2011 of 22 November 2011 laying down requirements on aircraft identification for surveillance for the single European sky
ADQ-IR Commission Regulation (EU) No 73/2010 of 26 January 2010 laying down requirements on the quality of aeronautical data and aeronautical information for the SES (this regulation covers the production and distribution of such data and information)
AGL Aerodrome Ground Lighting
AIC Aeronautical Information Circular
AIP Aeronautical Information Publication
AIS Aeronautical Information Service, a part of the air navigation services (ANS), meaning a service established within the defined area of coverage responsible for the provision of aeronautical information and data necessary for the safety, regularity, and efficiency of air navigation
ALARP As Low As Reasonably Practicable
AMAN Arrival Manager
AMC Acceptable Means of Compliance
ANS Air Navigation Services, meaning air traffic services; communication, navigation and surveillance services; meteorological services for air navigation; and aeronautical information services
ANSP an organisation providing or offering to provide air navigation services
AO Airport Operator
APP an ATS Approach Unit (an ATSU)
Arg Argument
ARR Arrival
Art article (such as in a Regulation etc)
ASBU ICAO Aviation System Block Upgrades (coordinated approach to the introduction of ATM solutions)
ASM Airspace Management, a planning function with the primary objective of maximising the utilisation of available airspace by dynamic time-sharing and, at times, the segregation of airspace among various categories of airspace users on the basis of short-term needs
A-R (EC) Regulation No 551/2004 of the European Parliament and of the Council of 10 March 2004 on the organisation and use of the airspace in the single European sky (the airspace Regulation, one of the four main SES Regulations); as amended by Regulation (EC) No 1070/2009 of the European Parliament and of the Council of 21 October 2009
ATC Air Traffic Control, meaning a service provided for the purpose of:
(a) preventing collisions:
— between aircraft, and
— in the manoeuvring area between aircraft and obstructions;
and
(b) expediting and maintaining an orderly flow of air traffic
ATCO(s) air traffic controller(s)
ATFCM Air Traffic Flow and Capacity Management (EUROCONTROL concept)
ATFM Air Traffic Flow Management, an ATM function established with the objective of contributing to a safe, orderly and expeditious flow of air traffic by ensuring that ATC capacity is utilised to the maximum extent possible, and that the traffic volume is compatible with the capacities declared by the appropriate air traffic service providers
ATFM-IR Commission Regulation (EU) No 255/2010 laying down common rules on air traffic flow management
ATIS Automatic Terminal Information Service
ATM Air Traffic Management, meaning the aggregation of the airborne and ground-based functions (air traffic services, airspace management and air traffic flow management) required to ensure the safe and efficient movement of aircraft during all phases of operations
ATM/ANS Depending on the context:
- Air Traffic Management (ATM) and Air Navigation Services (ANS) as defined in Article 2(4) and 2(10) of the SES framework Regulation (F-R) – see ‘ATM’ and ‘ANS’ definitions separately
- In accordance with EASA Basic Regulation: ‘the air traffic management functions as defined in Article 2(10) of Regulation (EC) No 549/2004, air navigation services defined in Article 2(4) of that Regulation, and services consisting in the origination and processing of data and formatting and delivering data to general air traffic for the purpose of safety-critical air navigation’
ATM/ANSP an organisation providing ATM/ANS
ATS Air Traffic Services (a part of ANS as well as of ATM), meaning the various flight information services, alerting services, air traffic advisory services and ATC services (area, approach and aerodrome control services)
ATSP An organisation providing or offering to provide air traffic services
ATSU an operational unit of an organisation providing air traffic services (e.g. an APP unit, an aerodrome tower unit etc)
AVISO Aide à la Visualisation Sol (a ground surveillance system used in France)
BALTIC FAB the BALTIC FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of Poland and Lithuania
BLUE MED the BLUE MED FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of Cyprus, Greece, Italy and Malta. Other non-EU States are associates and observers to this FAB
BOS Boston International airport (USA)
BR EASA Basic Regulation (see EASA BR)
CA Depending on the context, CA can refer to:
- Conformity assessment (linked with interoperability)
- Competent authority (an EASA concept)
CA-IR Commission Regulation (EC) No 2042/2003 of 20 November 2003 on the continuing airworthiness of aircraft and aeronautical products, parts and appliances, and on the approval of organisations and personnel involved in these tasks
CAA a Civil Aviation Authority (e.g. as established in many States originally to fulfil the legal obligations incurred by that State under the 1944 Chicago Convention)
CANSO Civil Air Navigation Services Organisation
CATF Conformity Assessment Task Force; a EUROCONTROL forum which, inter-alia, produced a widely coordinated Guidance Material for Conformity Assessment in the context of SES interoperability
CATF GM The EUROCONTROL Guidelines on conformity assessment for the interoperability Regulation of the single European sky, version 3.0, available at http://www.eurocontrol.int/ses/public/standard_page/conf_assessment.html
CCA Common Cause Analysis
CCS-IR Commission Regulation (EC) No 1794/2006 of 6 December 2006 laying down a common charging scheme for air navigation services; as amended by Commission Regulation (EU) No 1191/2010 of 16 December 2010
CE (CE marking) a mandatory conformity mark for products placed on the market in the European Economic Area (EEA). With the CE marking on a product the manufacturer ensures that the product conforms with the essential requirements of the applicable EC directives/regulations. The letters CE stand for ‘Conformité Européenne’ (European conformity). Under the SES IOP-R, systems and their constituents are exempted from CE marking (or CE affixing)
CEN European Committee for Standardisation, one of three recognised ESO
CENELEC European Committee for Electrotechnical Standardisation, one of three recognised ESO
CFIT Controlled Flight Into Terrain
COM Communication services, one of CNS services and a part of ANS; or, depending on context, an abbreviation used in the references to Communications of the European Commission (such as COM(2008)750 final, etc)
Cont’d continued
COTR-IR Commission Regulation (EC) No 1032/2006 laying down requirements for automatic systems for the exchange of flight data for the purpose of notification, coordination and transfer of flights between air traffic control units
CNS Communications, Navigation and Surveillance (services and/or systems & procedures), a part of ANS
CRD Comments Response Document (e.g. following consultation on an EASA NPA etc)
CRs the common requirements for the provision of ANS iaw CR-IR
CR-IR Commission Regulation (EU) No 1035/2011 laying down common requirements for the provision of air navigation services and repealing Regulation (EC) No 2096/2005 and amending Regulations (EC) No 482/2008 and (EU) No 691/2010
CS Depending on the context:
- a Community Specification in relation to the interoperability regulation (No 552/2004); or
- a Certification Specification in relation to the EASA framework;
CTR Control Tower Region
CWP Controller Working Position
DANUBE FAB the DANUBE FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of Bulgaria and Romania
DEP Departure
DFW Dallas/Ft Worth international airport (USA)
DK-SE FAB The Danish/ Swedish FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of Denmark and Sweden
DLS-IR Commission Regulation (EC) No 29/2009 of 16 January 2009 laying down requirements on data link services for the single European sky
DoC an EC Declaration of Conformity iaw Article 5 IOP-R
DoV an EC Declaration of Verification of systems iaw Article 6 IOP-R
DSU a Declaration of suitability for use iaw Article 5 IOP-R
EAD the European Aeronautical Information System Database
EASA the European Aviation Safety Agency
EASA BR the EASA ‘Basic Regulation’, Regulation (EC) No 216/2008 as variously amended
EASP European Aviation Safety Programme
EATMN The European air traffic management network, a concept of eight systems in relation to interoperability as defined in Annex 1 of IOP-R
EC Depending on the context:
- the European Community (as in ‘Regulation (EC) No. xxx/…’)
- the European Commission (in all other cases)
ECAA European Common Aviation Agreement
ECAC European Civil Aviation Conference (usually used to refer to the ECAC Region, comprising those States members of ECAC)
ECCAIRS the European Co-ordination Centre for Aviation Incident Reporting System, a software platform developed by the EU; also adopted for ADREP use in 2004
ECTRL EUROCONTROL
ED EUROCAE document; a series of technical standards issued by EUROCAE
e.g. for example
EN European Norm (Standard)
EoSM the Effectiveness of Safety Management; a KPI developed under the PS-IR and measured by a methodology based on the ATM Safety Framework Maturity Survey
EP the European Parliament
ER, ERs Depending on the context:
- essential requirements (as defined in IOP-R)
- essential requirements (as defined in the EASA basic regulation)
ERND European Route Network Design (one of the three network functions iaw NF-IR)
ESARR one of six EUROCONTROL Safety Regulatory Requirement documents adopted under the EUROCONTROL Revised Convention; Following the adoption of the SES I legislative package, most of the contents of the six ESARRs has been transposed into the SES legislation
ESARRs a collective reference to the six ESARR documents
ESARR 1 Safety Oversight in ATM, current edition 2.0 of December 2009
ESARR 2 Reporting and Assessment of Safety Occurrences in ATM, current edition 3.0 of December 2009
ESARR 3 Use of Safety Management Systems by ATM Service Providers, current edition 1.0 of July 2000
ESARR 4 Risk Assessment and Mitigation in ATM, current edition 1.0 of April 2001
ESARR 5 Safety Regulatory Requirement for ATM Services' Personnel, current edition 2.0 of April 2002
ESARR 6 Software in ATM Functional Systems, current edition 2.0 of May 2010
ESO European Standardisation Organisation; a recognised regional standardisation body under Annex 1 of Directive 98/34/EC
ESSIP The European Single Sky ImPlementation plan; a EUROCONTROL performance-oriented process that describes common implementation actions required to improve the European ATM network over the next five to seven years
ETSI European Telecommunication Standards Institute, one of three recognised ESO
EU European Union
EUIR the foreseen European Upper Flight Information Region, a SES concept
FAA the Federal Aviation Administration of the United States
FAB(s) Functional Airspace Block(s) established iaw Article 9a of SP-R
FAB-IR Commission Regulation (EC) No 176/2011 on the information to be provided before the establishment and modification of a functional airspace block
FAB CE FAB Central Europe, one of nine FAB initiatives, comprising defined airspaces within responsibility of the seven FAB CE States: Austria, Bosnia & Herzegovina, Croatia, Czech Republic, Hungary, Slovak Republic and Slovenia
FABEC FAB Europe Central, one of nine FAB initiatives, comprising defined airspaces within responsibility of six FABEC States: Belgium, France, Germany, Luxembourg, Netherlands and Switzerland
FAQ Frequently Asked Questions
FAROS Final Approach Runway Occupancy Signal
FAT Factory Acceptance Tests
FC-IR Commission Regulation (EU) No 1178/2011 of 3 November 2011 laying down technical requirements and administrative procedures related to civil aviation aircrew pursuant to Regulation (EC) No 216/2008 of the European Parliament and of the Council, as amended by Commission Regulation (EU) No 290/2012 of 30 March 2012
FDPS flight data processing system (and procedures), referring to a sub-category of EATMN system no. 3 (systems and procedures for ATS, iaw Annex I of IOP-R)
FFPG FAB Focal Points Group, one of the two SES Coordination Platforms organised by the European Commission with support from EUROCONTROL (the 2nd one is NCP)
FHA Functional Hazard Assessment
FIR Flight Information Region (ICAO)
FIS Flight Information Service, a part of ATS
FL Flight Level
FLS Field Lighting System
FMTP Flight Message Transfer Protocol; FMTP is based on industry-standard Transmission Control Protocol / Internet Protocol (TCP/IP) provisions; a community specification associated to FMTP-IR
FMTP-IR Commission Regulation (EC) No 633/2007 of 7 June 2007 laying down requirements for the application of a flight message transfer protocol used for the purpose of notification, coordination and transfer of flights between air traffic control units
FOD Foreign Object Debris
FPL Filed Flight Plan submitted by an aircraft
F-R Regulation (EC) No 549/2004 of the European Parliament and of the Council of 10 March 2004 laying down the framework for the creation of the single European sky (the framework Regulation of the SES legislation); as amended by Regulation (EC) No 1070/2009 of the European Parliament and of the Council of 21 October 2009
FUA (The concept of) flexible use of airspace
FUA-IR Commission Regulation (EC) No 2150/2005 laying down common rules for the flexible use of airspace
FTA Fault Tree Analysis
GA General Aviation (one of the two categories of civil aviation), meaning all flights other than military and scheduled airline and regular cargo flights, both private and commercial. General aviation flights range from gliders and powered parachutes to large, non-scheduled cargo jet flights (source: wikipedia).
GAT General Air Traffic
GM Guidance Material
GPS Global Positioning System
GSN Goal Structuring Notation
HAL Human Assurance Level
HMI human machine interface (systems and procedures), referring to a sub-category of EATMN system no. 3 (systems and procedures for ATS, iaw Annex I of IOP-R)
HF Human Factors
HW hardware
Hz Hazard
IA-IR Commission Regulation (EC) No 1702/2003 of 24 September 2003 laying down implementing rules for the airworthiness and environmental certification of aircraft and related products, parts and appliances, as well as for the certification of design and production organisations
IANS the EUROCONTROL Institute of Air Navigation Services in Luxembourg
IAW (iaw) in accordance with
ICAO The International Civil Aviation Organization
ICB The Industry Consultation Body established by the European Commission iaw Article 6 of the SES framework Regulation to advise the Commission on the implementation of the SES. The ICB comprises representatives of the ANSPs, associations of airspace users, airport operators, the manufacturing industry and professional staff representative bodies
Id, ID Identifier
i.e. that is…; from the Latin ‘id est’
IFPL refers to the procedures and requirements for the provision, processing and distribution of FPLs in the pre-flight phase (preceding the 1st delivery of ATC clearance); a community specification associated to IFPL-IR
IFPL-IR Commission Regulation (EC) No 1033/2006 laying down the requirements on procedures for flight plans in the pre-flight phase for the single European sky
IFR Instrument Flight Rules (ICAO Annex 11); a flight may be conducted in accordance with VFR or IFR; an IFR flight is a flight conducted in accordance with instrument flight rules
IMC Instrument Meteorological Conditions
IOP Interoperability
IOP-R Regulation (EC) No 552/2004 of the European Parliament and of the Council of 10 March 2004 on the interoperability of the European Air Traffic Management network (the interoperability Regulation, one of the four main SES Regulations); as amended by Regulation (EC) No 1070/2009 of the European Parliament and of the Council of 21 October 2009
IOP-IRs a collective reference to the implementing rules for interoperability (Commission Regulations and Decisions adopting implementing rules within the framework of IOP-R)
IR(s) implementing rule(s); in the SES and/or EASA context, these are usually implementing measures adopted in the form of Commission Regulations or Decisions, complementing or refining specific legal obligations and requirements laid down in the SES main regulations, the EASA Basic Regulation or, depending on the legal basis, other EP and/or Council acts such as regulations, directives, decisions
km/h kilometres per hour
KPA Key Performance Area, a concept in relation to ATM performance and the performance scheme iaw PS-IR
KPI Key Performance Indicator
L/U Line Up
LAX Los Angeles international Airport (USA)
LDG Landing (usually used
LoA(s) Letter(s) of Agreement (such as between two ATSUs)
LoC Loss of Control
LSSIP the Local Single Sky ImPlementation documents coordinated by EUROCONTROL in the ESSIP common framework
LVO Low Visibility Operations
LVP Low Visibility Procedures
MAC Mid Air Collision
MET Meteorological service, an air navigation service
METP An organisation providing or offering to provide MET services
MIT Massachusetts Institute of Technology
Mode S-IR Commission Regulation (EC) No 262/2009 of 30 March 2009 laying down requirements for the coordinated allocation and use of Mode S interrogator codes for the SES
MoC Means of Compliance; a generic reference to (usually) voluntary standards of which application may ensure that specific binding requirements are met or fulfilled by an activity, product or function
MS Member State(s) of the European Union
MSAW Minimum Safe Altitude Warning (a safety net in the ATC system)
MTBF Mean Time Between Failure
MUAC Maastricht Upper Area Control Centre
NAA National Aviation Administration (as in the EASA framework)
NAV Navigation services, one of CNS services and of ANS
N.B. nota bene
NBs notified bodies, iaw IOP-R and IOP-IRs; NBs are accredited under the ‘New Legislative Framework’
NCP the NSA Coordination Platform, one of the two SES Coordination Platforms organised by the European Commission with support from EUROCONTROL (the 2nd one is FFPG)
NEFAB the North-European FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of Estonia, Finland, Iceland, Latvia, Norway; Denmark and Sweden opted out of the NEFAB initiative in early 2011
NF the network functions, as defined in NF-IR
NF-IR Commission Regulation (EC) No 677/2011 of 7 July 2011 laying down detailed rules for the implementation of air traffic management (ATM) network functions and amending Regulation (EU) No 691/2010 (the performance Regulation)
NM The nominated Network Manager of the SES iaw NF-IR
NOP The Network Operations Plan developed by the Network Manager iaw NF-IR
NOTAM Notice To Airmen
NPA Notice of Proposed Amendment; in the EASA rule-making procedure, an NPA is issued following the drafting of new or amended regulatory material, for the purpose of consultation
NRA a collective, generic reference to national regulatory authorities/ agencies
NSA a National Supervisory Authority nominated or established iaw Article 4 of the F-R
NSP The Network Strategy Plan developed by the Network Manager iaw NF-IR
OAT Operational Air Traffic; in other words, other than General Air Traffic (GAT) – air traffic which is not operated in accordance with the ICAO SARPs and procedures
ODS Operational Display System
OJEU the Official Journal of the European Union
OJTI On the Job Training Instructor
OLDI On-Line Data Interchange, a community specification in association to COTR-IR; OLDI specifies the facilities and messages to be provided between FDPSs serving ATC units for the purpose of, inter-alia, notification of flights, coordination prior to transfer of flight to next unit, civil-military coordination, situational awareness, transfer of communication of such flights, support to A/G datalink etc
OPS (ops) depending on context, operations (e.g. flight operations), operational, or relating to operations/ operational
OR operational requirements, as defined in NF-IR
OSED Operational Service and Environment Description
PAL Procedure Assurance Level
PANS ICAO Procedures for Air Navigation Services
PANS-ATM ICAO Doc 4444, Procedures for Air Navigation Services – Air Traffic Management
PAPI Precision Approach Path Indicator
PBN Performance Based Navigation
PBN-IR Commission (EU) Regulation (under development) laying down the requirements for performance based navigation within the SES
PP performance plan, in accordance with PS-IR
PRB The designated Performance Review Body of the SES in accordance with Article 11(2) of the SES framework Regulation (in relation with the performance scheme, PS-IR)
PRC The Performance Review Commission established under the EUROCONTROL Revised Convention; The PRC and the PRB of the SES conduct their activities in close consultation and synergy.
PS The SES Performance Scheme, as per Article 11 F-R and PS-IR
PS-IR Commission Regulation (EC) No 691/2010 laying down a performance scheme for air navigation services and network functions and amending Regulation (EC) No 2096/2005
PSC Project Safety Case
PSSA Preliminary System Safety Assessment
QE a Qualified Entity to which an NSA may decide to delegate in full or in part supervisory tasks (e.g. iaw Article 3 of SP-R or SO-IR); QEs were formerly referred to as ‘recognised organisations’ in SES I
QMS Quality Management System
R&D research and development
R/T Radio telecommunications
RAT Risk Analysis Tool, in relation to one of the KPIs for safety in the implementation of the performance scheme (PS-IR)
RCS Risk Classification Scheme
RDPS Radar Data Processing System
Reg, Reg. Regulation (as in Regulation (EC) No 550/…)
REL Runway Entry Lights (a concept of the Runway Status Light – RWSL system)
RIL Runway Intersection Lights (a concept of the Runway Status Light – RWSL system)
RIMCAS Runway Incursion Monitoring and Conflict Alert System
RoP rules of procedure (of a group, task force, committee etc)
RP, RP1 etc a ‘reference period’ in the frame of the performance scheme (PS-IR). RP1, the 1st reference period, is set from 01 January 2012 until 31 December 2014. RP2 and following reference periods will be of five calendar years each, unless decided otherwise through amendments to PS-IR
RWSL Runway Status Light
RWY Runway
SAFA Safety Assessment of Foreign Aircraft; an EU programme coordinated by EASA for the assessment of the safety of foreign aircraft operations at EU airports
SAM Safety Assessment Methodology
SARPs a collective reference to the ICAO Standards and Recommended Practices laid down in the 18 Annexes to the 1944 Chicago Convention on international civil aviation
SAT Site Acceptance Tests
SC Depending on the context:
- Safety Case
- Severity Class (usually followed by a number ranging from 1 to 5)
SCDM Safety Case Development Manual
SERA-IR Commission Regulation laying down standardised European rules of the air (under development)
SES the Single European Sky, an initiative introduced by the SES I legislative package
SES I the first legislative package of the single European sky (2004) of four EC Regulations of the European Parliament and of the Council (see F-R, SP-R, A-R and IOP-R)
SES II the 2nd legislative package of the single European sky (2009) comprised of
- Regulation (EC) No 1070/2009 of 21 October 2009 of the European Parliament and of the Council amending the four regulations of the 1st SES package in order to improve the performance and sustainability of the European aviation system; and
- Regulation (EC) No 1108/2009 of 21 October 2009 amending Regulation (EC) No 216/2008 (the EASA Basic Regulation) in the field of aerodromes, air traffic management and air navigation services and repealing Directive 2006/23/EC
SESAR the Single European Sky Aviation Research programme
SESAR JU, SJU the SESAR Joint Undertaking, the single managing entity for the SESAR development phase (2008-2013), established by Council Reg. (EC) No 219/2007 of 27 Feb 2007
SMI Separation Minima Infringement
SMR Surface Movement Radar
SMS Safety Management System
SO depending on the context:
- safety objective (in most of the cases)
- safety oversight
SO-IR Commission Regulation (EU) No 1034/2011 on safety oversight in air traffic management and air navigation services, replacing Commission Regulation (EC) No 1315/2007 and amending Commission Regulation (EU) No 691/2010
SOCS Safety Objective Classification Scheme
SOP Standard Operating Procedures
SP-R Regulation (EC) No 550/2004 of the European Parliament and of the Council of 10 March 2004 on the provision of air navigation services in the single European sky (the service provision Regulation, one of the four main SES Regulations); as amended by Regulation (EC) No 1070/2009 of the European Parliament and of the Council of 21 October 2009
SPR Safety and Performance Requirements
SPI-IR Commission Regulation (EC) No. 1207/2011 laying down requirements for the performance and the interoperability of surveillance for the single European sky
SR Safety Requirement
SRR(s) safety regulatory requirement(s), as defined in Article 2 SO-IR
SSA System Safety Assessment
SSC the Single Sky Committee, the comitology forum which assists and oversees the European Commission’s implementing measures under the SES framework
SSP a State’s Safety Programme (ICAO); also related to the application of the PS-IR in the safety KPA
STCA Short Term Conflict Alert (a safety net in the ATC system)
STL Saint Louis international airport (USA)
SUR surveillance services, one of CNS services and of ANS
SW software
SW FAB the South-West FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of Portugal and Spain
SWAL Software Assurance Level
SWIM System Wide Information Management
T/O Take Off
TCAS Traffic Collision Avoidance System
TEU Treaty on the European Union, one of several founding treaties of the European Union and of the European Communities
TF a technical file accompanying a DoV iaw Article 6 IOP-R
TFEU Treaty on the Functioning of the European Union; the title of the 'Treaty establishing the European Community' was replaced by 'Treaty on the Functioning of the European Union' (iaw Treaty of Lisbon article 2§1, as of 1st December 2009, date of entry into force of the Lisbon Treaty)
THL Take-off Hold Lights (a concept of the Runway Status Light – RWSL system)
TLS Target Level of Safety
TMA Terminal control area (ICAO Annex 11, Air Traffic Services)
ToR Terms of Reference (e.g. of a group, forum, committee, body etc)
TWR (aerodrome) tower unit (an ATS unit)
TWY Taxiway
UIR Upper Flight Information Region (ICAO)
UK-IE FAB The United Kingdom/ Ireland FAB, one of nine FAB initiatives, comprising defined airspaces within responsibility of the United Kingdom of Great Britain & Northern Ireland and Ireland
UCS Unit Competence Scheme
USC Unit Safety Case
UTP Unit Training Plan
VCS-IR Commission Regulation (EU) No 1265/2007 of 26 October 2007 laying down requirements on air-ground voice channel spacing for the single European sky
VFR Visual Flight Rules (ICAO); a flight may be conducted in accordance with VFR or IFR
WTA Wake Turbulence Induced Accident
Copyright 2011 EUROCONTROL
Introduction to Safety Management
Session 01
Course Structure
NEED FOR SAFETY ASSESSMENT
KEY CONCEPTS
SAM PROCESS
FHA, PSSA, SSA
PRACTICALITIES
SAFETY ARGUMENTS
SAM ASSISTANT
Structure
What is the role of ATM?
What is Safety?
Why are ATM Services safe?
How does ATM contribute to Safety?
Why do we need Safety Assessment?
What are the future challenges?
Role of ATM?
To prevent Air and Ground Collision
To manage traffic in an orderly and efficient way
“ATM is the aggregation of ground based (comprising ATS, ASM, ATFM) and airborne functions required to ensure the safe and efficient movement of aircraft during all phases of operations”
Safety and Security
Safety: Freedom from the unacceptable risk of unintended harm
Harm means an accident with fatalities or serious injuries to humans, or structural damage to aircraft
Security: Freedom from the unacceptable risk of intended harm
Question: Why is your ANS / ATM safe?
Why Safety Management System?
Video of Überlingen accident
Swiss Cheese Model
Model developed by J. Reason
Swiss Cheese Model
Figure labels: HAZARDS, LATENT CONDITIONS, INCIDENT, ACCIDENT
Model developed by J. Reason
What is Safety Management
Formalised, explicit and proactive approach to systematic safety
Process for managing safety risks
SMS Components
Risk Assessment and Mitigation
Competency
Occurrences
External services
Surveys
Records
Monitoring
Lesson Dissemination
Safety Responsibilities
SMS
QMS: Internal Audits, Documentation Control System, external services, elimination of causes of non-conformities, etc.
Question: Why is your ANS / ATM safe?
On-going ATM Services / Systems
Changes to ATM Services / Systems
New ATM Services / Systems
ATM Changes
Operational Environment is changing!
Systems / Services are changing!
Shall we remain acceptably safe?
If Change #1 is acceptably safe and Change #2 is acceptably safe, are Changes #1 & #2 acceptably safe?
Traffic Growth in ECAC Region
2000: 8.0 Million Flights
2020: 16.0 Million Flights
Traffic tripled over last 25 years
Traffic may double over next 20 years
Traffic & Accidents
One accident per week!
Traffic grows
Accident rate is stable
ATC Tools Change
From Paper Flight Strips …
… to Electronic Flight Strips
ANS/ATM Evolution Change
Past: Procedural Control – the current and planned a/c positions
Today: Radar Control – Know the current and estimate planned a/c positions
Future: Trajectory Management – Know & share the current & planned a/c positions
SES Interoperability Regulations
Framework Reg. EC 549/2004 & 1070/2009
Service Provision Reg. EC 550/2004 & 1070/2009
Airspace Reg. EC 551/2004 & 1070/2009
Interoperability Reg. EC 552/2004 & 1070/2009
Reg. 1032/2006 - Requirements for automatic systems for exchange of flight data for notification, coord. & transfer of flights between ATC units
Reg. 1033/2006 - Requirements for flight plans in the pre-flight phase
Reg. 633/2007 - Requirements for the application of a FMTP used for […] notification, coordination and transfer of flights between ATC units
Reg. 1265/2007 - Requirements on A/G voice channel spacing
Reg. 29/2009 - Requirements on datalink services for the SES
Reg. 30/2009 amending Reg. 1032/2006 re the req. for automatic systems for exchange of flight data supporting datalink services
Reg. 262/2009 - Requirements for the coordinated allocation and use of Mode S interrogator codes for the SES
Reg. 73/2010 - Requirements on the quality of aeronautical data and aeronautical information for the SES (Part I)
Reg. 1207/2011 – Reqs. on Surveillance Performance and IOP (SPI)
Reg. 1206/2011 - Requirements on Aircraft Identification (ACID)
Reg. xxx/201x ADQ II & PBN (under development)
SESAR ATM System
SESAR Operational Concept 2020
More automation support
Business trajectories
Change of roles
Enhanced information management
Increased flexibility
More strategic planning
SESAR Performance Targets
Enabling EU skies to handle 3 times more traffic
Improving safety by a factor of 10
Reducing the environmental impact per flight by 10%
Cutting ATM costs by 50%
Defragmentation – FABs
ATM Challenges
Single European Sky
Fragmentation
Cost-efficiency
Flight efficiency
Safety
Environmental Impact
Security
Capacity
New Technologies
Delays
Summary
What is the role of ATM?
What is Safety?
Why are ATM Services safe?
How does ATM contribute to Safety?
Why do we need Safety Assessment?
What are the future challenges?
Questions?
Safety Regulatory Framework
Session 02
Course Structure
NEED FOR SAFETY ASSESSMENT
KEY CONCEPTS
SAM PROCESS
FHA, PSSA, SSA
PRACTICALITIES
SAFETY ARGUMENTS
SAM ASSISTANT
Structure
SES, Eurocontrol and EASA frameworks
EASA Total Aviation System Approach in Safety
EASA Basic Regulation
– Essential Requirements for ATM/ANS
Performance scheme
– Safety Key Performance Indicators (KPIs)
Common Requirements on:
– SMS
– Risk assessment and mitigation of changes
Safety Oversight Requirements related to changes
Single European Sky II (2009)
Framework Reg. (F-R): Reg. 549/2004 & 1070/2009
Service Provision Reg. (SP-R): Reg. 550/2004 & 1070/2009
Airspace Reg. (A-R): Reg. 551/2004 & 1070/2009
Interoperability Reg. (IOP-R): Reg. 552/2004 & 1070/2009
Elements shown in the diagram:
Foundation of SES
ATM Master Plan
National Supervisory Authority (NSA)
Concept of Implementing Rule
Industry Consultation Body (ICB)
Single Sky Committee (SSC)
EUROCONTROL
Performance scheme
EASA
List of systems
Essential Requirements
Implementing Rules
Community specifications
Conformity assessment (DoC/DSU & DoV)
Alternative Verification of Compliance
Notified bodies
NSA Tasks
Qualified Entities
Common requirements
Certification of ANSPs
Designation of ATSPs, possibly of METPs
FAB Requirements
Charging Scheme for common projects
Airspace Classification
European Upper Flight Information Region (EUIR)
Electronic aeronautical information
Rules of the Air
Network Management (incl. ATFM, route design and scarce resources)
Flexible use of airspace
EASA Total Aviation System Approach in Safety
Domains shown: Airworthiness; Flight Crew Licensing; ATM/ANS; Aerodromes; Flight Operations
Former EASA Remit (Reg. 216/2008)
Current EASA Remit (Reg. 1108/2009)
New Tasks of EASA in ATM/ANS
Development of implementing measures with regard to ATM/ANS and aerodromes
Safety Oversight of
– 3rd country ATM/ANSPs
– Pan-European ATM/ANSPs
– MS Competent Authorities (through standardisation inspections)
Certification of
– 3rd country ANSPs
– Pan-European ANSPs
– ATCO Training organisations located outside EU
EASA Terminology
Binding: Basic Regulation (BR); Implementing Rules (IR)
Non-binding ("Soft Law"): Certification Specifications (CS) *; Acceptable Means of Compliance (AMC); Guidance Material (GM)
Implementing Measures
* CS are made binding through certification basis
http://easa.europa.eu/regulations/regulations-structure.php
SES and EASA Frameworks in ATM/ANS
SES Framework: F-R (Reg. 549/2004 amended by Reg. 1070/2009); SP-R (Reg. 550/2004 amended by Reg. 1070/2009); A-R (Reg. 551/2004 amended by Reg. 1070/2009); IOP-R (Reg. 552/2004 amended by Reg. 1070/2009)
EASA Framework: EASA BR (Reg. 216/2008 amended by Reg. 1108/2009)
Implementing rules and decisions shown in the diagram:
Decision – Nomination of ECTRL as network manager
FAB-IR (Reg. 1765/2011)
SW-IR (Reg. 482/2008)
Decision setting EU-wide performance targets and alert thresholds (21/02/2011)
ATCO-IR (Reg. 805/2011)
Decision – Designation of Georg Jarzembovski as FABs system coordinator (12/08/2010)
CCS-IR (Reg. 1794/2006 amended by Reg. 1191/2010)
PS-IR (Reg. 691/2010 amended by Reg. 1216/2011)
NF-IR (Reg. 677/2011)
ATFM-IR (Reg. 255/2010)
AC-IR (Reg. 730/2006)
FUA-IR (Reg. 2150/2005)
VCS-IR (Reg. 1265/2007)
FMTP-IR (Reg. 633/2007)
IFP-IR (Reg. 1033/2006)
COTR-IR (Reg. 1032/2006 amended by Reg. 30/2009)
Decision – Exemptions under Art. 14 of DL-IR
ADQ I-IR (Reg. 73/2010)
Mode S-IR (Reg. 262/2009)
DL-IR (Reg. 29/2009)
CR-IR (Reg. 1035/2011 repealing Reg. 2096/2005)
SO-IR (Reg. 1034/2011 repealing Reg. 1315/2007)
CA-IR (Reg. 2042/2003 as variously amended)
IA-IR (Reg. 1702/2003 as variously amended)
Decision – Designation of ECTRL as PRB (29/07/2010)
ACAS-IR (Reg. 1332/2011)
FC-IR (Reg. 1178/2011)
ERs for ATS (from EASA BR)
ERs for CNS (from EASA BR)
ERs for ATM/ANS Systems & Constituents (1) (from EASA BR)
ERs for ATM/ANS Systems & Constituents (2)
ERs for ATM/ANS Systems & Constituents (3)
Performance Scheme & Safety KPIs (PS-IR Reg. 691/2010)
4 Key Performance Areas (KPAs) including safety
3 Safety KPIs:
1. Effectiveness of Safety Management
2. Risk assessment of ATM occurrences (RAT)
3. Reporting of Just Culture
No EU-wide quantitative targets set; States can set targets for themselves and/or add new Safety KPIs
EASA AMC/GM on implementation and measurement of Safety KPIs: http://www.easa.eu.int/agency-measures/acceptable-means-of-compliance-and-guidance-material.php#SKPI
Common Requirements (CR-IR Reg. 1035/2011) – SMS
Annex II (Specific Requirements for the Provision of Air Traffic Services)
3. SAFETY OF SERVICES
3.1. Safety management system
3.1.1. General safety requirements
A provider of air traffic services shall, as an integral part of the management of its services, have in place a safety management system (SMS) […]
Common Requirements (CR-IR Reg. 1035/2011) – Risk Assessment and Mitigation of Changes
Annex II
3. SAFETY OF SERVICES
3.1. Safety management system
3.1.2. Requirements for safety achievement
Ensure that risk assessment and mitigation is conducted to an appropriate level to ensure that due consideration is given to all aspects of the provision of ATM (risk assessment and mitigation).
As far as changes to the ATM functional system are concerned, the provisions of part 3.2 of this Annex shall apply.
Common Requirements (CR-IR Reg. 1035/2011) – Risk Assessment and Mitigation of Changes
3.2. Safety requirements for risk assessment and mitigation with regard to changes
3.2.1. Section 2
The hazard identification, risk assessment and mitigation processes shall include:
(a) a determination of the scope, boundaries and interfaces of the constituent part being considered, as well as the identification of the functions that the constituent part is to perform and the environment of operations in which it is intended to operate;
Common Requirements (CR-IR Reg. 1035/2011) – Risk Assessment and Mitigation of Changes
(b) a determination of the safety objectives to be placed on the constituent part, incorporating:
- an identification of ATM-related credible hazards and failure conditions, together with their combined effects,
- an assessment of the effects they may have on the safety of aircraft, as well as an assessment of the severity of those effects, using the severity classification scheme set out in Section 4,
- a determination of their tolerability, in terms of the hazard’s maximum probability of occurrence, derived from the severity and the maximum probability of the hazard’s effects, in a manner consistent with Section 4;
Common Requirements (CR-IR Reg. 1035/2011) – Risk Assessment and Mitigation of Changes
(c) the derivation, as appropriate, of a risk mitigation strategy which:
- specifies the defences to be implemented to protect against the risk-bearing hazards,
- includes, as necessary, the development of safety requirements potentially bearing on the constituent part under consideration, or other parts of the ATM functional system, or environment of operations, and
- presents an assurance of its feasibility and effectiveness;
(d) verification that all identified safety objectives and safety requirements have been met:
- prior to its implementation of the change,
- during any transition phase into operational service,
- during its operational life, and
- during any transition phase until decommissioning.
Common Requirements (CR-IR Reg. 1035/2011) – Risk Assessment and Mitigation of Changes
3.2.3. Section 3
The results, associated rationales and evidence of the risk assessment and mitigation processes, including hazard identification, shall be collated and documented in a manner which ensures that:
- complete arguments are established to demonstrate that the constituent part under consideration, as well as the overall ATM functional system are, and will remain tolerably safe by meeting allocated safety objectives and requirements. This shall include, as appropriate, specifications of any predictive, monitoring or survey techniques being used,
- all safety requirements related to the implementation of a change are traceable to the intended operations/functions.
Requirements on SMS and Risk Assessment and Mitigation of Changes – Summary
CR-IR (Reg. 1035/2011) requires Service Providers to:
– Implement a Safety Management System (SMS)
– Perform safety assessments on any change to the ATM system
– Document these safety assessments (argument + evidence)
Safety Oversight Requirements Related to Changes (Reg. 1034/2011)
Article 9 (Safety Oversight of Changes to Functional Systems)
1. Organisations shall only use procedures accepted by the relevant competent authority when deciding whether to introduce a safety-related change to their functional systems. […]
2. Organisations shall notify the relevant competent authority of all planned safety-related changes. […]
Article 10 (Review Procedure of the Proposed Changes)
1. Competent authorities shall review the safety arguments associated with new functional systems or changes to existing functional systems proposed by an organisation when:
(a) the severity assessment conducted in accordance with Annex II, point 3.2.4 of Implementing Regulation (EU) No 1035/2011 determines a severity class 1 or a severity class 2 for the potential effects of the hazards identified; or
(b) the implementation of the changes requires the introduction of new aviation standards.
3. The introduction into service of the change under consideration in the review shall be subject to acceptance by competent authorities.
Summary
SES, Eurocontrol and EASA frameworks
EASA Total Aviation System Approach in Safety
EASA Basic Regulation
– Essential Requirements for ATM/ANS
Performance scheme
– Safety Key Performance Indicators (KPIs)
Common Requirements on:
– SMS
– Risk assessment and mitigation of changes
Safety Oversight Requirements related to changes
Questions?
Key Concepts for Safety Assessments
Session 03
Course Structure
NEED FOR SAFETY ASSESSMENT
KEY CONCEPTS
SAM PROCESS
FHA, PSSA, SSA
PRACTICALITIES
SAFETY ARGUMENTS
SAM ASSISTANT
Structure
What is a risk?
What is a Risk Classification Scheme?
Safety criteria
ATM-related categories of accidents
ATM-related hazards
How safe do we need to be?
Success and failure perspective
Risk in various areas
What types?
– Safety
– Financial
– Environmental
– Legal
– Security
– …
Who is exposed?
– Individuals
– Companies
– Society
– …
Hazard and Safety Risk
Figure: HAZARD → Hazard Effects with Severity; Likelihood of hazards; Likelihood of effects; RISK of incidents / accidents
Risk of what?
Figure: Initiating Event / Failure → ATM Hazard → Major Incident → Serious Incident → Accident (severity increases along the chain)
Vertical axis: Likelihood / Probability
Hazard Prevention; Hazard Protection / Recovery
Severity of Effects (increasing severity)
SEVERITY 1: ACCIDENTS
SEVERITY 2: SERIOUS INCIDENTS
SEVERITY 3: MAJOR INCIDENTS
SEVERITY 4: SIGNIFICANT INCIDENTS
SEVERITY 5: NO IMMEDIATE EFFECT ON SAFETY
Severity Classification Scheme (Reg. 1035/2011 Repealing 2096/2005)
Frequency of Occurrence of Effects
How often? "Once every …" (decreasing frequency; illustrative only)
Very frequent: 10^-2/h – 3 days
Frequent: 10^-3/h – month
Likely: 10^-4/h – year
Rare: 10^-5/h – decade
Extremely Rare: 10^-6/h – century
Use of Appropriate Units (dependent on system)
Per Movement
Per month, year
Per Flight Hour
Per mission
Per operational hour
Per operational hour per sector
A Typical Transportation Risk Comparison
Chart: Air, Train, Bus (United Kingdom 1970-1989); axes: deaths per 10^6 journeys and deaths per 10^10 psgr-km; values shown: 30, 30, 60, 540, 11, 4
A Typical Transportation Risk Comparison
Killed passengers by 100 million passenger-kilometers
Means of transport | 2001-2002 | 1999
Train | 0,035 | 0,04
Air (civil aviation) | 0,035 | 0,08
Bus and coach | 0,07 | 0,08
Ferry | 0,25 | 0,33
Convey | 0,7 | 0,8
Bicycle | 5,4 | 6,3
Pedestrian displacement | 6,4 | 7,5
Motorcycle/moped | 13,8 | 16
Killed passengers by 100 million passenger-hours
Means of transport | 2001-2002 | 1999
Train | 2 | 2
Bus and coach | 2 | 2
Ferry | 8 | 10,5
Air (civil aviation) | 16 | 36,5
Convey | 25 | 30
Pedestrian displacement | 25 | 30
Bicycle | 75 | 90
Motorcycle/moped | 440 | 500
Some Individual Fatality Risks
Hazardous situation | Fatalities per million per year | Probability of fatality per year
road user | 100 | 10^-4
car driver | 150 | 1.5x10^-4
while at work | 10 | 10^-5
falling aircraft | 0.02 | 2x10^-8
resident near chemical plant | 35 | 3.5x10^-5
smoking 20 cigarettes/day | 5000 | 5x10^-3
Risk Acceptability
Factors Affecting Risk Perception
Visibility of benefits
News headlines
Harm caused by accident
Personal experience
Personal control
Uncertainty
Time-delayed effects
Human vs natural causes
Confidence in operator / regulator
Risk Perception Exercise
A way of representing the way people feel about risk is to place the risk on a matrix which shows if they rate it as fear or not fear, known or unknown. This is shown here for the risks posed by asbestos, food colouring, fireworks and crime. The exercise is to place on the matrix your perception of the risks posed by:
1) Nuclear power
2) Commercial aviation
3) Mobile Phones
4) Pesticides in Food
Matrix: horizontal axis Not Fear – Fear; vertical axis Known risk – Unknown; quadrants A, B, C, D; examples already placed: Food colouring, Asbestos, Fireworks, Crime
Common Risk Acceptability Levels
Figure: RISK plotted as Frequency of Occurrence of Effects against Severity of Effects (Significant Incident, Major Incident, Serious Incident, ATM Accident)
Regions: ACCEPTABLE RISKS; UNACCEPTABLE RISKS
Target Levels of Safety per severity: TLS4, TLS3, TLS2, Target Level of Safety 1 (TLS1)
Example of Risk Matrix / RCS
Rows (Effect Severity): SC 1, SC 2, SC 3, SC 4, SC 5
Columns (Frequency of Occurrence of Effect): Frequent; Likely (TLS4); Occasional (TLS3); Unlikely (TLS2); Extremely Unlikely (TLS1)
Cells marked ACCEPTABLE (towards SC 5) or UNACCEPTABLE (towards SC 1)
Safety Criteria
Absolute – Against an absolute Target Level of Safety (TLS)
Relative – As safe as before or safer than before
Reductive – As Low as Reasonably Practicable (ALARP)
How safe do we need to be and remain?
ICAO Target Levels of Safety (TLS)
ATM 2000+: "risk of an accident not to increase (with time) and preferably decrease"
ESARR 4: "risk of an accident with ATM contribution not higher than 1.55e-8 per flight-hour" (up to 2015)
SES CIR 1035/2011:
– To minimize the risk of aircraft accident as far as reasonably practicable
– Safety objectives based on risk shall be established in terms of the hazard’s maximum probability of occurrence, derived both from the severity of its effect, and from the maximum probability of the hazard’s effect
National RCS
ANSP Safety Performance Targets and Safety KPI
E.g. MUAC (from Annual Safety Report 2010):
– Objective: Minimize MUAC contribution to the risk of an air traffic accident
– Primary goal (SPI): Zero Accident and Separation Minima Infringements (SMI)
– 5 SMI (Severity A & B) per year
Safety Performance Targets and Indicators
SES Safety KPI (from Reg. 691/2010):
1. Effectiveness of Safety Management
2. Risk assessment of ATM occurrences (RAT)
3. Reporting of Just Culture
Safety Performance Targets by Member States
Future SES Safety Performance Targets?
ATM Master Plan: To improve the safety performance by a factor of 10
Phases of Flight and Accident Categories
Flight Guidance: Controlled Flight Into Terrain (CFIT); Loss of Control (LoC) in Flight; Loss of Control (LoC) on Runway
Traffic Management: Mid-Air Collision (MAC); Wake Turbulence-induced Accident (WTA); Runway Collision (RC)
Examples of ATM Hazards
Wrong Runway use
Runway Incursion
Bird Strike Encounter
Runway Excursion
Runway Overrun
Loss of Directional Control
Runway Undershoot
Loss of Separation
Airspace Infringement
Level Bust
Wake Vortex Encounter
Adverse Weather Encounter
Flight Control Deficiency
Controlled Flight Towards Terrain
ATM/ANS Contribution to Safety
Operational Environment → Pre-existing Hazards: what we WANT the system to do
ANS/ATM: Airborne & Ground-based System (Pe, Pr, EQ) and Service → System-generated Hazards: what we DON’T want the system to do
Success and Failure Perspective
Figure: Risk R against ~ Functionality & Performance (what we want the airbag to do) and ~ 1/(Reliability & Integrity) (what we don’t want the system to do)
Curves: Risk without Airbag; Risk with Airbag; Minimum-achievable Risk; Airbag contribution to driver’s safety
Safety Barrier View of ATM/ANS
Barriers: Strategic Conflict Management; Separation Provision; Collision Avoidance
Elements shown: Airspace Design; Flow & Capacity Management; Planning & Coordination; ATC Tactical Control; ATC Recovery; Pilot Tactical Control; Pilot Recovery
Conflict states: Pre-tactical Conflicts; Trajectory tactical conflicts; Separation Infringement; Collision; Miss without control
Sources: Aircraft-induced conflicts; ATC-induced conflicts
Supporting services: Communication, Navigation, Surveillance; Aeronautical Information; Meteorological Information
ATM/ANS Safety Performance for Design
Figure: Risk R reduced from the Pre-existing Risk to the Current Level of Risk by Strategic Conflict Mgt, Separation Provision, Collision Avoidance and Conflict Geometry / luck
Design targets must not rely on Safety Nets! (STCA, ACAS, …)
Summary
What is a risk?
What is a Risk Classification Scheme?
Safety criteria
ATM-related categories of accidents
ATM-related hazards
How safe do we need to be?
Success and failure perspective
Questions?
Risk Assessment and Mitigation – Overview of SAM
Session 05
Course Structure
NEED FOR SAFETY ASSESSMENT
KEY CONCEPTS
SAM PROCESS
FHA, PSSA, SSA
PRACTICALITIES
SAFETY ARGUMENTS
SAM ASSISTANT
Structure
Safety assessment logic
Safety assessment steps
Change lifecycle
Overall SAM process
Safety assessment approach
Safety assessment and possible deliverables
Risk Management
Figure: Identification of Hazards → Hazard → Severity of Effects and Likelihood / Frequency of Effects → Risk of Effects → Acceptable? Yes/No (against Safety Criteria)
NO → Additional Risk Mitigation Means; YES → Risk-based Decision
ATM/ANS Elements to Consider
"SYSTEMS": Surveillance; Communications; Navaids; Information
PROCEDURES: ATC; Maintenance; Operating
HUMAN ACTORS: ATCOs; Support; Engineers; Managers; Pilots
ENVIRONMENT: Airspace
ATM/ANS Change Development Lifecycle
Change Definition → Change Design → Change Implementation → Transfer into Operations → Operation / Maintenance → Decommissioning
Safety Assessment Logic
Risk assessment:
– What can go wrong?
– What effect can it have?
– How likely is it to happen?
– Is the risk acceptable?
Risk mitigation:
– What needs to be done about it?
Risk Monitoring
Safety Assessment Steps
Safety Assessment initiation:
– Review of Concept of Operations
– Review of Operational Service and Environment Characteristics
– Scoping and Change Assessment
– Safety Considerations
– Safety Criteria
– Safety Assessment Organization
Hazard Identification, Risk Assessment and Safety Objectives
Risk Mitigation Strategy and Safety Requirements
Safety Verification and Validation
Safety Assessment of Change Implementation and Transfer into Operations
Safety Performance Monitoring
Safety Argumentation and Case
What is SAM?
"SAM" = Air Navigation System Safety Assessment Methodology
– Developed by EUROCONTROL and ANSPs to reflect best practice in this domain
– A process derived from Aircraft System Safety Assessment: FHA, PSSA, SSA
– 3 levels: Method, Guidance Material, Examples
– Acceptable Means of Compliance (AMC) to ESARR 4
– A set of techniques to develop ATM/ANS safety assessment
SAM & Change Lifecycle
[Figure: safety assurance steps alongside the system lifecycle. FHA, during Change Definition, answers "How safe does the system need to be?"; PSSA, during Change Design, answers "Is the proposed architecture able to achieve an acceptable level of safety?"; SSA, during Change Implementation, Transfer into Operations and Operation / Maintenance, answers "Does the system achieve an acceptable level of safety?"; the lifecycle ends with Decommissioning]
Inputs/Outputs of a Safety Assessment
Inputs: Concept of Operations; System Functions; Interfaces / Stakeholders; Environment Description; Related SMS Procedures
Output: Safety Objectives, Requirements and Evidence
S.A. Steps and SAM process
[Figure: the safety assessment steps below mapped onto the SAM process FHA → PSSA → SSA, with SCDM alongside]
Safety Assessment initiation:
– Review of Concept of Operations
– Review of Operational Service and Environment Characteristics
– Scoping and Change Assessment
– Safety Considerations
– Safety Criteria
– Safety Assessment Organization
Hazard Identification, Risk Assessment and Safety Objectives
Risk Mitigation Strategy and Safety Requirements
Safety Verification and Validation
Safety Assessment of Change Implementation and Transfer into Operations
Safety Performance Monitoring
Safety Argumentation and Case
Plan the Work
For each step, define:
– Scope
– Who? (roles and responsibilities)
– What? (activities and deliverables)
– When? (schedule)
– How? (tools and techniques)
Safety Barrier View of ATM/ANS
[Figure: conflicts (Aircraft-induced conflicts, ATC-induced conflicts; Pre-tactical Conflicts; trajectory tactical conflicts) pass through successive barriers: Strategic Conflict Management (Airspace Design, Flow & Capacity Management, Planning & Coordination), Separation Provision (ATC Tactical Control, Pilot Tactical Control) and, after a Separation Infringement, Collision Avoidance (ATC Recovery, Pilot Recovery); if every barrier fails the outcome is a collision or a miss without control. The barriers are supported by Communication, Navigation, Surveillance, Aeronautical Information and Meteorological Information]
Success & Failure Approach
– Success approach: seeks to assess the achieved level of safety when ATM/ANS is operated as specified
– Failure approach: seeks to assess the achieved level of safety in the event of faults and failures of ATM/ANS
EUROCONTROL SAM overall process
[Figure: along the lifecycle (Operational Concept → FHA → PSSA → Implementation → Integration → Transfer into Operation → Operation & Maintenance), the Safety Considerations and the Initial Safety Argument feed a Safety Plan; FHA, PSSA, Implementation, Integration and Transfer into Operation each contribute Evidence to the Project (or System) Safety Case, which goes for Approval and is incorporated into the Unit Safety Case; during Operation & Maintenance the SSA, Safety Monitoring and Reports update the evidence and the cases (Update, if required)]
Safety Assessment and Possible Deliverables
Possible Safety Deliverables: Safety Considerations; Safety Plan; Safety Assessment Report; Safety Case (Report)
Safety Assessment Outputs: Safety Criteria; Hazards; Safety Objectives; Safety Requirements; Safety Arguments and Evidence
Possible Project Deliverables: Project Plan; Concept of Operations (CONOPS); Operational Service and Environment Description (OSED); Validation Plan; Validation Report; …
Summary
– Safety assessment logic
– Safety assessment steps
– Change lifecycle
– Overall SAM process
– Safety assessment approach
– Safety assessment and possible deliverables
Questions?
Aquarium system safety assessment
Aquarium system
Introduce a fish tank with tropical fish.
Required inputs before starting the safety assessment?
Inputs/Outputs of a Safety Assessment
Inputs: Concept of Operations; System Functions; Interfaces / Stakeholders; Environment Description; Related SMS Procedures
Output: Safety Objectives, Requirements and Evidence
System Analysis
Factors considered: Food quality; Water quality; Water quantity; Water temperature; Cleaning; Food quantity; Oxygen level; …
Sources: structured brainstorming, reports, studies, etc.
Common understanding on how the system works and what the main functions are!
Functional Hazard Assessment (FHA)
INPUTS: Concept of Operations; System Functions; Environment Description; External Interfaces / Stakeholders; Related SMS Procedures
FHA: Hazard Identification → Hazard Effect I.D. → Severity Class → Safety Objective Specification
OUTPUTS: System Safety Objectives
Functions & failure modes
Overall Operational Objective: Maintain Health of Tropical Fish
System Functions:
• Maintain Water Quantity
• Maintain Water Temperature
• Maintain Water Quality (Food Level, Pollution Level, Oxygen Level)
Failure Modes, for example:
– Quantity: Total Loss; Partial Loss 75%, 50%, 5%
– Temperature: Too High; Too Low
– Quality – Food: Too Low <1 week; >1 week
– Quality – Pollution: Too High >3 days <1 week; >1 week <2 weeks; >2 weeks
– Oxygen: Too Low
What can go wrong?
Severity Definitions (in terms of effects on operations)
1 All fish within the tank die.
2 All fish become unhealthy, many fish will die.
3 Many fish become unhealthy, some fish will die.
4 Uncomfortable environment, some fish may become unhealthy.
5 No effect on the fish.
(Severity increases from class 5 to class 1.)
Aquarium System FHA Results (1)
[Table: columns System Functions | Failure mode (+ Exposure Time) | Effect on operations | Severity. Rows: Maintain Water Quality with Pollution Level Too High >3 days <1 week, >1 week <2 weeks, >2 weeks; Oxygen Level Too Low; Food Level Too Low <3 days, >3 days. Maintain Water Quantity with Total Loss, Partial Loss 75%, 50%, 5%. Maintain Water Temperature with Too High, Too Low. The effects range from "All fish within the tank die" (severity 1) through "All fish become unhealthy, many die" (2) and "Many fish become unhealthy, some die" (3) to "Uncomfortable environment, some may become unhealthy" (4)]
Aquarium System SOCS
[Matrix: Severity of the Effect (rows 5, 4, 3, 2, 1) against Frequency of Occurrence of Hazard (columns Numerous, Likely, Occasional, Rare, Extremely Rare); each cell is marked Acceptable or Unacceptable]
Aquarium System FHA Results (2)
Columns: System Functions | Failure mode | Severity | Acceptable Frequency | Safety Objectives
– Maintain Water Temperature | Too High | 1 | Ext Rare | The frequency of occurrence of water T° exceeding 28°C shall be no greater than Extremely Rare.
– Maintain Water Temperature | Too Low | 1 | Ext Rare | The frequency of occurrence of water T° dropping below 20°C shall be no greater than Extremely Rare.
– Maintain Water Quantity | Total loss | 1 | Ext Rare | The frequency of occurrence of a total water loss shall be no greater than Extremely Rare.
– Pollution Level | Too High >3 days <1 week | 3 | Occasional | The frequency of occurrence of pollution level exceeding dangerous level for more than 3 days shall be no greater than Occasional.
– Pollution Level | Too High >1 week <2 weeks | 2 | Rare | The frequency of occurrence of pollution level exceeding dangerous level for more than 1 week shall be no greater than Rare.
– Pollution Level | Too High >2 weeks | 1 | Ext Rare | The frequency of occurrence of pollution level exceeding dangerous level for more than 2 weeks shall be no greater than Extremely Rare.
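As an added example (not part of the course material), the FHA step just shown, turning a severity class into a safety objective through the Risk Classification Scheme, written out in Python. The acceptability matrix is constructed to reproduce the aquarium results on the slide (severity 1 → Extremely Rare, 2 → Rare, 3 → Occasional); its severity 4 and 5 rows and the consistency check are assumptions.

```python
"""FHA safety objectives from a Risk Classification Scheme (added example, not course code)."""
from dataclasses import dataclass

# Frequency classes of the aquarium SOCS, ordered from most to least frequent.
FREQUENCIES = ["Numerous", "Likely", "Occasional", "Rare", "Extremely Rare"]

# Constructed acceptability matrix: severity class -> frequency classes judged Acceptable.
# Rows 1-3 reproduce the slide's results; rows 4 and 5 are assumptions for illustration.
SOCS = {
    1: {"Extremely Rare"},
    2: {"Rare", "Extremely Rare"},
    3: {"Occasional", "Rare", "Extremely Rare"},
    4: {"Likely", "Occasional", "Rare", "Extremely Rare"},
    5: set(FREQUENCIES),
}


def validate_socs(socs):
    """A usable scheme is monotonic (assumed check): if a frequency is acceptable
    for a severity, every rarer frequency is too, and a more severe class never
    accepts a frequency that a less severe class rejects."""
    for sev, acceptable in socs.items():
        ranks = sorted(FREQUENCIES.index(f) for f in acceptable)
        # Acceptable frequencies must form a contiguous tail ending at the rarest class.
        if ranks and ranks != list(range(ranks[0], len(FREQUENCIES))):
            return False
        if sev > 1 and sev - 1 in socs and not socs[sev - 1] <= acceptable:
            return False
    return True


def max_acceptable_frequency(severity, socs=SOCS):
    """The safety objective for a hazard: the most frequent class that is still
    acceptable for the severity of the hazard's worst credible effect."""
    if severity not in socs:
        raise ValueError(f"unknown severity class {severity}")
    for freq in FREQUENCIES:  # scan from most frequent to rarest
        if freq in socs[severity]:
            return freq
    raise ValueError(f"no acceptable frequency for severity {severity}")


def is_acceptable(severity, frequency, socs=SOCS):
    """Risk-based decision for an assessed (severity, frequency) pair."""
    if frequency not in FREQUENCIES:
        raise ValueError(f"unknown frequency class {frequency!r}")
    return frequency in socs[severity]


@dataclass(frozen=True)
class Hazard:
    function: str       # system function, e.g. "Maintain Water Temperature"
    failure_mode: str   # e.g. "Too High"
    description: str    # wording of the occurrence used in the safety objective
    severity: int       # severity class of the worst credible effect (1 = most severe)


def safety_objective(hazard, socs=SOCS):
    """Phrase the safety objective the way the course slide does."""
    freq = max_acceptable_frequency(hazard.severity, socs)
    return (f"The frequency of occurrence of {hazard.description} "
            f"shall be no greater than {freq}.")


# Hazards and severities as given in the aquarium FHA results on the slide.
AQUARIUM_HAZARDS = [
    Hazard("Maintain Water Temperature", "Too High", "water T° exceeding 28°C", 1),
    Hazard("Maintain Water Temperature", "Too Low", "water T° dropping below 20°C", 1),
    Hazard("Maintain Water Quantity", "Total loss", "a total water loss", 1),
    Hazard("Maintain Water Quality", "Pollution too high >3 days <1 week",
           "pollution level exceeding dangerous level for more than 3 days", 3),
    Hazard("Maintain Water Quality", "Pollution too high >1 week <2 weeks",
           "pollution level exceeding dangerous level for more than 1 week", 2),
    Hazard("Maintain Water Quality", "Pollution too high >2 weeks",
           "pollution level exceeding dangerous level for more than 2 weeks", 1),
]


def fha_results(hazards=AQUARIUM_HAZARDS, socs=SOCS):
    """FHA Results (2): one (function, failure mode, severity, objective) row per hazard."""
    return [(h.function, h.failure_mode, h.severity, safety_objective(h, socs))
            for h in hazards]


if __name__ == "__main__":
    assert validate_socs(SOCS)
    for row in fha_results():
        print(" | ".join(str(cell) for cell in row))
```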
Preliminary System Safety Assessment (PSSA)
INPUTS: Proposed System Architecture(s); FHA Results – Hazards & SO; Environment Description
PSSA: Evaluate Proposed Architecture(s) → Derive SR from SO
OUTPUTS: Safety Requirements for System Elements
Proposed System Architecture
– Water Containment sub-system: Plastic tank
– Heating sub-system: Heater, Thermostat
– Feeding sub-system: Feed weekly
– Filtration sub-system: Pump & filter
– Oxygen sub-system: Big Bubble maker
Aquarium System PSSA
[Bow-tie figure: causes F1–F4 (with sub-causes F21, F22, F41, F42) and ER lead to the hazard H; on the right, barriers D1–D4 decide which effect results: Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2) or Effect E (Sev 1). The Safety Objective sits on the hazard; the PSSA derives Safety Requirements on the causes and barriers]
Evaluate the proposed architecture, mitigate the remaining unacceptable risks and iterate if necessary.
Modified System Architecture
Identify Risk Reduction Measures → Allocate Safety Requirements to system/sub-system elements → Validate System Architecture
Procedures: Observe Fish Daily; Feed daily; Test Pollution every 2 days; Clean Weekly; Testing Procedures
People: Train Kids for Feeding & Cleaning
Equipment:
– Water Containment sub-system: Glass tank
– Heating sub-system: Heater, Thermostat (Alarms + display)
– Feeding sub-system: Feed daily
– Filtration sub-system: Pump & filter
– Oxygen sub-system: Tiny Bubble maker
Aquarium System Design Solution
System Safety Assessment (SSA)
INPUTS: System Description; Development Strategy; FHA Results – Hazards & SO; PSSA Results – Safety Requirements
SSA: Assurance and Evidence Collection and Monitoring
OUTPUTS: Safety Evidence
Aquarium System SSA
Procedures (Observe Fish Daily; Feed daily; Test Pollution every 2 days; Clean Weekly): Are the procedures in place? Are they carried out effectively?
People (Train Kids for Feeding & Cleaning): Are staffing levels correct? Have they been trained? Is the training effective?
Equipment (evidence: FAT, SAT, etc.; Safety Survey): Is the risk mitigation in place? Meeting design specification?
Aquarium System
SAM is iterative: hazards may only appear during PSSA or SSA (external events, common cause failures, design-induced hazards, etc.).
SAM Process Summary
[Figure: safety assurance steps alongside the system lifecycle. FHA, during System Definition, answers "How safe does the system need to be?"; PSSA, during System Design, answers "Is the proposed architecture able to achieve an acceptable level of safety?"; SSA, during System Implementation, Transfer into operations and Operation / Maintenance, answers "Does the system achieve an acceptable level of safety?"; the lifecycle ends with Decommissioning]
Questions?
Session 07
Hazard Identification, Risk Assessment and Determination of Safety Objectives
SAM FHA Principles
Course Structure
– NEED FOR SAFETY ASSESSMENT
– KEY CONCEPTS
– SAM PROCESS
– FHA, PSSA, SSA
– PRACTICALITIES
– SAFETY ARGUMENTS
– SAM ASSISTANT
Structure
– Purpose
– Scope
– Inputs
– Core Activities
– Outputs
– Brainstorming
FHA Purpose
Hazards, Risks and Safety Objectives:
– Define how safe the change needs to be
– Identification of hazards
– Assessing the operational risk
– Define safety objectives for performance and failure prevention
Bow Tie
[Figure: causes F1–F4 and ER lead to the hazard H; barriers D1–D4 between H and its effects decide the outcome: Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2) or Effect E (Sev 1). The FHA sets the Safety Objective on the hazard from its effects; the PSSA places Safety Requirements on the causes and barriers; the SSA provides the assurance that they are met]
Scope
– At the level of operational functions
– Scope of FHA should be consistent with scope defined for the safety assessment
Generic ATM Functional Description
– Sequencing & Metering: IFR Arrivals; IFR Departures; VFR Arrivals; VFR Departures; Holding; Transits; Radar to Non-Radar
– Tactical Separation (Conflict Detection, Conflict Resolution): IFR/IFR; IFR/VFR Class "B, C"; IFR/VFR Class "D"; IFR/VFR Class "E, F, G"; VFR/VFR Class "B, C, D"; VFR/VFR Class "E, F, G"
– Coordination & Transfer: Adjacent Units (ACC, APP, TWR, Military, GA Airfields); Transfer of Control; Assume Control (Non-Radar, Radar with correlation, Radar without correlation)
– Collision Avoidance: Between Aircraft: IFR/IFR & IFR/VFR; Between Aircraft: VFR/VFR; Between Aircraft & Ground
– Airspace Management: Strategic Airspace Management; Tactical Airspace Management; Runway Changes; Tactical Management of Unusual Occurrences
– Flow & Capacity Management: Manage Flow Regulation; Sector Management; Routing Management
– Flight Information Service: Airspace Information; Meteorological Information; Aerodrome Information; Status of Services & Systems; Procedures & Regulations
– Alerting Service: Problem Detection; Coordination with Rescue Services
– Supporting Services: Comms Systems; Nav Systems; Surveillance Systems; Met Services; AIS
– Situational Awareness (ATCO): Create, Maintain
– Situational Awareness (Pilot): Create, Maintain
(Legend: High Risk Causal Link)
Safety Barrier View of ATM/ANS
[Figure: conflicts (Aircraft-induced conflicts, ATC-induced conflicts; Pre-tactical Conflicts; trajectory tactical conflicts) pass through successive barriers: Strategic Conflict Management (Airspace Design, Flow & Capacity Management, Planning & Coordination), Separation Provision (ATC Tactical Control, Pilot Tactical Control) and, after a Separation Infringement, Collision Avoidance (ATC Recovery, Pilot Recovery); if every barrier fails the outcome is a collision or a miss without control. The barriers are supported by Communication, Navigation, Surveillance, Aeronautical Information and Meteorological Information]
FHA Inputs
– System functions
– Concept of operations
– Environment description
– Interfaces / Stakeholders
– Related SMS Procedures
FHA Core Activities
Functional brainstorming drives four activities:
– Hazard Identification: what can go wrong?
– Hazard Effects Identification: what are the potential consequences?
– Effects Severity Classification: how severe are the consequences?
– Safety Objectives Specification: how safe does the system need to be?
Hazard Identification
[Figure: Function 1 → Failure Mode 1.1, Failure Mode 1.2; Function 2 → Failure Mode 2.1, Failure Mode 2.2; External Event E.1; failure modes and external events map, many to many, onto Hazard 1, Hazard 2 and Hazard 3]
• Common understanding?
• Scale
Examples of Failure Modes
– Out of time synchronisation
– Used beyond intent
– Misunderstood
– Misheard
– Violation of operation (routine or unintentional)
– Modified operation
– Intermittent or erratic operation
– Inadvertent operation
– Premature operation (too early)
– Delayed operation (too late)
– Failure to switch
– Failure to stop
– Failure to start
– Erroneous updating
– Inconsistent information
– Misdirection of data
– Error of input/output: out of range; out of sequence; spontaneous data; undetected erroneous/corrupted data (credible error/corruption); detected erroneous/corrupted data (not credible error/corruption); missing data (partial loss, total loss)
– Partial loss
– Total loss / Inability to provide a function
Hazard Effect Determination
1. Common understanding of the hazard
2. Identify the barriers
3. Consider exposure time and hazard detection
[Figure: Hazard H → Barriers A, B, C, D → Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2), Effect E (Sev 1)]
Severity Classification
– Identify the factors or protective barriers influencing the effects of each hazard
– Assess the effectiveness of the barriers, and determine the possible scenarios and their end-effects
– Allocate a severity class to each effect, in accordance with the Severity Classification Scheme from Reg. 1035/2011
Severity Classification Scheme (Reg. 1035/2011 Repealing 2096/2005)
List of examples of serious incidents from Reg. 996/2010
– Near collision requiring an avoidance manoeuvre to avoid a collision or an unsafe situation or when an avoidance action would have been appropriate,
– Controlled flight into terrain only marginally avoided,
– Runway incursions classified with severity A according to the Manual on the Prevention of Runway Incursions (ICAO Doc 9870) which contains information on the severity classifications,
– Take-off or landing incidents. Incidents such as undershooting, overrunning or running off the side of runways,
– Take-offs from a closed or engaged runway, from a taxiway, excluding authorised operations by helicopters, or from an unassigned runway,
– Aborted take-offs on a closed or engaged runway, on a taxiway, excluding authorised operations by helicopters, or from an unassigned runway,
– Landings or attempted landings on a closed or engaged runway, on a taxiway, excluding authorised operations by helicopters, or from an unassigned runway,
– Gross failures to achieve predicted performance during take-off or initial climb,
– Fires and smoke in the passenger compartment, in cargo compartments or engine fires, even though such fires were extinguished by the use of extinguishing agents,
– Events requiring the emergency use of oxygen by the flight crew,
– Aircraft structural failure or engine disintegration, including uncontained turbine engine failures, not classified as an accident,
– Multiple malfunctions of one or more aircraft systems seriously affecting the operation of
ESARR 4 Severity Scheme
Severity class 1 [Most Severe] – Accidents. Examples of effects on operation include: one or more catastrophic accidents; one or more mid-air collisions; one or more collisions on the ground between two aircraft; one or more Controlled Flight Into Terrain; total loss of flight control. No independent source of recovery mechanism, such as surveillance or ATC and/or flight crew procedures, can reasonably be expected to prevent the accident(s).
Severity class 2 – Serious incidents: large reduction in separation (e.g., a separation of less than half the separation minima), without crew or ATC fully controlling the situation or able to recover from the situation; one or more aircraft deviating from their intended clearance, so that abrupt manoeuvre is required to avoid collision with another aircraft or with terrain (or when an avoidance action would be appropriate).
Severity class 3 – Major incidents: large reduction (e.g., a separation of less than half the separation minima) in separation with crew or ATC controlling the situation and able to recover from the situation; minor reduction (e.g., a separation of more than half the separation minima) in separation without crew or ATC fully controlling the situation, hence jeopardising the ability to recover from the situation (without the use of collision or terrain avoidance manoeuvres).
Severity class 4 – Significant incidents: increasing workload of the air traffic controller or aircraft flight crew, or slightly degrading the functional capability of the enabling CNS system; minor reduction (e.g., a separation of more than half the separation minima) in separation with crew or ATC controlling the situation and fully able to recover from the situation.
Severity class 5 [Least Severe] – No immediate effect on safety: no hazardous condition, i.e. no immediate direct or indirect impact on the operations.
SEVERITY INDICATORS SET 1: EFFECTS ON AIR NAVIGATION SERVICE
Severity Class / Effects on Operations: 1 [Most Severe] Accidents | 2 Serious Incidents | 3 Major Incidents | 4 Significant Incidents
– Effect on Air Navigation Service within the area of responsibility: 1 Total inability to provide or maintain safe service | 2 Serious inability to provide or maintain safe service | 3 Partial inability to provide or maintain safe service | 4 Ability to provide or maintain safe but degraded service
– ATCO and/or Flight Crew Working Conditions: 1 Workload, stress or working conditions are such that they cannot perform their tasks at all | 2 Workload, stress or working conditions are such that they are unable to perform their tasks effectively | 3 Workload, stress or working conditions such that their ability is significantly impaired | 4 Workload, stress or working conditions are such that their abilities are slightly impaired
– Effect on ground ATM System and/or Aircraft Functional Capabilities: 1 Total loss of functional capabilities | 2 Large reduction of functional capabilities | 3 Significant reduction of functional capabilities | 4 Slight reduction of functional capabilities
– ATCO and/or Flight Crew Ability to Cope with Adverse Operational and Environmental Conditions: 1 Unable to cope with adverse operational and environmental conditions | 2 Large reduction of the ability to cope | 3 Significant reduction of the ability to cope | 4 Slight reduction of the ability to cope
SEVERITY INDICATORS SET 2: EXPOSURE (each indicator listed from least to most severe)
– Number of aircraft exposed / area of responsibility: No aircraft affected; Single aircraft; Aircraft within a small geographic area or an area of low traffic density; All aircraft in several ATC Sectors; All aircraft in the area of responsibility
– Exposure time: Too brief to have any safety-related effect; Hazard may persist for a short period of time such that no significant consequences are expected; Hazard may persist for a moderate period of time; Hazard may persist for a substantial period of time; The presence of the hazard is almost permanent, and the reduction of safety margins persists even after recovering from the immediate problem
SEVERITY INDICATORS SET 3: RECOVERY (each indicator listed from least to most severe)
– Annunciation, Detection and Diagnosis *: Clear annunciation, easily detected and very reliable diagnosis; Clear annunciation, easily detected, reliable diagnosis; May require some interpretation, detectable, incorrect diagnosis possible; Ambiguous indication, not easily detected, incorrect diagnosis likely; Undetected misleading indication
– Contingency measures (other systems or procedures) available: Highly reliable, automatic, comprehensive contingency measures; Reliable, automatic, comprehensive contingency measures; Contingency measures available, providing most of required functionality, fall-back equipment usually reliable, operator intervention required but a practised procedure within the scope of normal training; Limited contingency measures, providing only partial replacement functionality, operators not familiar with procedures or may need to devise a new procedure at the time; No existing contingency measures available, operators unprepared, limited ability to intervene
– Rate of development of the hazardous condition, compared to the time necessary for annunciation, detection, diagnosis and application of contingency measures: Plenty of time available; Slow; Similar; Fast; Sudden, it does not allow recovery
Safety Objectives Specification
Safety Objective: Maximum Acceptable Frequency of Occurrence of Hazard
[Figure: Severity Class + Risk Classification Scheme (Safety Objective Classification Scheme) → Safety Objective]
FHA Outputs
– Hazards
– Effects
– Severity class
– Rationale / Barriers
– Assumptions
SAFETY OBJECTIVES
Risk Assessment Template
Columns: Hazard Id | Function | Hazard | Effect on operations | Factors, Protective Barriers and Effectiveness | Context and Exposure Time | Severity Class | Rationale/Remarks
Brainstorming
Participants/Functions:
– End users (ATCO, pilots, technicians): background, mindset, independence
– Moderator: optimise effectiveness
– Safety expert: safety process, challenger
– Secretary: to make notes
Preparation is key
Summary
– Purpose
– Scope
– Inputs
– Core Activities
– Outputs
– Brainstorming
Questions?
Session 09
Risk Mitigation Strategy of ATM Change Design for Operations
SAM PSSA Principles
Course Structure
– NEED FOR SAFETY ASSESSMENT
– KEY CONCEPTS
– SAM PROCESS
– FHA, PSSA, SSA
– PRACTICALITIES
– SAFETY ARGUMENTS
– SAM ASSISTANT
Structure
– Purpose
– Inputs
– Scope
– Core Activities
– Safety Requirements
– Assurance levels
– Outputs
PSSA Purpose
Assess whether the proposed architecture(s) of the change to the functional system are able to achieve an acceptable level of safety
– Safety Requirements
– Assurance Levels
PSSA Inputs
– Environment description
– List of hazards
– List of Safety Objectives
– Proposed design architecture(s)
PSSA Core Activities
– Evaluate Proposed Change Architecture: can the proposed architecture(s) cause or contribute to hazards? How?
– Derive Safety Requirements: how to allocate Safety Requirements to each individual system element?
Questions for Change Design Phase
– Will the performance of functionalities be sufficient?
– Will it work properly, under all normal conditions of the operational environment that it is likely to encounter?
– What happens under abnormal conditions of the operational environment?
– What happens in the event of a failure or error?
– Are the Safety Requirements realistic, i.e. could they be achievable?
Evaluate Proposed Change Architecture
Change architecture modelling
– Functional / Logical Level
– Task analysis
– HF assessment
Design analysis 1 – Normal conditions (Performance)
– Safety Benefits analysis
– Real Time Simulations
Design analysis 2 – Abnormal conditions (Robustness)
– Robustness analysis
Design analysis 3 – Failure conditions (Integrity, Reliability)
– FTA (Fault Tree Analysis)
– CCA (Common Cause Analysis)
– HF assessment
Bow Tie
[Figure: causes F1–F4 and ER lead to the hazard H; barriers D1–D4 between H and its effects decide the outcome: Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2) or Effect E (Sev 1). The FHA sets the Safety Objective on the hazard from its effects; the PSSA places Safety Requirements on the causes and barriers; the SSA provides the assurance that they are met]
Safety Requirements
Derive Safety Requirements
– Specify the safety requirements necessary to meet the safety objectives
– Provide assurance of the effectiveness and realism of the safety requirements
– Allocate an Assurance Level as appropriate
Safety Requirements
Risk Mitigation Means: required to reduce the risk(s) to an acceptable level
Risk mitigation strategy:
– Eliminate hazard
– Reduce frequency of occurrence of hazard (prevention)
– Reduce severity of effects (protection)
Success and Failure Perspective
– Hazard-types addressed: Success – Pre-existing Hazards; Failure – System-generated Hazards
– Safety contribution: Success – Maximize ATM contribution to aviation safety; Failure – Minimize ATM contribution to risk of an accident
– Dominant safety properties: Success – System Functionality and Performance; Failure – System Integrity
– Safety Requirements (SR): Success – What we want the system to do; Failure – What we don't want the system to do
Safety Requirements – Topics
Functionality and performance:
– Mobile detection rate
– Timeliness of info / data provision
– Accuracy of info / data provision
– Position of sensors
– Operational procedures on info / data usage
– …
Integrity and reliability:
– Failure rate
– False alerts
– Fail-safe degradation
– Back-up procedures
– …
Assumptions
Risk Apportionment
[Figure: the Safety Objectives set on the SYSTEM FUNCTIONS are apportioned over the CHANGE ARCHITECTURE: Equipment, Operational Procedures and ATCOs, with Equipment split into Software and Hardware and the Man Machine Interface between Equipment and ATCOs. Each element receives Safety Requirements: SR + SWAL for software, SR for hardware, SR + HAL for ATCOs, SR + PAL for operational procedures]
SR = Safety Requirements
PAL = Procedure Assurance Level
HAL = Human Assurance Level
SWAL = Software Assurance Level
Realism of Safety Requirements
– Achievable
– Necessary and sufficient
– Effective
– Traceable to Causes / Hazards / Safety Objective(s)
Assurance Levels
What is the idea of an Assurance Level?
You want to build a
– Dog kennel?
– House extension?
– Skyscraper?
You have several methods
– Do it yourself
– Use a local builder
– Use an architect
Which would you use?
Means of adapting the level of effort to the criticality of the change
Where can we credibly quantify?
– Procedures: PAL – No
– People: HAL – No
– Equipment – Software: SWAL – No
– Equipment – Hardware: figures (MTBF, etc.) – Yes (+/-)
Allocation of an Assurance Level
[Bow-tie figure: the Failing Component is one of the causes (F1–F4, ER) of the hazard H; barriers D1–D3 lie between H and its effects, Effect A (Sev 5) through Effect E (Sev 1). Two factors drive the allocation: the Severity of the Worst Credible Effect, and the Distance between the failing component and the effect]
Definition of the Assurance Level
Table: rows = Distance between failing component & effect; columns = Effect Severity 1 | 2 | 3 | 4
– Very Possible: xxAL1 | xxAL2 | xxAL3 | xxAL4
– Possible: xxAL2 | xxAL3 | xxAL3 | xxAL4
– Very Unlikely: xxAL3 | xxAL3 | xxAL4 | xxAL4
– Extremely Unlikely: xxAL4 | xxAL4 | xxAL4 | xxAL4
[Bow-tie figure as on the previous slide: the Failing Component among the causes F1–F4 and ER of hazard H, barriers D1–D3, effects A (Sev 5) to E (Sev 1); inputs to the table are the Worst Credible Effect Severity and the Distance between failing component and effect]
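As an added example (not from the course), the assurance-level table above combined with the risk apportionment slide: each architecture element is typed as software, hardware, human or procedure, its worst credible effect is read off the bow tie, and the table gives the level. The sample aquarium elements, their distance categories and the rule that a severity-5 worst credible effect needs no assurance level are assumptions.

```python
"""Assurance Level allocation in the PSSA (added example, not course code)."""
from dataclasses import dataclass

DISTANCES = ["Very Possible", "Possible", "Very Unlikely", "Extremely Unlikely"]

# Table from the "Definition of the Assurance Level" slide:
# distance between failing component and effect -> {worst credible effect severity: AL}
AL_TABLE = {
    "Very Possible":      {1: 1, 2: 2, 3: 3, 4: 4},
    "Possible":           {1: 2, 2: 3, 3: 3, 4: 4},
    "Very Unlikely":      {1: 3, 2: 3, 3: 4, 4: 4},
    "Extremely Unlikely": {1: 4, 2: 4, 3: 4, 4: 4},
}

# Risk apportionment slide: which assurance scheme applies to which kind of element.
# Hardware gets quantitative figures (e.g. MTBF) rather than a named level.
AL_SCHEME = {"software": "SWAL", "human": "HAL", "procedure": "PAL", "hardware": None}


@dataclass(frozen=True)
class Effect:
    name: str
    severity: int           # 1 (most severe) .. 5 (no immediate effect)
    credible: bool = True   # judged credible given the barriers between hazard and effect


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # software | hardware | human | procedure
    distance: str   # one of DISTANCES: from this element's failure to the effect
    effects: tuple  # Effect scenarios reachable from this element's failure


def worst_credible_severity(effects):
    """Most severe class (lowest number) among credible effects; None if none is credible."""
    credible = [e.severity for e in effects if e.credible]
    return min(credible) if credible else None


def assurance_level(severity, distance):
    """Read the AL table; severity 5 or no credible effect needs no AL (assumption)."""
    if distance not in AL_TABLE:
        raise ValueError(f"unknown distance category {distance!r}")
    if severity is None or severity == 5:
        return None
    if severity not in AL_TABLE[distance]:
        raise ValueError(f"severity {severity} is outside classes 1-5")
    return AL_TABLE[distance][severity]


def allocate(element):
    """Requirement label for one element, e.g. 'SR + SWAL1', or 'SR' when no AL applies."""
    if element.kind not in AL_SCHEME:
        raise ValueError(f"unknown element kind {element.kind!r}")
    level = assurance_level(worst_credible_severity(element.effects), element.distance)
    if level is None:
        return "SR"
    scheme = AL_SCHEME[element.kind]
    if scheme is None:  # hardware: quantified SR instead of an assurance level
        return "SR + quantitative figures (MTBF)"
    return f"SR + {scheme}{level}"


def allocate_all(elements):
    """Map element name -> requirement label for a whole architecture."""
    return {e.name: allocate(e) for e in elements}


# Constructed sample drawn from the aquarium's modified architecture (assumed values).
ALL_DIE = Effect("All fish within the tank die", 1)
MANY_DIE = Effect("Many fish become unhealthy, some die", 3)
UNCOMFORTABLE = Effect("Uncomfortable environment", 4)
NO_EFFECT = Effect("No effect on the fish", 5)

AQUARIUM_ELEMENTS = (
    Element("Thermostat control software", "software", "Very Possible",
            (ALL_DIE, UNCOMFORTABLE)),
    Element("Heater", "hardware", "Very Possible", (ALL_DIE,)),
    # Daily observation and weekly cleaning are assumed to make the fatal branch non-credible.
    Element("Test pollution every 2 days", "procedure", "Possible",
            (Effect("All fish within the tank die", 1, credible=False), MANY_DIE)),
    Element("Train kids for feeding", "human", "Very Unlikely",
            (Effect("All fish become unhealthy, many die", 2),)),
    Element("Thermostat display", "hardware", "Very Possible", (NO_EFFECT,)),
)


if __name__ == "__main__":
    for name, label in allocate_all(AQUARIUM_ELEMENTS).items():
        print(f"{name}: {label}")
```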
22Copyright 2011 EUROCONTROL
PAL Objectives
Objectives to be fulfilled during the Procedure Life Cycle Phases (i Definition, ii Design and Validation, iii Implementation, iv Transfer into operations, v Operation), by Procedure Assurance Level; the numbering of each phase continues from one level to the next more stringent one.

PAL 4
i Definition
1. Ensure involvement of relevant operational expertise
2. Ensure a minimum set of quality assurance activities
3. Establish a proven and well-documented starting point for the definition exercises
ii Design and Validation
1) Establish an acceptable risk level (in qualitative terms)
2) Ensure that HMI has been assessed
3) Ensure suitable validation
iii Implementation
1. Establish an Implementation Plan which includes quality assurance activities
2. Ensure an acceptable quality assurance level
iv Transfer into operations
1. Ensure that feedback concerning the transfer process is provided to involved staff
2. Ensure dissemination of contingency measures
3. Ensure documented contingency measures
v Operation
1. Ensure documentation control
2. Establish a reporting system covering occurrences relating to the procedure
3. Ensure high-ranking proficiency levels

PAL 3
ii.3 Ensure suitable validation at different levels
ii.4 Ensure robustness
iii.3 Ensure stakeholder acceptance
iii.4 Ensure training levels
iv.4 Ensure enhanced competence levels of staff to perform the transfer
v.4 Ensure validity of assumptions
v.5 Ensure promulgation of related incident investigations

PAL 2
i.4 Ensure stakeholder acceptance
ii.5 Ensure external expert acceptance
ii.6 Ensure enhanced competence levels of designers
iii.5 Ensure approval at the Corporate level of management
iii.6 Establish evidence of acceptable design maturity
iv.5 Ensure incremental transfer
iv.6 Ensure approval of the Transfer Plan at management level
iv.7 Ensure stakeholder acceptance of the Transfer Plan
iv.8 Ensure application of an approved and systematic method to verify the transfer process
v.6 Ensure acceptable performance levels

PAL 1
i.5 Ensure an approved and systematic specification
ii.1) Establish an acceptable risk level (in quantitative terms)
ii.7 Ensure independency in design and validation
iii.7 Ensure independent auditing of the procedure
iii.8 Ensure corporate level of approval by stakeholders
v.7 Ensure that the application of the procedure is reduced to its minimum
PAL 4 Objectives
Objectives to be fulfilled during the Procedure Life Cycle Phases, Procedure Assurance Level 4:
i Definition
1. Ensure involvement of relevant operational expertise
2. Ensure a minimum set of quality assurance activities
3. Establish a proven and well-documented starting point for the definition exercises
ii Design and Validation
1. Establish an acceptable risk level (in qualitative terms)
2. Ensure that HMI has been assessed
3. Ensure suitable validation
iii Implementation
1. Establish an Implementation Plan which includes quality assurance activities
2. Ensure an acceptable quality assurance level
iv Transfer into operations
1. Ensure that feedback concerning the transfer process is provided to involved staff
2. Ensure dissemination of contingency measures
3. Ensure documented contingency measures
v Operations
1. Ensure documentation control
2. Establish a reporting system covering occurrences relating to the procedure
3. Ensure high-ranking proficiency levels
Day to day human issues
What is Human Performance?
Human Performance = Human Potential – Interference
Interference: Myself, Team, Organisation, Environment
Human Performance Areas in ATM?
[Diagram: Human Performance and the Interference that reduces it]
System Used Beyond Capabilities
PSSA Outputs
SAFETY REQUIREMENTS
Summary
Purpose, Inputs, Scope, Core Activities, Safety Requirements, Assurance levels, Outputs
Questions?
Safety Verification and Validation
Risk Assessment and Mitigation of ATM Change Implementation & Transfer into Operations
SAM SSA Principles
Session 11
Course Structure
NEED FOR SAFETY ASSESSMENT
KEY CONCEPTS
SAM PROCESS: FHA, PSSA, SSA
SAFETY ARGUMENTS
PRACTICALITIES
SAM ASSISTANT
Structure
Purpose, Inputs, Core Activities, Outputs
SSA Purpose
Demonstrate that the change/system actually achieves an acceptable level of safety from implementation until decommissioning
Safety evidence
Assurance
Timescale
[Timeline diagram: Change Initiation, Implementation, Transfer to Ops, Operations, Decommissioning, with the FHA, PSSA and SSA spans positioned along it]
Bow Tie
[Bow-tie diagram: Causes (labels F1–F4, D1–D4) → Hazard → Effects A–E (Severity 5–1), with Barriers on both sides; the Safety Objective (FHA) is placed on the Hazard, the Safety Requirements (PSSA) on the Barriers, and the SSA is labelled across the whole bow-tie]
SSA Inputs
Environment description
Hazards & Safety Objectives (SO)
System Architecture
Safety Requirements
Assurance Levels (ALs)
Verification Versus Validation
Verification: Have we built the system RIGHT?
Validation: Have we built the RIGHT system?
Need for Verification & Validation
SSA Core Activities
Build and Collect Evidence that:
– Safety Requirements / ALs are met
– Safety Objectives are satisfied
– Assumptions are correct
– Users' Expectations are satisfied
– System achieves an Acceptable Level of Safety
For the whole lifecycle of the change/system!
What is Risky in Each Phase?
Implementation
Transfer into Operations
Operations
Maintenance
Decommissioning
For Each Phase
What type of evidence?
Verification or validation?
Who will provide this evidence?
What if you need acceptance by your NSA before transfer into ops?
What if a Safety Requirement (SR) is not met?
Can you use previous safety assessments as evidence?
Use your SMS & QMS!
SMS processes:
– Roles and responsibilities (management commitment)
– Occurrence Reporting & Investigation
– Competency assessment
– Monitoring
– Safety Surveys
– Lesson Dissemination
– External Services
– …
Quality Processes:
– Design
– Document control
– Management of problem reports
– …
Getting the Big Picture of Risk
Lack of evidence of risk… is not evidence of lack of risk
SSA Outputs
EVIDENCE & ASSURANCE
Summary
Purpose, Inputs, Core Activities, Outputs
Questions?
Safety Argument / Case Principles
Session 14
Course Structure
NEED FOR SAFETY ASSESSMENT
KEY CONCEPTS
SAM PROCESS: FHA, PSSA, SSA
SAFETY ARGUMENTS
PRACTICALITIES
SAM ASSISTANT
Structure
Why do we develop Safety Arguments?
How to develop a Safety Argument?
How to present a Safety Argument?
What Safety Assurance activities?
What is a Safety Case?
What are the types of Safety Cases?
How to develop Safety Cases?
How to structure Safety Documentation?
Safety Argument-Based Approach
To provide assurance
To provide a structured and systematic approach
To address the EC 1035/2011 & ESARR4 requirement
[Diagram: Safety Argument – to satisfy – Activities – to produce – Evidence – to give confidence; Assurance Level (AL) – to achieve]
Top Level Safety Argument
Arg 0: ATM Operations will be acceptably safe.
Cr001: Acceptably safe is defined by the Safety Criteria to be satisfied
C001: Operational Service & Environment are described
A0001: Assumptions are stated
J0001: Justification and benefits are provided
Arg 1: ATM system has been specified to be acceptably safe [tbd]
Arg 2: ATM system has been designed to be acceptably safe [tbd]
Arg 3: ATM system Design has been implemented completely & correctly [tbd]
Arg 4: Transition from current state to full ATM system will be acceptably safe [tbd]
Arg 5: ATM system will be shown to operate acceptably safely throughout its service [tbd]
Argue on the basis of a safe Specification and Logical Design, full Implementation of that design, safe Transition into service and Safety Monitoring for the whole operational service life
Safety Assurance Activities
Specification
Design
Implementation
Transfer into Operations
Operations
Safety Lifecycle
[Diagram: lifecycle phases Definition, Design & Validation (High-level), Implementation & Integration, Transfer into Operation, Operation & Maintenance; the System Safety Assurance Activities (FHA, PSSA, SSA) produce Evidence for the Lower-level Safety Arguments Arg 1 to Arg 5 under Arg 0]
What is a Safety Case?
Presentation of:
– Structured argumentation to support a claim (statements which claim that something is true or false)
– Supporting rationale and evidence to show that each argument is true
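As an added example (not part of the course material), the top-level argument from the earlier slide as a small Python tree, with a walk that reports which arguments are still neither decomposed into sub-arguments nor backed by evidence, i.e. the open issues a safety case has to list; the Arg 1 decomposition and the evidence references are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Argument:
    ident: str
    claim: str
    sub_args: list = field(default_factory=list)   # decomposition into sub-arguments
    evidence: list = field(default_factory=list)   # references to supporting evidence
    tbd: bool = False                              # still [tbd], as on the slide

# Items attached to Arg 0 on the slide: criterion, context, assumption, justification.
ARG0_CONTEXT = {
    "Cr001": "Acceptably safe is defined by the Safety Criteria to be satisfied",
    "C001": "Operational Service & Environment are described",
    "A0001": "Assumptions are stated",
    "J0001": "Justification and benefits are provided",
}

def open_items(arg: Argument) -> list:
    """Identifiers of arguments that are neither decomposed nor backed by
    evidence (including those marked tbd), depth-first.  These are the open
    issues a safety case report has to list among its caveats."""
    pending = []
    if arg.tbd or (not arg.sub_args and not arg.evidence):
        pending.append(arg.ident)
    for child in arg.sub_args:
        pending.extend(open_items(child))
    return pending

def top_level_argument() -> Argument:
    """Arg 0 with Arg 1..5 as on the slide, each still [tbd]."""
    return Argument("Arg 0", "ATM Operations will be acceptably safe.", sub_args=[
        Argument("Arg 1", "ATM system has been specified to be acceptably safe", tbd=True),
        Argument("Arg 2", "ATM system has been designed to be acceptably safe", tbd=True),
        Argument("Arg 3", "ATM system Design has been implemented completely & correctly", tbd=True),
        Argument("Arg 4", "Transition from current state to full ATM system will be acceptably safe", tbd=True),
        Argument("Arg 5", "ATM system will be shown to operate acceptably safely throughout its service", tbd=True),
    ])

def develop_arg1(root: Argument) -> Argument:
    """Constructed illustration: decompose Arg 1 and attach FHA evidence
    (the sub-arguments and document references here are assumptions)."""
    arg1 = next(a for a in root.sub_args if a.ident == "Arg 1")
    arg1.tbd = False
    arg1.sub_args = [
        Argument("Arg 1.1", "All hazards have been identified",
                 evidence=["FHA report (constructed reference)"]),
        Argument("Arg 1.2", "Safety Objectives satisfy the Safety Criteria (Cr001)",
                 evidence=["Hazard log (constructed reference)"]),
    ]
    return root

if __name__ == "__main__":
    print("open items for the caveats section:", open_items(develop_arg1(top_level_argument())))
```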
Types of Safety Cases and their Use
[Diagram: Unit, System and Subsystem safety cases and how they relate]
Unit Safety Case
Top-claim: "Air Navigation Services provided by ATSU are, and will remain, acceptably safe"
What would you expect to see in such a unit safety case?
Safety Case Development Process
[Process diagram: Safety Considerations and the Operational Concept lead to an Initial Safety Argument and a Safety Plan; FHA, PSSA, Implementation, Integration, Transfer into Operation (SSA) and Operation & Maintenance each deliver Evidence to the Project Safety Case (shown again as the System Safety Case), which goes for Approval and feeds the Unit Safety Case; Safety Monitoring Reports trigger an Update, if required]
Safety Documentation Structure
Safety Case Report
Design Documents
Safety Register (Hazard Log, S.R., Assumptions, …)
Safety Assessment Report (Part 1 & 2)
Other reference sources
System Safety Case Report Structure
Introduction
Change description
Safety Argument
– Top argument
– Safety criteria
Sub-arguments, rationale & evidence
Caveats (assumptions, limitations, open issues)
Safety Requirements
Conclusions
References
Appendices (S.A., simulations, test results, …)
Summary
Why do we develop Safety Arguments?
How to develop a Safety Argument?
How to present a Safety Argument?
What is a Safety Case?
What are the types of Safety Cases?
How to develop Safety Cases?
How to structure Safety Documentation?
Questions?
Practicalities
Session 15
Course Structure
NEED FOR SAFETY ASSESSMENT
KEY CONCEPTS
SAM PROCESS: FHA, PSSA, SSA
SAFETY ARGUMENTS
PRACTICALITIES
SAM ASSISTANT
Structure
SAM Practicalities, FHA Practicalities, PSSA Practicalities, SSA Practicalities
SAM Practicalities - 0
This is a little story about four people named Everybody, Somebody, Anybody, and Nobody. There was an important job to be done and Everybody was sure that Somebody would do it. Anybody could have done it, but Nobody did it. Somebody got angry about that because it was Everybody's job. Everybody thought that Anybody could do it, but Nobody realized that Everybody wouldn't do it. It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done.
SAM Practicalities - 1
At organizational level
– Define who is doing what
– Closely linked with: other SMS processes, other QMS processes, other project related activities
– Make sure methodologies are useful and fit for purpose
– Share efforts: reusability, accessibility
SAM Practicalities - 2
Plan your safety assessment
Start safety assessment as early as possible
Adapt level of effort
SAM Practicalities - 3
Be careful when you subdivide a change (overall risk not assessed)
Consider the future environment, not the current one
Total system approach not followed
– People, procedures, equipment
– Key stakeholders omitted
– Success approach not considered
SAM Practicalities - 4
Training needed for
– Ops and project managers
– Safety practitioners
– Participants in a safety assessment
Methodological assistance may be needed
– External safety/human experts
– Manufacturers
KEEP CONTROL!!
SAM Practicalities - 5
Misuse of tools and techniques
– Quantification
– Goal Structuring Notation (GSN)
– Fault trees
– Event trees
SAM Practicalities - 6
Be aware of the advantages & limitations of quantification
Advantages
– Avoids diverging understandings
– Clear targets to manufacturers
– Apportionment of risks
– Helps to check credibility of the results
Limitations
– False sense of confidence
– Not always feasible
– Diverts people from dealing with the real issues
FHA Practicalities - 1
Scope of FHA should be at functional level!
Share your efforts!
Take enough time to describe the change
Involve the relevant people
Prepare the brainstorming sessions
FHA Practicalities - 2
Don’t forget what we aim at:
– Assessing the overall risks
– Understanding how system works (safety benefits)
– Understanding how system fails (additional risks)
PSSA Practicalities - 1
Misuse of tools and techniques
– Fault Trees: missing barriers / mitigation means; AND gates are not always perfect! Have you captured Common Causes, unavailability of redundancy, Mean Time To Repair, etc.?
– Quantification: on humans, procedures, software?
PSSA Practicalities - 2
Safety Requirements focused on equipment exclusively
No qualitative Safety Requirement
Unrealistic safety requirements
– Too stringent failure rate on an equipment component
– Credibility towards supplier?
PSSA Practicalities - 3
Do consider the success approach!
Make best use of SMS / QMS / project related activities
…Otherwise resulting architecture may not meet the user’s needs!
PSSA should not drive design
PSSA Practicalities - 4
Safety assessments focused on individual changes
– Inconsistent assumptions (risk apportionment, on-going or short term changes not taken into account)
– Overall risk not assessed, may be unacceptable
SSA Practicalities - 1
Closely linked with other SMS / QMS processes
Don’t neglect critical phases of the change!
Indicators should be relevant and useful for monitoring (action to be triggered)
SSA Practicalities - 2
SSA safety plan very useful to help structure the evidence collection process
Evidence collection usually requires a lot of efforts
All interested parties should be made aware of what they should produce / collect as evidence
Summary
SAM Practicalities, FHA Practicalities, PSSA Practicalities, SSA Practicalities
Questions?