1

Safety Assessment

July 2006

2

SAFETY ASSESSMENTSAFETY ASSESSMENT

A Safety Assessment is essentially a process for finding answers to three fundamental questions:

What could go wrong? What would be the consequences? How often is it likely to occur?

Once we know the answers this automatically raises the next question:

Is this acceptable? What can we do if not?

3

SAFETY ASSESSMENTSAFETY ASSESSMENT

The objective of Safety Assessments is to:

Ensure that the system operates normally and without exposing unacceptable risk to anyone;

Reduce and prevent incidents and accidents and;

Limit the consequences of any occurrence that might occur.

8

SAFETY ASSESSMENTSAFETY ASSESSMENT

ICAO SEVEN STEP APPROACH Hazard Identification and Estimation steps

Step 1 – System and Environment Description Step 2 – Hazard Identification Step 3 – Hazard Severity Step 4 – Hazard Likelihood

Mitigation steps Step 5 – Risk Evaluation Step 6 – Risk Mitigation

Documentation Step 7 – Safety Assessment Documentation

9

STEP 1 - DESCRIPTIONSTEP 1 - DESCRIPTION

Before a safety assessment can be performed, we need to describe the ATM system and environment being assessed.

10

STEP 1 - DESCRIPTIONSTEP 1 - DESCRIPTION

APP/DEP Charts Topographical maps A/D layout (markers, position of NAVAIDS, fence, roads,

rwy extension, etc.) MET info – origin, wind conditions/shears, visibility, rwy

friction Equipment liability (VHF, NAVAIDS, etc.) APP/DEP procedures Ground Operations procedures ETA or cancellation – information from where? Procedures for non-normal operations (missed APP,

malfunction of A/C, etc.) Previous occurrences, reports, investigation results

11

STEP 2 – HAZARD IDENTIFICATIONSTEP 2 – HAZARD IDENTIFICATION

Purpose

…to identify what could go wrong!(- or anticipate problems before they occur…)

….to identify the consequences (on safety) of the hazards

A hazard is defined as any condition, event or

circumstances which could induce an accident

or incident (ICAO DOC 9422)

The equipment (hardware and software);

The operating environment; The human operators; The human machine interface (HMI); Operational procedures; Maintenance procedures; External services.

12

13

14

STEP 2 – HAZARD IDENTIFICATIONSTEP 2 – HAZARD IDENTIFICATION

Brainstorming: Easy and straightforward process. Group sessions are usually good at

generating ideas and identifying issues. The interactions between participants with

varying experience and knowledge tend to lead to broader, more comprehensive and more balanced consideration of safety issues.

No criticism – No judgment – No explanation Hitchhiking – Freewheeling

15

STEP 2 – HAZARD IDENTIFICATIONSTEP 2 – HAZARD IDENTIFICATION

EXAMPLE

16

STEP 3 – SEVERITY ASSESSMENT

The severity expresses the impact on operation or the harm an individual may suffer.

Severity Classification is a gradation, ranging from "worst case/accident" to "no safety impact" – expressing the magnitude of the consequence of the hazard.

Thus, a severity is allocated each hazard consequence in accordance with the agreed severity classification scheme.

17

STEP 3 – SEVERITY ASSESSMENT

Severity Classification Scheme

1 Accident One or more catastrophic accident One or more mid-air collision One of more collisions on ground between two aircraft No independent source of recovery mechanism, such as surveillance or ATC / Flight Crew procedure, can

reasonably be expected to prevent the accident(s)

2 Serious Incident large reduction in separation (e.g. a separation of less than half the separation minima), without crew or ATC fully controlling the situation or able to recover from the situation.

one or more aircraft deviating from their intended clearance, so that abrupt manoeuvre is required to avoid collision with another aircraft or with terrain (or when an avoidance action would be appropriate).

3 Major Incident large reduction in separation (e.g. a separation of less than half the separation minima), with crew or ATC fully controlling the situation or able to recover from the situation.

Minor reduction in separation (e.g. a separation of more than half the separation minima), without crew or ATC fully controlling the situation, or able to recover from the situation, jeopardising the ability to recover without use of collision or terrain avoidance manoeuvres

4 Significant Incident Increased workload on ATCO or Flight Crew or slightly degrading capability of the CSN system Minor reduction in separation (e.g. a separation of more than half the separation minima), without crew or

ATC fully controlling the situation, or able to recover from the situation and fully able to recover the situation

5 No immediate effect on safety

No immediate direct or indirect impact on operations

18

STEP 4 – LIKELIHOOD ASSESSMENT

The likelihood of occurrence expresses how often the consequence of a hazard is likely to occur.

Likelihood Classification is a gradation, ranging from "frequently" to “extremely improbable".

Thus, a likelihood is allocated each hazard consequence in accordance with the agreed likelihood classification scheme.

19

STEP 4 – LIKELIHOOD ASSESSMENT

Likelihood Classification Scheme

1 Frequently Likely to occur frequently (often)

2 Probable Likely to occur several times during the life-time of the system (2-5 occurrences per year)

3 Occasional Occurs sometimes during the life-time of the system (1 occurrence per year)

4 Remote Unlikely to occur sometimes during the life-time of the system (1 occurrence per 5 years)

5 Improbable Very unlikely to occur (1 occurrence per 20 years)

6 Extremely Improbable Extremely unlikely to occur (1 occurrence per 100 years)

20

STEP 3 & 4 – SEVERITY AND LIKELIHOODSTEP 3 & 4 – SEVERITY AND LIKELIHOOD

EXAMPLE

22

STEP 5 – RISK EVALUATION

Determine what is / is not acceptable Acceptable level of Safety

Determine acceptability of identified risks Clearly unacceptable Clearly acceptable May be / may be not acceptable

Risk Classification

Probability Severity

Probability Qualitative Definition Quantitative

Definition 1 2 3 4 5

Frequently Likely to occur frequently. > 5*10-4 A A A A C

Probable Likely to occur several times during system life.

< 5*10-4 A A A B D

Occasional Occurs sometime during system life. < 1*10-5 A A B C D

Remote Unlikely to occur sometimes during system life.

< 1*10-6 A B C D D

Improbable Very unlikely to occur. < 1*10-7 B C D D D

Extremely Improbable

Extremely unlikely to occur. < 1*10-8 C D D D D

likelihood

likelihood

24

STEP 5 – RISK EVALUATIONSTEP 5 – RISK EVALUATION

EXAMPLE

25

STEP 6 – RISK MITIGATIONSTEP 6 – RISK MITIGATION

Identify potential causes for a risk to occur Some causes are identified during the hazard

identification Ensure that we have identified all causes

Identify potential mitigation Remove the risk (remove the cause of the risk) Reduce the risk

Reduce severity and/or probability

Identify preferred mitigation approach

26

Risk Classification

Probability Severity

Probability Qualitative Definition Quantitative

Definition 1 2 3 4 5

Frequently Likely to occur frequently. > 5*10-4 A A A A C

Probable Likely to occur several times during system life.

< 5*10-4 A A A B D

Occasional Occurs sometime during system life. < 1*10-5 A A B C D

Remote Unlikely to occur sometimes during system life.

< 1*10-6 A B C D D

Improbable Very unlikely to occur. < 1*10-7 B C D D D

Extremely Improbable

Extremely unlikely to occur. < 1*10-8 C D D D D

likelihood

likelihood

STEP 6 – RISK MITIGATIONSTEP 6 – RISK MITIGATION

29

STEP 6 – RISK MITIGATIONSTEP 6 – RISK MITIGATION

Performed by a small group System users/operational experts System technical experts Safety and human factors experts

Different experts may be required to: Performed detailed studies of the causes of a risk

Study system design to determine component potentially causing, e.g. loss of air situation display

Study procedures to determine where e.g. misunderstandings can arise

Ways to remove those causes

31

STEP 6 – RISK MITIGATIONSTEP 6 – RISK MITIGATION

EXAMPLE

32

STEP 7 - SAFETY ASSESSMENT DOCUMENTATION

The purpose: To provide a permanent record of the final result of

the safety assessment To provide the arguments and evidence

demonstrating that the risks associated with the implementation of the proposed system or change:

have been eliminated, or have been adequately controlled and reduced to a

tolerable level.