
EUROPEAN ORGANISATION FOR THE SAFETY OF AIR NAVIGATION

EUROCONTROL

EUROPEAN AIR TRAFFIC MANAGEMENT PROGRAMME

Category I (CAT-I) Ground-Based Augmentation System (GBAS) Safety Plan

GNS/02-019

Edition: V3.0
Edition Date: 30-JAN-2002
Status: Released Issue
Class: Restricted

DOCUMENT IDENTIFICATION SHEET

DOCUMENT DESCRIPTION

Document Title

Category I (CAT-I) Ground-Based Augmentation System Safety Plan

EWP DELIVERABLE REFERENCE NUMBER: GNS/02-019

PROGRAMME REFERENCE INDEX:    EDITION: 3.0

EDITION DATE: 30 JAN 2002

Abstract

This document has been developed by the Ground-Based Augmentation System (GBAS) Project within the EATMP Global Navigation Satellite System (GNSS) Programme. It includes Project objectives, system description, Project roles and responsibilities towards safety and the interfaces between relevant organisations. It includes a model for what should be contained in a Functional Hazard Assessment (FHA), Preliminary System Safety Assessment (PSSA) and System Safety Assessment (SSA).

Keywords

Global Navigation Satellite System (GNSS); Approval Plan; Ground-Based Augmentation System (GBAS); System Safety Assessment; ICAO CAT-I Precision Approach; Functional Hazard Assessment; GNSS Landing System (GLS); Safety Regulation

CONTACT PERSON: Eric PERRIN    TEL: 74 01    PROGRAMME: GNSS

DOCUMENT STATUS AND TYPE

STATUS: Working Draft [ ]; Draft [ ]; Proposed Issue [ ]; Released Issue [x]

CLASSIFICATION: General Public [ ]; EATMP [ ]; Restricted [x]

ELECTRONIC BACKUP

INTERNAL REFERENCE NAME: D:\ericp\Eurocontrol\GBAS\Safety Assessment\ApprovalPlan\GBAS_Safety_Plan_v3.0.doc

HOST SYSTEM: Microsoft Windows

MEDIA: Type: Hard Disk; Media Identification:

SOFTWARE: MS Office Word; MS Windows

CAT-I GBAS Safety Plan

Page v Edition: 3.0 GBAS Project

DOCUMENT APPROVAL

The following table identifies all management authorities who have successively approved the present issue of this document.

AUTHORITY | NAME AND SIGNATURE | DATE
GBAS Project Manager | (Bernd TIEMEYER) |
Programme Manager GNSS | (John STOREY) |
EATMP DSA Director | (George PAULSON) |

DOCUMENT CHANGE RECORD

The following table records the complete history of the successive editions of the present document.

EDITION | DATE | REASON FOR CHANGE | SECTIONS PAGES AFFECTED
0.1 | 04 APR 2001 | Creation | All
0.2 | 23 APR 2001 | Comments from DFS and EUROCONTROL | Sections 1.3, 2.4, 3.2, 5.1, 6 and 7
0.3 | 04 MAY 2001 | Comments from Skyguide | All
0.4 | 16 MAY 2001 | Comments from the GBAS Safety Workshop | All
0.5 | 12 JUNE 2001 | Comments from STNA | All
1.0 | 27 JUNE 2001 | Comments from SRU/SQS; 1st submission to SRC | Sections 1.2, 1.3, 1.6, 2.3, and 4.2
2.0 | 27 NOV 2001 | Comments from SRC; 2nd submission to SRC | All
3.0 | 30 JAN 2002 | Released issue | --

TABLE OF CONTENTS

DOCUMENT IDENTIFICATION SHEET
DOCUMENT APPROVAL
DOCUMENT CHANGE RECORD
EXECUTIVE SUMMARY

1. INTRODUCTION
1.1 Aims and Objectives of the Safety Plan
1.2 Background
1.3 EATMP GBAS Project Objectives
1.4 Specific GBAS Project Safety Objectives
1.5 GBAS System Description
1.6 Scope of Plan
Safety Plan Structure

2. SAFETY CRITERIA AND REGULATORY BACKGROUND
2.1 Overview
2.2 ICAO - GBAS SARPS and PANS-OPS
2.3 EUROCONTROL Requirements
2.4 Other International Standards

3. SAFETY ASSESSMENT APPROACH
3.1 Scope
3.2 Functional Hazard Assessment
3.3 PSSA and SSA
3.4 Safety Case

4. ROLES AND RESPONSIBILITIES
4.1 EATMP GBAS Project
4.2 SRC/SRU/JAA
4.3 SQS
4.4 National Regulatory Bodies
4.5 States ANS providers
4.6 Ground Station Vendors and Avionics Manufacturers
4.7 Airports and Airlines

5. SAFETY ASSURANCE
5.1 Introduction
5.2 Critical Reviews
5.3 Operational Trials
5.4 Monitoring

6. SCHEDULE AND DELIVERABLES
6.1 Overall Safety Assessment Schedule
6.2 Consultation with SRC
6.3 Resources

7. SAFETY MANAGEMENT SYSTEM

8. FURTHER ACTIONS FOR STAKEHOLDERS ARISING FROM SAFETY ASSESSMENT PROCESS
8.1 Overview
8.2 Illustrative Example with respect to Pilot Training

9. REFERENCES

10. ACRONYMS AND ABBREVIATIONS

11. TERMS AND DEFINITIONS - GLOSSARY

EXECUTIVE SUMMARY

This document has been developed by the Ground-Based Augmentation System (GBAS) Project within the EATMP Global Navigation Satellite System (GNSS) Programme. It outlines a "route map" for the safety assessment of GBAS CAT-I approaches. It does not contain the safety assessment itself; this will be contained in accompanying documents yet to be prepared. The Safety Plan clarifies how technical and operational issues can be handled within a coherent framework. It also shows how the ground and airborne sub-systems can be treated in a harmonised manner.

It is intended that the Safety Plan will aid service providers by:

• Indicating what safety assessment activities will be addressed at a European level;

• Demonstrating techniques for conducting safety assessments that need to be done at national/ local level; and

• Illustrating the roles and responsibilities of other GBAS stakeholders.

It includes Project objectives, system description, Project roles and responsibilities towards safety and the interfaces between relevant organisations. It includes a model for what should be contained in a Functional Hazard Assessment (FHA), Preliminary System Safety Assessment (PSSA) and System Safety Assessment (SSA).

1. INTRODUCTION

1.1 Aims and Objectives of the Safety Plan

The Safety Plan outlines a "route map" for the safety assessment of GBAS CAT-I approaches. It does not contain the safety assessment itself; this will be contained in accompanying documents yet to be prepared. The Safety Plan clarifies how technical and operational issues can be handled within a coherent framework. It also shows how the ground and airborne sub-systems can be treated in a harmonised manner.

It is intended that the Safety Plan will aid service providers by:

• Indicating what safety assessment activities will be addressed at a European level;

• Demonstrating techniques for conducting safety assessments that need to be done at national/ local level; and

• Illustrating the roles and responsibilities of other GBAS stakeholders.

1.2 Background

This Safety Plan is intended to be a living document that will evolve throughout the lifecycle of the GBAS Project in order to ensure that, at any given time, it gives a valid picture of how the safety assessment process will be or is being applied.

CAT-I/II/III operations at European airports are presently supported by Instrument Landing Systems (ILS). The continued use of ILS-based operations as long as operationally acceptable and economically beneficial is promoted by the European Strategy for the planning of All Weather Operations (AWO). However, in ECAC, the forecast traffic increase will create major operational constraints at all airports, in particular in Low Visibility Conditions (LVC) with the decreased capacity of runways. Consequently, the technical limitations of ILS such as VHF interference, multipath effects due to, for example, new building works at and around airports, and ILS channel limitations will be a major constraint to its continued use.

Hence, ILS CAT-I is expected to remain in use until the end of its service life at locations where there is no stringent requirement for upgrading/replacing and it is expected that ILS CAT-I will be progressively superseded by GNSS using Space- or Ground-Based Augmentation Systems (SBAS/GBAS). Since GBAS is expected to be an important component making GNSS a truly gate-to-gate navigation system and airspace users acknowledge that it is a major step towards the operational use of satellite navigation systems for civil aviation applications, GBAS CAT-I operations will need to be successfully implemented to allow lessons to be learnt from that experience. Implementation of GBAS could be achieved in ECAC as early as 2004-2005.

The validation of the GBAS SARPs for CAT-I operations was completed at the ICAO GNSSP Working Group B meeting in Seattle in June 2000 (Ref.) and the SARPs should become applicable in the fall of 2001, making GBAS a world-wide recognised system. The Minimum Operational Performance Specification (MOPS) for GBAS Ground Station are being developed by the EUROCAE WG28 SG2 (Ref.). In parallel to the work conducted by SG2, members of SG3 are developing MOPS for Multi-Mode Airborne Receiver (MMR) that include GNSS (Ref.).

The process of Technical Approval is already ongoing in some ECAC states. It has been recognised that there is also a need for an Operational Safety Assessment of GBAS CAT-I approaches. EUROCONTROL is working with stakeholders to define the requirements for an Operational Safety Assessment. The combination of Technical Approval plus the Operational Safety Assessment will cover the equipment, human, and procedural aspects of GBAS as well as its operational environment, and will ensure that there has been an end-to-end assessment of the safety of GBAS.

The following figure illustrates how the Technical Approval Process and Operational Safety Assessment are intended to interact. In combination they will provide the evidence whether GBAS is safe for operational use.

Figure: Interaction of Technical Approval Process and Operational Safety Assessment

[Flowchart: Start -> Technical Approval Process -> "Relevant technical certification requirements met?" (No - redesign; Yes) -> Operational Safety Assessment -> "GBAS safe for operational use?" (No - risk reducing measures; Yes - start operations). Also labelled on the chart: "Operational assumptions +" and "Issues relevant to operations".]

This Safety Plan defines the safety activities that will form the safety assessment. It includes programme objectives, system description, programme roles and responsibilities towards safety and the interfaces between relevant organisations.

Evidence and arguments that GBAS-based CAT-I precision approach operations are tolerably safe will be provided in the GBAS Safety Case.

1.3 EATMP GBAS Project Objectives

The GBAS Project is required to comply with the safety regulatory requirements of the Safety Regulation Commission (SRC), recommendations of the EATMP Safety Policy and declarations of safety objectives and requirements in the GBAS Safety Policy (Ref.).

The GBAS Project, in order to proceed with a robust GBAS operational implementation to support CAT-I precision approach operations, requires that Flight Inspection and Flight Procedures, and ATC and AIS procedures be developed and that training of aircrew and ATC staff be performed prior to the start of GBAS-based operations.

1.4 Specific GBAS Project Safety Objectives

The following safety objectives are proposed for the GBAS project:

• GBAS CAT-I approaches should be at least as safe as ILS CAT-I approaches. The latter are accepted internationally as safe.

• The safety criteria set by the SRC should be met (Ref.).

1.5 GBAS System Description

Overview

The GNSS/ GBAS system consists of three primary sub-systems as shown in the following figure:

Figure: GNSS/GBAS System Overview

1. The satellite sub-system which produces ranging signals.

2. The GBAS ground sub-system collects pseudoranges for all GNSS satellites within view and then computes and broadcasts differential corrections for them based on its own surveyed position. In the timeframe of initial implementation, it is anticipated that the United States’ Global Positioning System (GPS) and the Russian Global Navigation Satellite System (GLONASS) will be the only satellite constellations declared operational for civil use. However, additional ranging sources from geostationary satellites (Satellite-Based Augmentation System – SBAS) may also be available. High integrity computed corrections are transmitted from the ground system via a Very High Frequency (VHF) Data Broadcast (VDB) together with GBAS ground system related data and the Final Approach Segment (FAS) data. The FAS is a line in space defined by different parameters including amongst others the landing threshold point, the threshold crossing height and the glide path angle.

In addition to the technical equipment elements of the ground sub-system, the human and procedural elements also need to be considered. These include ATC tasks, communication and reversionary procedures, issue of NOTAMS and AIS procedures generally and ground station database input.

3. Aircraft sub-systems within the area of coverage of the ground station use the broadcast corrections to compute their own measurements in line with the differential principle. After selection of the desired FAS for the landing runway, the differentially corrected position is used to generate navigation guidance signals. Those are lateral and vertical deviations as well as distance to the threshold crossing point of the selected FAS and an integrity flag. In order to minimise impact upon current aircraft design and thereby certification effort, guidance information output from a Multi-Mode Receiver (MMR) is consistent with ILS requirements (‘ILS look-alike’). The option of rectilinear scaling may need to be evaluated.

For the airborne sub-system human and procedural elements also need to be considered. These include pilot tasks, flightdeck procedures and all the relevant interfaces between the technical, human and procedural elements and the ground and airborne sub-systems.

The satellite constellations are not under the direct control of the ECAC States but the integrity of GBAS is assured by the ground component. ICAO SARPS cover the interface issues with the space sub-system.

Boundaries of GBAS under study

The safety assessment is studying the safety of CAT-I precision approaches. The CAT-I operational range is defined from the Final Approach Fix (FAF) down to Decision Altitude (DA). However, flight and operational phases that affect final approach also need to be considered, e.g. if GBAS approach is selected by the pilot in the intermediate approach this task needs to be considered. In addition the safety of missed approach must be studied in detail as this phase cannot be divorced from final approach. With respect to final approach below the DA, this phase will be considered initially, but it is anticipated that it can be screened out as it should be no different from an ILS approach. In the case of an auto-land the safety assessment of this operation is considered to be the responsibility of the airline and outside the scope of this plan.

The analysis will adopt a total aviation system approach. However, based on discussions with stakeholders, the technical elements are assumed to deliver the performance requirements laid out in the ICAO SARPs and these are not to be revisited. Any operational assumptions made in the technical approval are of interest however, as are technical issues that impact operational use (e.g. system failure characteristics). In order to show compliance with JAR 25.1309 requirements, the JAA will be required to perform the airborne operational safety assessment for certification of the airborne equipment for installation on the aircraft. In order to avoid duplication of efforts, JAA and the EATMP GBAS Project have established arrangements for co-operation which are fundamental for the efficient implementation of GBAS. This will ensure that airworthiness and operational requirements are effectively co-ordinated with Air Traffic Management development for GBAS.

ICAO's Obstacle Clearance Panel (OCP) develops procedure design criteria for specific operations. These criteria are designed to meet a specific target level of safety (TLS). In the context of the safety assessment these OCP criteria are considered to be internationally accepted “state of the art”. Hence it is not within the scope of the safety assessment to re-investigate these criteria.

It is assumed that a GBAS system is only providing guidance to one airport. Given the projected progress of GBAS implementation, it is not judged at this stage worth considering the extra complications that would arise from use of one GBAS system at multiple airports. Such use would require an additional safety assessment.

This subsection defines the boundaries of the GBAS system under study. Organisational boundaries and interfaces are described in Section 4.

Operational System Elements

The following human and procedural elements of the system have been identified to date as relevant to the Operational Safety Assessment:

Human

• Pilot tasks including pre-flight activities and flight preparation (e.g. checking NOTAMS), communication with ATC, selection of GBAS approach, changeover from en-route navigation equipment to GBAS, capturing the GBAS signal, monitoring final approach, decision-making with respect to conducting a missed approach, contingency arrangements (e.g. in event of failure of GBAS system).

• ATC tasks;

• Ground station operational/maintenance tasks;

• Training (ATC, Flight Crew and ground station operational/maintenance personnel), working methods of controllers.

Procedural

• Flight plan identification;

• Communications procedures;

• Emergency/ reversionary procedures (including procedures for ATC if a number of aircraft lose GBAS facility simultaneously);

• Availability of reversionary operational procedures;

• Performance monitoring;

• Interference monitoring and control;

• Flight inspection procedures;

• Issue of NOTAMS/ charts and AIS procedures in general;

• Ground station database input management (including production and processing of database information). In particular GBAS related data (Message Type 2) and Final Approach Segment data (Message Type 4).

• Predicted ranging source availability (optional message Type 5)?

This list will be updated after further consultation with stakeholders.

Operational Environment

Assumptions about the operational environment will need to be made in the following areas before the safety assessment is carried out. Assumptions will represent best practice. However, in certain circumstances, a State may need to revisit assumptions to reflect its local environment and activities. Those assumptions are related to but not limited to:

• Current CNS/ATM capabilities - Primary radar + SSR environment for surveillance? VHF voice communications between ATC and aircraft. Navigation by GBAS, plus some aircraft using ILS, MLS or SBAS. What mix should be assumed?

• Separation - Minimum Radar Separation or Wake Turbulence Separation on final approach.

• Traffic characteristics - density per hour? Any assumptions about intermediate approaches and interface with final approach that are relevant? Aircraft mix.

• Aircraft performance - all doing GBAS approaches or mixture to same runway? All aircraft certified for CAT-I approaches.

• ATC centre provisions - what provisions will there be for monitoring of GBAS?

• Airport infrastructure – GBAS Ground Station siting issues and changes, characteristics of airport runways, availability of visual aids, airspace class. Are there multiple runways which will affect the availability requirement?

• Interference monitoring and control - what assumptions should be made?

• Topography - any assumptions to be made? N.B. OCP criteria will take account of topography.

• Environmental constraints - not relevant for final approach?

• Operational procedures - e.g. assumptions related to missed approach

Prior to conducting a safety assessment, a screening exercise will probably be able to simplify this list of potential assumptions, by excluding those which have no relevance for GBAS safety.

1.6 Scope of Plan

As noted above, the scope of this plan while adopting a total aviation system approach covers assessment of the operational safety of GBAS. The technical elements are assumed to deliver the performance requirements laid out in the ICAO SARPs. OCP procedure design criteria are also excluded from the scope.

The requirements for a Functional Hazard Assessment (FHA) are covered in some detail within the Safety Plan. Details of the Preliminary System Safety Assessment (PSSA) and System Safety Assessment (SSA) will be further defined after completion of the FHA (by the end of 2001).

Safety Plan Structure

The structure of the Safety Plan is as follows:

Section 2 - Safety Criteria and Regulatory Background
Section 3 - Safety Assessment Approach
Section 4 - Roles and Responsibilities
Section 5 - Safety Assurance
Section 6 - Schedule and Deliverables
Section 7 - Safety Management System
Section 8 - Further Actions for Stakeholders Arising from Safety Assessment Process
Section 9 - References
Section 10 - Acronyms and Abbreviations

The Safety Plan will be updated as the GBAS project progresses.

2. SAFETY CRITERIA AND REGULATORY BACKGROUND

2.1 Overview

Figure 2.1 provides an overview of regulations and guidance material applicable to GBAS. It is based on a paper prepared by the EATMP GNSS Programme in co-operation with EUROCONTROL’s DSA/SQS unit (Ref.). The diagram divides technical and operational aspects to clarify the scope of the proposed Operational Safety Assessment. The technical aspects of GBAS are covered by the regulations and guidance material shown in Figure 2.1; these are described below in Sections 2.2 to 2.4. The Safety Assessment Methodology, SAM, will be deployed to cover:

• The operational elements associated with the airborne and ground sub-systems outlined in Figure 2.1 (shaded blue);

• The interfaces between the operational elements associated with the airborne and ground sub-systems; and

• The relevant interfaces between the technical and operational elements (i.e. assumptions made about operational issues during the technical approval studies as well as technical issues that impact operational use).

2.2 ICAO - GBAS SARPS and PANS-OPS

The Operational Safety Assessment will assume that the ground and airborne segments as well as the Signal In Space will be ICAO GBAS SARPs compliant as a minimum. In addition it is assumed that final approach procedures are compliant with PANS-OPS.

For the airborne and ground subsystems, the regulatory material shown in Figure 2.1 is not necessarily applied since ICAO SARPs is the only international standard.

Figure 2.1: Overview of Relevant Regulations/ Guidance

[Diagram: GBAS System (SARPS), divided into an Airborne Sub-System and a Ground Sub-System, each with technical and operational elements and the associated regulations/ guidance.

Airborne Sub-System, technical: Navigation System, Airframe Integration, Maintenance of Equipment. Regulations/ guidance: ARP 4761, JAR 25, DO-178B, DO-248, IEC 61508, JAR NPA AWO 9, MMR MOPS, Non-MMR MOPS.

Airborne Sub-System, operational: Pilot tasks, Flightdeck procedures (communications, emergency/ reversionary), Other. Regulations/ guidance: SAM, with operational assumptions from technical requirements.

Ground Sub-System, technical: Ground Station Hardware, Software, Maintenance of Equipment. Regulations/ guidance: IEC 61508, GBAS MOPS (to be developed), ESARR6 (working draft).

Ground Sub-System, operational: ATC tasks, Procedures (communications, emergency/ reversionary), Issue of NOTAMS/charts, GS database input, Maintenance. Regulations/ guidance: SAM, with operational assumptions from technical requirements.

Ground Sub-System: Interference monitoring and control.

Flight Procedure: PANS-OPS.]

2.3 EUROCONTROL Requirements

The following represent the Safety Assessment requirements and guidance produced by EUROCONTROL:

EUROCONTROL Safety Regulatory Requirement: Risk Assessment and Mitigation in ATM (ESARR 4, Ref.) - identifies the requirement for the structured assessment and mitigation of risk. This document also identifies the severity and risk classification schemes for the ECAC region. The severity scheme is shown in the table "Severity Classification Scheme in ATM" and the risk classification scheme in the figure "Risk Classification Scheme in ATM". That figure only refers to an overall safety performance of ATM at ECAC and national level and is not directly applicable to the classification of individual hazards. To achieve this a method of apportionment of the overall probability to the constituent parts of the ATM system may need to be developed. The figure, taken from ESARR4, assumes an ECAC safety minimum of a "maximum tolerable probability of ATM directly contributing to an accident of a Commercial Air Transport aircraft of 1.55 x 10^-8 accidents per Flight Hour" [1]. For the GBAS safety assessment consideration may also have to be given to non-ATM contributions to risk.

Figure: Risk Classification Scheme in ATM

Severity Class | Maximum tolerable probability of ATM direct contribution
1 | 1.55 x 10^-8 per flight hour
2 | To be included in a future revision of ESARR 4, once enough safety data have been collected according to ESARR 2*
3 | To be included in a future revision of ESARR 4, once enough safety data have been collected according to ESARR 2*
4 | To be included in a future revision of ESARR 4, once enough safety data have been collected according to ESARR 2*
5 | To be included in a future revision of ESARR 4, once enough safety data have been collected according to ESARR 2*

* To be determined at national level based on past evidence on numbers of ATM related incidents.

As a necessary complement to the demonstration that these quantitative objectives are met, additional safety management considerations shall be applied so that more safety is added to the ATM system whenever reasonable. An approach to this requirement is set out in Section 3 of this Safety Plan.

[1] Or a maximum tolerable probability of ATM directly contributing to an accident of a commercial Air Transport aircraft of 2.31 x 10^-8 accidents per flight.

CAT-I GBAS Safety Plan

Page 13 Edition: 3.0 GBAS Project

Table 2.3: Severity Classification Scheme in ATM

Severity Class 1 [Most Severe]
Effect on Operations: Accidents
Examples of effects on operations include:
• one or more catastrophic accidents,
• one or more mid-air collisions
• one or more collisions on the ground between two aircraft
• one or more Control Flight Into Terrain
• total loss of flight control.
No independent source of recovery mechanism, such as surveillance or ATC and/or flight crew procedures can reasonably be expected to prevent the accident(s).

Severity Class 2
Effect on Operations: Serious Incidents
Examples of effects on operations include:
• large reduction in separation (e.g. a separation of less than half the separation minima), without crew or ATC fully controlling the situation or able to recover from the situation.
• one or more aircraft deviating from their intended clearance, so that abrupt manoeuvre is required to avoid collision with another aircraft or with terrain (or when an avoidance action would be appropriate).

Severity Class 3
Effect on Operations: Major incidents
Examples of effects on operations include:
• large reduction in separation (e.g. a separation of less than half the separation minima), with crew or ATC controlling the situation and able to recover from the situation.
• minor reduction in separation (e.g. a separation of more than half the separation minima) without crew or ATC fully controlling the situation, hence jeopardizing the ability to recover from the situation (without the use of collision or terrain avoidance manoeuvres).

Severity Class 4
Effect on Operations: Significant incidents
Examples of effects on operations include:
• increasing the workload of the air traffic controller or aircraft flight crew, or slightly degrading the functional capability of the enabling CNS system.
• minor reduction in separation (e.g. a separation of more than half the separation minima) with crew or ATC controlling the situation and fully able to recover from the situation.

Severity Class 5, No safety effect [Least Severe]
Effect on Operations: No immediate effect on safety
Examples of effects on operations include:
No hazardous condition, i.e. no direct or indirect impact on the operations.

Note: The worst credible effect in the environment of operations determines the severity class.

The severity classification of effects is common to that in ESARR 4 but the examples chosen relate to a priori assessment. This list is by no means exhaustive.


EUROCONTROL EATMP Air Navigation System Safety Assessment Methodology [SAM] - provides guidance on the preferred methodology for the assessment of ATM system safety within EUROCONTROL. This methodology is referenced in ESARR4. The methodology currently only covers the Functional Hazard Assessment, FHA (Ref.). Further guidance on Preliminary System Safety Assessment (PSSA) and System Safety Assessment (SSA) will be issued in 2001 and 2002 respectively.

EUROCONTROL Safety Regulatory Requirement - Software in ATM Systems (ESARR 6, working draft) is related to the use of software in safety-related ground-based ATM systems. Although it is still in a working draft format, the document might be considered as useful guidance when considering the use of software assurance systems for GBAS.

Other International Standards

The Aerospace Recommended Practice (ARP) 4761, developed by the Society of Automotive Engineers (SAE), provides guidelines and methods for evaluating the safety aspects of design of civil airborne systems and equipment. It aims to show systems and equipment compliance with applicable requirements contained in FAR/JAR 25.1309 Code (or other FAR/JAR advisory material for propeller-driven aircraft). Consequently, the ultimate objective is to get airworthiness approval and the issue of type certificates or changes to those certificates (Supplemental Type Certificate – STC), for Large Turbine-powered Aeroplanes. The safety assessment process described in ARP4761 is based on FHA, PSSA and SSA. It ends with the verification that the design meets the safety requirements, i.e. at the end of the design phase. ARP4761 is intended to be used in conjunction with, in particular, the RTCA DO-178B document. It should be noted that ARP 4761 is not the only approach to achieving airborne certification.

The DO-178B/ED-12B document provides guidelines for the production of airborne equipment software in order to ensure the integrity and reliability of such software. In addition, RTCA Special Committee SC-190/EUROCAE Working Group WG52 has issued the DO-248 document, entitled “First annual report for clarification of DO-178B”, that provides clarification and resolution of inconsistencies of the guidance material contained in the latter. This document provides industry and certification authorities with errata material and answers to frequently asked questions. It does not contain additional guidance material.

The Minimum Operational Performance Specification for a Global Navigation Satellite System Ground Based Augmentation System to support CAT-I operations Ground Equipment, hereinafter referred to as the GBAS MOPS, are developed by the EUROCAE WG28 SG2. The document describes minimum requirements for the safety assessment to be performed by vendors of GBAS Ground Stations. Consequently, the GBAS MOPS are oriented towards type acceptance of ground systems. In parallel to the work conducted by SG2, members of SG3 are developing MOPS for Multi-Mode Airborne Receiver (MMR) that include GNSS. This draft document, referred to as ED88A, provides minimum performance specifications for the airborne portion of the ILS, MLS and GNSS Landing System(s) (GLS). MOPS for the airborne sub-system, not related to the MMR, are also being developed by RTCA (DO-253).

JAR-AWO NPA AWO (draft) presents requirements for the "ILS look-alike" concept. It defines the concept and includes the interface with downstream system users. The certification process is described.

Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC 61508 standard, addresses the use of these systems in safety functions. To achieve safety, certain planning, design, analysis and verification activities must take place. The achievement should be measured throughout the life cycle based on a combination of product, process and competency. This standard will become EN 61508.


SAFETY ASSESSMENT APPROACH

Scope

The central objective of the safety assessment is to ensure that the GBAS system will be acceptably safe once in operational use. The EATMP SAM framework will be used to conduct the safety assessment for the total aviation system. At this stage it is possible to define in some detail how the first stage of the SAM, the Functional Hazard Assessment (FHA), will be carried out. The requirements for the subsequent stages, the PSSA and the SSA, will become clearer during the course of the FHA stage; hence they are described in less detail below.

The following sections outline an approach which is consistent with ESARR4. It should be noted that this section combines Sections 3 and 5 suggested in the EUROCONTROL guidance on Safety Plans (Ref.).

Functional Hazard Assessment

Introduction

The structure for the FHA outlined below is based on EUROCONTROL’s "Functional Hazard Assessment", SAM SAF.ET1.ST03.1000-MAN-01-00. For consistency the outline uses the stages described in EUROCONTROL’s FHA document.

FHA Initiation and Planning

The following tasks should be undertaken/checked in the first phase of the FHA:

• Plan each step of the FHA - this can build on the outline included within this Safety Plan.
• Identify the main stakeholders - it is believed that this has already been carried out in Section 4 of the Safety Plan, but checks should be made to ensure that no gaps exist.
• Organise the resources that will be required. This is especially important for the hazard identification sessions (HAZIDs) as there can potentially be long lead times in terms of organising dates when all the specialists are available.
• Identify and order material relevant to hazard identification, e.g. historical incident review (AIRPROXs or incidents on final approach), any data from trials, preliminary experience with differential GNSS systems, etc.
• Produce a system description and an operational environment description - these can build on the material that is within the Safety Plan.
• Summarise relevant material from previous GBAS safety studies. This should include a list of operational assumptions made during the Technical Approval process.
• Develop an appropriate risk classification scheme. It is proposed that two approaches are considered with respect to classifying the hazards identified. The first approach would be based on the severity indicators described in EUROCONTROL’s FHA document (Table I-4). The second approach would be to compare hazards identified in the GBAS FHA with a relevant system that is already considered acceptably safe by the aviation community. A relevant system would be ILS. In terms of CAT-I approaches, GBAS could be considered to resemble ILS in terms of functions to be performed and the extensive history of ILS operational use has demonstrated that it is acceptably safe. Hence the criteria for using such a relative approach, as set out in EUROCONTROL’s FHA document (pg. I-49), are satisfied.

Hazard Identification and Safety Objectives Specification

Preparation for the HAZID should include:

• Decomposing the operational system description developed above into key functions based on:
  - Pilot tasks
  - ATC tasks
  - Pilot-ATC interactions/communications
  - Procedures (including communications and emergency/reversionary)
  - Interfaces with technical elements (i.e. inputs/outputs to and from the avionics and ground station)
  - External factors (e.g. weather)
• Structuring the HAZID in such a way to facilitate the brainstorming process. This could be based on a combination of flight phase and relevant functions.
• Preparing a checklist of key issues that should be covered to help the chairperson prompt the group.
• Briefing participants as to what is expected from them in advance.

Participants for the GBAS HAZID should include:
• Pilots
• Controllers
• Operational personnel (familiar with production of AIS information and proposed support functions such as ground station database management)
• System designers from ground and airborne sides (familiar with the overall system and the assumptions made regarding operations)
• GBAS experts
• Safety specialists

It is proposed that the HAZID would be run in the following manner (this process is open to proposed changes):

1. After introductions and a briefing on the purpose/structure of the HAZID, the group would run through the assumptions on system operation and the operational environment. These will be reviewed and extra assumptions added during the course of the HAZID when necessary. This will establish the basis for the HAZID.

2. The chairperson will lead the group through each key function. For each function the following items will be discussed:

Failure mode - prompt words/phrases can be used by the chair to help the group identify potential failure modes. Examples of these are given in Table I-2 in the FHA document.

Cause - it is useful to record the possible causes of the identified failure mode. This leads to the subsequent identification of mitigating measures, or extra safeguards that are needed.

Operational consequence - the operational effects of the failure are discussed and recorded, whereupon the safety consequences are based on these operational consequences. This should make the severity assessment easier for operational experts participating in the FHA sessions.

Hazard description - the effects in terms of the safety of Air Navigation Services are recorded, considering potentially adverse operational and environmental conditions.

Current/planned safeguards - safeguards that already exist within the system or are planned when GBAS is introduced should be recorded. It is important that these are highlighted in case future operational changes should affect any of these identified safeguards.

Severity (absolute) - the severity of the hazard based on the EUROCONTROL classification scheme is assessed and recorded together with the rationale for the classification.

Severity (relative to ILS) - the alternative approach to classification is to assess the hazard relative to ILS. If there is no significant change from the ILS system this should be recorded. If there is a significant change (with either positive or negative impacts on severity) this should also be recorded.

Recommendations / comments - the final item allows general comments to be recorded or provisional recommendations if the group believes that the current safeguards are not commensurate with the severity and perceived likelihood of the hazard. Such recommendations should be collected together in a register of suggested risk reducing measures. Later stages of the safety assessment should address each of these suggested measures in the demonstration that risks have been reduced as far as reasonably practicable. Either the measure should be incorporated or else justification must be given (and documented) to record why the measure was not practicable.

Table 3.1 shows a couple of illustrative GBAS operational functions and how a group might assess them using the structure above. It is stressed that this is only illustrative; however, this table provides an indication that such a structure is workable and would provide outputs that will be useful to the safety assessment process.

It should be noted that deriving severities for each hazard can be a judgemental process, one that does not always fit well within a creative brainstorming session. Thus it may be that severities are addressed once the notes from the brainstorming sessions are collated and ordered.

The HAZID records should be circulated to the session participants so that they have a chance to correct any mis-interpretations.

Once the records have been reviewed and severities allocated, safety objectives need to be specified, i.e. an assessment needs to be made of how often the hazard can be tolerated. As noted above, this can use relative or absolute safety objectives. The objectives could be qualitative or quantitative. There are certain advantages in setting quantitative objectives (these are noted in the FHA document, pg. I-48). A key benefit is that it forces the subsequent safety to adopt a quantitative approach, and imposes a degree of rigour on the assessment which is of benefit in terms of understanding the system better and how it can fail. However, it needs to be recognised that there are practical limitations to the degree of quantification that is justifiable, particularly when operational aspects related to human performance are being considered. Hence at this stage, it is considered that a combination of quantitative (e.g. statistical/probabilistic analyses) and qualitative (e.g. expert judgement) arguments might be used to identify safety objectives.

The main outputs from this stage will be:

• HAZID records
• Register of hazards
• Register of suggested risk reducing measures (to be continually updated during course of safety assessment - this will be a key part of the ALARP demonstration)
• Safety objectives and action items - allocated to relevant stakeholders.

FHA Evaluation

It is proposed that the outputs from the stages above are evaluated by:

• Safety specialists, e.g. drawn from EUROCONTROL’s SQS department or State’s personnel. This would be to ensure that the FHA process has been followed correctly.
• Stakeholders - this would be to ensure that any assumptions about GBAS operations and the operational environment are sensible and that the outputs from the process are realistic.

FHA Completion

The results from the previous stages will be documented in full and put under an appropriate documentation control scheme. The document will be disseminated to all interested stakeholders.

It should be noted that the hazard identification will need to be revisited during the safety assessment process as more information becomes available or assumptions are changed.

Table 3.1: Illustrative HAZID sheet for GBAS

Row 1
Function: Pilot selects GBAS approach identifier
Failure Mode: Incorrect identifier chosen by pilot
Cause: Lapse, distraction, confusing HMI, etc.
Operational Consequence: Potential confusion on flight deck. Aircraft lines up on wrong approach at airport?
Hazard Description: Increased pilot workload at critical phase of flight. Potential for increased ATC workload if they are needed to resolve confusion.
Current/planned Safeguards: Distinct five numeric ID for GBAS with channel numbers from 20000 to 39999 to distinguish them from SBAS, etc. Cross check procedures on flightdeck. HMI accounted for in aircraft integration of approach selection.
Severity (absolute scale): ?
Severity (relative to ILS): Are failures in selection process for GBAS approach more or less serious than ILS selection?
Recommendations / Comments: (none recorded)

Row 2
Function: FAS up-linked to aircraft
Failure Mode: Wrong FAS data input to GS database
Cause: Inadequate procedures, inadequate training, etc.
Operational Consequence: Hazardously misleading information to aircraft
Hazard Description: Aircraft deviates from intended approach path with potential for collision into terrain or obstacles (mid-air collision less of a hazard on final approach)
Current/planned Safeguards: Procedure for input of data to GS (developed yet?). Checking of FAS data at GS. Cross checks by pilots.
Severity (absolute scale): ?
Severity (relative to ILS): New additional hazard compared to an ILS approach
Recommendations / Comments: Develop operational procedures (if not already done) covering the input of FAS data to GS database

PSSA and SSA

Introduction

The main outputs from the FHA will include identification of hazards and analysis of their severity. To assess risk, the likelihood of these hazards being realised needs to be determined. Hence during PSSA and SSA the frequencies of hazards and their possible outcomes need to be estimated. Once this has been done frequencies and consequences can be combined together to provide measures of risk. These risk estimates can then be assessed against appropriate criteria. To ensure that risks are ALARP, each risk reducing measure proposed during the course of the safety assessment will be evaluated; the practicability of the measure will be balanced against its safety benefit and an assessment about the measure made and documented.

This framework is illustrated in the figure "Safety Assessment Framework". The main stages of PSSA and SSA are expanded below.

Figure: Safety Assessment Framework

FHA

Stage: System Definition
  Activities: Functional decomposition
  Outputs: Basis for analysis; Assumptions

Stage: Hazard Identification and Analysis
  Activities: Task analysis; Historic data; HAZID
  Outputs: Hazard Register; Extra potential risk reducing measures; Impact of GBAS v ILS (+, 0, -)

Stage: Consequence and Criticality Assessment
  Activities: Adoption of risk classification scheme; Assign severities to hazards
  Outputs: Severity classification (Table 2.3); Safety requirements/objectives

PSSA & SSA

Stage: Frequency Analysis
  Activities: Fault tree analysis; Event tree analysis; Expert judgement
  Outputs: Best-estimate frequencies; Likelihood classification (Figure 2.2); Uncertainty ranges

Stage: Risk Results
  Activities: Combining frequencies / consequences
  Outputs: Frequency of exceeding containment surfaces; Risk matrices (Figure 2.2)

Stage: Review of Controls & Risk Reducing Measures
  Activities: Identify key planned controls; Analyse proposed risk reducing measures
  Outputs: Effectiveness of extra measures; Practicability of measures

Stage: ALARP Demonstration
  Activities: Balance effectiveness and practicability
  Outputs: Requirements to demonstrate ALARP

Frequency Analysis

There are various techniques available to conduct frequency estimation. For the Operational Safety Assessment, where human actions and procedures are of most importance, two of the most important techniques are likely to be fault tree analysis (FTA) and event tree analysis (ETA).

FTA breaks down an incident into its component causes, including human error. It uses a logical representation of the many events and component failures which can combine to cause a critical "top event". An example fault tree is shown in the figure "Example Fault Tree for FAS Data Error" for a deviation caused by error in the FAS data. The top event is a deviation beyond a defined containment surface during final approach using GBAS. The immediate causes of this are taken to be an error in the ground station database and failure of flightdeck cross checks to detect this error. An error in the GS database could arise either because the data is input incorrectly or data corruption occurs after input. Data corruption and failure to detect is considered as a technical issue and colour coded appropriately. A data input error requires the initial error and failure of cross checks in the input process. Initial input errors could arise from a number of causes (to be defined). Colour coding can also be used to highlight the existing controls/safeguards currently in the system. Fault trees can be used for qualitative and/or quantitative analysis. For quantitative analysis, values based on actual data or expert judgement need to be assigned to the basic events within the tree.

Figure: Example Fault Tree for FAS Data Error

Aircraft deviates beyond containment surface (AND)
  - Error in ground station database (OR)
      - Error entered in database (AND)
          - Initial error entered into database (OR): Cause, Cause, Cause
          - Failure of control measures in database input process
      - Data corruption (Technical)
  - Failure of flightdeck cross checks to detect error

Legend: current/planned safeguards - basic event; technical faults, ex-scope.

An Event Tree is a graphical representation of a logic model which identifies and quantifies possible outcomes following an initiating event. An illustrative example is shown in the figure "Example Event Tree for Outcome of Deviation". The input to this tree is a deviation on final approach. The Event Tree shows three example nodes covering:

• Detection of deviation by pilots;
• Detection of deviation by ATC; and
• Correction of the deviation following one of the two detection mechanisms above.

The outcomes are simply shown as deviation corrected or potential collision but different outcomes could be represented such as controller overload, deviation beyond a defined containment surface etc.

Figure: Example Event Tree for Outcome of Deviation

Initiating event: Aircraft deviates due to incorrect FAS data

Deviation detected by pilots | Deviation detected by ATC | Deviation corrected | OUTCOME
Yes | - | Yes | Deviation corrected
Yes | - | No | Potential collision with terrain/obstacle
No | Yes | Yes | Deviation corrected
No | Yes | No | Potential collision with terrain/obstacle
No | No | - | Potential collision with terrain/obstacle

In conducting the frequency analysis consideration will be given to dependencies and common-cause failures. For example, GBAS failures could affect several aircraft simultaneously including aircraft at different airports if a GBAS system is being shared among airports. The wide-ranging effect of such failures will need to be considered and Common-Cause Analysis (CCA) carried out.
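As an added example (not part of the Safety Plan), the Python below encodes the FAS data fault tree and the deviation event tree described above, computes the top-event probability and the minimal cut sets, and feeds the result into the event tree. All event names and probabilities are constructed placeholders, and the basic events are assumed independent, which the common-cause analysis mentioned above would have to confirm.

```python
"""Added example: quantify the FAS-data fault tree and the deviation event tree.

Every probability below is a constructed placeholder, not a value from the
Safety Plan; basic events are assumed independent and appear once in the tree.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Gate:
    kind: str                          # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[str, Gate]                # a str names a basic event

# Fault tree as described in the text (event names are hypothetical labels).
FAS_TREE = Gate("AND", (
    Gate("OR", (                       # error in ground station database
        Gate("AND", (                  # error entered in database
            Gate("OR", ("cause_1", "cause_2", "cause_3")),  # initial error
            "input_checks_fail",       # control measures in input process fail
        )),
        "data_corruption",             # technical fault, ex-scope in the plan
    )),
    "flightdeck_crosscheck_fails",
))

# Constructed per-approach probabilities for the basic events.
BASIC = {
    "cause_1": 1e-3, "cause_2": 2e-3, "cause_3": 5e-4,
    "input_checks_fail": 1e-2,
    "data_corruption": 1e-6,
    "flightdeck_crosscheck_fails": 1e-1,
}


def probability(node: Node, basic: Dict[str, float]) -> float:
    """Top-event probability for independent, non-repeated basic events."""
    if isinstance(node, str):
        return basic[node]
    probs = [probability(child, basic) for child in node.inputs]
    result = 1.0
    if node.kind == "AND":             # all inputs must occur
        for p in probs:
            result *= p
        return result
    if node.kind == "OR":              # at least one input occurs
        for p in probs:
            result *= (1.0 - p)
        return 1.0 - result
    raise ValueError(f"unknown gate kind: {node.kind}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest combinations of basic events that cause the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    per_child = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        merged = {cs for sets in per_child for cs in sets}
    else:                              # AND: one cut set from every input
        merged = {frozenset()}
        for sets in per_child:
            merged = {a | b for a in merged for b in sets}
    minimal = [cs for cs in merged if not any(other < cs for other in merged)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def event_tree(p_deviation: float, p_pilot_detects: float,
               p_atc_detects: float, p_corrected: float) -> Dict[str, float]:
    """Outcome probabilities for the three-node tree described in the text."""
    corrected, collision = "deviation corrected", "potential collision"
    branches = [
        (p_pilot_detects * p_corrected, corrected),
        (p_pilot_detects * (1 - p_corrected), collision),
        ((1 - p_pilot_detects) * p_atc_detects * p_corrected, corrected),
        ((1 - p_pilot_detects) * p_atc_detects * (1 - p_corrected), collision),
        ((1 - p_pilot_detects) * (1 - p_atc_detects), collision),
    ]
    outcomes = {corrected: 0.0, collision: 0.0}
    for conditional, outcome in branches:
        outcomes[outcome] += p_deviation * conditional
    return outcomes


if __name__ == "__main__":
    top = probability(FAS_TREE, BASIC)
    print(f"P(deviation beyond containment surface) = {top:.3e}")
    for cut_set in minimal_cut_sets(FAS_TREE):
        print("cut set:", ", ".join(sorted(cut_set)))
    for outcome, p in event_tree(top, 0.9, 0.5, 0.99).items():
        print(f"{outcome}: {p:.3e}")
```

The shortest cut set pairs data corruption with the flightdeck cross check, so that path has one barrier fewer than the data-entry paths; and because the cross check appears in every cut set, any dependency between it and the other events would invalidate the independence assumption.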

Risk Results and Assessment

The frequencies and consequences of the identified hazards need to be combined to generate risk predictions. Risk results could be presented in several ways including:

• In the form of a risk matrix.
• As frequencies of exceeding defined containment surfaces. These could then be compared to ILS performance or used for developing estimates of collisions into obstacles/terrain etc.

These risk results should then be compared to relevant criteria. Potential criteria include the risk classification scheme from Figure 2.2 and the use of ILS system safety as a relative criterion. The probability shown in Figure 2.2 would need to be suitably partitioned to be used for GBAS CAT-I approaches.

Reviewing Risk Reducing Measures and ALARP Demonstration

The existing controls can be illustrated using the fault tree and event tree format shown in the figure "Review of Controls". The diagram will also help identify areas where there are relatively few barriers to a major event. Fault trees are used on the left hand side of the model to understand how combinations of failures can lead to an undesired top event (e.g. deviation of aircraft from route, controller overload) and event trees are used on the right hand side of the model to analyse the consequences. This "bow-tie" approach has become an increasingly common technique to identify under-controlled areas of the overall system. A key benefit is the ability to link the assessment to the activities required to control risks and the broader safety management system.

Figure: Review of Controls

[Bow-tie diagram. Initiating Events: Pilot Error; ATC Error; Pilot-ATC Miscommunication; Procedure Inadequate; Technical (ex-scope); External. Top Event: Significant Deviation or Overload. Consequences / Event Development: Mitigation 1 and Mitigation 2 (Yes/No branches) leading to Outcomes 1 to 4. Controls/barriers are marked on the branches. Underlying layer: Management System - Activities / Procedures / Hardware.]

Possible extra controls could include:

• Equipment/hardware issues - e.g. extra warning system
• Procedures
• Human factors issues
• Safety management - e.g. training, monitoring.

For each of these an assessment will be carried out of the effectiveness of the measure (i.e. to what degree is risk reduced) and the practicability of the measure (e.g. are there operational reasons why the measure is not practicable). The outputs of the steps above will be used to categorise the proposed risk-reducing measures:

• Those measures which should be implemented as the benefits clearly outweigh any costs or operational difficulties.
• Those measures which should not be implemented as the benefits are clearly outweighed by costs or operational difficulties.
• Those measures where their practicability is difficult to judge without further analysis, quantitative data (e.g. from operational trials), etc.

This stage will define any additional requirements needed to show that risks are ALARP.

Safety Case

Having completed the FHA, PSSA and SSA it is proposed to prepare the outline of a GBAS Safety Case. This will:

• Set out the safety requirements broken down to the level of system elements;
• Show by means of argument and supporting evidence that the concept and implementation of GBAS CAT-I precision approaches is tolerably safe.

It is intended that this will serve as a template for States' ANSPs' own Safety Cases; the latter will need to address local, site-specific factors.

ROLES AND RESPONSIBILITIES

This section provides a high-level overview of the roles and responsibilities of the main stakeholders in GBAS. More details will be provided after the FHA when it is clearer what actions are required. The framework set out in this section is intended to support the ANSP in the safe implementation of GBAS.

EATMP GBAS Project

GBAS Project Manager

The EATMP GBAS Project Manager is responsible for the overall management of the EATMP GBAS Project. For the safety activities, the GBAS Project Manager:

• Elaborates the GBAS Project Description and identifies any particular items that have to be tailored with respect to the EATMP Safety Policy;
• Co-ordinates the GBAS Project Safety Policy with the GBAS Project Safety Manager in accordance with the EATMP Safety Policy principles [SMS Policy];
• Ensures compliance of the GBAS Project Safety Policy with EATMP Safety Policy [SMS Policy] and appropriate standards and requirements;
• Manages co-ordination between GBAS Project Safety Manager and SRC.

GBAS Project Safety Manager

The GBAS Project Safety Manager is responsible for the preparation of a GBAS Safety Policy Document and a Safety Plan and for ensuring that safety activities are carried out by properly trained, qualified and competent personnel and for ensuring that all those involved in implementing the Safety Plan are informed of responsibilities assigned to them under the Plan.

The development and execution of the Safety Plan is undertaken by the GBAS Project team of Safety Analysis Specialists under the oversight and responsibility of the GBAS Project Safety Manager.

The GBAS Project Safety Manager is also responsible for the co-ordination of local implementations to ensure consistency of approach by the ANSPs.

GBAS Safety Analysis Specialists

The GBAS Project team of Safety Analysis Specialists is responsible for undertaking safety planning and assessment activities in order to determine safety objectives for the GBAS Project and subsequently provide documentary assurance that the GBAS Project meets these safety objectives.

The team of Safety Analysis Specialists performs the Operational Safety Assessment of the GBAS Project in collaboration with the relevant stakeholders.

According to the EATMP methodology [SAM], the major types of activities relate to:

• GBAS Project Safety Plan
• FHA process
• PSSA process
• SSA process
• Transition to operations
• Decommissioning.

In addition the Safety Analysis Specialists will be involved in the application of the GBAS Operational Safety Assessment to example ECAC airports.

SRC/SRU/JAA

The main roles and responsibilities of the SRC/SRU are to:

• Liaise with the EATMP GBAS Project concerning review and approval of the Safety Plan;
• Ensure that the documented assurance provided by the EATMP GBAS project is sufficient to demonstrate that the Project is suitable for implementation from a safety point of view; and
• Ensure, in co-operation with the JAA, that airworthiness and operational requirements are effectively co-ordinated with Air Traffic Management development related to GBAS and that the regulatory approach taken by States to the implementation of GBAS operations is consistent across all implementing States.

Whenever necessary, SRC may agree to provide ATM safety regulatory advice to the Provisional Council on the GBAS Project. In particular, SRC may inform the Provisional Council of its safety regulatory position on the acceptability of the Project after considering all its safety products and the related SRC formal outputs.

SQS

SQS is responsible for:

• Ensuring that the EATMP GBAS Project is undertaking appropriate safety planning and assessment activities in order to determine safety objectives for the Project; and
• Subsequently providing methodological and documentary assurance that the Project meets these safety objectives.

National Regulatory Bodies

The main roles and responsibilities of the national regulatory bodies are to:

• Liaise with the SRC concerning the Safety Plan;
• Review and accept the safety assessments conducted in support of Technical and Operational Approval submitted by the ANSPs and manufacturers.

States ANS providers

The main roles and responsibilities of the States ANS providers are to:

• Liaise with and advise the EATMP GBAS Project team on their requirements;
• Prepare safety assessments for GBAS making use of generic safety assessments produced by the EATMP GBAS Project, Ground Station vendors and avionics manufacturers assessments as appropriate.
• Provide inputs on local, site specific safety issues.

Ground Station Vendors and Avionics Manufacturers

The main roles and responsibilities of the GS vendors and avionics manufacturers are to:

• Obtain technical approval/certification via the national regulatory bodies; and
• Provide information as necessary to the EATMP GBAS Project and ANS providers to assist them in the production of required safety assessments.

Airports and Airlines

Personnel from airports and airlines will be needed to assist in the Operational Safety Assessment. Their expertise will be required during the FHA in the structured brain-storming sessions, and subsequently in providing expert judgements on operational matters. Their input will also be needed in reviewing safety assessment reports to check operational assumptions, etc.

The figure "Interactions between GBAS Stakeholders" shows the anticipated interactions between some of the stakeholders above.

Figure: Interactions between GBAS Stakeholders

[Diagram with columns Level, Responsible Party, Tools and Outputs, and levels European Regional and National. Labels shown: GNSS Programme Manager; GBAS Project Manager; GBAS Safety Manager; Team of Safety Analysis Specialists in collaboration with System Developers; SQS Support; SRC/SRU; GBAS Service Providers; National Regulatory Authorities; Safety Principles; GBAS Description; GBAS Safety Policy; GBAS Safety Plan and Applications; GBAS Safety Documents (FHA, PSSA, SSA); Safety Deliverables; Recommendations; Formal Comments / Acceptance; Submission; National Materials; GBAS Safety Case.]

SAFETY ASSURANCE

Introduction

Safety Assurance is defined in ESARR 4 as "All planned and systematic actions necessary to provide adequate confidence that a product, a service, an organisation or a system achieves acceptable or tolerable safety". Based on this definition, three categories of actions have been identified with respect to GBAS:

• Critical reviews of the safety assessment

• Operational trials

• Monitoring during the operational phase

The table "Safety Assurance Actions" illustrates these actions with respect to a simplified project lifecycle.

Table: Safety Assurance Actions

| System Life Cycle | Safety Assessment | Safety Assurance |
|---|---|---|
| System definition and design | Safety assessment (pre-implementation) - FHA & PSSA | Critical reviews |
| System implementation | SSA | Operational trials |
| System in operation | Safety assessment (post-implementation) - SSA | Critical reviews + Monitoring |

Critical Reviews

It is proposed that the overall safety assessment is evaluated by:

• Safety specialists, e.g. drawn from EUROCONTROL’s SQS Unit or State’s personnel. This would be to ensure that the safety assessment methodology has been followed correctly and is appropriate.

• Stakeholders - this would be to ensure that any assumptions about GBAS operations and the operational environment are sensible and that the outputs from the process are realistic.

Pre-implementation and post-implementation safety assessments are planned and critical reviews will be required for both.

Operational Trials

For some European States where flag carriers have either retired from a MLS-oriented strategy or acknowledged the potential benefits (e.g. cheaper CAT-I capability for some platforms), flight test programmes have been elaborated to cover operational aspects, safety aspects, the validation of the GBAS Collision Risk Model (CRM), etc. over the period of time from 2002 until 2004-2005 inclusive. In particular, operational trials of GBAS CAT-I approaches are currently planned at the following ECAC airports:

• Bremen (Germany) - certified ground and airborne equipment would be a pre-requisite for the operational trial. The trials are anticipated to begin in 2003, depending on the availability of certified equipment.

• Milan Linate (Italy) - dates to be specified

• Zurich (Switzerland) - beginning of test phase in 2003 with aim for approval by 2005.

• Malaga (Spain) - dates to be specified.

The expertise gained within the framework of the safety assessment process will contribute to the definition of the flight campaigns, the results of which will go back to the safety activities. This results in an iterative and incremental lifecycle since safety and operational validation tasks will proceed in synergy. As a first step in this twin-track approach, practical applications of how the safety assessment models will work will be conducted at these airports.

Prior to these operational trials the pre-implementation GBAS Safety Assessment should have identified:

• Issues that need to be monitored during trials;

• Key risk drivers to be evaluated during operational trials; and

• Uncertainties to be evaluated during operational trials

Data from the operational trials will need to be fed back into updates of the safety assessment.

Monitoring

The safety assessment will include a list of assumptions concerning GBAS operations and the operating environment. The ANS provider will need to review and monitor the continued relevance of these assumptions. This will include co-ordination with the JAA to ensure that assumptions concerning airborne sub-system are still valid.

In addition it is expected that as part of each ANS provider’s Safety Management System (SMS) there will be monitoring of:

• Incidents related to GBAS use including significant deviations from final approach path

• Significant changes of the system with a commensurate safety assessment.

The EATMP GBAS Project will develop data collection mechanisms and data processing facilities within the framework of the Operational Validation activity. These tools are designed to provide evidence of safe GBAS-based operations even under marginal conditions, for special situations/installations and over extended periods of time. They will enable validation of safety assumptions and requirements as identified during the risk assessment and mitigation processes. Results of the validation process related to safety aspects of the models used in the safety assessment and safety assurance processes are intended to benefit the entire aviation community and the GBAS Project will initiate processes to enable those results to be widely spread.

Moreover, tools developed within the framework of the GBAS Project will be made available to the GNSS Programme Stakeholders and in particular Air Navigation Services (ANS) providers. Those tools could be used as a basis towards the in-service safety monitoring of GBAS in the various ECAC States to verify that the system continues to meet its specified performance over its operational life. They will indicate methods to detect changes in systems or operations which may suggest any element is approaching a point at which acceptable standards of safety can no longer be met and where corrective action needs to be taken.


SCHEDULE AND DELIVERABLES

Overall Safety Assessment Schedule

The key dates and deliverables for the safety assessment are as follows:

Table: Key Activities and Deliverables

| Activity | Dates | Deliverable |
|---|---|---|
| Production of Safety Plan containing safety assessment framework | Up to December 2001 | Safety Plan for GBAS CAT-I approaches |
| Application of safety assessment framework to example airport(s) | September 2001 to March 2002 | Report describing application |
| EATMP GBAS FHA | October 2001 to March 2002 | FHA report (see Section 3.2) |
| EATMP GBAS PSSA | January 2002 to May 2003 | PSSA report |
| EATMP GBAS SSA | January 2003 to end of 2004 | SSA report |
| Application of FHA/PSSA/SSA to specific airport | Dates to be decided | Safety assessment of GBAS at a specific airport |

The relationships between these proposed activities are illustrated in the figure "Planned Activities".

Figure: Planned Activities

[Diagram not reproduced. Elements shown: EATMP SAM; GBAS reference material; Consultation; GBAS Approval Plan containing GBAS framework for FHA, PSSA and SSA; Develop FHA/PSSA/SSA applicable to any GBAS system, i.e. not specific to an airport; Analysis of framework applied to specific airport/operational environment; Safety Assessment of GBAS at a specific airport.]


Consultation with SRC

A consultation process with EUROCONTROL’s Safety Regulation Commission is planned during the further development of this Safety Plan.

Following discussion of this draft Safety Plan with GBAS Project Stakeholders, the draft will be updated to form the First Issue of the Safety Plan. Having prepared the First Issue a further round of consultation will take place. There will be consultation with the GBAS Project Stakeholders and with the SRU.

Based on the response of stakeholders and the SRU to the First Issue, a Second Issue of the Safety Plan will be prepared and submitted to the SRC for their review. The response and recommendations of the SRC will then be built into the Third Issue of the Safety Plan.

The Third Issue of the Safety Plan will be re-submitted to the SRC for its agreement. The SRC will then pass on its recommendation to the national Safety Regulatory Authorities.

This iterative process is intended to ensure that all the SRC’s comments and concerns are addressed in a thorough manner. The target dates for delivery of the Safety Plan reports are as follows:

First Issue: 26th July 2001 (Letter from Peter STASTNY, Head SRU to SRC Commissioners, Advisers and Observers dated 26th July)

Second Issue: End of November (proposed)

Third Issue: By end of year 2001 (proposed)

Resources

The exact scopes of the future work packages are currently difficult to define. Once further feedback has been obtained from stakeholders and the SRC these scopes will be better defined and the resources needed for the FHA, PSSA and SSA can be predicted.


SAFETY MANAGEMENT SYSTEM

In this section the relevant elements of the EATMP GBAS Project Safety Management System are checked against the requirements of ESARR 3 (Ref. 9). Table 7.1 details the compliance review.

Table 7.1: Compliance of GBAS Project SMS with ESARR 3

| ESARR 3 Requirements | GBAS Project SMS Elements |
|---|---|
| General Requirements: Safety management; Safety responsibility; Safety priority; Safety objective of the ATM service | • GBAS safety policy to cover general requirements • GBAS safety manager appointed • GBAS project adopting SRC criteria including need to show that risk has been reduced as far as reasonably practicable. |
| Requirements for Safety Achievement: Competency; Safety management responsibility; Quantitative safety levels; Risk assessment and mitigation; SMS documentation; External services; Safety occurrences | • GBAS safety staff have necessary qualifications, experience and training • Responsibility of GBAS safety manager defined • GBAS will be assessed against quantitative safety levels where appropriate • Safety plan details risk assessment and mitigation • SMS documentation to be updated as project progresses • External services to be included in the safety assessment • GBAS project to set up monitoring of safety occurrences |
| Requirements for Safety Assurance: Safety surveys; Safety monitoring; Safety records; Risk assessment and mitigation documentation | • Reviews to be carried out of safety assessment • Safety monitoring to be set up by GBAS project in co-operation with ANSPs • Records of safety assessment to be controlled and maintained • Documentation to reflect system life cycle including any changes and to be maintained for appropriate period |
| Requirements for Safety Promotion: Lesson dissemination; Safety improvement | • GBAS project will set up monitoring systems including feedback loop to ANSPs to disseminate lessons • GBAS project will work to improve safety pre-implementation through the safety assessment process and post-implementation through safety monitoring and data collection/analysis |


FURTHER ACTIONS FOR STAKEHOLDERS ARISING FROM SAFETY ASSESSMENT PROCESS

Overview

Sections 1 to 7 of this document can be regarded as providing a high level plan for GBAS safety analysis. Following the initiation of the safety assessment process detailed actions are likely to arise that will need to be addressed by various stakeholders. Hence Sections 1-7 are considered to represent the Level 1 Plan and this section describes how the detailed Level 2 Plan will develop.

Areas which GBAS stakeholders will probably need to address include:

• Changes to ATS procedures

• Changes to Flight Crew procedures

• ATS training

• Pilot training

• Parallel ILS/GBAS operations

• Operational aspects i.e. In-Service GBAS monitoring

As the safety assessment progresses the Safety Plan will be expanded to cover the actions required in each of these areas. For each of those actions, the Safety Plan should:

• Describe those activities

• Identify the appropriate responsible authorities

• Describe the detailed activities, i.e. Lines of Action (LoAs), including the Quality Management activities

• Show how hazard and risks identified and quantified through the activities conducted within the EUROCONTROL GBAS Project will be addressed as appropriate by the State/ANSP/Airport Operator.

Illustrative Example with respect to Pilot Training

As an example, the documentation concerning the actions necessary on pilot training could have the following format:

• Action Identification Code: TRA2

• Safety Requirement: To show that all relevant staff have been appropriately trained in GBAS procedures

• Standards: [Standard Reference or EUROCONTROL Material] used as reference material for the development of training material

• Planned activities: (i) Establishing Training roles and responsibilities; (ii) Development of the Training packages; (iii) Development of Training Programme; (iv) Implementation of Training Programmes in each Airline that plans to make use of GBAS for CAT-I operations.

• Approval activities:
  - Approval of the Training Material: LoA Identification Code TRA2 – USE01
  - Acceptance of Pilot competence in GBAS-based precision approach: TRA2 – USE02

• Quality Assurance: e.g. use of standards and/or guidance material for the development of training material, experience of the trainers, review of the training material; sufficient notice for training before revenue flights, etc.

• Management of risks: review of relevant results of FHA, PSSA and SSA performed by EUROCONTROL and identifications of those operational aspects that are different from the assumptions made by EUROCONTROL + argumentation to substantiate that required measures have been taken to address those differences.

• Description of TRA2 – USE01 and TRA2 – USE02 in Annexes with mention of criteria to assess the achievement of those LoA’s.

The figure "Flow of Actions" illustrates the document structure and links between the various levels.

Figure: Flow of Actions

[Diagram not reproduced. Approval Plan level boxes list: Introduction; Operational System Elements; Safety Criteria/Regulatory Background; Safety Assessment Approach; Roles, Responsibilities; Safety Assurance; Schedule, Deliverables; and Introduction followed by Actions, each labelled [AIC] [Title]. Action [identification Code] boxes list: Introduction; Safety Requirement; Standard applied; Planned activities; Approval activities; Quality assurance; Management of Risks. Lines of Actions [identification Code] appear in Annexes labelled [AIC] - [LoAIC] Title, with the fields Applicability, Timescale; Criteria to assess progress achievement; Factual description; Results of. Caption: AIC = Action Identification Code; LoAIC = Line of Action Identification Code.]


REFERENCES

Ref. 1 ICAO: "Draft SARPs for Global Navigation Satellite System (GNSS)", Annex 10, ICAO GNSSP/3-WP/66, Montreal, 12-23 April 1999 with List of proposed SARPs Changes, GNSSP WG B meeting, Seattle, May 29-June 9, 2000

Ref. 2 EUROCAE: "Minimum Operational Performance Specification for a Global Navigation Satellite System Ground Based Augmentation System to Support CAT-I Operations Ground Equipment", May 2000

Ref. 3 EUROCAE: "Minimum Operational Performance Specification for Multi-Mode Airborne Receiver (MMR) Including ILS, MLS and GNSS", Draft ED-88A v 6, November 2000

Ref. 4 EUROCONTROL: "Category I (CAT-I) Ground-Based Augmentation System (GBAS) Safety Policy Document", Edition 0.1, working draft

Ref. 5 EUROCONTROL: "Risk Assessment and Mitigation in ATM", EUROCONTROL Safety Regulatory Requirement (ESARR) 4, Edition 1.0, Released Issue

Ref. 6 EUROCONTROL: "Application of the EATMP Air Navigation System Safety Assessment Methodology to GBAS System Safety Assessment", Eric Perrin, Andreas Lipp & Bernd Tiemeyer (GNSS Programme), Jacques Beaufays (SQS), 2001

Ref. 7 EUROCONTROL: "Functional Hazard Assessment", SAMSAF.ET1.ST03.1000-MAN-01-00

Ref. 8 EUROCONTROL: "Guidelines for the safety assessment of EATMP Programmes", SAF.ET1.ST03.1000.MAN-02-00, v3.1, Proposed Issue

Ref. 9 EUROCONTROL: "Use of Safety Management Systems by ATM Service Providers", EUROCONTROL Safety Regulatory Requirement (ESARR) 3, Edition 1.0, Released Issue


ACRONYMS AND ABBREVIATIONS

AIRPROX Aircraft Proximity Event
AIS Aeronautical Information Service
ALARP As Low as Reasonably Practicable
ANSP Air Navigation Service Provider
ARP Aerospace Recommended Practice
ATC Air Traffic Control
ATM Air Traffic Management
ATS Air Traffic Service
AWO All Weather Operations
CAT-I Category I
CNS Communication, Navigation, Surveillance
DH Decision Height
DNV Det Norske Veritas
DSA Directorate of Safety, Airspace, Airport & Information Services
EATMP European Air Traffic Management Programme
ECAC European Civil Aviation Conference
ESARR EUROCONTROL SAfety Regulatory Requirement
ETA Event Tree Analysis
EUROCAE European Organisation for Civil Aviation Equipment
FAF Final Approach Fix
FAR Federal Aviation Regulations
FAS Final Approach Segment
FHA Functional Hazard Assessment
FTA Fault Tree Analysis
GBAS Ground-based Augmentation System
GNSS Global Navigation Satellite System
GPWS Ground Proximity Warning System
GS Ground Station
HAZID Hazard Identification
HMI Human Machine Interface
ICAO International Civil Aviation Organisation
ID Identifier
IEC International Electro-technical Committee
ILS Instrument Landing System
JAA Joint Aviation Authorities
JAR Joint Airworthiness Requirement
MASPS Minimum Aviation Systems Performance Standard
MLS Microwave Landing System
MMR Multi-Mode Receiver
MOPS Minimum Operational Performance Standard
NPA Notice of Proposed Amendment (to JAR)
OCP Obstacle Clearance Panel
PANS-OPS Procedures for Air Navigation Services Aircraft Operations
PSSA Preliminary System Safety Assessment
RTCA Requirements and Technical Concepts for Aviation
SAE Society for Automotive Engineers
SAM Safety Assessment Methodology
SARPs Standards and Recommended Practices
SBAS Space-Based Augmentation System
SMS Safety Management System
SQS Safety, Quality Management and Standardisation Unit
SRC Safety Regulation Commission
SRU Safety Regulation Unit
SSA System Safety Assessment
SSR Secondary Surveillance Radar
STC Supplemental Type Certificate
VHF Very High Frequency
WG Working Group


TERMS AND DEFINITIONS – GLOSSARY

| Term | Definition / Description | Examples and/or Comments |
|---|---|---|
| Safety objectives | A safety objective is a planned safety goal. The achievement of an objective may be demonstrated by appropriate means to be determined in agreement with the safety regulator. | Consistent with ESARR4 |
| Safety regulatory requirement | The formal stipulation by the regulator of a safety related specification which, if complied with, will lead to acknowledgement of safety competence in that respect. | Consistent with ESARR3 |
| Safety requirement | A risk mitigation means, defined from the risk mitigation strategy, that achieves a particular safety objective. Safety requirements may take various forms, including organisational, operational, procedural, functional, performance, and interoperability requirements or environmental characteristics. | Consistent with ESARR4 |
| Target Level of Safety | A level of how far safety is to be pursued in a given context, assessed with reference to a tolerable risk. | Consistent with ESARR4 |
| Tolerable risk | Willingness to live with a risk so as to secure certain benefits and in the confidence that it is being properly controlled. To tolerate a risk means that we do not regard it as negligible or something we might ignore, but rather as something we need to keep under review and reduce still further as we can. | Consistent with the EATMP Safety Policy definition (based on ‘The tolerability of risk from nuclear power stations’, UK HSE publication) |

