
Integra Consult A/S: Safety Assessment

Date post: 27-Mar-2015
Upload: jackson-stuart

Integra Consult A/S

SAFETY ASSESSMENT

• Objective
– Demonstrate that an acceptable level of safety will be met and users have been consulted.

Safety Monitoring / Safety Assessment / Safety Auditing / Safety Promotion


SAFETY ASSESSMENT

• Seven step approach
– Develop complete description of the system and of the environment in which the system is to be operated
– Identification of hazards
– Estimation of severity of potential consequences
– Estimate of likelihood of hazard occurring
– Evaluation of risk
– Mitigation of risk
– Development of safety assessment documentation


SAFETY ASSESSMENT

• Safety
– A condition in which the risk of harm or damages is limited to an acceptable level

• Risk
– The probable rate of occurrence of a hazard causing harm and the degree of severity of the harm
– Risk = Severity * likelihood
– Need to define severity and likelihood
– Need to define acceptability


STEP 2 – HAZARD IDENTIFICATION

• Purpose
– …to identify what could go wrong! (- or anticipate problems before they occur…)
– …to identify the consequences (on safety) of the hazards

A hazard is defined as any condition, event or circumstance which could induce an accident or incident (ICAO DOC 9422)

– The equipment (hardware and software);
– The operating environment;
– The human operators;
– The human machine interface (HMI);
– Operational procedures;
– Maintenance procedures;
– External services.


STEP 3 – SEVERITY ASSESSMENT

• A severity is allocated to each hazard consequence in accordance with the agreed severity classification scheme.

SEVERITY CLASSIFICATION (Example)

| Severity Category | State | Remark |
|---|---|---|
| 1 | Catastrophic | Aircraft destroyed / multiple deaths |
| 2 | Significant Incident | Considerable aircraft damage / loss of life |
| 3 | Major Incident | Aircraft serious incident or personal injury |
| 4 | Serious Incident | Aircraft minor incident or minor injury |
| 5 | Negligible | Little or no consequence |


STEP 4 – LIKELIHOOD ASSESSMENT

• A likelihood is allocated to each hazard consequence and expresses how often the consequence of a hazard is likely to occur

LIKELIHOOD CLASSIFICATION (Example)

| Likelihood Category | Qualitative Description | Quantitative |
|---|---|---|
| Frequently | Likely to occur frequently | 1*10^-3 |
| Probable | Likely to occur several times during system life | 1*10^-4 |
| Occasional | Occurs sometime during system life | 1*10^-5 |
| Remote | Unlikely to occur sometime during system life | 1*10^-6 |
| Improbable | Very unlikely to occur | 1*10^-7 |
| Extremely Improbable | Extremely unlikely to occur | 1*10^-9 |


STEP 5 – RISK EVALUATION

• Determine acceptability of identified risks
– Clearly unacceptable
– Clearly acceptable
– May or may not be acceptable

Risk Classification (Example)

| Probability | Qualitative Definition | Quantitative Definition | Severity 1 | Severity 2 | Severity 3 | Severity 4 | Severity 5 |
|---|---|---|---|---|---|---|---|
| Frequently | Likely to occur frequently. | > 5*10^-4 | A | A | A | A | C |
| Probable | Likely to occur several times during system life. | < 5*10^-4 | A | A | A | B | D |
| Occasional | Occurs sometime during system life. | < 1*10^-5 | A | A | B | C | D |
| Remote | Unlikely to occur sometimes during system life. | < 1*10^-6 | A | B | C | D | D |
| Improbable | Very unlikely to occur. | < 1*10^-7 | B | C | D | D | D |
| Extremely Improbable | Extremely unlikely to occur. | < 1*10^-8 | C | D | D | D | D |


STEP 6 – RISK MITIGATION

• Identify potential causes for a risk to occur

• Identify potential mitigation
– Remove the risk (remove the cause of the risk)
– Reduce the risk
  • Reduce severity and/or probability

• Identify preferred mitigation approach


STEP 6 – RISK MITIGATION

• Risk mitigation should be sought in any of the three components of a system:
– People
– Procedures
– Equipment

• The possible approaches to risk mitigation include:
– revision of the system (or airport) design;
– modification of operational procedures;
– changes to staffing arrangements; and
– training of personnel to deal with the hazard.


STEP 6 – RISK MITIGATION

• To identify causes a number of techniques may be required
– Brainstorming sessions
– Fault tree analysis - Effect tree analysis
– Common cause failure identification (Single point failure)
– Task, Fail-Safe & Error Tolerance Analysis
– Failure Mode and Criticality Analysis
– Reliability, Availability and Maintainability Analysis


STEP 7 – SAFETY ASSESSMENT DOCUMENTATION

• The purpose:
– To provide a permanent record of the final result of the safety assessment
– To provide the arguments and evidence demonstrating that the risks associated with the implementation of the proposed system or change:
  • have been eliminated, or
  • have been adequately controlled and reduced to a tolerable level.


DIFFICULTIES – SAFETY ASSESSMENT

• General
– Complex, resource-demanding activity

• Target Levels of Safety (Severity and Likelihood)
– Complexity
– No guidelines or recommendations – in most cases not even statistics
– No guidelines for apportioning Safety Targets to lower levels
– No guidelines on who does what (Regulator, Provider, Supplier)


DIFFICULTIES – SAFETY ASSESSMENT

• Risk Mitigation
– Very demanding concepts (software assurance levels, procedure assurance levels)
– Very demanding activities for risk mitigation
– Analyses required are beyond reach for many organisations


RECOMMENDATIONS

• Start with low level of ambition
– Even simple Safety Assessment provides quite efficient risk mitigation
– Introduce more advanced features once the simple version works
– Start with quantitative likelihood classification while data are collected to establish qualitative figures

• Make sure assumptions are well-defined and traced


RECOMMENDATIONS

• Don't forget to design a follow-up system (ICAO 2.26.5) for:
– Hazards (likelihood for different causes)
– Assumptions, e.g.:
  • Capacity figures
  • Reliability figures
– Should be extracted from the reporting system


SUPPORTING SLIDES


Target Level of Safety

| Severity Class | State | Maximum tolerable probability (of ATM-direct contribution) |
|---|---|---|
| 1 | Accident | 1,55*10^-8 per flight hour (equal to 2,31*10^-8 per flight) |
| 2 | Serious Incident | To be included in future revision (once enough safety data has been collected) |
| 3 | Major Incident | To be included in future revision (once enough safety data has been collected) |
| 4 | Significant Incident | To be included in future revision (once enough safety data has been collected) |
| 5 | No immediate effect | To be included in future revision (once enough safety data has been collected) |

Ref.: ESARR 4, Appendix A


Target Level of Safety

• ESARR 4 notes that:
– In order to deal with specific constituent parts of the ATM system (sub-systems), the table will have to be refined so that it adequately reflects the operational environment of the sub-system under consideration (e.g. interfaces with other systems, phases of flight, classes of airspace).


• This will necessitate:
– the redefinition of the severity categories such that they are meaningful in the context of the sub-system under consideration, and
– the accommodation of mitigations in other sub-systems for events in the sub-system under consideration which may lead to a hazard.

• No guidance is given here (in the ESARR) as to how the refinement should be achieved.


Target Level of Safety

• ESARR figures only refer to an overall safety performance of ATM at ECAC and national level and are not directly applicable to the classification of individual hazards.

• To achieve this a method of apportionment of the overall probability to the constituent parts of the ATM system may need to be developed.

• This apportionment may be done per phase of flight and/or per accident type.


Target Level of Safety

• The National Regulatory Authority will have to establish National Target Levels of Safety based on:
– National statistics (should as a minimum be as safe as today)
  • Difficulties (data for all severity categories are not collected currently)
– Benchmarking other countries to which we would like to be compared and where:
  • Statistics are available
  • Targets have been set


Target Level of Safety

[Diagram boxes: National risk classification scheme; ANSP (1) risk classification scheme; ANSP (2) risk classification scheme; Service type 1 risk classification scheme; Service type 2 risk classification scheme; System A safety objective classification scheme; System B safety objective classification scheme]


Target Level of Safety

[Table columns: MET, NAV/Enr, NAV/Term, Ground, TWR, APP, ACC]

Safety factor for Accidents (1,55*10^-8 per flight hour)
– Mid-air collision: ÷
– Controlled flight into terrain: ÷
– Accident on ground with fatalities: ÷ ÷ ÷
– …

Safety Factors for Serious Incidents
– Separation minima infringement (less than 50%): ÷
– Runway incursion with avoiding action: ÷ ÷ ÷
– …

