Safety Assessment

Date post: 19-Jan-2016
Safety Assessment. The European Organisation for the Safety of Air Navigation. Safety Assessment is an EC1035/2011 requirement EC1034-2011 helps understanding which changes require a formal assessment that needs NSA review - PowerPoint PPT Presentation
Transcript
Page 1: Safety Assessment

Safety Assessment

The European Organisation for the Safety of Air Navigation

Page 2: Safety Assessment

Safety Assessment is an EC1035/2011 requirement

EC1034/2011 helps in understanding which changes require a formal assessment that needs NSA review

Experience has shown that the “Safety Consideration Process” provides a good understanding of the changes

Page 3: Safety Assessment

The only acceptable means of compliance with ESARR4 (~EC1035/2011) as of today is SAM (with limitations)

SAM is most suitable for hardware changes whose design we can influence; using it is much more difficult for many other kinds of change (procedures, airspace, etc.)

SAM is a toolbox mainly known for its FHA-PSSA-SSA processes:

- Functional Hazard Assessment (FHA)

- Preliminary System Safety Assessment (PSSA)

- System Safety Assessment (SSA)

Page 4: Safety Assessment

eSAM

• eSAM V2.1 helps in navigating through the documentation set of "ANS Safety Assessment Methodology";

• http://www.eurocontrol.int/safety/public/site_preferences/display_library_list_public.html#17

Page 5: Safety Assessment

Safety considerations process (flowchart, reconstructed from the slide figure; input: OPS Concept, concept elements)

- Safety considerations: brainstorming.

- Initial safety argument: first attempt to construct the Safety Argument (high level).
  Go further? If N: Safety consideration report, with an argumented rationale for not going further.

- Safety Plan: translation of the initial argument into required activities.
  Go further? If N: Initial safety argument (termination), with an argumented rationale for not going further.

- Safety assessment (activities as per Safety Plan): conduct of activities.

- Safety Case: Safety Case Report, production of the report.

Page 6: Safety Assessment

Safety considerations process

Page 7: Safety Assessment

Safety considerations

Problems commonly found in safety assessments:

- No operational concept / no concept of operations

- Scope unclear

- Missing assumptions

- Safety requirements unrealistic

- Bad arguments

- Little or no evidence

- Errors in calculations

- Impact at boundaries not addressed

- Hazards classification questionable

SAFETY BENEFITS OF NORMAL OPERATIONS?

Questions the safety considerations should answer:

- What are the needs for change?

- What are the new system boundaries? (OPS Concept)

- Are there (initial) assumptions? (OPS Concept)

- Are (initial) safety requirements realistic?

- Will it be possible to build an argument?

- What evidence could be provided?

- Would it be feasible and beneficial to quantify?

- How shall the new system/change be operated?

- What are the interfaces? What impact is foreseeable?

- How, and by whom, will hazards be assessed?

- In what way is the proposed operational concept different from the current one?

Page 8: Safety Assessment

How did we do things so far?

What we used to do:

- We have trained the staff: Staff OK

- We have revised procedures

- We have a fall-back system: OK if breakdown

- We have temporary procedures: switching over should be OK

- We have tested the system: good specifications, System OK

What we concluded: New center will start operations on XX/XX/XX. Decision to go operational.

Page 9: Safety Assessment

What are we asked to do today?

- We have trained the staff: Staff OK

- We have revised procedures

- We have contingency measures: OK if breakdown

- We have temporary procedures: switching over should be OK

- We have tested the system: good specifications, System OK

Conclusion to be demonstrated: It will be safe to provide operations from the new center.

Page 10: Safety Assessment

We need to demonstrate that the change will be safe. How are we going to do that?

- CONOPS: Why do we want to do this change?

- Criteria for safety (ESARR4): Arg0 is decomposed into Arg1 (safe by design), Arg2 (safe after implementation), Arg3 (safe to migrate operations) and Arg4 (on-going operations will be safe). For each: How are we going to do that?

- Caveats: Is there anything that we know we will only be able to prove after implementation, but we are confident we are right?

- Life cycle: How are we going to do that?

- Safety Plan

- Initial safety argument; OPS Concept (concept elements)

Page 11: Safety Assessment

Safety Assessment for DQR

[DQR-REQ-300] The safety assessment process to support the establishment of new or updated data quality requirements shall be documented and include all the necessary steps to derive the data quality requirements to ensure data of sufficient quality are provided to meet the intended use for each data item under consideration, as a minimum:

Page 12: Safety Assessment

1. Identify all relevant uses for the aeronautical data item or dataset.

2. Conduct Hazard Identification and Analysis.

3. Determine accuracy and resolution requirements taking into consideration:

a) The functionality, performance and availability required by the intended use to achieve an acceptable level of safety.

b) The inherent limitations in originating the data item or dataset.

4. Determine the data integrity level, based on the results of step 1 and step 2, for the most stringent use.

5. Consider the necessity to assign requirements for the ability to determine the origin of the data, other than the ones already defined in Annex I Part C of Commission Regulation (EU) 73/2010.

6. Consider the necessity to assign requirements for the level of assurance that the data is made available to the next intended user prior to its effective start date/time and not deleted before its effective end date/time, other than the ones already defined in Article 7(3) and Article 7(4) of Commission Regulation (EU) 73/2010.

Page 13: Safety Assessment

Initial safety argument

Let’s have a look at the MS-Visio figures

Page 14: Safety Assessment

Initial safety argument structure (reconstructed from the slide figure)

Top claim: Change/Project using the « data » is « safe »

- Arg – 1: Design of the « Change/Project » is safe

- Arg – 2: Implementation of the « Change/Project » is safe

- Arg – 3: Migration of the « Change/Project » is safe

- Arg – 3: On-going operations of the « Change/Project » are safe

… Further development of Arg-1 ...

- Arg – 1.X.X.Y.N: Data and associated quality requirements are “adequate”

Page 15: Safety Assessment

Development of Arg – 1.X.X.Y.N (argument structure reconstructed from the slide figure; C = context, J = justification, Cr = criteria)

Claim: Data and associated quality requirements are “adequate”

- C: Adequate is defined in the context of the project

- J: Introduction of new applications requires changes to the DQR

- Cr: Criteria for Safety (ESARR4)

Case A: New data has NOT yet a quality label (i.e. is not in the HL)

- Data Quality Requirements are defined (evidence: Conops: User Requirements)

- Process defining the « Data Quality Requirements » is trustworthy (evidence: SMS Procedures)

Case B: Data is in the HL

- Risk associated with this data is managed:

  - Risk assessment has been performed (evidence: FHA/PSSA)

  - Process is trustful (evidence: SMS Procedures, Project Management Procedures)

  - Mitigation means are in place, either because Data Quality Requirements (as in HL) are « enough », or because Data Quality Requirements (as in HL) are NOT « enough » and the risk has been mitigated through additional risk reduction measures (evidence in both cases: FHA/PSSA, Change/Project design documentation)

Page 16: Safety Assessment

Q&A

The European Organisation for the Safety of Air Navigation
