Safety Assessment
The European Organisation for the Safety of Air Navigation
Safety Assessment is an EC 1035/2011 requirement. EC 1034/2011 helps in understanding which changes require a formal assessment that needs NSA (National Supervisory Authority) review. Experience has shown that the "Safety Consideration Process" provides a good understanding of the changes.
The only acceptable means of compliance with ESARR4 (~EC 1035/2011) as of today is SAM (with limitations). SAM is a toolbox mainly known for its FHA-PSSA-SSA processes:
- Functional Hazard Assessment
- Preliminary System Safety Assessment
- System Safety Assessment
SAM is most suitable for hardware changes where we can influence the design; its use is much more difficult for many other kinds of change (procedures, airspace, etc.).
eSAM V2.1 helps navigating through the documentation set of the "ANS Safety Assessment Methodology": http://www.eurocontrol.int/safety/public/site_preferences/display_library_list_public.html#17
Safety assessment process (flowchart):
- OPS Concept (concept elements) → Safety considerations (brainstorming) → Safety consideration report.
- Go further? If no: argued rationale for not going further (termination). If yes: first attempt to construct the Safety Argument (high level) → Initial safety argument.
- Go further? If no: argued rationale for not going further (termination). If yes: translation of the initial argument into required activities → Safety Plan.
- Conduct of activities (safety assessment activities as per the Safety Plan) → Production of the report → Safety Case Report (the Safety Case).
Safety considerations. Questions to ask:
- What are the needs for change?
- What are the new system boundaries? (OPS Concept)
- Are there (initial) assumptions? (OPS Concept)
- Are the (initial) safety requirements realistic?
- Will it be possible to build an argument? What evidence could be provided? Would it be feasible and beneficial to quantify?
- How shall the new system/change be operated? What are the interfaces? What impact is foreseeable?
- How and by whom will hazards be assessed?
- In what way is the proposed operational concept different from the current one?
Typical findings:
- No operational concept / no concept of operations
- Scope unclear
- Missing assumptions
- Safety requirements unrealistic
- Bad arguments
- Little or no evidence
- Errors in calculations
- Impact at boundaries not addressed
- Hazard classification questionable
Safety benefits of normal operations?
How did we do things so far? (example: a new centre going operational)
What we used to do → What we concluded:
- Good specifications → System OK
- We have tested the system → System OK
- We have revised procedures → Staff OK
- We have trained the staff → Staff OK
- We have a fall-back system (contingency measures) → OK if breakdown
- We have temporary procedures → Switching over should be OK
Decision to go operational: the new centre will start operations on XX/XX/XX.
What are we asked to do today? To state the same reasoning as an explicit argument: the claim "It will be safe to provide operations from the new centre" is supported by the specifications, the system tests, the revised procedures, the trained staff, the contingency measures and the temporary procedures, each leading to the corresponding conclusion above.
Initial safety argument. Inputs: OPS Concept (concept elements) / CONOPS; Why do we want to do this change?; Criteria for safety (ESARR4).
- Arg0: We need to demonstrate that the change will be safe. How are we going to do that?
- Arg0 is broken down into four sub-arguments (Arg1 to Arg4) following the life cycle: safe by design; safe to migrate operations; safe after implementation; on-going operations will be safe. For each: how are we going to do that?
- Caveats: is there anything that we know we will only be able to prove after implementation, but we are confident we are right?
- The answers to "how are we going to do that?" form the Safety Plan.
Safety Assessment for DQR
[DQR-REQ-300] The safety assessment process to support the establishment of new or updated data quality requirements shall be documented and include all the necessary steps to derive the data quality requirements to ensure data of sufficient quality are provided to meet the intended use for each data item under consideration, as a minimum:
1. Identify all relevant uses for the aeronautical data item or dataset.
2. Conduct Hazard Identification and Analysis.
3. Determine accuracy and resolution requirements taking into consideration:
   - The functionality, performance and availability required by the intended use to achieve an acceptable level of safety.
   - The inherent limitations in originating the data item or dataset.
4. Determine the data integrity level, based on the results of step 1 and step 2, for the most stringent use.
5. Consider the necessity to assign requirements for the ability to determine the origin of the data, other than the ones already defined in Annex I Part C of Commission Regulation (EU) 73/2010.
6. Consider the necessity to assign requirements for the level of assurance that the data is made available to the next intended user prior to its effective start date/time and not deleted before its effective end date/time, other than the ones already defined in Article 7(3) and Article 7(4) of Commission Regulation (EU) 73/2010.
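As an added illustration (not part of the presentation or of SAM), the following Python model shows how the first steps of DQR-REQ-300 combine: each identified use of a data item carries the accuracy, resolution and integrity level its hazard analysis calls for, and the requirement assigned to the item is the most stringent across all uses. The integrity-level ordering (routine < essential < critical), the field names and the sample uses are assumptions made for the example.

```python
# Added example, not from the presentation: minimal model of DQR-REQ-300 steps 1-4.
# The integrity ordering and the sample values below are assumptions.
from dataclasses import dataclass

# Assumed ordering of integrity levels, least to most stringent.
INTEGRITY_ORDER = {"routine": 0, "essential": 1, "critical": 2}

@dataclass(frozen=True)
class UseRequirement:
    use: str             # intended use of the data item (step 1)
    accuracy_m: float    # tolerated error in metres; smaller is stricter
    resolution_m: float  # smallest published unit in metres; smaller is stricter
    integrity: str       # integrity level from hazard analysis (step 2)

@dataclass(frozen=True)
class DataQualityRequirement:
    item: str
    accuracy_m: float
    resolution_m: float
    integrity: str
    driving_use: str     # the use that set the integrity level (step 4)

def derive_dqr(item: str, uses: list) -> DataQualityRequirement:
    """Derive the requirement for `item` from the most stringent of its uses."""
    if not uses:
        raise ValueError(f"{item}: no intended use identified (step 1 incomplete)")
    unknown = [u.use for u in uses if u.integrity not in INTEGRITY_ORDER]
    if unknown:
        raise ValueError(f"{item}: hazard analysis missing for {unknown} (step 2)")
    strictest = max(uses, key=lambda u: INTEGRITY_ORDER[u.integrity])
    return DataQualityRequirement(
        item=item,
        accuracy_m=min(u.accuracy_m for u in uses),       # step 3
        resolution_m=min(u.resolution_m for u in uses),   # step 3
        integrity=strictest.integrity,                    # step 4
        driving_use=strictest.use,
    )

# Constructed sample: two uses of a runway threshold position (hypothetical values).
SAMPLE_USES = [
    UseRequirement("aerodrome chart display", 5.0, 1.0, "routine"),
    UseRequirement("approach procedure design", 1.0, 0.01, "critical"),
]

if __name__ == "__main__":
    print(derive_dqr("runway threshold position", SAMPLE_USES))
```

Steps 5 and 6 (origin traceability and timely availability) are not modelled; they would be additional fields assigned per item in the same way.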
Initial safety argument: let's have a look at the MS-Visio figures.
Q&A