
Introduction to the Safety Assessment Methodology
A centre of excellence in ATM Training

SAF-SAM

NSA-SOSM

Copyright 2012 EUROCONTROL

05 - Supervision and Safety Oversight

Any use of this training material is subject to prior written consent by EUROCONTROL.
Requests shall be addressed to:
Head of the Institute of Air Navigation Services,
12, rue Antoine de Saint-Exupéry,
L-1432 Kirchberg, Luxembourg.

The EUROCONTROL Institute of Air Navigation Services aims to provide the services that you want and to make your
stay in the Institute as enjoyable as possible. All Institute personnel are there to ensure that your stay at the Institute is
successful. However, if you do have a complaint (or a compliment) please tell us. If you are not satisfied with the
service we provide or you would like to propose an improvement then please fill out the form at
http://www.eurocontrol.int/ians/complaint.html, or contact IANS.complaints@eurocontrol.int directly.


SAF-SAM Course
Table of contents

Course Programme
Glossary
01 Introduction to Safety Management in ATM
02 ATM Safety Regulatory Framework
03 Key concepts of Risk Assessment and
Mitigation
04 Traffic Risk Exercise
05 Safety Assessment Methodology Overview
06 Initiation of ATM change safety assessment
07 Hazard Identification, Risk Assessment and
Determination of Safety Objectives
08 Hazard Identification, Risk Assessment and
Determination of Safety Objectives Exercise
09 Risk Mitigation Strategy of ATM Change
Design for Operations
10 Risk Mitigation Strategy of ATM Change
Design for Operations Exercise
11 Safety Verification and Validation
12 Risk Assessment and Mitigation of ATM
Change Implementation Exercise
13 Risk Assessment and Mitigation of ATM
Change Transfer into Operations Exercise
14 Safety Argument / Case Principles
15 Practicalities

Course timetable (Monday to Friday; time slots shown on the grid: 09:00, 10:00, 12:00, 12:30, 13:30 and 17:00; each morning from Tuesday to Friday opens with a debrief of the previous day). Sessions recoverable from the extracted timetable grid, in course order:

Session 00: Course Intro
Introduction to Safety Management in ATM
ATM Safety Regulatory Framework
Key Concepts of Risk Assessment and Mitigation
Road Traffic Exercise (risk assessment and mitigation)
Overview of SAM & Fish Tank Example
Initiation of ATM Change Safety Assessment Example
Hazard Identification, Risk Assessment and Determination of Safety Objectives
Hazard Identification, Risk Assessment and Determination of Safety Objectives Exercise
Risk Mitigation Strategy of ATM Change Design for Operations
Risk Mitigation Strategy of ATM Change Design for Operations Exercise
Safety Verification and Validation
Risk Assessment and Mitigation of ATM Change Implementation Exercise
Risk Assessment and Mitigation of ATM Change Transfer into Operations Exercise
Safety Argument / Case Principles
SAM Assistant
Practicalities
Test & Debrief
Course Debrief

Abbreviations and Acronyms useful for IANS SAF-SAM Training Course

AC, Ac: Aircraft
A-SMGCS: Advanced Surface Movement Guidance and Control System
ACAS: Airborne Collision Avoidance System
ACAS-IR: Commission Regulation (EU) No 1332/2011 of 16 December 2011 laying down common airspace usage requirements and operating procedures for airborne collision avoidance
ACC: an Area Control Centre (an en-route ATC unit)
ACID-IR: Commission Regulation (EU) No 1206/2011 of 22 November 2011 laying down requirements on aircraft identification for surveillance for the single European sky
ADQ-IR: Commission Regulation (EU) No 73/2010 of 26 January 2010 laying down requirements on the quality of aeronautical data and aeronautical information for the SES (this regulation covers the production and distribution of such data and information)
AGL: Aerodrome Ground Lighting
AIC: Aeronautical Information Circular
AIP: Aeronautical Information Publication
AIS: Aeronautical Information Service, a part of the air navigation services (ANS), meaning a service established within the defined area of coverage responsible for the provision of aeronautical information and data necessary for the safety, regularity and efficiency of air navigation
ALARP: As Low As Reasonably Practicable
AMAN: Arrival Manager
AMC: Acceptable Means of Compliance
ANS: Air Navigation Services, meaning air traffic services; communication, navigation and surveillance services; meteorological services for air navigation; and aeronautical information services
ANSP: an organisation providing or offering to provide air navigation services
AO: Airport Operator
APP: an ATS Approach Unit (an ATSU)
Arg: Argument
ARR: Arrival
Art: article (such as in a Regulation etc.)
ASBU: ICAO Aviation System Block Upgrades (coordinated approach to the introduction of ATM solutions)
ASM: Airspace Management, a planning function with the primary objective of maximising the utilisation of available airspace by dynamic time-sharing and, at times, the segregation of airspace among various categories of airspace users on the basis of short-term needs
A-R: Regulation (EC) No 551/2004 of the European Parliament and of the Council of 10 March 2004 on the organisation and use of the airspace in the single European sky (the airspace Regulation, one of the four main SES Regulations); as amended by Regulation (EC) No 1070/2009 of the European Parliament and of the Council of 21 October 2009
ATC: Air Traffic Control, meaning a service provided for the purpose of:
(a) preventing collisions between aircraft, and in the manoeuvring area between aircraft and obstructions; and
(b) expediting and maintaining an orderly flow of air traffic
ATCO(s): air traffic controller(s)
ATFCM: Air Traffic Flow and Capacity Management (EUROCONTROL concept)

ATFM: Air Traffic Flow Management, an ATM function established with the objective of contributing to a safe, orderly and expeditious flow of air traffic by ensuring that ATC capacity is utilised to the maximum extent possible, and that the traffic volume is compatible with the capacities declared by the appropriate air traffic service providers
ATFM-IR: Commission Regulation (EU) No 255/2010 laying down common rules on air traffic flow management
ATIS: Automatic Terminal Information Service
ATM: Air Traffic Management, meaning the aggregation of the airborne and ground-based functions (air traffic services, airspace management and air traffic flow management) required to ensure the safe and efficient movement of aircraft during all phases of operations
ATM/ANS: depending on the context:
- Air Traffic Management (ATM) and Air Navigation Services (ANS) as defined in Article 2(4) and 2(10) of the SES framework Regulation (F-R); see the ATM and ANS definitions separately
- in accordance with the EASA Basic Regulation: the air traffic management functions as defined in Article 2(10) of Regulation (EC) No 549/2004, the air navigation services defined in Article 2(4) of that Regulation, and services consisting in the origination and processing of data and the formatting and delivery of data to general air traffic for the purpose of safety-critical air navigation
ATM/ANSP: an organisation providing ATM/ANS
ATS: Air Traffic Services (a part of ANS as well as of ATM), meaning the various flight information services, alerting services, air traffic advisory services and ATC services (area, approach and aerodrome control services)
ATSP: an organisation providing or offering to provide air traffic services
ATSU: an operational unit of an organisation providing air traffic services (e.g. an APP unit, an aerodrome tower unit etc.)
AVISO: Aide à la Visualisation Sol (a ground surveillance system used in France)
BALTIC FAB: the BALTIC FAB, one of nine FAB initiatives, comprising defined airspaces within the responsibility of Poland and Lithuania
BLUE MED: the BLUE MED FAB, one of nine FAB initiatives, comprising defined airspaces within the responsibility of Cyprus, Greece, Italy and Malta. Other non-EU States are associates and observers to this FAB
BOS: Boston Logan International Airport (USA)
BR: EASA Basic Regulation (see EASA BR)
CA: depending on the context, CA can refer to:
- Conformity assessment (linked with interoperability)
- Competent authority (an EASA concept)
CA-IR: Commission Regulation (EC) No 2042/2003 of 20 November 2003 on the continuing airworthiness of aircraft and aeronautical products, parts and appliances, and on the approval of organisations and personnel involved in these tasks
CAA: a Civil Aviation Authority (e.g. as established in many States originally to fulfil the legal obligations incurred by that State under the 1944 Chicago Convention)
CANSO: Civil Air Navigation Services Organisation
CATF: Conformity Assessment Task Force; a EUROCONTROL forum which, inter alia, produced widely coordinated Guidance Material for Conformity Assessment in the context of SES interoperability
CATF GM: the EUROCONTROL Guidelines on conformity assessment for the interoperability Regulation of the single European sky, version 3.0, available at http://www.eurocontrol.int/ses/public/standard_page/conf_assessment.html
CCA: Common Cause Analysis

CCS-IR: Commission Regulation (EC) No 1794/2006 of 6 December 2006 laying down a common charging scheme for air navigation services; as amended by Commission Regulation (EU) No 1191/2010 of 16 December 2010
CE (CE marking): a mandatory conformity mark for products placed on the market in the European Economic Area (EEA). With the CE marking on a product the manufacturer declares that the product conforms with the essential requirements of the applicable EC directives/regulations. The letters CE stand for Conformité Européenne (European conformity). Under the SES IOP-R, systems and their constituents are exempted from CE marking (or CE affixing)
CEN: European Committee for Standardisation, one of the three recognised ESOs
CENELEC: European Committee for Electrotechnical Standardisation, one of the three recognised ESOs
CFIT: Controlled Flight Into Terrain
COM: Communication services, one of the CNS services and a part of ANS; or, depending on context, an abbreviation used in references to Communications of the European Commission (such as COM(2008)750 final, etc.)
Contd: continued
COTR-IR: Commission Regulation (EC) No 1032/2006 laying down requirements for automatic systems for the exchange of flight data for the purpose of notification, coordination and transfer of flights between air traffic control units
CNS: Communications, Navigation and Surveillance (services and/or systems and procedures), a part of ANS
CRD: Comments Response Document (e.g. following consultation on an EASA NPA etc.)
CRs: the common requirements for the provision of ANS iaw CR-IR
CR-IR: Commission Regulation (EU) No 1035/2011 laying down common requirements for the provision of air navigation services and repealing Regulation (EC) No 2096/2005 and amending Regulations (EC) No 482/2008 and (EU) No 691/2010
CS: depending on the context:
- a Community Specification in relation to the interoperability Regulation (No 552/2004); or
- a Certification Specification in relation to the EASA framework
CTR: Control Zone (ICAO)
CWP: Controller Working Position
DANUBE FAB: the DANUBE FAB, one of nine FAB initiatives, comprising defined airspaces within the responsibility of Bulgaria and Romania
DEP: Departure
DFW: Dallas/Fort Worth International Airport (USA)
DK-SE FAB: the Danish/Swedish FAB, one of nine FAB initiatives, comprising defined airspaces within the responsibility of Denmark and Sweden
DLS-IR: Commission Regulation (EC) No 29/2009 of 16 January 2009 laying down requirements on data link services for the single European sky
DoC: an EC Declaration of Conformity iaw Article 5 IOP-R
DoV: an EC Declaration of Verification of systems iaw Article 6 IOP-R
DSU: a Declaration of suitability for use iaw Article 5 IOP-R
EAD: the European Aeronautical Information System Database
EASA: the European Aviation Safety Agency
EASA BR: the EASA Basic Regulation, Regulation (EC) No 216/2008 as variously amended
EASP: European Aviation Safety Programme
EATMN: the European air traffic management network, a concept of eight systems in relation to interoperability as defined in Annex I of IOP-R

EC: depending on the context:
- the European Community (as in Regulation (EC) No xxx/...)
- the European Commission (in all other cases)
ECAA: European Common Aviation Area (agreement)
ECAC: European Civil Aviation Conference (usually used to refer to the ECAC Region, comprising those States that are members of ECAC)
ECCAIRS: the European Co-ordination Centre for Accident and Incident Reporting Systems, a software platform developed by the EU; also adopted for ADREP use in 2004
ECTRL: EUROCONTROL
ED: EUROCAE document; a series of technical standards issued by EUROCAE
e.g.: for example
EN: European Norm (Standard)
EoSM: the Effectiveness of Safety Management; a KPI developed under the PS-IR and measured by a methodology based on the ATM Safety Framework Maturity Survey
EP: the European Parliament
ER, ERs: depending on the context:
- essential requirements (as defined in IOP-R)
- essential requirements (as defined in the EASA Basic Regulation)
ERND: European Route Network Design (one of the three network functions iaw NF-IR)
ESARR: one of six EUROCONTROL Safety Regulatory Requirement documents adopted under the EUROCONTROL Revised Convention; following the adoption of the SES I legislative package, most of the contents of the six ESARRs have been transposed into SES legislation
ESARRs: a collective reference to the six ESARR documents
ESARR 1: Safety Oversight in ATM, current edition 2.0 of December 2009
ESARR 2: Reporting and Assessment of Safety Occurrences in ATM, current edition 3.0 of December 2009
ESARR 3: Use of Safety Management Systems by ATM Service Providers, current edition 1.0 of July 2000
ESARR 4: Risk Assessment and Mitigation in ATM, current edition 1.0 of April 2001
ESARR 5: Safety Regulatory Requirement for ATM Services' Personnel, current edition 2.0 of April 2002
ESARR 6: Software in ATM Functional Systems, current edition 2.0 of May 2010
ESO: European Standardisation Organisation; a recognised regional standardisation body under Annex I of Directive 98/34/EC
ESSIP: the European Single Sky ImPlementation plan; a EUROCONTROL performance-oriented process that describes common implementation actions required to improve the European ATM network over the next five to seven years
ETSI: European Telecommunications Standards Institute, one of the three recognised ESOs
EU: European Union
EUIR: the foreseen European Upper Flight Information Region, a SES concept
FAA: the Federal Aviation Administration of the United States
FAB(s): Functional Airspace Block(s) established iaw Article 9a of SP-R
FAB-IR: Commission Regulation (EU) No 176/2011 on the information to be provided before the establishment and modification of a functional airspace block
FAB CE: FAB Central Europe, one of nine FAB initiatives, comprising defined airspaces within the responsibility of the seven FAB CE States: Austria, Bosnia & Herzegovina, Croatia, Czech Republic, Hungary, Slovak Republic and Slovenia
FABEC: FAB Europe Central, one of nine FAB initiatives, comprising defined airspaces within the responsibility of the six FABEC States: Belgium, France, Germany, Luxembourg, Netherlands and Switzerland

FAQ: Frequently Asked Questions
FAROS: Final Approach Runway Occupancy Signal
FAT: Factory Acceptance Tests
FC-IR: Commission Regulation (EU) No 1178/2011 of 3 November 2011 laying down technical requirements and administrative procedures related to civil aviation aircrew pursuant to Regulation (EC) No 216/2008 of the European Parliament and of the Council, as amended by Commission Regulation (EU) No 290/2012 of 30 March 2012
FDPS: flight data processing system (and procedures), referring to a sub-category of EATMN system no. 3 (systems and procedures for ATS, iaw Annex I of IOP-R)
FFPG: FAB Focal Points Group, one of the two SES Coordination Platforms organised by the European Commission with support from EUROCONTROL (the second one is the NCP)
FHA: Functional Hazard Assessment
FIR: Flight Information Region (ICAO)
FIS: Flight Information Service, a part of ATS
FL: Flight Level
FLS: Field Lighting System
FMTP: Flight Message Transfer Protocol; FMTP is based on industry-standard Transmission Control Protocol / Internet Protocol (TCP/IP) provisions; a community specification associated with FMTP-IR
FMTP-IR: Commission Regulation (EC) No 633/2007 of 7 June 2007 laying down requirements for the application of a flight message transfer protocol used for the purpose of notification, coordination and transfer of flights between air traffic control units
FOD: Foreign Object Debris
FPL: Filed Flight Plan submitted for a flight
F-R: Regulation (EC) No 549/2004 of the European Parliament and of the Council of 10 March 2004 laying down the framework for the creation of the single European sky (the framework Regulation of the SES legislation); as amended by Regulation (EC) No 1070/2009 of the European Parliament and of the Council of 21 October 2009
FUA: (the concept of) flexible use of airspace
FUA-IR: Commission Regulation (EC) No 2150/2005 laying down common rules for the flexible use of airspace
FTA: Fault Tree Analysis
GA: General Aviation (one of the two categories of civil aviation), meaning all flights other than military and scheduled airline and regular cargo flights, both private and commercial. General aviation flights range from gliders and powered parachutes to large, non-scheduled cargo jet flights (source: Wikipedia)
GAT: General Air Traffic
GM: Guidance Material
GPS: Global Positioning System
GSN: Goal Structuring Notation
HAL: Human Assurance Level
HMI: human machine interface (systems and procedures), referring to a sub-category of EATMN system no. 3 (systems and procedures for ATS, iaw Annex I of IOP-R)
HF: Human Factors
HW: hardware
Hz: Hazard
IA-IR: Commission Regulation (EC) No 1702/2003 of 24 September 2003 laying down implementing rules for the airworthiness and environmental certification of aircraft and related products, parts and appliances, as well as for the certification of design and production organisations
IANS: the EUROCONTROL Institute of Air Navigation Services in Luxembourg
IAW (iaw): in accordance with

ICAO: the International Civil Aviation Organization
ICB: the Industry Consultation Body established by the European Commission iaw Article 6 of the SES framework Regulation to advise the Commission on the implementation of the SES. The ICB comprises representatives of the ANSPs, associations of airspace users, airport operators, the manufacturing industry and professional staff representative bodies
Id, ID: Identifier
i.e.: that is; from the Latin id est
IFPL: refers to the procedures and requirements for the provision, processing and distribution of FPLs in the pre-flight phase (preceding the first delivery of ATC clearance); a community specification associated with IFPL-IR
IFPL-IR: Commission Regulation (EC) No 1033/2006 laying down the requirements on procedures for flight plans in the pre-flight phase for the single European sky
IFR: Instrument Flight Rules (ICAO Annex 2); a flight may be conducted in accordance with VFR or IFR; an IFR flight is a flight conducted in accordance with instrument flight rules
IMC: Instrument Meteorological Conditions
IOP: Interoperability
IOP-R: Regulation (EC) No 552/2004 of the European Parliament and of the Council of 10 March 2004 on the interoperability of the European Air Traffic Management network (the interoperability Regulation, one of the four main SES Regulations); as amended by Regulation (EC) No 1070/2009 of the European Parliament and of the Council of 21 October 2009
IOP-IRs: a collective reference to the implementing rules for interoperability (Commission Regulations and Decisions adopting implementing rules within the framework of IOP-R)
IR(s): implementing rule(s); in the SES and/or EASA context, these are usually implementing measures adopted in the form of Commission Regulations or Decisions, complementing or refining specific legal obligations and requirements laid down in the SES main Regulations, the EASA Basic Regulation or, depending on the legal basis, other EP and/or Council acts such as regulations, directives and decisions
Km/h: kilometres per hour
KPA: Key Performance Area, a concept in relation to ATM performance and the performance scheme iaw PS-IR
KPI: Key Performance Indicator
L/U: Line Up
LAX: Los Angeles International Airport (USA)
LDG: Landing
LoA(s): Letter(s) of Agreement (such as between two ATSUs)
LoC: Loss of Control
LSSIP: the Local Single Sky ImPlementation documents coordinated by EUROCONTROL in the ESSIP common framework
LVO: Low Visibility Operations
LVP: Low Visibility Procedures
MAC: Mid-Air Collision
MET: Meteorological service, an air navigation service
METP: an organisation providing or offering to provide MET services
MIT: Massachusetts Institute of Technology
Mode S-IR: Commission Regulation (EC) No 262/2009 of 30 March 2009 laying down requirements for the coordinated allocation and use of Mode S interrogator codes for the SES
MoC: Means of Compliance; a generic reference to (usually) voluntary standards whose application may ensure that specific binding requirements are met or fulfilled by an activity, product or function
MS: Member State(s) of the European Union
MSAW: Minimum Safe Altitude Warning (a safety net in the ATC system)

MTBF: Mean Time Between Failures
MUAC: Maastricht Upper Area Control Centre
NAA: National Aviation Authority (as in the EASA framework)
NAV: Navigation services, one of the CNS services and of ANS
N.B.: nota bene
NBs: notified bodies, iaw IOP-R and IOP-IRs; NBs are accredited under the New Legislative Framework
NCP: the NSA Coordination Platform, one of the two SES Coordination Platforms organised by the European Commission with support from EUROCONTROL (the second one is the FFPG)
NEFAB: the North-European FAB, one of nine FAB initiatives, comprising defined airspaces within the responsibility of Estonia, Finland, Iceland, Latvia and Norway; Denmark and Sweden opted out of the NEFAB initiative in early 2011
NF: the network functions, as defined in NF-IR
NF-IR: Commission Regulation (EU) No 677/2011 of 7 July 2011 laying down detailed rules for the implementation of air traffic management (ATM) network functions and amending Regulation (EU) No 691/2010 (the performance Regulation)
NM: the nominated Network Manager of the SES iaw NF-IR
NOP: the Network Operations Plan developed by the Network Manager iaw NF-IR
NOTAM: Notice To Airmen
NPA: Notice of Proposed Amendment; in the EASA rule-making procedure, an NPA is issued following the drafting of new or amended regulatory material, for the purpose of consultation
NRA: a collective, generic reference to national regulatory authorities/agencies
NSA: a National Supervisory Authority nominated or established iaw Article 4 of the F-R
NSP: the Network Strategy Plan developed by the Network Manager iaw NF-IR
OAT: Operational Air Traffic, i.e. air traffic other than General Air Traffic (GAT): flights which are not operated in accordance with the ICAO SARPs and procedures
ODS: Operational Display System
OJEU: the Official Journal of the European Union
OJTI: On-the-Job Training Instructor
OLDI: On-Line Data Interchange, a community specification associated with COTR-IR; OLDI specifies the facilities and messages to be provided between FDPSs serving ATC units for the purpose of, inter alia, notification of flights, coordination prior to transfer of a flight to the next unit, civil-military coordination, situational awareness, transfer of communication of such flights, support to A/G datalink etc.
OPS (ops): depending on context, operations (e.g. flight operations), operational, or relating to operations/operational matters
OR: operational requirements, as defined in NF-IR
OSED: Operational Service and Environment Description
PAL: Procedure Assurance Level
PANS: ICAO Procedures for Air Navigation Services
PANS-ATM: ICAO Doc 4444, Procedures for Air Navigation Services: Air Traffic Management
PAPI: Precision Approach Path Indicator
PBN: Performance Based Navigation
PBN-IR: Commission (EU) Regulation (under development) laying down the requirements for performance based navigation within the SES
PP: performance plan, in accordance with PS-IR
PRB: the designated Performance Review Body of the SES in accordance with Article 11(2) of the SES framework Regulation (in relation to the performance scheme, PS-IR)
PRC: the Performance Review Commission established under the EUROCONTROL Revised Convention; the PRC and the PRB of the SES conduct their activities in close consultation and synergy

PS: the SES Performance Scheme, as per Article 11 F-R and PS-IR
PS-IR: Commission Regulation (EU) No 691/2010 laying down a performance scheme for air navigation services and network functions and amending Regulation (EC) No 2096/2005
PSC: Project Safety Case
PSSA: Preliminary System Safety Assessment
QE: a Qualified Entity to which an NSA may decide to delegate, in full or in part, supervisory tasks (e.g. iaw Article 3 of SP-R or SO-IR); QEs were formerly referred to as recognised organisations in SES I
QMS: Quality Management System
R&D: research and development
R/T: Radiotelephony
RAT: Risk Analysis Tool, in relation to one of the KPIs for safety in the implementation of the performance scheme (PS-IR)
RCS: Risk Classification Scheme
RDPS: Radar Data Processing System
Reg, Reg.: Regulation (as in Regulation (EC) No 550/...)
REL: Runway Entrance Lights (a component of the Runway Status Light (RWSL) system)
RIL: Runway Intersection Lights (a component of the Runway Status Light (RWSL) system)
RIMCAS: Runway Incursion Monitoring and Conflict Alert System
RoP: rules of procedure (of a group, task force, committee etc.)
RP, RP1 etc.: a reference period in the frame of the performance scheme (PS-IR). RP1, the first reference period, runs from 1 January 2012 until 31 December 2014. RP2 and following reference periods will be of five calendar years each, unless decided otherwise through amendments to PS-IR
RWSL: Runway Status Lights
RWY: Runway
SAFA: Safety Assessment of Foreign Aircraft; an EU programme coordinated by EASA for the assessment of the safety of foreign aircraft operating at EU airports
SAM: Safety Assessment Methodology
SARPs: a collective reference to the ICAO Standards and Recommended Practices laid down in the 18 Annexes to the 1944 Chicago Convention on international civil aviation
SAT: Site Acceptance Tests
SC: depending on the context:
- Safety Case
- Severity Class (usually followed by a number ranging from 1 to 5)
SCDM: Safety Case Development Manual
SERA-IR: Commission Regulation laying down standardised European rules of the air (under development)
SES: the Single European Sky, an initiative introduced by the SES I legislative package
SES I: the first legislative package of the single European sky (2004), consisting of four EC Regulations of the European Parliament and of the Council (see F-R, SP-R, A-R and IOP-R)
SES II: the second legislative package of the single European sky (2009), comprising:
- Regulation (EC) No 1070/2009 of 21 October 2009 of the European Parliament and of the Council amending the four Regulations of the first SES package in order to improve the performance and sustainability of the European aviation system; and
- Regulation (EC) No 1108/2009 of 21 October 2009 amending Regulation (EC) No 216/2008 (the EASA Basic Regulation) in the field of aerodromes, air traffic management and air navigation services and repealing Directive 2006/23/EC
SESAR: the Single European Sky ATM Research programme
SESAR JU, SJU: the SESAR Joint Undertaking, the single managing entity for the SESAR development phase (2008-2013), established by Council Reg. (EC) No 219/2007 of 27 February 2007

SMI: Separation Minima Infringement
SMR: Surface Movement Radar
SMS: Safety Management System
SO: depending on the context:
- safety objective (in most cases)
- safety oversight
SO-IR: Commission Regulation (EU) No 1034/2011 on safety oversight in air traffic management and air navigation services, replacing Commission Regulation (EC) No 1315/2007 and amending Commission Regulation (EU) No 691/2010
SOCS: Safety Objective Classification Scheme
SOP: Standard Operating Procedures
SP-R: Regulation (EC) No 550/2004 of the European Parliament and of the Council of 10 March 2004 on the provision of air navigation services in the single European sky (the service provision Regulation, one of the four main SES Regulations); as amended by Regulation (EC) No 1070/2009 of the European Parliament and of the Council of 21 October 2009
SPR: Safety and Performance Requirements
SPI-IR: Commission Regulation (EU) No 1207/2011 laying down requirements for the performance and the interoperability of surveillance for the single European sky
SR: Safety Requirement
SRR(s): safety regulatory requirement(s), as defined in Article 2 SO-IR
SSA: System Safety Assessment
SSC: the Single Sky Committee, the comitology forum which assists the European Commission in adopting implementing measures under the SES framework
SSP: a State Safety Programme (ICAO); also related to the application of the PS-IR in the safety KPA
STCA: Short Term Conflict Alert (a safety net in the ATC system)
STL: St. Louis International Airport (USA)
SUR: surveillance services, one of the CNS services and of ANS
SW: software
SW FAB: the South-West FAB, one of nine FAB initiatives, comprising defined airspaces within the responsibility of Portugal and Spain
SWAL: Software Assurance Level
SWIM: System Wide Information Management
T/O: Take-Off
TCAS: Traffic Collision Avoidance System
TEU: Treaty on European Union, one of several founding treaties of the European Union and of the European Communities
TF: a technical file accompanying a DoV iaw Article 6 IOP-R
TFEU: Treaty on the Functioning of the European Union; the title of the 'Treaty establishing the European Community' was replaced by 'Treaty on the Functioning of the European Union' (iaw Article 2(1) of the Treaty of Lisbon, as of 1 December 2009, the date of entry into force of the Lisbon Treaty)
THL: Take-off Hold Lights (a component of the Runway Status Light (RWSL) system)
TLS: Target Level of Safety
TMA: Terminal control area (ICAO Annex 11, Air Traffic Services)
ToR: Terms of Reference (e.g. of a group, forum, committee, body etc.)
TWR: (aerodrome) tower unit (an ATS unit)
TWY: Taxiway
UIR: Upper Flight Information Region (ICAO)

UK-IE FAB: the United Kingdom/Ireland FAB, one of nine FAB initiatives, comprising defined airspaces within the responsibility of the United Kingdom of Great Britain & Northern Ireland and of Ireland
UCS: Unit Competence Scheme
USC: Unit Safety Case
UTP: Unit Training Plan
VCS-IR: Commission Regulation (EC) No 1265/2007 of 26 October 2007 laying down requirements on air-ground voice channel spacing for the single European sky
VFR: Visual Flight Rules (ICAO); a flight may be conducted in accordance with VFR or IFR
WTA: Wake Turbulence Induced Accident


Session 01: Introduction to Safety Management

Copyright 2011 EUROCONTROL

Course Structure
NEED FOR SAFETY ASSESSMENT
KEY CONCEPTS
SAM PROCESS
FHA

PSSA

SSA

PRACTICALITIES

SAFETY ARGUMENTS

SAM ASSISTANT


Structure

What is the role of ATM?


What is Safety?
Why are ATM Services safe?
How does ATM contribute to Safety?
Why do we need Safety Assessment?
What are the future challenges?


Role of ATM?

- To prevent air and ground collisions
- To manage traffic in an orderly and efficient way

ATM is the aggregation of ground-based (comprising ATS, ASM, ATFM) and airborne functions required to ensure the safe and efficient movement of aircraft during all phases of operations.

Safety and Security
- Safety: freedom from the unacceptable risk of unintended harm. Harm means an accident with fatalities or serious injuries to humans, or structural damage to aircraft.
- Security: freedom from the unacceptable risk of intended harm.

Question:
Why is your ANS / ATM safe?

Why Safety Management System?
Video of the Überlingen accident

Swiss Cheese Model
[Figure: hazards pass through the holes (latent conditions) that line up across successive layers of defence and become an incident or accident]
Model developed by J. Reason

What is Safety Management
- A formalised, explicit and proactive approach to systematic safety
- A process for managing safety risks

SMS Components
[Figure: SMS elements] Occurrences; Competency; External services; Lesson dissemination; Risk assessment and mitigation; Safety responsibilities; Surveys; Monitoring; Records
QMS: internal audits, documentation control system, external services, elimination of causes of non-conformities, etc.

Question: Why is your ANS / ATM safe?
- On-going ATM services / systems
- Changes to ATM services / systems
- New ATM services / systems

ATM Changes
- The operational environment is changing!
- Systems / services are changing!
- Shall we remain acceptably safe?
- If Change #1 is acceptably safe and Change #2 is acceptably safe, are Changes #1 & #2 together acceptably safe?

Traffic Growth in ECAC Region
[Figure: 2000: 8.0 million flights; 2020: 16.0 million flights]
- Traffic tripled over the last 25 years
- Traffic may double over the next 20 years

Traffic & Accidents
- Traffic grows
- Accident rate is stable
- One accident per week!

ATC Tools Change
From paper flight strips to electronic flight strips

ANS/ATM Evolution Change
- Past: Procedural Control (... the current and planned a/c positions)
- Today: Radar Control (know the current and estimate planned a/c positions)
- Future: Trajectory Management (know & share the current & planned a/c positions)

SES Interoperability Regulations
Framework Reg.: EC 549/2004 & 1070/2009
Service Provision Reg.: EC 550/2004 & 1070/2009
Airspace Reg.: EC 551/2004 & 1070/2009
Interoperability Reg.: EC 552/2004 & 1070/2009
Implementing rules:
- Reg. 1032/2006 - Requirements for automatic systems for exchange of flight data for notification, coordination & transfer of flights between ATC units
- Reg. 1033/2006 - Requirements for flight plans in the pre-flight phase
- Reg. 633/2007 - Requirements for the application of a FMTP used for [...] notification, coordination and transfer of flights between ATC units
- Reg. 1265/2007 - Requirements on A/G voice channel spacing
- Reg. 29/2009 - Requirements on datalink services for the SES
- Reg. 30/2009 - amending Reg. 1032/2006 re the requirements for automatic systems for exchange of flight data supporting datalink services
- Reg. 262/2009 - Requirements for the coordinated allocation and use of Mode S interrogator codes for the SES
- Reg. 73/2010 - Requirements on the quality of aeronautical data and aeronautical information for the SES (Part I)
- Reg. 1207/2011 - Requirements on Surveillance Performance and IOP (SPI)
- Reg. 1206/2011 - Requirements on Aircraft Identification (ACID)
- Reg. xxx/201x - ADQ II & PBN (under development)

SESAR ATM System

SESAR Operational Concept 2020
- Business trajectories
- More automation support
- Enhanced information management
- More strategic planning
- Change of roles
- Increased flexibility

SESAR Performance Targets
- Enabling EU skies to handle 3 times more traffic
- Improving safety by a factor of 10
- Reducing the environmental impact per flight by 10%
- Cutting ATM costs by 50%

Defragmentation - FABs

ATM Challenges
Environmental impact; Delays; Security; Capacity; Single European Sky; Safety; Cost-efficiency; Flight efficiency; New technologies; Fragmentation

Summary
- What is the role of ATM?
- What is Safety?
- Why are ATM Services safe?
- How does ATM contribute to Safety?
- Why do we need Safety Assessment?
- What are the future challenges?

Questions?

Safety Regulatory Framework


Session 02

Structure
- SES, Eurocontrol and EASA frameworks
- EASA Total Aviation System Approach in Safety
- EASA Basic Regulation
- Essential Requirements for ATM/ANS
- Performance scheme
- Safety Key Performance Indicators (KPIs)
- Common Requirements on: SMS; risk assessment and mitigation of changes
- Safety Oversight Requirements related to changes

Single European Sky II (2009)

Framework Reg. (F-R), Reg. 549/2004 & 1070/2009:
- Foundation of SES
- ATM Master Plan
- National Supervisory Authority (NSA)
- Concept of Implementing Rule
- Industry Consultation Body (ICB)
- Single Sky Committee (SSC)
- EUROCONTROL
- Performance scheme
- EASA

Service Provision Reg. (SP-R), Reg. 550/2004 & 1070/2009:
- NSA tasks
- Qualified entities
- Common requirements
- Certification of ANSPs
- Designation of ATSPs, possibly of METPs
- FAB requirements
- Charging scheme for common projects

Airspace Reg. (A-R), Reg. 551/2004 & 1070/2009:
- Airspace classification
- European Upper Flight Information Region (EUIR)
- Electronic aeronautical information
- Rules of the Air
- Network Management (incl. ATFM, route design and scarce resources)
- Flexible use of airspace

Interoperability Reg. (IOP-R), Reg. 552/2004 & 1070/2009:
- List of systems
- Implementing Rules
- Conformity assessment (DoC/DSU & DoV)
- Essential Requirements
- Community specifications
- Alternative verification of compliance
- Notified bodies

EASA Total Aviation System Approach in Safety
[Figure: Airworthiness, Flight Operations and Flight Crew Licensing under the former EASA remit (Reg. 216/2008); Aerodromes and ATM/ANS added under the current EASA remit (Reg. 1108/2009)]

New Tasks of EASA in ATM/ANS
- Development of implementing measures with regard to ATM/ANS and aerodromes
- Safety oversight of: 3rd country ATM/ANSPs; pan-European ATM/ANSPs; MS competent authorities (through standardisation inspections)
- Certification of: 3rd country ANSPs; pan-European ANSPs; ATCO training organisations located outside the EU
SES and EASA Frameworks in ATM/ANS

EASA terminology:
- Law (binding): Basic Regulation (BR), i.e. the EASA BR (Reg. 216/2008 amended by Reg. 1108/2009); Implementing Measures: Implementing Rules (IR)
- Soft law (non-binding): Certification Specifications (CS) *, Acceptable Means of Compliance (AMC), Guidance Material (GM)

SES framework regulations:
- F-R (Reg. 549/2004 amended by Reg. 1070/2009)
- SP-R (Reg. 550/2004 amended by Reg. 1070/2009)
- A-R (Reg. 551/2004 amended by Reg. 1070/2009)
- IOP-R (Reg. 552/2004 amended by Reg. 1070/2009)

Implementing rules (IR) and decisions shown under the EASA and SES frameworks:
- FC-IR (Reg. 1178/2011)
- IA-IR (Reg. 1702/2003 as variously amended)
- CA-IR (Reg. 2042/2003 as variously amended)
- ACAS-IR (Reg. 1332/2011)
- ATCO-IR (Reg. 805/2011)
- SO-IR (Reg. 1034/2011 repealing Reg. 1315/2007)
- CR-IR (Reg. 1035/2011 repealing Reg. 2096/2005)
- COTR-IR (Reg. 1032/2006 amended by Reg. 30/2009)
- IFP-IR (Reg. 1033/2006)
- FMTP-IR (Reg. 633/2007)
- VCS-IR (Reg. 1265/2007)
- DL-IR (Reg. 29/2009)
- Mode S-IR (Reg. 262/2009)
- ADQ I-IR (Reg. 73/2010)
- Decision: Exemptions under Art. 14 of DL-IR
- Decision setting EU-wide performance targets and alert thresholds (21/02/2011)
- Decision: Designation of ECTRL as PRB (29/07/2010)
- PS-IR (Reg. 691/2010 amended by Reg. 1216/2011)
- SW-IR (Reg. 482/2008)
- FAB-IR (Reg. 1765/2011)
- CCS-IR (Reg. 1794/2006 amended by Reg. 1191/2010)
- Decision: Designation of Georg Jarzembovski as FABs system coordinator (12/08/2010)
- FUA-IR (Reg. 2150/2005)
- AC-IR (Reg. 730/2006)
- ATFM-IR (Reg. 255/2010)
- NF-IR (Reg. 677/2011)
- Decision: Nomination of ECTRL as network manager

* CS are made binding through the certification basis
http://easa.europa.eu/regulations/regulations-structure.php

ERs for ATS (from EASA BR)
[Figure: essential requirements for ATS, not reproduced]

ERs for CNS (from EASA BR)
[Figure: essential requirements for CNS, not reproduced]

ERs for ATM/ANS Systems & Constituents (1) (from EASA BR)
ERs for ATM/ANS Systems & Constituents (2)
ERs for ATM/ANS Systems & Constituents (3)
[Figures: essential requirements text, not reproduced]

SES and EASA Frameworks in ATM/ANS: Performance Scheme & Safety KPIs (PS-IR Reg. 691/2010)
- 4 Key Performance Areas (KPAs) including safety
- 3 Safety KPIs: 1. Effectiveness of Safety Management; 2. Risk assessment of ATM occurrences (RAT); 3. Reporting of Just Culture
- No EU-wide quantitative targets set
- States can set targets for themselves and/or add new Safety KPIs
- EASA AMC/GM on implementation and measurement of Safety KPIs: http://www.easa.eu.int/agency-measures/acceptable-means-of-compliance-andguidance-material.php#SKPI

Common Requirements (CR-IR Reg. 1035/2011): SMS
Annex II (Specific Requirements for the Provision of Air Traffic Services)
3. SAFETY OF SERVICES
3.1. Safety management system
3.1.1. General safety requirements
A provider of air traffic services shall, as an integral part of the management of its services, have in place a safety management system (SMS) [...]

Common Requirements (CR-IR Reg. 1035/2011): Risk Assessment and Mitigation of Changes
Annex II
3. SAFETY OF SERVICES
3.1. Safety management system
3.1.2. Requirements for safety achievement
Ensure that risk assessment and mitigation is conducted to an appropriate level to ensure that due consideration is given to all aspects of the provision of ATM (risk assessment and mitigation). As far as changes to the ATM functional system are concerned, the provisions of part 3.2 of this Annex shall apply.

Common Requirements (CR-IR Reg. 1035/2011): Risk Assessment and Mitigation of Changes
3.2. Safety requirements for risk assessment and mitigation with regard to changes
3.2.1. Section 2
The hazard identification, risk assessment and mitigation processes shall include:
(a) a determination of the scope, boundaries and interfaces of the constituent part being considered, as well as the identification of the functions that the constituent part is to perform and the environment of operations in which it is intended to operate;

Common Requirements (CR-IR Reg. 1035/2011): Risk Assessment and Mitigation of Changes
(b) a determination of the safety objectives to be placed on the constituent part, incorporating:
- an identification of ATM-related credible hazards and failure conditions, together with their combined effects,
- an assessment of the effects they may have on the safety of aircraft, as well as an assessment of the severity of those effects, using the severity classification scheme set out in Section 4,
- a determination of their tolerability, in terms of the hazard's maximum probability of occurrence, derived from the severity and the maximum probability of the hazard's effects, in a manner consistent with Section 4;

Common Requirements (CR-IR Reg. 1035/2011): Risk Assessment and Mitigation of Changes
(c) the derivation, as appropriate, of a risk mitigation strategy which:
- specifies the defences to be implemented to protect against the risk-bearing hazards,
- includes, as necessary, the development of safety requirements potentially bearing on the constituent part under consideration, or other parts of the ATM functional system, or environment of operations, and
- presents an assurance of its feasibility and effectiveness;
(d) verification that all identified safety objectives and safety requirements have been met:
- prior to the implementation of the change,
- during any transition phase into operational service,
- during its operational life, and
- during any transition phase until decommissioning.

Common Requirements (CR-IR Reg. 1035/2011): Risk Assessment and Mitigation of Changes
3.2.3. Section 3
The results, associated rationales and evidence of the risk assessment and mitigation processes, including hazard identification, shall be collated and documented in a manner which ensures that:
- complete arguments are established to demonstrate that the constituent part under consideration, as well as the overall ATM functional system, are and will remain tolerably safe by meeting allocated safety objectives and requirements. This shall include, as appropriate, specifications of any predictive, monitoring or survey techniques being used,
- all safety requirements related to the implementation of a change are traceable to the intended operations/functions.

Requirements on SMS and Risk Assessment and Mitigation of Changes: Summary
CR-IR (Reg. 1035/2011) requires service providers to:
- implement a Safety Management System (SMS)
- perform safety assessments on any change to the ATM system
- document these safety assessments (argument + evidence)

Safety Oversight Requirements Related to Changes (Reg. 1034/2011)
Article 9 (Safety Oversight of Changes to Functional Systems)
1. Organisations shall only use procedures accepted by the relevant competent authority when deciding whether to introduce a safety-related change to their functional systems. [...]
2. Organisations shall notify the relevant competent authority of all planned safety-related changes. [...]
Article 10 (Review Procedure of the Proposed Changes)
1. Competent authorities shall review the safety arguments associated with new functional systems or changes to existing functional systems proposed by an organisation when:
(a) the severity assessment conducted in accordance with Annex II, point 3.2.4 of Implementing Regulation (EU) No 1035/2011 determines a severity class 1 or a severity class 2 for the potential effects of the hazards identified; or
(b) the implementation of the changes requires the introduction of new aviation standards.
3. The introduction into service of the change under consideration in the review shall be subject to acceptance by competent authorities.

Summary
- SES, Eurocontrol and EASA frameworks
- EASA Total Aviation System Approach in Safety
- EASA Basic Regulation
- Essential Requirements for ATM/ANS
- Performance scheme
- Safety Key Performance Indicators (KPIs)
- Common Requirements on: SMS; risk assessment and mitigation of changes
- Safety Oversight Requirements related to changes

Questions?

Key Concepts for Safety Assessments


Session 03

Structure

What is a risk?
What is a Risk Classification Scheme?
Safety criteria
ATM-related categories of accidents
ATM-related hazards
How safe do we need to be?
Success and failure perspective

Risk in various areas

What types?
Safety
Financial
Environmental
Legal
Security

Who is exposed?
Individuals
Companies
Society

Hazard and Safety Risk
[Figure] Likelihood of hazards -> HAZARD -> hazard effects, each with a severity -> likelihood of effects -> RISK of incidents / accidents

Risk of what?
[Figure] Initiating event / failure -> ATM hazard -> major incident -> serious incident -> accident (axes: likelihood / probability; severity increases along the chain)
Barriers: hazard prevention; hazard protection / recovery

Severity of Effects (increasing severity from 5 to 1)
- SEVERITY 1: ACCIDENTS
- SEVERITY 2: SERIOUS INCIDENTS
- SEVERITY 3: MAJOR INCIDENTS
- SEVERITY 4: SIGNIFICANT INCIDENTS
- SEVERITY 5: NO IMMEDIATE EFFECT ON SAFETY

Severity Classification Scheme (Reg. 1035/2011 repealing 2096/2005)

Frequency of Occurrence of Effects (illustrative only)
How often? | Once every | Frequency class
10^-2/h | 3 days | Very frequent
10^-3/h | month | Frequent
10^-4/h | year | Likely
10^-5/h | decade | Rare
10^-6/h | century | Extremely rare
(decreasing frequency from top to bottom)

Use of Appropriate Units (dependent on system)
- Per movement
- Per operational hour per sector
- Per mission
- Per month, year
- Per flight hour
- Per operational hour

A Typical Transportation Risk Comparison
[Figure: bar chart of deaths per 10^6 journeys and deaths per 10^10 passenger-km for Air, Train and Bus, United Kingdom 1970-1989; values shown on the chart: 540, 11, 30, 30, 60]

A Typical Transportation Risk Comparison

Killed passengers per 100 million passenger-kilometres (1999 / 2001-2002):
Motorcycle/moped | 16 | 13.8
Pedestrian displacement | 7.5 | 6.4
Bicycle | 6.3 | 5.4
Convey | 0.8 | 0.7
Ferry | 0.33 | 0.25
Bus and coach | 0.08 | 0.07
Air (civil aviation) | 0.08 | 0.035
Train | 0.04 | 0.035

Killed passengers per 100 million passenger-hours (1999 / 2001-2002):
Motorcycle/moped | 500 | 440
Bicycle | 90 | 75
Pedestrian displacement | 30 | 25
Convey | 30 | 25
Air (civil aviation) | 36.5 | 16
Ferry | 10.5 | (not recovered)
Bus and coach | (not recovered) | (not recovered)
Train | (not recovered) | (not recovered)

Some Individual Fatality Risks
Hazardous situation | Fatalities per million per year | Probability of fatality per year
road user | 100 | 10^-4
car driver | 150 | 1.5x10^-4
while at work | 10 | 10^-5
falling aircraft | 0.02 | 2x10^-8
resident near chemical plant | 35 | 3.5x10^-5
smoking 20 cigarettes/day | 5000 | 5x10^-3

Risk Acceptability

Factors Affecting Risk Perception

Visibility of benefits
News headlines
Harm caused by accident
Personal experience
Personal control
Uncertainty
Time-delayed effects
Human vs natural causes
Confidence in operator / regulator

Risk Perception Exercise
A way of representing the way people feel about risk is to place the risk on a matrix which shows whether they rate it as fear or not fear, known or unknown. This is shown here for the risks posed by asbestos, food colouring, fireworks and crime. The exercise is to place on the matrix your perception of the risks posed by:
1) Nuclear power
2) Commercial aviation
3) Mobile phones
4) Pesticides in food
[Matrix: horizontal axis Not Fear / Fear; vertical axis Known risk / Unknown. Already placed: Food colouring (towards Unknown); Asbestos; Crime and Fireworks (towards Known risk)]

Common Risk Acceptability Levels
[Figure: risk matrix with severity of effects on the vertical axis and frequency of occurrence of effects on the horizontal axis; the region of unacceptable risks lies above the region of acceptable risks]
Target level of safety per severity of effect: ATM accident: Target Level of Safety 1 (TLS1); serious incident: TLS2; major incident: TLS3; significant incident: TLS4

Example of Risk Matrix / RCS
Columns (frequency of occurrence of effect, from rarest to most frequent): Extremely unlikely (TLS1) | Unlikely (TLS2) | Occasional (TLS3) | Likely (TLS4) | Frequent
Rows (effect severity): SC 1 | SC 2 | SC 3 | SC 4 | SC 5
Cells combining a high severity with a high frequency are UNACCEPTABLE; the remaining cells are ACCEPTABLE. The TLS heading each frequency column marks the acceptable/unacceptable boundary for one severity class (SC 1: TLS1, SC 2: TLS2, SC 3: TLS3, SC 4: TLS4).

Safety Criteria
- Absolute: against an absolute Target Level of Safety (TLS)
- Relative: as safe as before or safer than before
- Reductive: As Low As Reasonably Practicable (ALARP)

How safe do we need to be and remain?
- ICAO Target Levels of Safety (TLS)
- ATM 2000+: risk of an accident not to increase (with time) and preferably decrease
- ESARR 4: risk of an accident with ATM contribution not higher than 1.55e-8 per flight-hour (up to 2015)
- SES CIR 1035/2011: to minimise the risk of aircraft accident as far as reasonably practicable; safety objectives based on risk shall be established in terms of the hazard's maximum probability of occurrence, derived both from the severity of its effect and from the maximum probability of the hazard's effect
- National RCS
- ANSP safety performance targets and safety KPIs, e.g. MUAC (from Annual Safety Report 2010): objective: minimise the MUAC contribution to the risk of an air traffic accident; primary goal (SPI): zero accidents and separation minima infringements (SMI); 5 SMI (Severity A & B) per year
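The following is an added example and not part of the EUROCONTROL course material: a small Python model of the risk matrix / RCS shown earlier and of the safety-objective derivation that CR-IR point 3.2.1(b) and the SES CIR bullet above describe (the hazard's maximum tolerable probability derived from the severity of each effect and the maximum probability of that effect). All TLS values, the hazard and its conditional probabilities are constructed assumptions, not the thresholds of any national RCS; the competent-authority review flag follows Article 10(1)(a) of Reg. 1034/2011 (potential effects of severity class 1 or 2), and the "once every" conversion mirrors the frequency-of-occurrence slide.

```python
"""Added example: an illustrative Risk Classification Scheme (RCS) and the
derivation of safety objectives from it.

All thresholds, hazard names and probabilities below are constructed for the
example; they are not the values of any national RCS or of Reg. 1035/2011.
"""
from dataclasses import dataclass

# Severity classes of a hazard effect (severity classification scheme).
SEVERITY_NAMES = {1: "accident", 2: "serious incident", 3: "major incident",
                  4: "significant incident", 5: "no immediate effect on safety"}

# Constructed TLS: maximum tolerable frequency (per operational hour) of an
# effect of each severity class.  Assumption for the example only.
TLS_PER_HOUR = {1: 1e-8, 2: 1e-6, 3: 1e-4, 4: 1e-2}

# Frequency classes of the RCS, from the most demanding column outwards.
FREQUENCY_CLASSES = ["extremely unlikely", "unlikely", "occasional", "likely", "frequent"]


def frequency_class(freq_per_hour: float) -> str:
    """Map an effect frequency to the RCS column whose TLS it satisfies."""
    for severity, tls in sorted(TLS_PER_HOUR.items()):
        if freq_per_hour <= tls:
            return FREQUENCY_CLASSES[severity - 1]
    return FREQUENCY_CLASSES[-1]


def matrix_cell(severity: int, freq_per_hour: float) -> str:
    """Risk matrix lookup: an effect of severity class s is acceptable when its
    frequency does not exceed TLS(s); class 5 carries no frequency limit."""
    if severity == 5 or freq_per_hour <= TLS_PER_HOUR[severity]:
        return "ACCEPTABLE"
    return "UNACCEPTABLE"


@dataclass
class Effect:
    severity: int
    p_given_hazard: float  # probability that the hazard, once present, leads to this effect


@dataclass
class Hazard:
    name: str
    effects: list
    estimated_freq_per_hour: float


def safety_objective(hazard: Hazard) -> float:
    """Maximum tolerable hazard frequency: for each effect, TLS(severity)
    divided by P(effect | hazard); the most demanding effect governs."""
    bounds = [TLS_PER_HOUR[e.severity] / e.p_given_hazard
              for e in hazard.effects if e.severity < 5 and e.p_given_hazard > 0]
    return min(bounds) if bounds else float("inf")


def assess(hazard: Hazard) -> dict:
    """Compare the estimated hazard frequency with its safety objective and note
    whether competent-authority review applies (Reg. 1034/2011 Art. 10(1)(a):
    potential effects of severity class 1 or 2)."""
    objective = safety_objective(hazard)
    return {
        "safety_objective_per_hour": objective,
        "acceptable": hazard.estimated_freq_per_hour <= objective,
        "worst_effect": min(e.severity for e in hazard.effects),
        "nsa_review": any(e.severity in (1, 2) for e in hazard.effects),
    }


def once_every(freq_per_hour: float) -> str:
    """Express a per-hour frequency as 'once every ...' (8760 h per year)."""
    hours = 1.0 / freq_per_hour
    for limit, divisor, unit in ((24 * 30, 24, "days"), (8760, 730, "months"),
                                 (87600, 8760, "years"), (876000, 87600, "decades")):
        if hours < limit:
            return f"{hours / divisor:.1f} {unit}"
    return f"{hours / 876000:.1f} centuries"


# Constructed hazard: a loss of separation that goes undetected by ATC, with
# constructed conditional probabilities of its effects.
UNDETECTED_LOS = Hazard(
    name="loss of separation not detected by ATC",
    effects=[Effect(2, 0.01), Effect(3, 0.2), Effect(4, 0.79)],
    estimated_freq_per_hour=2e-4,
)

if __name__ == "__main__":
    result = assess(UNDETECTED_LOS)
    print(UNDETECTED_LOS.name, result)
    print("estimated once every", once_every(UNDETECTED_LOS.estimated_freq_per_hour))
```

With these constructed numbers the serious-incident effect (SC 2) governs: 1e-6 / 0.01 gives a safety objective of 1e-4 per hour, the estimated 2e-4 per hour exceeds it, so the hazard is unacceptable until mitigated, and because an SC 2 effect is credible the change would also fall under the competent authority's review.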

Safety Performance Targets and Indicators
- SES Safety KPIs (from Reg. 691/2010): 1. Effectiveness of Safety Management; 2. Risk assessment of ATM occurrences (RAT); 3. Reporting of Just Culture
- Safety performance targets by Member States
- Future SES safety performance targets?
- ATM Master Plan: to improve the safety performance by a factor of 10

Phases of Flight and Accident Categories
- Flight guidance: Controlled Flight Into Terrain (CFIT); Loss of Control (LoC) in flight; Loss of Control (LoC) on runway
- Traffic management: Mid-Air Collision (MAC); Wake Turbulence-induced Accident (WTA); Runway Collision (RC)

Examples of ATM Hazards
Loss of separation; Wrong runway use; Airspace infringement; Runway incursion; Level bust; Bird strike encounter; Wake vortex encounter; Runway excursion; Adverse weather encounter; Runway overrun; Flight control deficiency; Loss of directional control; Controlled flight towards terrain; Runway undershoot

ATM/ANS Contribution to Safety
[Figure] Operational environment -> ANS/ATM airborne & ground-based system (Pe, Pr, EQ) -> service
- Pre-existing hazards: what we WANT the system to do
- System-generated hazards: what we DON'T want the system to do

Success and Failure Perspective
[Figure, risk R axis: minimum achievable risk; risk with airbag; risk without airbag]
- What we want the airbag to do: ~ functionality & performance
- What we don't want the system to do: ~ 1/(reliability & integrity)
- Airbag contribution to the driver's safety

Safety Barrier View of ATM/ANS
[Figure labels, strategic to tactical] Strategic conflict management (airspace design) -> Pre-tactical (flow & capacity management) -> Planning & coordination -> Conflicts -> ATC tactical control (separation provision; ATC-induced conflicts; separation infringement; ATC recovery) -> Pilot tactical control (aircraft-induced conflicts; pilot recovery) -> Trajectory tactical conflicts -> Collision avoidance -> Collision / miss without control
Underpinning services: communication, navigation, surveillance; aeronautical information; meteorological information

ATM/ANS Safety Performance for Design
[Figure, risk R axis: from the pre-existing risk down to 0, the risk is reduced in turn by strategic conflict management, separation provision, collision avoidance and finally conflict geometry / luck, to reach the current level of risk]
Design targets must not rely on safety nets! (STCA, ACAS, ...)

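Added example (not the course's or EUROCONTROL's own code) of the safety-barrier view, the success and failure perspective, and the design rule just stated. Conflicts pass through strategic conflict management, separation provision, the safety nets (ATC/STCA and pilot/ACAS recovery) and finally conflict geometry; each layer may fail to stop a conflict (failure perspective) and may itself induce conflicts (what we don't want the system to do), and a barrier's success contribution is measured as the airbag picture does, by comparing risk with and without it. The design check excludes the safety nets, as the slide requires. Every rate, probability and target below is a constructed assumption.

```python
"""Added example: safety-barrier model of the ATM/ANS contribution to
mid-air collision risk.  Every number below is a constructed assumption."""
from dataclasses import dataclass


@dataclass
class Barrier:
    name: str
    p_fail: float                  # P(a conflict passes this layer unresolved): failure perspective
    induced_per_hour: float = 0.0  # conflicts this layer itself creates and lets through (e.g. ATC-induced)
    safety_net: bool = False       # STCA/ACAS-type last-resort protection


def residual_frequency(initiating_per_hour, barriers, rely_on_safety_nets):
    """Propagate a conflict frequency through the barriers in order.

    Each layer lets through f * p_fail of what reaches it, plus the conflicts it
    induces itself.  When rely_on_safety_nets is False, safety-net layers are
    skipped, i.e. credited with no risk reduction at all."""
    f = initiating_per_hour
    for b in barriers:
        if b.safety_net and not rely_on_safety_nets:
            continue
        f = f * b.p_fail + b.induced_per_hour
    return f


def design_check(initiating_per_hour, barriers, tls_per_hour):
    """Design target per the slide: it must be met without credit for safety nets."""
    without = residual_frequency(initiating_per_hour, barriers, False)
    with_nets = residual_frequency(initiating_per_hour, barriers, True)
    return {
        "without_safety_nets": without,
        "with_safety_nets": with_nets,
        "design_target_met": without <= tls_per_hour,
        "met_only_thanks_to_safety_nets": without > tls_per_hour >= with_nets,
    }


def barrier_benefit(initiating_per_hour, barriers, name):
    """Success perspective (the airbag picture): risk without the named barrier
    divided by risk with it, i.e. the factor by which that barrier reduces risk."""
    with_b = residual_frequency(initiating_per_hour, barriers, True)
    without_b = residual_frequency(
        initiating_per_hour, [b for b in barriers if b.name != name], True)
    return without_b / with_b


# Constructed layered defences, outermost first.
BARRIERS = [
    Barrier("strategic conflict management", p_fail=0.5),
    Barrier("separation provision", p_fail=1e-3, induced_per_hour=2e-6),
    Barrier("ATC recovery (STCA)", p_fail=0.1, safety_net=True),
    Barrier("pilot recovery (ACAS)", p_fail=0.1, safety_net=True),
    Barrier("conflict geometry / luck", p_fail=0.05),
]
PRE_EXISTING_CONFLICTS_PER_HOUR = 1e-2   # constructed pre-existing risk
MAC_TLS_PER_HOUR = 1e-8                  # constructed target for accidents

if __name__ == "__main__":
    for key, value in design_check(PRE_EXISTING_CONFLICTS_PER_HOUR, BARRIERS, MAC_TLS_PER_HOUR).items():
        print(f"{key}: {value}")
    factor = barrier_benefit(PRE_EXISTING_CONFLICTS_PER_HOUR, BARRIERS, "separation provision")
    print(f"separation provision reduces risk by a factor of {factor:.0f}")
```

With the constructed numbers the residual accident frequency is 3.5e-7 per hour when the safety nets are not credited and 3.5e-9 per hour when they are; only the latter meets the 1e-8 target, which is exactly the situation the slide warns against: a design that is "safe" only because STCA and ACAS are expected to catch what separation provision lets through.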

Summary

What is a risk?
What is a Risk Classification Scheme?
Safety criteria
ATM-related categories of accidents
ATM-related hazards
How safe do we need to be?
Success and failure perspective

Questions?

Risk Assessment and Mitigation


Overview of SAM
Session 05

Structure
- Safety assessment logic
- Safety assessment steps
- Change lifecycle
- Overall SAM process
- Safety assessment approach
- Safety assessment and possible deliverables

Risk Management (risk-based decision)
[Flow] Identification of hazards -> hazard likelihood/frequency of effects and severity of effects -> risk of effects -> compared against safety criteria -> acceptable? Yes/No -> if NO: additional risk mitigation means

ATM/ANS Elements to Consider
- Environment: airspace
- Human actors: ATCOs, pilots, support engineers, managers
- Procedures: ATC, operating, maintenance
- Systems: surveillance, information, navaids, communications

ATM/ANS Change Development Lifecycle
Change definition -> Change design -> Change implementation -> Transfer into operations -> Operation / maintenance -> Decommissioning

Safety Assessment Logic
- Risk assessment: What can go wrong? What effect can it have? How likely is it to happen? Is the risk acceptable?
- Risk mitigation: What needs to be done about it?
- Risk monitoring

Safety Assessment Steps
1. Safety assessment initiation: review of Concept of Operations; review of operational service and environment characteristics; scoping and change assessment; safety considerations; safety criteria; safety assessment organisation
2. Hazard identification, risk assessment and safety objectives
3. Risk mitigation strategy and safety requirements
4. Safety verification and validation
5. Safety assessment of change implementation and transfer into operations
6. Safety performance monitoring
7. Safety argumentation and case

What is SAM?
- SAM = Air Navigation System Safety Assessment Methodology
- Developed by EUROCONTROL and ANSPs to reflect best practice in this domain
- A process derived from aircraft system safety assessment: FHA, PSSA, SSA
- 3 levels: method, guidance material, examples
- Acceptable Means of Compliance (AMC) to ESARR 4
- A set of techniques to develop 
ATM/ANS safety assessment

SAM & Change Lifecycle
System lifecycle | Safety assurance
Change definition | FHA: how safe does the system need to be?
Change design | PSSA: is the proposed architecture able to achieve an acceptable level of safety?
Change implementation; transfer into operations; operation / maintenance; decommissioning | SSA: does the system achieve an acceptable level of safety?

Inputs/Outputs of a Safety Assessment
Inputs: Concept of Operations; system functions; environment description; interfaces / stakeholders; related SMS procedures
-> Safety assessment ->
Outputs: safety objectives, requirements and evidence

S.A. Steps and SAM Process
- Safety assessment initiation (FHA): review of Concept of Operations; review of operational service and environment characteristics; scoping and change assessment; safety considerations; safety criteria; safety assessment organisation
- Hazard identification, risk assessment and safety objectives (FHA)
- Risk mitigation strategy and safety requirements (PSSA)
- Safety verification and validation (SSA)
- Safety assessment of change implementation and transfer into operations (SSA)
- Safety performance monitoring (SSA)
- Safety argumentation and case (SCDM)

Plan the Work
For each step, define:
- Scope
- Who? (roles and responsibilities)
- What? (activities and deliverables)
- When? (schedule)
- How? (tools and techniques)

Success & Failure Approach
- Success approach: seeks to assess the achieved level of safety when ATM/ANS is operated as specified
- Failure approach: seeks to assess the achieved level of safety in the event of faults and failures of ATM/ANS

EUROCONTROL SAM overall process

Process diagram (text recovered from the figure):
- Safety Considerations -> Initial Safety Argument
- Operational Concept -> FHA -> Evidence
- Safety Plan
- PSSA -> Evidence
- Implementation, Integration -> SSA -> Evidence
- Transfer into Operation -> Approval
- Operation & Maintenance -> Evidence -> Safety Monitoring Reports
- System Project Safety Case (update, if required) and Unit Safety Case (update)

Safety Assessment and Possible Deliverables

Possible Project Deliverables:
- Project Plan
- Concept of Operations (CONOPS)
- Operational Service and Environment Description (OSED)
- Validation Plan
- Validation Report

Possible Safety Deliverables:
- Safety Considerations
- Safety Plan
- Safety Assessment Report
- Safety Case (Report)

Safety Assessment Outputs:
- Safety Criteria
- Hazards
- Safety Objectives
- Safety Requirements
- Safety Arguments and Evidence

Summary

- Safety assessment logic
- Safety assessment steps
- Change lifecycle
- Overall SAM process
- Safety assessment approach
- Safety assessment and possible deliverables

Questions?


Aquarium system safety assessment

Aquarium system: introduce a fish tank with tropical fish.

Required inputs before starting the safety assessment?

Inputs/Outputs of a Safety Assessment (same diagram as earlier in the course: Concept of Operations, System Functions, Environment Description, Interfaces / Stakeholders and Related SMS Procedures feed the Safety Assessment, which outputs Safety Objectives, Requirements and Evidence)

System Analysis

Functions of the aquarium system identified in the diagram: Water quality, Water temperature, Water quantity, Food quality, Food quantity, Oxygen level, Cleaning.

Means: structured brainstorming, reports, studies, etc.

Goal: common understanding on how the system works and what the main functions are!

Functional Hazard Assessment (FHA)

Diagram:
- INPUTS: system functions; concept of operations; environment description; external interfaces / stakeholders; related SMS procedures
- FHA: hazard identification -> hazard effect identification -> severity classification -> safety objective specification
- OUTPUTS: system safety objectives

Functions & failure modes

Overall Operational Objective: Maintain Health of Tropical Fish

System Functions:
- Maintain Water Quantity
- Maintain Water Temperature
- Maintain Water Quality: Food Level, Pollution Level, Oxygen Level

Failure Modes (what can go wrong?), for example:
- Quantity: Total Loss; Partial Loss (75%, 50%, 5%)
- Temperature: Too High; Too Low
- Quality - Food: Too Low (<1 week; >1 week)
- Quality - Pollution: Too High (>3 days <1 week; >1 week <2 weeks; >2 weeks)
- Oxygen: Too Low

Severity definitions

Severity Definitions (in terms of effects on operations), increasing severity from 5 to 1:
1 All fish within the tank die.
2 All fish become unhealthy, many fish will die.
3 Many fish become unhealthy, some fish will die.
4 Uncomfortable environment, some fish may become unhealthy.
5 No effect on the fish.

Aquarium System FHA Results (1)

System Function | Failure mode (+ Exposure Time) | Effect on operations | Severity
Maintain Water Quantity | Total Loss | All fish within the tank die | 1
Maintain Water Quantity | Partial Loss 75% | All fish become unhealthy, many die | 2
Maintain Water Quantity | Partial Loss 50% | Many fish become unhealthy, some die | 3
Maintain Water Quantity | Partial Loss 5% | Uncomfortable environment, some may become unhealthy | 4
Maintain Water Temperature | Too High | All fish within the tank die | 1
Maintain Water Temperature | Too Low | All fish within the tank die | 1
Maintain Water Quality - Food Level | Too Low <3 days | Uncomfortable environment, some may become unhealthy | 4
Maintain Water Quality - Food Level | Too Low >3 days | Many fish become unhealthy, some die | 3
Maintain Water Quality - Pollution Level | Too High >3 days <1 week | Many fish become unhealthy, some die | 3
Maintain Water Quality - Pollution Level | Too High >1 week <2 weeks | All fish become unhealthy, many die | 2
Maintain Water Quality - Pollution Level | Too High >2 weeks | All fish within the tank die | 1
Maintain Water Quality - Oxygen Level | Too Low | All fish become unhealthy, many die | 2

(Severity classes as per the severity definitions slide.)

Aquarium System SOCS

Risk matrix: Severity of the Effect (rows 1 to 5) against Frequency of Occurrence of Hazard (columns: Extremely Rare, Rare, Occasional, Likely, Numerous). The upper-right region of the matrix is marked Unacceptable, the lower-left region Acceptable. The boundary gives the maximum acceptable frequency per severity class as used in the safety objectives that follow: Severity 1: Extremely Rare; Severity 2: Rare; Severity 3: Occasional (classes 4 and 5 are not exercised by the example).

Aquarium System FHA Results (2)

System Function | Failure mode | Severity | Acceptable Frequency | Safety Objective
Maintain Water Temperature | Too High | 1 | Extremely Rare | The frequency of occurrence of water T exceeding 28C shall be no greater than Extremely Rare.
Maintain Water Temperature | Too Low | 1 | Extremely Rare | The frequency of occurrence of water T dropping below 20C shall be no greater than Extremely Rare.
Maintain Water Quantity | Total loss | 1 | Extremely Rare | The frequency of occurrence of a total water loss shall be no greater than Extremely Rare.
Pollution Level | Too High >3 days <1 week | 3 | Occasional | The frequency of occurrence of pollution level exceeding dangerous level for more than 3 days shall be no greater than Occasional.
Pollution Level | Too High >1 week <2 weeks | 2 | Rare | The frequency of occurrence of pollution level exceeding dangerous level for more than 1 week shall be no greater than Rare.
Pollution Level | Too High >2 weeks | 1 | Extremely Rare | The frequency of occurrence of pollution level exceeding dangerous level for more than 2 weeks shall be no greater than Extremely Rare.
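The aquarium FHA worksheet and its SOCS worked through in code, as an added example that is not part of the course material: the severity definitions, the exposure bands and the severity-to-frequency scheme for classes 1 to 3 are the slides' own, while the scheme values for classes 4 and 5, the "no effect" reading of a pollution exposure under 3 days, and the frequency estimates for the proposed architecture are assumptions made here.

```python
"""Aquarium FHA and SOCS worked through in code (added example, not course material).
Severity definitions, failure modes with exposure bands and the severity-to-frequency
scheme are taken from the slides; the frequency estimates for the proposed
architecture are constructed assumptions used only to show the acceptability check.
"""
from dataclasses import dataclass

# Severity classes from the "Severity definitions" slide (1 = most severe).
SEVERITY = {
    "All fish within the tank die": 1,
    "All fish become unhealthy, many die": 2,
    "Many fish become unhealthy, some die": 3,
    "Uncomfortable environment, some may become unhealthy": 4,
    "No effect on the fish": 5,
}

# Frequency scale of the aquarium SOCS, rarest first.
FREQUENCY = ["Extremely Rare", "Rare", "Occasional", "Likely", "Numerous"]

# Safety Objective Classification Scheme: maximum acceptable frequency per severity
# class. Classes 1-3 are read off the FHA Results (2) slide; classes 4-5 are assumed.
SOCS = {1: "Extremely Rare", 2: "Rare", 3: "Occasional", 4: "Likely", 5: "Numerous"}

INF = float("inf")


@dataclass(frozen=True)
class ExposureBand:
    """Effect of a failure mode that persists for [min_days, max_days) days."""
    min_days: float
    max_days: float
    effect: str


# Failure modes whose effect depends on exposure time (FHA Results (1) slide).
EXPOSURE_TABLE = {
    ("Food Level", "Too Low"): [
        ExposureBand(0, 3, "Uncomfortable environment, some may become unhealthy"),
        ExposureBand(3, INF, "Many fish become unhealthy, some die"),
    ],
    ("Pollution Level", "Too High"): [
        ExposureBand(3, 7, "Many fish become unhealthy, some die"),
        ExposureBand(7, 14, "All fish become unhealthy, many die"),
        ExposureBand(14, INF, "All fish within the tank die"),
    ],
}

# Failure modes whose effect does not depend on exposure time (same slide).
FIXED_TABLE = {
    ("Water Temperature", "Too High"): "All fish within the tank die",
    ("Water Temperature", "Too Low"): "All fish within the tank die",
    ("Water Quantity", "Total Loss"): "All fish within the tank die",
    ("Water Quantity", "Partial Loss 75%"): "All fish become unhealthy, many die",
    ("Water Quantity", "Partial Loss 50%"): "Many fish become unhealthy, some die",
    ("Water Quantity", "Partial Loss 5%"): "Uncomfortable environment, some may become unhealthy",
    ("Oxygen Level", "Too Low"): "All fish become unhealthy, many die",
}


def effect_of(function, failure_mode, exposure_days=None):
    """Effect on operations of a failure mode, given its exposure time where relevant."""
    key = (function, failure_mode)
    if key in FIXED_TABLE:
        return FIXED_TABLE[key]
    if exposure_days is None:
        raise ValueError(f"{key} needs an exposure time in days")
    for band in EXPOSURE_TABLE[key]:
        if band.min_days <= exposure_days < band.max_days:
            return band.effect
    # Exposure shorter than the first band (pollution under 3 days) is not on the
    # slides; treating it as "no effect" is an assumption of this example.
    return "No effect on the fish"


def safety_objective(function, failure_mode, exposure_days=None):
    """(severity class, maximum acceptable frequency of the hazard) for one failure mode."""
    severity = SEVERITY[effect_of(function, failure_mode, exposure_days)]
    return severity, SOCS[severity]


def is_acceptable(estimated_frequency, objective_frequency):
    """SOCS check: the estimate must be no more frequent than the safety objective."""
    return FREQUENCY.index(estimated_frequency) <= FREQUENCY.index(objective_frequency)


# Constructed frequency estimates for the proposed architecture (plastic tank, weekly
# feeding, big bubble maker). These values are assumptions, not taken from the slides.
PROPOSED_ESTIMATES = {
    ("Water Quantity", "Total Loss", None): "Rare",
    ("Water Temperature", "Too High", None): "Extremely Rare",
    ("Pollution Level", "Too High", 10): "Occasional",
    ("Food Level", "Too Low", 2): "Likely",
}


def assess(estimates=PROPOSED_ESTIMATES):
    """{(function, mode, days): (severity, objective, estimate, acceptable)} per hazard."""
    result = {}
    for (function, mode, days), estimate in estimates.items():
        severity, objective = safety_objective(function, mode, days)
        result[(function, mode, days)] = (
            severity, objective, estimate, is_acceptable(estimate, objective))
    return result
```

The two hazards that come out unacceptable (total water loss, pollution for more than a week) are the ones the modified architecture addresses with the glass tank and the pollution test every 2 days.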

Preliminary System Safety Assessment (PSSA)

Diagram:
- INPUTS: environment description; FHA results (hazards & SO); proposed system architecture(s)
- PSSA: evaluate proposed architecture(s); derive SR from SO
- OUTPUTS: safety requirements for system elements

Proposed System Architecture

- Water Containment sub-system: Plastic tank
- Heating sub-system: Heater, Thermostat
- Feeding sub-system: Feed weekly
- Filtration sub-system: Pump & filter
- Oxygen sub-system: Big Bubble maker

Aquarium System PSSA

Bow-tie diagram: on the left, causes F1 (D1), F2 (sub-causes F21 and F22; D2, D3), F3 (D3) and F4 (sub-causes F41 and F42; D3, D4) lead to the hazard H, which carries the safety objective ER; on the right, the effects are Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2) and Effect E (Sev 1). Safety Requirements are placed on the causes side.

Evaluate the proposed architecture, mitigate the remaining unacceptable risks and iterate if necessary.

Modified System Architecture

Steps: allocate Safety Requirements to system/sub-system elements; validate system architecture; identify risk reduction measures.

Equipment:
- Water Containment sub-system: Glass tank
- Heating sub-system: Heater, Thermostat (Alarms + display)
- Feeding sub-system: Feed daily
- Filtration sub-system: Pump & filter
- Oxygen sub-system: Tiny Bubble maker

Procedures:
- Observe Fish Daily
- Feed daily
- Test Pollution every 2 days
- Clean Weekly
- Testing Procedures

People:
- Train Kids for Feeding & Cleaning

Aquarium System Design Solution


System Safety Assessment (SSA)

Diagram:
- INPUTS: system description; FHA results (hazards & SO); PSSA results (safety requirements)
- SSA: assurance and evidence collection and monitoring; development strategy
- OUTPUTS: safety evidence

Aquarium System SSA

Evidence: FAT, SAT, etc.; Safety Survey.

Equipment:
- Is the risk mitigation in place?
- Meeting design specification?

Procedures (Observe Fish Daily; Feed daily; Test Pollution every 2 days; Clean Weekly):
- Are the procedures in place?
- Are they carried out effectively?

People (Train Kids for Feeding & Cleaning):
- Are staffing levels correct?
- Have they been trained?
- Is the training effective?

Aquarium System
SAM is iterative:
Hazards may only appear during PSSA or SSA:
External Events, Common Cause Failures,
Design induced hazards, etc.


SAM Process Summary

System lifecycle and safety assurance (diagram):
- System Definition -> FHA: How safe does the system need to be?
- System Design -> PSSA: Is the proposed architecture able to achieve an acceptable level of safety?
- System Implementation, Transfer into operations, Operation / Maintenance, Decommissioning -> SSA: Does the system achieve an acceptable level of safety?

Questions?


Hazard Identification, Risk Assessment and Determination of Safety Objectives
SAM FHA Principles

Session 07

Course Structure
- NEED FOR SAFETY ASSESSMENT
- KEY CONCEPTS
- SAM PROCESS
- FHA
- PSSA
- SSA
- PRACTICALITIES
- SAFETY ARGUMENTS
- SAM ASSISTANT

Structure

Purpose
Scope
Inputs
Core Activities
Outputs
Brainstorming


FHA Purpose

Define how safe the change needs to be:
- Identification of hazards
- Assessing the operational risk
- Define safety objectives for performance and failure prevention

Hazards, Risks and Safety Objectives

Bow Tie

Bow-tie diagram: causes F1, F2, F3 and F4 (with D1 to D4) on the left lead to the hazard H, which carries the safety objective ER; barriers on the right separate the hazard from the effects Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2) and Effect E (Sev 1). Labels in the figure: PSSA over the causes / Safety Requirements side, FHA at the hazard / Safety Objective, SSA along the bottom.

Scope

- At the level of operational functions
- Scope of FHA should be consistent with the scope defined for the safety assessment

Generic ATM Functional Description

Functional breakdown (text recovered from the diagram):

Tactical Separation:
- Conflict Detection
- Conflict Resolution. Between Aircraft: IFR/IFR & IFR/VFR; Between Aircraft: VFR/VFR; Between Aircraft & Ground. Cases: IFR/IFR; IFR/VFR Class B, C; IFR/VFR Class D; IFR/VFR Class E, F, G; VFR/VFR Class B, C, D; VFR/VFR Class E, F, G
- Sequencing & Metering: IFR Arrivals; IFR Departures; VFR Arrivals; VFR Departures; Holding; Transits; Radar to Non-Radar
- Situational Awareness ATCO: Create; Maintain
- Situational Awareness Pilot: Create; Maintain

Collision Avoidance

Coordination & Transfer:
- Adjacent Units: ACC; APP; TWR; Military; GA Airfields
- Transfer of Control
- Assume Control: Non-Radar; Radar with correlation; Radar without correlation

Flow & Capacity Management:
- Manage Flow Regulation
- Sector Management
- Routing Management

Flight Information Service:
- Airspace Information
- Meteorological Information
- Aerodrome Information
- Status of Services & Systems
- Procedures & Regulations

Airspace Management:
- Strategic Airspace Management
- Tactical Airspace Management
- Runway Changes
- Tactical Management of Unusual Occurrences

Alerting Service:
- Problem Detection
- Coordination with Rescue Services

Supporting Services: AIS; Met Services; Comms Systems; Nav Systems; Surveillance Systems

Legend: High Risk; Causal Link

Safety Barrier View of ATM/ANS

Barrier diagram (text recovered from the figure). Barriers, from strategic to last resort:
- Strategic Conflict Management: Airspace Design
- Pre-tactical: Flow & Capacity Management
- Planning & Coordination
- Separation Provision: ATC Tactical Control, Pilot Tactical Control
- Recovery: ATC Recovery, Pilot Recovery
- Collision Avoidance

Events between the barriers: Conflicts; Trajectory tactical conflicts; ATC induced conflicts; Aircraft induced conflicts; Separation Infringement; Collision / miss without control.

Supporting layers: Communication, Navigation, Surveillance; Aeronautical Information; Meteorological Information.

FHA Inputs
- System functions
- Concept of operations
- Environment description
- Interfaces / Stakeholders
- Related SMS Procedures

FHA Core Activities

Brainstorming-driven activities (diagram):
- FUNCTIONAL HAZARD IDENTIFICATION: what can go wrong?
- HAZARD EFFECTS IDENTIFICATION: what are the potential consequences?
- EFFECTS SEVERITY CLASSIFICATION: how severe are the consequences?
- SAFETY OBJECTIVES SPECIFICATION: how safe does the system need to be?

Hazard Identification

Diagram: Function 1 has Failure Modes 1.1 and 1.2, Function 2 has Failure Modes 2.1 and 2.2, and External Event E.1 is also considered; failure modes and external events are grouped into Hazard 1, Hazard 2 and Hazard 3.

Common understanding? Scale

Examples of Failure Modes

Loss and operation failure modes:
- Total loss / Inability to provide a function
- Partial loss
- Failure to start
- Failure to stop
- Failure to switch
- Delayed operation (too late)
- Premature operation (too early)
- Inadvertent operation
- Intermittent or erratic operation
- Modified operation
- Violation of operation (Routine or unintentional)
- Used beyond intent
- Out of time synchronisation

Error of input/output:
- missing data (partial loss, total loss)
- detected erroneous/corrupted data (not credible error/corruption)
- undetected erroneous/corrupted data (credible error/corruption)
- spontaneous data
- out of sequence
- out of range
- Misdirection of data
- Inconsistent information
- Erroneous updating
- Misheard
- Misunderstood

Hazard Effect Determination

Diagram: the Hazard passes through Barrier A, Barrier B, Barrier C and Barrier D; depending on which barriers hold, the end effect is Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2) or Effect E (Sev 1).

1. Common understanding of the hazard
2. Identify the barriers
3. Consider exposure time and hazard detection

Severity Classification

- Identify the factors or protective barriers influencing the effects of each hazard
- Assess the effectiveness of the barriers, and determine the possible scenarios and their end-effects
- Allocate a severity class to each effect, in accordance with the Severity Classification Scheme from Reg. 1035/2011

Severity Classification Scheme (Reg. 1035/2011 Repealing 2096/2005)

List of examples of serious incidents from Reg. 996/2010

- Near collision requiring an avoidance manoeuvre to avoid a collision or an unsafe situation or when an avoidance action would have been appropriate,
- Controlled flight into terrain only marginally avoided,
- Runway incursions classified with severity A according to the Manual on the Prevention of Runway Incursions (ICAO Doc 9870) which contains information on the severity classifications,
- Take-off or landing incidents. Incidents such as undershooting, overrunning or running off the side of runways,
- Take-offs from a closed or engaged runway, from a taxiway, excluding authorised operations by helicopters, or from an unassigned runway,
- Aborted take-offs on a closed or engaged runway, on a taxiway, excluding authorised operations by helicopters, or from an unassigned runway,
- Landings or attempted landings on a closed or engaged runway, on a taxiway, excluding authorised operations by helicopters, or from an unassigned runway,
- Gross failures to achieve predicted performance during take-off or initial climb,
- Fires and smoke in the passenger compartment, in cargo compartments or engine fires, even though such fires were extinguished by the use of extinguishing agents,
- Events requiring the emergency use of oxygen by the flight crew,
- Aircraft structural failure or engine disintegration, including uncontained turbine engine failures, not classified as an accident,
- Multiple malfunctions of one or more aircraft systems seriously affecting the operation of

ESARR 4 Severity Scheme

Severity class | Effect on Operations | Examples of effects on operation include:
1 [Most Severe] | Accidents | One or more catastrophic accidents; one or more mid-air collisions; one or more collisions on the ground between two aircraft; one or more Controlled Flight Into Terrain; total loss of flight control. No independent source of recovery mechanism, such as surveillance or ATC and/or flight crew procedures can reasonably be expected to prevent the accident(s).
2 | Serious incidents | Large reduction in separation (e.g., a separation of less than half the separation minima), without crew or ATC fully controlling the situation or able to recover from the situation. One or more aircraft deviating from their intended clearance, so that abrupt manoeuvre is required to avoid collision with another aircraft or with terrain (or when an avoidance action would be appropriate).
3 | Major incidents | Large reduction (e.g., a separation of less than half the separation minima) in separation with crew or ATC controlling the situation and able to recover from the situation. Minor reduction (e.g., a separation of more than half the separation minima) in separation without crew or ATC fully controlling the situation, hence jeopardising the ability to recover from the situation (without the use of collision or terrain avoidance manoeuvres).
4 | Significant incidents | Increasing workload of the air traffic controller or aircraft flight crew, or slightly degrading the functional capability of the enabling CNS system. Minor reduction (e.g., a separation of more than half the separation minima) in separation with crew or ATC controlling the situation and fully able to recover from the situation.
5 [Least Severe] | No immediate effect on safety. | No hazardous condition i.e. no immediate direct or indirect impact on the operations.

SEVERITY INDICATORS SET 1: EFFECTS ON AIR NAVIGATION SERVICE

Severity Class | 1 [Most Severe] Accidents | 2 Serious Incidents | 3 Major Incidents | 4 Significant Incidents
Effect on Air Navigation Service within the area of responsibility | Total inability to provide or maintain safe service | Serious inability to provide or maintain safe service | Partial inability to provide or maintain safe service | Ability to provide or maintain safe but degraded service
ATCO and/or Flight Crew Working Conditions | Workload, stress or working conditions are such that they cannot perform their tasks at all | Workload, stress or working conditions are such that they are unable to perform their tasks effectively | Workload, stress or working conditions such that their ability is significantly impaired | Workload, stress or working conditions are such that their abilities are slightly impaired
Effect on ground ATM System and/or Aircraft Functional Capabilities | Total loss of functional capabilities | Large reduction of functional capabilities | Significant reduction of functional capabilities | Slight reduction of functional capabilities
ATCO and/or Flight Crew Ability to Cope with Adverse Operational and Environmental Conditions | Unable to cope with adverse operational and environmental conditions | Large reduction of the ability to cope with adverse operational and environmental conditions | Significant reduction of the ability to cope with adverse operational and environmental conditions | Slight reduction of the ability to cope with adverse operational and environmental conditions

SEVERITY INDICATORS SET 2: EXPOSURE

Indicator | Class 1 | Class 2 | Class 3 | Class 4 | Class 5
Exposure time | The presence of the hazard is almost permanent. Reduction of safety margins persists even after recovering from the immediate problem. | Hazard may persist for a substantial period of time | Hazard may persist for a moderate period of time. | Hazard may persist for a short period of time such that no significant consequences are expected. | Too brief to have any safety-related effect
Number of aircraft exposed / area of responsibility | All aircraft in the area of responsibility | All aircraft in several ATC Sectors | Aircraft within a small geographic area or an area of low traffic density | Single aircraft | No aircraft affected

SEVERITY INDICATORS SET 3: RECOVERY

Indicator | Class 1 | Class 2 | Class 3 | Class 4 | Class 5
Annunciation, Detection and Diagnosis * | Undetected misleading indication. | Ambiguous indication. Not easily detected. Incorrect diagnosis likely | May require some interpretation. Detectable. Incorrect diagnosis possible | Clear annunciation. Easily detected, reliable diagnosis | Clear annunciation. Easily detected and very reliable diagnosis
Contingency measures (other systems or procedures) available | No existing contingency measures available. Operators unprepared. Limited ability to intervene. | Limited contingency measures, providing only partial replacement functionality. Operators not familiar with procedures or may need to devise a new procedure at the time. | Contingency measures available, providing most of required functionality. Fall back equipment usually reliable. Operator intervention required, but a practised procedure within the scope of normal training | Reliable, automatic, comprehensive contingency measures | Highly reliable, automatic, comprehensive contingency measures
Rate of development of the hazardous condition, compared to the time necessary for annunciation, detection, diagnosis and application of contingency measures | Sudden. It does not allow recovery | Fast | Similar | Slow | Plenty of time available.
Safety Objectives Specification

Diagram: Severity Class -> Risk Classification Scheme / Safety Objective Classification Scheme -> Safety Objective.

Safety Objective: Maximum Acceptable Frequency of Occurrence of Hazard

FHA Outputs
- Hazards
- Effects
- Severity class
- Rationale / Barriers
- Assumptions
- SAFETY OBJECTIVES

Risk Assessment Template


Hazard
Id

Function

Hazard

Context and
Exposure
Time

Factors,
Protective Barriers and
Effectiveness

Copyright 2011 EUROCONTROL

Effect on operations

Severity
Class

Rationale/
Remarks

22

Brainstorming

Participants/Functions:
- End users (ATCO, pilots, technicians): background, mindset, independence
- Moderator: optimise effectiveness
- Safety expert: safety process, challenger
- Secretary: to make notes

Preparation is key

Summary

Purpose
Scope
Inputs
Core Activities
Outputs
Brainstorming


Questions?

Risk Mitigation Strategy of ATM Change Design for Operations
SAM PSSA Principles

Session 09

Course Structure
- NEED FOR SAFETY ASSESSMENT
- KEY CONCEPTS
- SAM PROCESS
- FHA
- PSSA
- SSA
- PRACTICALITIES
- SAFETY ARGUMENTS
- SAM ASSISTANT

Structure

Purpose
Inputs
Scope
Core Activities
Safety Requirements
Assurance levels
Outputs


PSSA Purpose

Assess whether the proposed architecture(s) of the change to the functional system are able to achieve an acceptable level of safety.

- Safety Requirements
- Assurance Levels

PSSA Inputs
- Environment description
- List of hazards
- List of Safety Objectives
- Proposed design architecture(s)

PSSA Core Activities

- EVALUATE PROPOSED CHANGE ARCHITECTURE: can the proposed architecture(s) cause or contribute to hazards? How?
- DERIVE SAFETY REQUIREMENTS: how to allocate safety requirements to each individual system element?

Questions for Change Design Phase

- Will the performance of functionalities be sufficient?
- Will it work properly, under all normal conditions of the operational environment that it is likely to encounter?
- What happens under abnormal conditions of the operational environment?
- What happens in the event of a failure or error?
- Are the Safety Requirements realistic, i.e. could they be achievable?

Evaluate Proposed Change Architecture

Change architecture modelling:
- Functional / Logical Level
- Task analysis
- HF assessment

Design analysis 1, Normal conditions (Performance):
- Safety Benefits analysis
- Real Time Simulations

Design analysis 2, Abnormal conditions (Robustness):
- Robustness analysis

Design analysis 3, Failure conditions (Integrity, Reliability):
- FTA (Fault Tree Analysis)
- CCA (Common Cause Analysis)
- HF assessment

Bow Tie

Bow-tie diagram: causes F1, F2, F3 and F4 (with D1 to D4) on the left lead to the hazard H, which carries the safety objective ER; barriers on the right separate the hazard from the effects Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2) and Effect E (Sev 1). Labels in the figure: PSSA over the causes / Safety Requirements side, FHA at the hazard / Safety Objective, SSA along the bottom.

Safety Requirements


Derive Safety Requirements

- Specify the safety requirements necessary to meet the safety objectives
- Provide assurance of the effectiveness and realism of the safety requirements
- Allocate an Assurance Level as appropriate

Safety Requirements

Risk Mitigation Means: required to reduce the risk(s) to an acceptable level.

Risk mitigation strategy:
- Eliminate hazard
- Reduce frequency of occurrence of hazard (prevention)
- Reduce severity of effects (protection)

Success and Failure Perspective

| Success | Failure
Hazard-types Addressed | Pre-existing Hazards | System-generated Hazards
Safety Contribution | Maximize ATM contribution to aviation safety | Minimize ATM contribution to risk of an accident
Dominant Safety Properties | System Functionality and Performance: what we want the system to do | System Integrity: what we don't want the system to do

Safety Requirements (SR)

Safety Requirements Topics

Functionality and performance:
- Mobile detection rate
- Timeliness of info / data provision
- Accuracy of info / data provision
- Position of sensors
- Operational procedures on info / data usage

Integrity and reliability:
- Failure rate
- False alerts
- Fail-safe degradation
- Back-up procedures

Assumptions

Risk Apportionment

Diagram: the Safety Objectives set on the SYSTEM FUNCTIONS are apportioned over the CHANGE ARCHITECTURE as Safety Requirements (SR):
- ATCOs: SR + HAL
- Operational Procedures: SR + PAL
- Equipment: SR, broken down into Hardware (SR), Man Machine Interface (SR) and Software (SR + SWAL)

PAL = Procedure Assurance Level; HAL = Human Assurance Level; SWAL = Software Assurance Level

Realism of Safety Requirements

Achievable
Necessary and sufficient
Effective
Traceable to Causes / Hazards / Safety
Objective(s)


Assurance Levels


What is the idea of an Assurance Level?

You want to build a: dog kennel? house extension? skyscraper?

You have several methods: do it yourself; use a local builder; use an architect. Which would you use?

Means of adapting the level of effort to the criticality of the change.

Where can we credibly quantify?

- Procedures: No -> PAL
- People: No -> HAL
- Equipment, Software: No -> SWAL
- Equipment, Hardware: Yes (+/-) -> figures (MTBF, etc.)

Allocation of an Assurance Level

Bow-tie diagram: causes F1 (D1), F2 (D2), F3 (D3) and F4 lead to the hazard H (safety objective ER); the effects are Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2) and Effect E (Sev 1). The labels Failing Component (at F4) and Worst Credible Effect (at Effect D) mark the two ends of the distance between failing component and effect, which together with the severity of that effect drives the allocation.

Definition of the Assurance Level

Bow-tie diagram as on the previous slide: the assurance level of a failing component (F4 in the figure) is set from the severity of its worst credible effect (Effect D, Sev 2) and the distance between the failing component and that effect.

Allocation matrix, rows = Effect Severity, columns = Distance between failing component & effect:

Effect Severity | Very Possible | Possible | Very Unlikely | Extremely Unlikely
1 | xxAL1 | xxAL2 | xxAL3 | xxAL4
2 | xxAL2 | xxAL3 | xxAL3 | xxAL4
3 | xxAL3 | xxAL3 | xxAL4 | xxAL4
4 | xxAL4 | xxAL4 | xxAL4 | xxAL4
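Assurance level allocation and risk apportionment on a bow tie, as an added example that is not from the course: the 4x4 allocation matrix is the one on the slide above, while the causes F1 to F4, their element types, rates and distance classes, and the hazard's numeric safety objective are constructed assumptions, and the rates-add OR gate is the standard rare-event fault-tree approximation rather than something the slides state.

```python
"""Assurance level allocation and risk apportionment on a bow tie (added example,
not course material).

The 4x4 allocation matrix is the one on the "Definition of the Assurance Level"
slide. The causes F1..F4, their frequency estimates, the hazard's numeric safety
objective and the distance classes assigned to them are constructed assumptions.
"""
from dataclasses import dataclass

# "Distance between failing component and effect": likelihood that a failure of the
# component propagates to the worst credible effect, most direct first.
DISTANCE = ["Very Possible", "Possible", "Very Unlikely", "Extremely Unlikely"]

# Allocation matrix from the slide: row = severity of the worst credible effect
# (1 = most severe), column index = DISTANCE. Severity 5 gets no assurance level.
AL_MATRIX = {
    1: [1, 2, 3, 4],
    2: [2, 3, 3, 4],
    3: [3, 3, 4, 4],
    4: [4, 4, 4, 4],
}

# Element types that receive a level with their SR ("Where can we credibly quantify?"
# slide); hardware is quantified instead, so it gets a figure, not a level.
AL_NAME = {"software": "SWAL", "procedure": "PAL", "people": "HAL"}


def assurance_level(severity, distance):
    """xxAL (1 = most demanding) for a failing component, or None for severity 5."""
    if severity not in AL_MATRIX:
        return None
    return AL_MATRIX[severity][DISTANCE.index(distance)]


@dataclass(frozen=True)
class Cause:
    """One cause on the left-hand side of the bow tie."""
    name: str       # e.g. "F1"
    element: str    # "software", "hardware", "procedure" or "people"
    rate: float     # estimated occurrences per operating hour (constructed)
    distance: str   # one of DISTANCE, for the worst credible effect


def hazard_rate(causes):
    """Fault-tree OR gate over independent causes; rare-event approximation, rates add."""
    return sum(c.rate for c in causes)


def meets_objective(causes, objective_rate):
    """Does the proposed architecture meet the hazard's safety objective as it stands?"""
    return hazard_rate(causes) <= objective_rate


def apportion(causes, objective_rate, weights=None):
    """Split the hazard's safety objective into a per-cause budget (risk apportionment).
    Equal shares by default; a budget is the quantitative safety requirement placed on
    the element that owns the cause.
    """
    if weights is None:
        weights = {c.name: 1.0 for c in causes}
    total = sum(weights[c.name] for c in causes)
    return {c.name: objective_rate * weights[c.name] / total for c in causes}


def derive_safety_requirements(causes, objective_rate, worst_severity):
    """One SR per cause: frequency budget, assurance level (where one applies) and
    whether the constructed estimate already meets the budget."""
    budget = apportion(causes, objective_rate)
    requirements = []
    for c in causes:
        level = assurance_level(worst_severity, c.distance)
        name = AL_NAME.get(c.element)
        requirements.append({
            "cause": c.name,
            "element": c.element,
            "max_rate": budget[c.name],
            "assurance": f"{name}{level}" if name and level else None,
            "met_by_estimate": c.rate <= budget[c.name],
        })
    return requirements


# Constructed bow tie for hazard H: worst credible effect of severity 1 (Effect E),
# safety objective 1e-4 per hour (a number given to "Extremely Rare" for the example).
EXAMPLE_CAUSES = [
    Cause("F1", "software", 2e-5, "Very Possible"),
    Cause("F2", "hardware", 1e-5, "Possible"),
    Cause("F3", "procedure", 5e-5, "Possible"),
    Cause("F4", "people", 3e-5, "Very Unlikely"),
]
EXAMPLE_OBJECTIVE_RATE = 1e-4
EXAMPLE_WORST_SEVERITY = 1


def example():
    """Evaluate the constructed architecture and derive its safety requirements."""
    ok = meets_objective(EXAMPLE_CAUSES, EXAMPLE_OBJECTIVE_RATE)
    reqs = derive_safety_requirements(EXAMPLE_CAUSES, EXAMPLE_OBJECTIVE_RATE,
                                      EXAMPLE_WORST_SEVERITY)
    return ok, reqs
```

With equal apportionment the procedure and people causes exceed their budgets, which is the "iterate if necessary" step: either strengthen those elements (PAL2 and HAL3 here) or re-weight the apportionment towards the causes that can credibly be quantified.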

PAL Objectives

Objectives to be fulfilled during the Procedure Life Cycle Phases: i Definition; ii Design and Validation; iii Implementation; iv Transfer into operations; v Operation. Rows: PAL 1, PAL 2, PAL 3, PAL 4 (the PAL 4 row is given in full on the next slide: objectives 1 to 3 of each phase).

Further objectives shown in the table for PAL 1 to PAL 3 (the flattened table does not preserve which level and phase each belongs to; the objective identifiers i.4, i.5, ii.3 to ii.7, iii.3 to iii.8, iv.4 to iv.8 and v.4 to v.7 appear in the figure):
- Ensure an approved and systematic specification
- Ensure stakeholder acceptance
- Establish an acceptable risk level (in quantitative terms)
- Ensure independence in design and validation
- Ensure external expert acceptance
- Ensure enhanced competence levels of designers
- Ensure independent auditing of the procedure
- Ensure corporate level of approval by stakeholders
- Ensure approval at the Corporate level of management
- Establish evidence of acceptable design maturity
- Ensure suitable validation at different levels
- Ensure robustness
- Ensure training levels
- Ensure incremental transfer
- Ensure approval of the Transfer Plan at management level
- Ensure stakeholder acceptance of the Transfer Plan
- Ensure application of an approved and systematic method to verify the transfer process
- Ensure enhanced competence levels of staff to perform the transfer
- Ensure that the application of the procedure is reduced to its minimum
- Ensure acceptable performance levels
- Ensure validity of assumptions
- Ensure promulgation of related incident investigations

PAL 4 Objectives

Objectives to be fulfilled during the Procedure Life Cycle Phases (Procedure Assurance Level PAL 4):

i Definition:
1. Ensure involvement of relevant operational expertise
2. Ensure a minimum set of quality assurance activities
3. Establish a proven and well-documented starting point for the definition exercises

ii Design and Validation:
1. Establish an acceptable risk level (in qualitative terms)
2. Ensure that HMI has been assessed
3. Ensure suitable validation

iii Implementation:
1. Establish an Implementation Plan which includes quality assurance activities
2. Ensure an acceptable quality assurance level

iv Transfer into operations:
1. Ensure that feedback concerning the transfer process is provided to involved staff
2. Ensure dissemination of contingency measures
3. Ensure documented contingency measures

v Operations:
1. Ensure documentation control
2. Establish a reporting system covering occurrences relating to the procedure
3. Ensure high-ranking proficiency levels

Day to day human issues


What is Human Performance ?

Diagram: Human Potential, subject to Interference, gives Human Performance; the surrounding sources of interference shown are Myself, Team, Organisation and Environment.

Human Performance Areas in ATM ?

Diagram: Interference -> Human Performance.

System Used Beyond Capabilities

PSSA Outputs
- SAFETY REQUIREMENTS

Summary
- Purpose
- Inputs
- Scope
- Core Activities
- Safety Requirements
- Assurance levels
- Outputs

Questions?

Safety Verification and Validation
Risk Assessment and Mitigation of ATM Change Implementation & Transfer into Operations
SAM SSA Principles

Session 11

Course Structure
- NEED FOR SAFETY ASSESSMENT
- KEY CONCEPTS
- SAM PROCESS
- FHA
- PSSA
- SSA
- PRACTICALITIES
- SAFETY ARGUMENTS
- SAM ASSISTANT

Structure

Purpose
Inputs
Core Activities
Outputs


SSA Purpose

Demonstrate that the change/system actually achieves an acceptable level of safety from implementation till decommissioning.

- Safety evidence
- Assurance

Timescale

Diagram: Change Initiation -> FHA -> PSSA -> SSA, with the SSA spanning Implementation, Transfer to Ops, Operations and Decommissioning.

Bow Tie

Bow-tie diagram: causes F1, F2, F3 and F4 (with D1 to D4) on the left lead to the hazard H, which carries the safety objective ER; barriers on the right separate the hazard from the effects Effect A (Sev 5), Effect B (Sev 4), Effect C (Sev 3), Effect D (Sev 2) and Effect E (Sev 1). Labels in the figure: PSSA over the causes / Safety Requirements side, FHA at the hazard / Safety Objective, SSA along the bottom.

SSA Inputs

Environment description
Hazards & Safety Objectives (SO)
System Architecture
Safety Requirements
Assurance Levels (ALs)


Verification Versus Validation

Verification
Have we built the system RIGHT?

Validation
Have we built the RIGHT system?


Need for Verification & Validation


SSA Core Activities

Build and collect evidence that:

Safety Requirements / ALs are met
Safety Objectives are satisfied
Assumptions are correct
Users' expectations are satisfied
The system achieves an Acceptable Level of Safety

For the whole lifecycle of the change/system!



What is Risky in Each Phase?

Implementation

Transfer into Operations

Operations

Maintenance

Decommissioning


For Each Phase

What type of evidence?
Verification or validation?
Who will provide this evidence?
What if you need acceptance by your NSA before transfer into ops?
What if a SR is not met?
Can you use previous safety assessments as evidence?


Use your SMS & QMS!

SMS processes:
Roles and responsibilities (management commitment)
Occurrence Reporting & Investigation
Competency assessment
Monitoring
Safety Surveys
Lesson Dissemination
External Services

Quality processes:
Design
Document control
Management of problem reports


Getting the Big Picture of Risk

Lack of evidence of risk is not evidence of lack of risk


SSA Outputs

Evidence & Assurance


Summary

Purpose
Inputs
Core Activities
Outputs


Questions?


Safety Argument / Case Principles

Session 14


Structure

Why do we develop Safety Arguments?

How to develop a Safety Argument?

How to present a Safety Argument?

What Safety Assurance activities?

What is a Safety Case?

What are the types of Safety Cases?

How to develop Safety Cases?

How to structure Safety Documentation?



Safety Argument-Based Approach

Figure: Safety Argument, Assurance Level (AL), Activities and Evidence, linked by: to provide assurance, to satisfy, to give confidence, to achieve, to produce.

To provide a structured and systematic approach
To address the EC 1035/2011 & ESARR4 requirement

Top Level Safety Argument

Arg 0: ATM Operations will be acceptably safe.

Context and supporting elements:
C001: Operational Service & Environment are described
Cr001: Acceptably safe is defined by the Safety Criteria to be satisfied
A0001: Assumptions are stated
J0001: Argue on basis of a safe Specification and Logical Design, full Implementation of that design, safe Transition into service and Safety Monitoring for whole operational service life
Justification and benefits are provided

Sub-arguments (each with evidence still [tbd]):
Arg 1: ATM system has been specified to be acceptably safe
Arg 2: ATM system has been designed to be acceptably safe
Arg 3: ATM system Design has been implemented completely & correctly
Arg 4: Transition from current state to full ATM system will be acceptably safe
Arg 5: ATM system will be shown to operate acceptably safely throughout its service

Safety Assurance Activities

Specification

Design

Implementation

Transfer into Operations

Operations


Safety Lifecycle

Figure: the lifecycle phases mapped to the safety arguments and the System Safety Assurance Activities. Definition (FHA, Arg 1); Design & Validation (PSSA, Arg 2); Implementation & Integration (SSA, Arg 3); Transfer into Operation (SSA, Arg 4); Operation & Maintenance (SSA, Arg 5). Arg 0 sits at the top, supported by the lower-level safety arguments and the (high-level) evidence.

What is a Safety Case?

Presentation of:
Structured argumentation to support a claim
Statements which claim that something is true
(or false)
Supporting rationale and evidence to show
that each argument is true


Types of Safety Cases and their Use

Figure: Unit, System and Subsystem safety cases and how they relate to each other.

Unit Safety Case

Top claim: Air Navigation Services provided by the ATSU are, and will remain, acceptably safe

What would you expect to see in such a unit safety case?


Safety Case Development Process

Figure: Safety Considerations and the Operational Concept lead to an Initial Safety Argument and a Safety Plan. Each stage of the System Project (FHA, PSSA, SSA, Implementation, Integration, Transfer into Operation, Operation & Maintenance) produces Evidence; the Safety Case is updated if required, goes for Approval, and is further updated from Safety Monitoring Reports and the Unit Safety Case.


Safety Documentation Structure

Safety Case Report
Safety Register (Hazard Log, Safety Requirements, Assumptions, ...)
Safety Assessment Report, Part 1 & 2
Design Documents
Other reference sources


System Safety Case Report Structure

Introduction
Change description
Safety Argument
  Top argument
  Safety criteria
  Sub-arguments, rationale & evidence
  Caveats (assumptions, limitations, open issues)
Safety Requirements
Conclusions
References
Appendices (S.A., simulations, test results, ...)

Summary

Why do we develop Safety Arguments?

How to develop a Safety Argument?

How to present a Safety Argument?

What is a Safety Case?

What are the types of Safety Cases?

How to develop Safety Cases?

How to structure Safety Documentation?


Questions?


Practicalities
Session 15



Structure

SAM Practicalities
FHA Practicalities
PSSA Practicalities
SSA Practicalities


SAM Practicalities - 0
This is a little story about four people named
Everybody, Somebody, Anybody, and Nobody.
There was an important job to be done and Everybody
was sure that Somebody would do it.
Anybody could have done it, but Nobody did it.
Somebody got angry about that because it was
Everybody's job.
Everybody thought that Anybody could do it, but
Nobody realized that Everybody wouldn't do it.
It ended up that Everybody blamed Somebody when
Nobody did what Anybody could have done.


SAM Practicalities - 1

At organizational level
Define who is doing what
Closely linked with:
Other SMS processes
Other QMS processes
Other project related activities

Make sure methodologies are useful and fit for purpose
Share efforts: reusability, accessibility


SAM Practicalities - 2

Plan your safety assessment

Start safety assessment as early as possible

Adapt level of effort


SAM Practicalities - 3

Be careful when you subdivide a change (overall risk not assessed)

Consider the future environment, not the current one

Total system approach not followed:
People, procedures, equipment
Key stakeholders omitted
Success approach not considered

SAM Practicalities - 4

Training needed for:
Ops and project managers
Safety practitioners
Participants in a safety assessment

Methodological assistance may be needed:
External safety/human experts
Manufacturers

KEEP CONTROL!!

SAM Practicalities - 5

Misuse of tools and techniques:
Quantification
Goal Structuring Notation (GSN)
Fault trees
Event trees

SAM Practicalities - 6

Be aware of the advantages & limitations of quantification

Advantages:
Avoids diverging understandings
Clear targets to manufacturers
Apportionment of risks
Helps to check credibility of the results

Limitations:
False sense of confidence
Not always feasible
Diverts people from dealing with the real issues

FHA Practicalities - 1

Scope of FHA should be at functional level!

Share your efforts!

Take enough time to describe the change

Involve the relevant people

Prepare the brainstorming sessions


FHA Practicalities - 2

Don't forget what we aim at:
Assessing the overall risks
Understanding how the system works (safety benefits)
Understanding how the system fails (additional risks)

PSSA Practicalities - 1

Misuse of tools and techniques:

Fault Trees
Missing barriers / mitigation means
AND gates are not always perfect! Have you captured Common Causes, unavailability of redundancy, Mean Time To Repair, etc.?

Quantification
On humans, procedures, software?
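The AND-gate warning above, and the "false sense of confidence" limitation of quantification listed under SAM Practicalities - 6, can be put in numbers. The following is an added example, not part of the EUROCONTROL course material: it quantifies a two-channel redundant subsystem first as an idealised AND gate of independent channels, then with a beta-factor common-cause term, and then with a standby channel whose failure stays latent until a periodic check. All failure rates, repair times and the beta factor are constructed sample values.

```python
# Added example (not from the EUROCONTROL course material): how an idealised
# fault-tree AND gate understates the unavailability of a redundant pair once
# common-cause failures and repair/detection latency are accounted for.
# All failure rates, repair times and the beta factor are constructed samples.

def steady_state_unavailability(failure_rate_per_h: float, mttr_h: float) -> float:
    """Steady-state unavailability of a repairable item with constant failure
    rate lambda (per hour) and mean time to repair MTTR (hours):
    U = lambda*MTTR / (1 + lambda*MTTR)."""
    x = failure_rate_per_h * mttr_h
    return x / (1.0 + x)


def and_gate_independent(u_a: float, u_b: float) -> float:
    """Textbook AND gate: top event needs both inputs failed, assumed independent."""
    return u_a * u_b


def and_gate_beta_factor(failure_rate_per_h: float, mttr_h: float, beta: float) -> float:
    """Beta-factor common-cause model for two identical channels: a fraction beta
    of each channel's failure rate is a shared cause that fails both at once.
    Top event = (both channels fail independently) OR (common cause occurs)."""
    u_ind = steady_state_unavailability((1.0 - beta) * failure_rate_per_h, mttr_h)
    u_cc = steady_state_unavailability(beta * failure_rate_per_h, mttr_h)
    return 1.0 - (1.0 - u_ind * u_ind) * (1.0 - u_cc)


def compare_models(failure_rate_per_h: float = 1e-4, mttr_h: float = 8.0,
                   beta: float = 0.1, latent_detection_h: float = 720.0) -> dict:
    """Top-event unavailability under three sets of assumptions. A standby channel
    whose failure is only found at a periodic check is effectively unrepaired for
    about the check interval, so its MTTR is latent_detection_h (720 h = monthly)."""
    u_active = steady_state_unavailability(failure_rate_per_h, mttr_h)
    u_standby_latent = steady_state_unavailability(failure_rate_per_h, latent_detection_h)
    return {
        "independent_and_gate": and_gate_independent(u_active, u_active),
        "with_common_cause": and_gate_beta_factor(failure_rate_per_h, mttr_h, beta),
        "with_latent_standby": and_gate_independent(u_active, u_standby_latent),
    }


if __name__ == "__main__":
    results = compare_models()
    baseline = results["independent_and_gate"]
    for model, u in results.items():
        print(f"{model:22s} U = {u:.2e}  ({u / baseline:6.1f}x the idealised gate)")
```

With the sample values, both the common-cause and the latent-standby models put the top event well over an order of magnitude above the idealised gate, which is exactly the false sense of confidence the slides warn about.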


PSSA Practicalities - 2

Safety Requirements focused on equipment exclusively

No qualitative Safety Requirement

Unrealistic safety requirements:
Too stringent failure rate on an equipment component
Credibility towards supplier?

PSSA Practicalities - 3

Do consider the success approach!

Make best use of SMS / QMS / project related activities

Otherwise the resulting architecture may not meet the users' needs!

PSSA should not drive design

PSSA Practicalities - 4

Safety assessments focused on individual changes:
Inconsistent assumptions (risk apportionment, ongoing or short term changes not taken into account)
Overall risk not assessed, may be unacceptable

SSA Practicalities - 1

Closely linked with other SMS / QMS processes

Don't neglect critical phases of the change!

Indicators should be relevant and useful for monitoring (action to be triggered)

SSA Practicalities - 2

SSA safety plan very useful to help structure the evidence collection process

Evidence collection usually requires a lot of effort

All interested parties should be made aware of what they should produce / collect as evidence

Summary

SAM Practicalities
FHA Practicalities
PSSA Practicalities
SSA Practicalities


Questions?
