Aviation Safety Cases: The Safety Case and Safety Argument
Dr Tim Fowler, 29 November 2005
Overview
- Why Consider Safety?
- Safety Assessment: What is Required?
- Safety and the System Life Cycle.
- The Safety Argument.
- Goal Structured Notation (GSN) in Practice.
- Approaches to Safety Assessment.
  - Absolute or Relative.
  - Strengths and Weaknesses.
- Safety Objectives and Safety Requirements.
- Benefits of the Safety Case.
- Summary.
01 December 2005 Slide 2 Version
Why Consider Safety?
- To most people this is a question with an obvious answer.
- Today we have to formally consider safety because:
  - We need to be able to demonstrate to stakeholders that safety has the highest priority.
  - Safety documentation will be examined if an accident occurs.
  - The safety reputation of civil aviation is crucial to the industry.
Safety Assessment: What is Required?
- To show that the proposed system change is "safe".
  - Safe: to some this could mean zero risk. Clearly this is not attainable.
  - Acceptably safe: the risk level achieved is shown to be below one or more criteria (such as a target level of safety, or currently accepted levels of operational safety), and the risk level is reduced as far as is reasonably practicable.
- To use a reasoned argument to substantiate why a proposed system change is considered acceptably safe to implement.
  - Acceptably safe in principle: all aspects of the proposed system change have been considered prior to implementation and nothing that might make it unacceptably unsafe has been identified.
  - Acceptably safe in practice: analysis of post switch-over operational data, and re-evaluation of the safety assessment if appropriate, has shown that the operation is safe in practice.
- Whilst safety has the highest priority, there is inevitably a balance to be drawn between safety, capacity, environmental impact, economic, security and other relevant factors.
Safety and the System Life Cycle (figure)
- Life-cycle phases, left to right: Concept Identification; Concept Development; System Implementation; Switch-over; System Operation (Maintenance); System De-commissioning.
- Generic, European level: Outline Safety Case, built from the FHA (Functional Hazard Assessment) and PSSA (Preliminary System Safety Assessment), covering concept identification and development and concluding "acceptably safe in principle".
- Specific, State/ANSP level: State-led concept development and safety assessment activities; SSA (System Safety Assessment) and National Safety Case during implementation, concluding "acceptably safe in principle"; Post-Implementation Safety Case after switch-over, concluding "acceptably safe in practice".
The Safety Argument
- What is it? A reasoned and well-structured accumulation of data, analysis and judgement that shows that the objective of the safety case has been met.
- How is it developed? Using the skill and experience of the safety analysts by considering:
  - What can go wrong? Hazard identification.
  - How bad could it be? Consequence analysis for each hazard.
  - How often will it occur? Frequency analysis of each hazard.
- How is it presented? EUROCONTROL favour the use of Goal Structured Notation for the presentation of the Safety Argument. This helps:
  - To clearly show the structure and inter-dependencies of the safety assessment.
  - To identify logical gaps in the safety argument structure.
  - To ensure that safety evidence is complete.
GSN in Practice (figure: top level of the e-FUA OI-1B safety argument)

Top goal Arg 0: e-FUA OI-1B is acceptably safe in principle to implement in ECAC States.

Attached to Arg 0:
- Cr004 (criterion): Acceptably safe means that the risks under e-FUA OI-1B are no greater than for b-FUA, and that the risks under e-FUA are further reduced as far as reasonably practicable.
- J001 (justification): e-FUA OI-1B will improve operational efficiency of controllers.
- A001 (assumption): The risk levels under b-FUA are acceptably safe.
- C001 (context): In principle means subject to complete and correct implementation.
- C002 (context): Applies to Class C airspace (excluding VFR traffic) and above FL195 only. Excludes cross-border coordination.

Strategies:
- St 001: Direct evidence based on analysis of the results of the safety assessment processes and specification of the necessary risk-reduction measures in the Outline Safety Case (OSC).
- St 002: Backing evidence based on adequacy of the safety assessment processes and competence of the project team.

Sub-goals:
- Arg 1: e-FUA OI-1B is capable of being acceptably safe in principle (proof of concept).
- Arg 2: All necessary risk-reduction (NRR) measures related directly to the system have been specified as Safety Requirements or recorded as Assumptions.
- Arg 3: Sufficient measures have been taken by EUROCONTROL to enable consistent implementation of Safety Requirements by States.
- Arg 4: Evidence from safety assessment and analysis is trustworthy.
- Arg 5: All assumptions made in the safety assessment and OSC have been explicitly documented and responsibility for their validation has been assigned.

Evidence: Ev (solution): OSC Sect 7. The sub-goals are developed further in Fig 2a, Fig 3, Fig 4 and Fig 5.
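The three things the slide says GSN helps with (showing structure, finding logical gaps, checking evidence is complete) are mechanical checks once the argument is held as a graph. The following is an added example, not EUROCONTROL's or the OSC's own tooling: a minimal GSN checker loaded with the nodes from the figure above. The grouping of Arg 1 to Arg 3 under St 001 and Arg 4 to Arg 5 under St 002, the link from Arg 5 to Ev, and the treatment of the criterion Cr004 as a Context node are assumptions made for the example; the slide develops Arg 1 to Arg 4 in separate figures without the extraction showing which figure belongs to which goal, so they are simply flagged as developed elsewhere.

```python
"""Structural check of a GSN safety argument (added example, not EUROCONTROL code).

Goal, Strategy and Solution (evidence) nodes are joined by 'supported by' links;
Context, Assumption and Justification nodes hang off goals by 'in context of'
links.  The checker does what a GSN review does by eye: it reports dangling or
mistyped links, every goal or strategy that bottoms out with no evidence (a
logical gap), the evidence the case rests on, and the assumptions it depends on.
"""
from dataclasses import dataclass, field

SUPPORT_KINDS = {"Goal", "Strategy", "Solution"}
CONTEXT_KINDS = {"Context", "Assumption", "Justification"}


@dataclass
class Node:
    id: str
    kind: str
    text: str
    supported_by: list = field(default_factory=list)    # 'supported by' targets
    in_context_of: list = field(default_factory=list)   # 'in context of' targets
    developed_elsewhere: bool = False  # goal is expanded in another diagram


class GSNArgument:
    def __init__(self, root: str, nodes):
        self.root = root
        self.nodes = {n.id: n for n in nodes}

    def _reachable(self):
        """Yield every node reachable from the root over both link types."""
        seen, stack = set(), [self.root]
        while stack:
            nid = stack.pop()
            if nid in seen or nid not in self.nodes:
                continue
            seen.add(nid)
            n = self.nodes[nid]
            stack.extend(n.supported_by + n.in_context_of)
            yield n

    def dangling_references(self):
        """(source, target) pairs whose target is missing or of the wrong kind."""
        bad = []
        for n in self.nodes.values():
            for ref in n.supported_by:
                t = self.nodes.get(ref)
                if t is None or t.kind not in SUPPORT_KINDS:
                    bad.append((n.id, ref))
            for ref in n.in_context_of:
                t = self.nodes.get(ref)
                if t is None or t.kind not in CONTEXT_KINDS:
                    bad.append((n.id, ref))
        return bad

    def undeveloped(self):
        """Goals/strategies with nothing beneath them and no external development."""
        return sorted(n.id for n in self._reachable()
                      if n.kind in ("Goal", "Strategy")
                      and not n.supported_by and not n.developed_elsewhere)

    def evidence(self):
        return {n.id for n in self._reachable() if n.kind == "Solution"}

    def assumptions(self):
        return {n.id for n in self._reachable() if n.kind == "Assumption"}


def slide_argument() -> GSNArgument:
    """The e-FUA OI-1B top-level argument from the slide.  Assumed for this
    example: St 001 covers Arg 1-3, St 002 covers Arg 4-5, Ev supports Arg 5,
    and the criterion Cr004 is modelled as a Context node."""
    return GSNArgument("Arg 0", [
        Node("Arg 0", "Goal", "e-FUA OI-1B is acceptably safe in principle to implement in ECAC States",
             supported_by=["St 001", "St 002"],
             in_context_of=["Cr004", "J001", "A001", "C001", "C002"]),
        Node("Cr004", "Context", "risks no greater than b-FUA and reduced as far as reasonably practicable"),
        Node("J001", "Justification", "e-FUA OI-1B will improve operational efficiency of controllers"),
        Node("A001", "Assumption", "The risk levels under b-FUA are acceptably safe"),
        Node("C001", "Context", "In principle means subject to complete and correct implementation"),
        Node("C002", "Context", "Class C airspace (excluding VFR) above FL195 only; no cross-border coordination"),
        Node("St 001", "Strategy", "Direct evidence from the safety assessment and NRR measures in the OSC",
             supported_by=["Arg 1", "Arg 2", "Arg 3"]),
        Node("St 002", "Strategy", "Backing evidence on process adequacy and team competence",
             supported_by=["Arg 4", "Arg 5"]),
        Node("Arg 1", "Goal", "Capable of being acceptably safe in principle", developed_elsewhere=True),
        Node("Arg 2", "Goal", "All NRR measures specified as Safety Requirements or Assumptions", developed_elsewhere=True),
        Node("Arg 3", "Goal", "Sufficient measures for consistent implementation by States", developed_elsewhere=True),
        Node("Arg 4", "Goal", "Evidence from safety assessment and analysis is trustworthy", developed_elsewhere=True),
        Node("Arg 5", "Goal", "All assumptions documented and validation responsibility assigned",
             supported_by=["Ev"]),
        Node("Ev", "Solution", "OSC Sect 7"),
    ])


if __name__ == "__main__":
    arg = slide_argument()
    print("dangling:", arg.dangling_references())
    print("gaps:", arg.undeveloped())
    print("evidence:", arg.evidence(), "assumptions:", arg.assumptions())
    arg.nodes["Arg 5"].supported_by.clear()   # drop the evidence and the gap appears
    print("gaps after removing Ev:", arg.undeveloped())
```

The `undeveloped()` list is the slide's "logical gap" check and `evidence()` is its completeness check; `assumptions()` surfaces A001, which is precisely the claim that the relative approach on later slides rests on and that Arg 5 requires to be owned and validated.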
Approaches to Safety Assessment
- Absolute Safety Assessment ("How large is it?").
  - A comprehensive assessment of all issues that could impact on accident risk and a comparison to an absolute safety target (apportioned if necessary).
  - Relatively resource intensive to perform, as the risks from all hazards need to be evaluated.
- Relative Safety Assessment ("Which is larger?").
  - A comparative safety assessment of (usually) a proposed operational concept against a functioning operational concept.
  - Enables resources to be focussed on the parts of the system that will be changed.
Absolute Safety Assessment (figure)
- Each hazard 1 to n feeds a two-level Yes/No event tree giving outcomes 1 to 4; the risk from that hazard is summed over its outcomes.
- The risks from all hazards are added to give the Total Risk.
- Comparison: is the risk acceptable? The Total Risk is compared against the Target Level of Safety, or the Apportioned Target Level of Safety for the part of the system under assessment.
Relative Safety Assessment (figure)
- Within a hazard: the same Yes/No event tree (outcomes 1 to 4) is evaluated "before" and "after" the change. If the "before" and "after" hazards are all matched and, at each comparison point, it can be shown that risks are lower "after", then the total risk for "after" must be lower.
- Hazard by hazard: eliminate hazards that form matching pairs (Hazard n before against Hazard n after, Hazard m against Hazard m), then "balance" the remaining unmatched hazards (for example Hazard y before against Hazard x after) to assess the relative risk.
Strengths and Weaknesses
- Effort. Absolute approach: resource intensive, since all risk contributors for an entire part of the system must be assessed. Relative approach: the comparative approach allows the safety analysis to concentrate on the system change.
- Prerequisites. Absolute approach: requires an agreed TLS and an agreed approach to apportioning the TLS. Relative approach: assumes that the current system is acceptably safe.
- Relaxation of established practices. Absolute approach: cannot provide a basis for "relaxation" of established practices. Relative approach: provides a transparent basis for "relaxation" of established practices whilst continuing to be acceptably safe.
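The three slides above describe two computations over the same event trees: summing every hazard's risk against an apportioned target, and pairing "before" and "after" hazards then balancing whatever is left unmatched. The block below is an added example written for this page, not EUROCONTROL's method or data: it implements both over the two-level Yes/No tree of the figures. The hazard names, frequencies, branch probabilities, outcome severity weights (in accident-equivalents), the 1.55e-8 accidents per flight hour target and the apportionment fractions are all constructed for illustration.

```python
"""Absolute vs relative safety assessment over event trees (added example).

Each hazard runs through the slides' two-level Yes/No event tree: is it caught
at the first barrier, and if it gets through, is it recovered at the second?
Outcomes are numbered as on the slide (1 = caught and recovered ... 4 = neither)
and weighted in accident-equivalents.  All figures here are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hazard:
    name: str
    frequency: float            # occurrences per flight hour (constructed)
    p_detect: float             # P('Yes') at the first branch
    p_recover: float            # P('Yes') at the second branch
    # severity weight of outcomes 1..4 in accident-equivalents (constructed)
    severity: tuple = (0.0, 0.01, 0.01, 1.0)


def outcome_probabilities(h: Hazard):
    """Probability of outcomes 1..4 given that the hazard has occurred."""
    d, r = h.p_detect, h.p_recover
    return (d * r, d * (1 - r), (1 - d) * r, (1 - d) * (1 - r))


def hazard_risk(h: Hazard) -> float:
    """Expected accident-equivalents per flight hour from one hazard."""
    return h.frequency * sum(p * s for p, s in zip(outcome_probabilities(h), h.severity))


def absolute_assessment(hazards, tls: float, apportionment: float):
    """Slide 9: sum every hazard's risk and compare with the share of the
    overall TLS apportioned to this part of the system."""
    total = sum(hazard_risk(h) for h in hazards)
    target = tls * apportionment
    return {"total": total, "target": target, "acceptable": total <= target}


def relative_assessment(before, after):
    """Slide 10: pair hazards by name and require each 'after' risk to be no
    higher than its 'before' twin, then balance the unmatched remainder.
    Since total_after = matched_after + new and total_before = matched_before
    + eliminated, both checks passing guarantees total_after <= total_before
    without any TLS, but only relative to the 'before' system."""
    b = {h.name: h for h in before}
    a = {h.name: h for h in after}
    matched = {n: (hazard_risk(b[n]), hazard_risk(a[n])) for n in b.keys() & a.keys()}
    pairs_ok = all(ra <= rb for rb, ra in matched.values())
    eliminated = sum(hazard_risk(b[n]) for n in b.keys() - a.keys())
    new = sum(hazard_risk(a[n]) for n in a.keys() - b.keys())
    return {
        "matched": matched,
        "pairs_no_worse": pairs_ok,
        "eliminated_risk": eliminated,
        "new_risk": new,
        "balance_ok": new <= eliminated,
        "acceptable": pairs_ok and new <= eliminated,
    }


# Constructed figures for illustration only; not EUROCONTROL data.
TLS = 1.55e-8   # assumed overall target, accidents per flight hour
BEFORE = [
    Hazard("Level bust", 1e-7, 0.9, 0.99),
    Hazard("Coordination failure", 2e-8, 0.8, 0.95),
    Hazard("Manual strip error", 5e-8, 0.9, 0.9),
]
AFTER = [
    Hazard("Level bust", 1e-7, 0.95, 0.99),           # better detection after the change
    Hazard("Coordination failure", 2e-8, 0.8, 0.95),  # unchanged by the change
    Hazard("Tool data corruption", 1e-8, 0.9, 0.9),   # new hazard the change introduces
]

if __name__ == "__main__":
    print(absolute_assessment(AFTER, TLS, apportionment=0.1))
    print(absolute_assessment(AFTER, TLS, apportionment=0.01))
    print(relative_assessment(BEFORE, AFTER))
```

With these figures the relative assessment accepts the change (both matched pairs are no worse, and the new tool hazard brings less risk than the eliminated strip-handling hazard), while the absolute verdict flips between acceptable and unacceptable depending only on the apportionment fraction; that is the slide's point that the absolute approach needs an agreed TLS and an agreed apportionment, whereas the relative approach needs the "before" system to be acceptably safe and gains nothing from a TLS.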