EUROCONTROL Safety Regulatory Requirements: Practical Application (slide 1)
European Organisation for the Safety of Air Navigation
ESARRs - Overview (slide 2)
1. Requirements for safety regulation by State authorities
2. Safety monitoring and improvement
3. Implementation of SMSs
4. Risk assessment [predictive]
5. Competence of ATM personnel
6. Software assurance in ATM systems [ground elements]
All are about process (how!), except ESARR 4, Appendix A, which specifies design targets for the product (what!).
The "Building Blocks" (slide 3)
[Diagram: Safety Achievement [Service Provision] at the centre, surrounded by the ESARR building blocks]
- ESARR 1: Safety Regulation
- ESARR 2: Safety Monitoring & Improvement
- ESARR 3: Safety Management [and related] Processes
- ESARR 4: Safety Assessment [predictive]
- ESARR 5: Competent Personnel
- ESARR 6: Software Assurance
Safety Lifecycle (slide 4)
[Diagram: lifecycle stages, the Evidence each produces, and the Safety Case documents that consume it]
- Safety Plan (drawn up at the start; Project Safety Argument defined early)
- Operational Concept (Safety Considerations) -> Evidence
- FHA -> Evidence -> Initial Project Safety Argument
- PSSA -> Evidence -> Safety Argument update, if required
- SSA -> Evidence -> Project Safety Case
- Implementation & Integration -> Evidence
- Migration / Switchover -> Evidence -> Safety Case update -> Unit Safety Case update -> Approval
- Operational Service -> Monitoring Reports -> Evidence
ATM Hierarchy (slide 5)
[Diagram: three levels of abstraction, each with its model, its safety assessment stage and its outputs]
- Operational Environment / Service Level: Barrier Model; Service Level Safety Targets
- Abstract Operational Level: Operational Concepts; Functional Model; FHA -> Safety Functions & Tolerable Hazard Occurrence Rates
- Logical System Level: Logical Architecture / User Roles; PSSA -> Safety Requirements
- Physical System Level: Equipment, People, Procedures & Training; SSA
Safety Cases - Principles (slide 6)
- Needed for on-going operation (Unit Safety Case) and for major changes to that operation (Project Safety Case)
- Based on the idea of a Legal Case: presentation of Argument and Evidence that an overall claim is true
- Need to consider two viewpoints:
  - "Success Case": is the service / system safe when it is working to specification?
  - "Failure Case": is the service / system safe when it fails?
- Evidence comes mainly from:
  - Success Case: simulations, trials, analysis, expert operational judgement etc.
  - Failure Case: safety assessment processes - FHA, PSSA, SSA
- Purposes:
  - primarily, for ANSPs to convince themselves that operations are safe
  - only secondarily, to convince the Regulator that operations are safe
Safety Cases - Safety Argument (slide 7)
Figure 7: Overall Argument Structure (EUROCONTROL)
- Arg 0 (top-level claim): Change_SGxy will be acceptably safe in operational service
  - A001 (assumption): Current ATM service is accepted as being safe
  - J001 (justification): Change_SGxy is being introduced to meet a legitimate operational need
  - C001 (context): Subject to declared Assumptions, Limitations and outstanding Issues
  - Cr001 (criteria): The risk of an accident following Change_SGxy shall be:
    1. within the regulatory requirements, e.g.:
       a. such that the whole ATM service meets ESARR 4 Design Safety Targets (SAM-FHA ch3 GM E); OR
       b. no greater (and preferably lower) than currently exists;
    AND
    2. reduced as far as reasonably practicable.
  - St001 (strategy): Specify safety criteria for each of the 4 main life-cycle stages and show that each stage is / will be acceptably safe, i.e. the safety criteria are sufficient to achieve the required level of safety, and are satisfied
- Arg 1: Change_SGxy Concept is acceptably safe, in principle (developed in Fig [….])
- Arg 2: Sufficient Guidance exists to enable complete and correct Implementation of the Safety Requirements (developed in Fig [….])
- Arg 3: Change_SGxy Implementation will be shown to be acceptably safe (developed in Fig [….])
- Arg 4: Migration to Change_SGxy will be acceptably safe (developed in Fig [….])
- Arg 5: On-going Operation of Change_SGxy is acceptably safe (developed in Fig [….])
Safety Cases - the Evidence (slide 8)
- Provided only to the degree and extent necessary to support the related Argument
- Source: from safety analysis, design, simulation, test, previous usage, compliance with standards etc.; must be appropriate to the Argument
- Two categories:
  - "Direct": relates to outputs of processes (products)
  - "Backing": relates to adequacy of those processes
- Must be clear, conclusive and, wherever possible, objective
- Rigour must be appropriate to the associated risk: Assurance Levels
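The argument structure of slide 7 and the evidence rules of slide 8 can be checked mechanically: walk the argument tree, and flag every leaf argument that is undeveloped, that lacks one of the two evidence categories, or whose evidence does not reach the assurance level the associated risk demands. The following is an added illustration, not EUROCONTROL or SAM material. The argument identifiers and claims follow Figure 7, while the evidence items, the numeric 1..4 assurance-level scale, the rule that each leaf needs both direct and backing evidence, and the function names (`find_gaps`, `build_example_case`) are assumptions made for the example.

```python
"""Constructed assurance-case checker (added example; not EUROCONTROL/SAM code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class EvidenceKind(Enum):
    """The two evidence categories named on slide 8."""
    DIRECT = "direct"    # relates to the outputs (products) of a process
    BACKING = "backing"  # relates to the adequacy of the process itself


@dataclass
class Evidence:
    ident: str
    kind: EvidenceKind
    rigour: int   # assurance level this evidence achieves (assumed 1..4 scale)
    source: str   # free text: FHA, simulation, test, previous usage, ...


@dataclass
class Argument:
    ident: str
    claim: str
    required_al: int = 1                 # assurance level demanded by the risk
    sub_arguments: list[Argument] = field(default_factory=list)
    evidence: list[Evidence] = field(default_factory=list)


def find_gaps(arg: Argument, inherited_al: int = 1) -> list[tuple[str, str]]:
    """Return (argument id, problem) pairs for every leaf that is not
    conclusively supported.  A leaf needs at least one direct and one backing
    item, and every item must reach the stricter of the leaf's own and its
    ancestors' required assurance level."""
    required = max(arg.required_al, inherited_al)
    gaps: list[tuple[str, str]] = []
    if arg.sub_arguments:
        # Intermediate argument: its support comes from the sub-arguments.
        for sub in arg.sub_arguments:
            gaps.extend(find_gaps(sub, required))
        return gaps
    if not arg.evidence:
        return [(arg.ident, "undeveloped: no evidence at all")]
    kinds = {e.kind for e in arg.evidence}
    if EvidenceKind.DIRECT not in kinds:
        gaps.append((arg.ident, "no direct evidence"))
    if EvidenceKind.BACKING not in kinds:
        gaps.append((arg.ident, "no backing evidence"))
    for e in arg.evidence:
        if e.rigour < required:
            gaps.append((arg.ident, f"{e.ident} rigour {e.rigour} < required AL{required}"))
    return gaps


def is_conclusive(arg: Argument) -> bool:
    """True when every leaf of the argument tree is adequately supported."""
    return not find_gaps(arg)


def build_example_case() -> Argument:
    """Constructed case shaped like Figure 7: Arg 0 split into Arg 1..5.
    Evidence items and assurance levels are invented for the demonstration."""
    return Argument(
        "Arg 0", "Change_SGxy will be acceptably safe in operational service",
        required_al=2,
        sub_arguments=[
            Argument("Arg 1", "Concept is acceptably safe, in principle", evidence=[
                Evidence("E1.1", EvidenceKind.DIRECT, 3, "FHA hazard log, THORs met"),
                Evidence("E1.2", EvidenceKind.BACKING, 2, "FHA performed per SAM and reviewed"),
            ]),
            Argument("Arg 2", "Sufficient guidance exists to implement the Safety Requirements",
                     evidence=[
                Evidence("E2.1", EvidenceKind.DIRECT, 2, "PSSA safety requirements, traced"),
                Evidence("E2.2", EvidenceKind.BACKING, 2, "PSSA process audit"),
            ]),
            Argument("Arg 3", "Implementation will be shown to be acceptably safe",
                     required_al=3, evidence=[
                Evidence("E3.1", EvidenceKind.DIRECT, 2, "SSA test results"),  # too weak for AL3
                Evidence("E3.2", EvidenceKind.BACKING, 3, "qualified test process"),
            ]),
            Argument("Arg 4", "Migration will be acceptably safe"),  # not yet developed
            Argument("Arg 5", "On-going operation is acceptably safe", evidence=[
                Evidence("E5.1", EvidenceKind.DIRECT, 2, "operational monitoring reports"),
            ]),  # backing evidence (adequacy of the monitoring process) missing
        ],
    )


if __name__ == "__main__":
    for ident, problem in find_gaps(build_example_case()):
        print(f"{ident}: {problem}")
```

The inherited assurance level is the important design choice: the required rigour is set by the risk attached to the top-level claim and flows down, so a leaf cannot quietly lower it. In practice the same walk would be run against the real argument once the FHA, PSSA and SSA outputs are tagged with the evidence category and the assurance level they actually achieved.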
Questions? (slide 9)
Conclusions (slide 10)
- ESARRs provide minimum regulatory requirements for managing safety
- Necessary but not sufficient for demonstrating safety
- Need to supplement ESARRs with processes and procedures that are an Acceptable Means of Compliance, e.g. EUROCONTROL SAM
- Need to present the results of applying these processes and procedures in a convincing way, e.g. a Safety Case
- Safety Cases should be based on rigorous Argument and conclusive Evidence
- Need to consider safety from:
  - the Success viewpoint
  - the Failure viewpoint