Safety Assessment
Posted on 19-Jan-2016
Safety Assessment
The European Organisation for the Safety of Air Navigation
- Safety Assessment is an EC1035/2011 requirement.
- EC1034/2011 helps in understanding which changes require a formal assessment that needs NSA review.
- Experience has shown that the "Safety Consideration Process" provides a good understanding of the changes.
- The only acceptable means of compliance with ESARR4 (~EC1035/2011) as of today is SAM (with limitations).
- SAM is most suitable for hardware changes where we can influence the design; using it is much more difficult for many other changes (procedures, airspace, etc.).
- SAM is a toolbox mainly known for its FHA-PSSA-SSA processes:
- Functional Hazard Assessment
- Preliminary System Safety Assessment
- System Safety Assessment
eSAM
• eSAM V2.1 helps in navigating through the documentation set of "ANS Safety Assessment Methodology";
• http://www.eurocontrol.int/safety/public/site_preferences/display_library_list_public.html#17
Safety considerations process

The process runs in stages, each ending in a "go further?" decision; the OPS Concept (concept elements) is the input to the first stage:

1. Safety considerations (brainstorming)
   Go further? N: Safety consideration report, with an argumented rationale for not going further.
   Go further? Y: continue to the initial safety argument.
2. Initial safety argument (first attempt to construct the safety argument, at high level)
   Go further? N: Initial safety argument (termination), with an argumented rationale for not going further.
   Go further? Y: continue to the Safety Plan.
3. Safety Plan (translation of the initial argument into the required activities)
4. Safety assessment (conduct of the activities as per the Safety Plan)
5. Safety Case / Safety Case Report (production of the report)
Safety considerations

Recurrent problems found in safety assessments:
- No operational concept (no concept of operations)
- Scope unclear
- Missing assumptions
- Safety requirements unrealistic
- Bad arguments
- Little or no evidence
- Errors in calculations
- Impact at boundaries not addressed
- Hazards classification questionable

Questions to ask at this stage:
- What are the needs for change?
- What are the new system boundaries? (OPS Concept)
- Are there (initial) assumptions? (OPS Concept)
- Are the (initial) safety requirements realistic?
- Will it be possible to build an argument?
- What evidence could be provided?
- Would it be feasible and beneficial to quantify?
- How shall the new system/change be operated?
- What are the interfaces? What impact is foreseeable?
- How, and by whom, will hazards be assessed?
- In what way is the proposed operational concept different from the current one?
- Safety benefits of normal operations?
How did we do things so far?

What we used to do: collect loosely connected statements around the decision to go operational on XX/XX/XX ("new center will start operations"):
- We have trained the staff
- We have a fall-back system
- We have temporary procedures
- We have tested the system
- Good specifications
- We have revised procedures

What we concluded:
- Staff OK
- System OK
- Switching over should be OK
- OK if breakdown
What are we asked to do today?

The same statements, arranged as an argument for the top-level claim instead of a loose collection:

Claim: It will be safe to provide operations from the new center (new center will start operations on XX/XX/XX)

Sub-claims:
- System OK
- Staff OK
- Switching over should be OK
- OK if breakdown

Evidence offered for the sub-claims:
- We have tested the system
- Good specifications
- We have trained the staff
- We have revised procedures
- We have temporary procedures
- We have contingency measures
Initial safety argument

We need to demonstrate that the change will be safe. How are we going to do that?

Inputs: OPS Concept (concept elements), CONOPS.
- Why do we want to do this change?
- Is there anything that we know we will only be able to prove after implementation, but we are confident we are right? (Caveats)
- Criteria for safety (ESARR4)

Life cycle: the top-level claim Arg 0 is broken down into four arguments, and for each one we ask "how are we going to do that?":
- Arg 1: Safe by design
- Arg 2: Safe after implementation
- Arg 3: Safe to migrate operations
- Arg 4: On-going operations will be safe

The answers to "how are we going to do that?" for each argument form the Safety Plan.
Safety Assessment for DQR

[DQR-REQ-300] The safety assessment process to support the establishment of new or updated data quality requirements shall be documented and include all the necessary steps to derive the data quality requirements to ensure data of sufficient quality are provided to meet the intended use for each data item under consideration, as a minimum:

1. Identify all relevant uses for the aeronautical data item or dataset.
2. Conduct Hazard Identification and Analysis.
3. Determine accuracy and resolution requirements taking into consideration:
   a) The functionality, performance and availability required by the intended use to achieve an acceptable level of safety.
   b) The inherent limitations in originating the data item or dataset.
4. Determine the data integrity level, based on the results of step 1 and step 2, for the most stringent use.
5. Consider the necessity to assign requirements for the ability to determine the origin of the data, other than the ones already defined in Annex I Part C of Commission Regulation (EU) 73/2010.
6. Consider the necessity to assign requirements for the level of assurance that the data is made available to the next intended user prior to its effective start date/time and not deleted before its effective end date/time, other than the ones already defined in Article 7(3) and Article 7(4) of Commission Regulation (EU) 73/2010.
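The six DQR-REQ-300 steps above read as a procedure, so here is an added worked model of them in Python (my example, not material from the slides or from Eurocontrol). The data item, its three uses, the 3 m "originating limit" and the dates are all constructed sample values; the three-level routine/essential/critical integrity scale is assumed for illustration and is not stated on the slides. The point it shows is that steps 3 and 4 are min/max aggregations over all uses, that step 3b can make a derived requirement unrealistic (one of the recurrent problems listed earlier), and that step 6 is a simple date-window check.

```python
"""Worked model of the six DQR-REQ-300 steps (added example; not from the slides)."""
from dataclasses import dataclass
from datetime import datetime
from enum import IntEnum
from typing import List, Optional, Tuple


class Integrity(IntEnum):
    """Data integrity classification, ordered so that max() yields the most stringent.
    Assumption: the three-level routine/essential/critical scale is used for illustration."""
    ROUTINE = 1
    ESSENTIAL = 2
    CRITICAL = 3


@dataclass(frozen=True)
class Use:
    """Steps 1 and 2: one intended use of the data item and the outcome of its hazard analysis."""
    name: str
    hazard: str                 # worst credible effect of wrong or missing data in this use
    integrity: Integrity        # integrity level that hazard demands
    accuracy_m: float           # accuracy (metres) needed for an acceptable level of safety (step 3a)
    resolution_m: float         # resolution (metres) needed by the same use


@dataclass(frozen=True)
class DataQualityRequirement:
    """Result of steps 3 to 6 for one data item."""
    item: str
    accuracy_m: float
    resolution_m: float
    integrity: Integrity
    driving_use: str                # the use whose hazard set the integrity level (step 4)
    origin_requirement: bool        # extra traceability-of-origin requirement needed (step 5)
    availability_requirement: bool  # extra effective-period assurance requirement needed (step 6)


def derive_dqr(item: str, uses: List[Use], originating_limit_m: Optional[float] = None,
               origin_requirement: bool = False, availability_requirement: bool = False,
               ) -> Tuple[DataQualityRequirement, List[str]]:
    """Derive the DQR for `item` from all of its uses; returns the requirement and findings.

    A finding is raised when the accuracy demanded is tighter than what originating the
    data can deliver (step 3b): such a requirement is unrealistic and must go back to
    the hazard analysis instead of being written into the DQR as-is.
    """
    if not uses:
        raise ValueError("step 1 identified no use for %r; nothing to derive" % item)
    findings: List[str] = []
    # Step 3: most stringent accuracy/resolution over all uses (smallest value wins).
    accuracy = min(u.accuracy_m for u in uses)
    resolution = min(u.resolution_m for u in uses)
    if originating_limit_m is not None and accuracy < originating_limit_m:
        findings.append(
            "accuracy %.2f m is tighter than the originating limit %.2f m (step 3b): unrealistic"
            % (accuracy, originating_limit_m))
    # Step 4: integrity level taken from the most stringent use.
    driving = max(uses, key=lambda u: u.integrity)
    dqr = DataQualityRequirement(item, accuracy, resolution, driving.integrity, driving.name,
                                 origin_requirement, availability_requirement)
    return dqr, findings


def availability_assured(effective_start: datetime, effective_end: datetime,
                         published: datetime, withdrawn: Optional[datetime] = None) -> bool:
    """Step 6 check: the data reached the next user before its effective start
    and was not deleted before its effective end."""
    if published >= effective_start:
        return False
    if withdrawn is not None and withdrawn < effective_end:
        return False
    return True


# Constructed sample: one runway data item with three uses of differing criticality.
SAMPLE_ITEM = "runway threshold position (constructed sample)"
SAMPLE_USES = [
    Use("aerodrome chart depiction", "misleading chart symbol", Integrity.ROUTINE, 30.0, 1.0),
    Use("flight planning distance calculation", "wrong fuel figure", Integrity.ESSENTIAL, 10.0, 0.1),
    Use("RNP approach procedure design", "loss of obstacle clearance", Integrity.CRITICAL, 1.0, 0.01),
]


def sample_assessment() -> Tuple[DataQualityRequirement, List[str]]:
    """Run the derivation with a constructed 3 m survey limit, which triggers the step 3b finding."""
    return derive_dqr(SAMPLE_ITEM, SAMPLE_USES, originating_limit_m=3.0, origin_requirement=True)


def sample_availability_checks() -> Tuple[bool, bool, bool]:
    """Three constructed cases for step 6: on time, published late, withdrawn early."""
    start, end = datetime(2016, 1, 7), datetime(2016, 2, 4)      # effective period (constructed)
    on_time = availability_assured(start, end, published=datetime(2015, 12, 10))
    late = availability_assured(start, end, published=datetime(2016, 1, 8))
    early_delete = availability_assured(start, end, published=datetime(2015, 12, 10),
                                        withdrawn=datetime(2016, 1, 20))
    return on_time, late, early_delete


if __name__ == "__main__":
    dqr, findings = sample_assessment()
    print(dqr)
    for finding in findings:
        print("finding:", finding)
    print("availability checks (on time, late, early delete):", sample_availability_checks())
```

Running the block prints a CRITICAL requirement at 1 m accuracy driven by the approach-design use, plus the step 3b finding that 1 m cannot be met by a 3 m originating process; that finding is exactly the "safety requirements unrealistic" problem, caught before the requirement is published rather than during NSA review.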
Initial safety argument

Let's have a look at the MS-Visio figures.

Top level of the argument:

Arg-0: Change/Project using the "data" is "safe"
- Arg-1: Design of the "Change/Project" is safe
- Arg-2: Implementation of the "Change/Project" is safe
- Arg-3: Migration of the "Change/Project" is safe
- Arg-4: On-going operations of the "Change/Project" are safe

Further development of Arg-1 leads to:
- Arg-1.X.X.Y.N: Data and associated quality requirements are "adequate"
Development of Arg-1.X.X.Y.N: Data and associated quality requirements are "adequate"

Context (C): "adequate" is defined in the context of the project.
Justification (J): the introduction of new applications requires changes to the DQR.
Criteria (Cr): Criteria for Safety (ESARR4).

Two cases:

Case A: the new data has NOT yet a quality label (i.e. it is not in the HL)
- Data Quality Requirements are defined
- The process defining the "Data Quality Requirements" is trustworthy

Case B: the data is in the HL
- Either: Data Quality Requirements (as in HL) are "enough"
- Or: Data Quality Requirements (as in HL) are NOT "enough", and the risk has been mitigated through additional risk reduction measures, i.e. the risk associated with this data is managed:
  - Risk assessment has been performed
  - Mitigation means are in place
  - The process is trustworthy

Evidence (solutions) referenced by the leaf claims:
- FHA/PSSA
- Conops: User Requirements
- Change/Project design documentation
- SMS Procedures
- Project Management Procedures
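The two argument slides above (the "what are we asked to do today" tree and the Arg-0 .. Arg-4 tree with the DQR branch) both rely on the same idea: a claim is only as good as the sub-claims and evidence under it. Here is an added Python example (mine, not tooling from the slides or from Eurocontrol) that encodes the Arg-0 tree as data and mechanically finds the two review findings from the checklist earlier in the deck, "little or no evidence" and undeveloped arguments. The goal ids "A", "B", "B.2.2" and so on are my labels, and which evidence item supports which sub-claim is my reading of the figure, not something the slides state.

```python
"""Structured safety argument checker (added example; not the slides' own tooling)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Goal:
    """One claim in a GSN-style safety argument."""
    id: str
    claim: str
    subgoals: List["Goal"] = field(default_factory=list)
    evidence: List[str] = field(default_factory=list)   # solutions such as "FHA/PSSA"
    notes: List[str] = field(default_factory=list)      # C:, J:, Cr: annotations


def undeveloped(goal: Goal) -> List[str]:
    """Ids of goals with neither sub-goals nor evidence, in pre-order.
    These are the 'little or no evidence' findings a reviewer would raise."""
    found = [] if goal.subgoals or goal.evidence else [goal.id]
    for sub in goal.subgoals:
        found.extend(undeveloped(sub))
    return found


def evidence_index(goal: Goal) -> Dict[str, List[str]]:
    """Map each evidence item to the goal ids it supports, to see which solution carries the most weight."""
    index: Dict[str, List[str]] = {}

    def walk(g: Goal) -> None:
        for e in g.evidence:
            index.setdefault(e, []).append(g.id)
        for sub in g.subgoals:
            walk(sub)

    walk(goal)
    return index


def render(goal: Goal, depth: int = 0) -> str:
    """Indented text rendering of the tree; '<-' marks evidence, [..] marks context notes."""
    pad = "  " * depth
    lines = [f"{pad}{goal.id}: {goal.claim}"]
    lines += [f"{pad}  [{n}]" for n in goal.notes]
    lines += [f"{pad}  <- {e}" for e in goal.evidence]
    for sub in goal.subgoals:
        lines.append(render(sub, depth + 1))
    return "\n".join(lines)


def build_example_argument() -> Goal:
    """The Arg-0 .. Arg-4 tree from the slides, with Arg-1 developed down to the DQR claim.
    Assumption: the evidence-to-claim pairing is my reading of the figure, not stated on the slides."""
    dqr = Goal("Arg1.X.X.Y.N", "Data and associated quality requirements are adequate",
               notes=["C: adequate is defined in the context of the project",
                      "J: introduction of new applications requires changes to the DQR"],
               subgoals=[
                   Goal("A", "New data has no quality label yet (not in the HL)", subgoals=[
                       Goal("A.1", "Data Quality Requirements are defined",
                            evidence=["Conops: User Requirements", "FHA/PSSA",
                                      "Change/Project design documentation"]),
                       Goal("A.2", "Process defining the DQR is trustworthy",
                            evidence=["SMS Procedures", "Project Management Procedures"]),
                   ]),
                   Goal("B", "Data is in the HL", subgoals=[
                       Goal("B.1", "DQR (as in HL) are enough",
                            evidence=["FHA/PSSA", "Change/Project design documentation"]),
                       Goal("B.2", "DQR not enough; risk mitigated by additional measures", subgoals=[
                           Goal("B.2.1", "Risk assessment has been performed", evidence=["FHA/PSSA"]),
                           Goal("B.2.2", "Mitigation means are in place"),   # no evidence attached yet
                           Goal("B.2.3", "Process is trustworthy", evidence=["SMS Procedures"]),
                       ]),
                   ]),
               ])
    return Goal("Arg0", "Change/Project using the data is safe",
                notes=["Cr: Criteria for Safety (ESARR4)"],
                subgoals=[
                    Goal("Arg1", "Design of the Change/Project is safe", subgoals=[dqr]),
                    Goal("Arg2", "Implementation of the Change/Project is safe"),
                    Goal("Arg3", "Migration of the Change/Project is safe"),
                    Goal("Arg4", "On-going operations of the Change/Project are safe"),
                ])


if __name__ == "__main__":
    root = build_example_argument()
    print(render(root))
    print("undeveloped goals:", undeveloped(root))
    print("goals per evidence item:", evidence_index(root))
```

Run as a script it prints the tree and reports B.2.2, Arg2, Arg3 and Arg4 as undeveloped: the first is a leaf with no evidence behind it, the other three are the branches the slides leave for later. The evidence index shows FHA/PSSA supporting three separate claims, which is the kind of thing a reviewer wants to see before accepting that one study carries that much of the argument.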
Q&A