Safety Assessment

The European Organisation for the Safety of Air Navigation
• Safety Assessment is an EC1035/2011 requirement.
• EC1034-2011 helps in understanding which changes require a formal assessment that needs NSA review.
• Experience has shown that the “Safety Consideration Process” provides a good understanding of the changes.
• The only acceptable means of compliance with ESARR4 (~EC1035/2011) as of today is SAM (with limitations).
• SAM is a toolbox mainly known for its FHA-PSSA-SSA processes:
- Functional Hazard Assessment
- Preliminary System Safety Assessment
- System Safety Assessment
• SAM is most suitable for hardware changes for which we can have an influence on the design; its usage is much more difficult for many other changes (procedures, airspace, etc.).
eSAM
• eSAM V2.1 helps navigating through the documentation set of "ANS Safety Assessment Methodology";
• http://www.eurocontrol.int/safety/public/site_preferences/display_library_list_public.html#17
Safety considerations process

[Figure: flowchart of the safety considerations process.
OPS Concept (concept elements) -> Safety considerations (brainstorming) -> Go further?
  N: Safety consideration report, with an argumented rationale for not going further.
  Y: First attempt to construct the Safety Argument (high level) -> Initial safety argument -> Go further?
    N: Initial Safety argument (termination), with an argumented rationale for not going further.
    Y: Safety Plan (translation of the initial argument into required activities) -> Safety assessment (activities as per the Safety Plan; conduct of activities) -> SAFETY CASE (Safety Case Report; production of the report).]
Safety considerations

Typical weakness found in an assessment, and the question it raises:
No operational concept: What are the needs for change?
Scope unclear: What are the new system boundaries? (OPS Concept)
Missing assumptions: Are there (initial) assumptions? (OPS Concept)
Safety requirements unrealistic: Are (initial) safety requirements realistic?
Bad arguments: Will it be possible to build an argument?
Little or no evidence: What evidence could be provided?
Errors in calculations: Would it be feasible and beneficial to quantify?
No concept of operations: How shall the new system/change be operated?
Impact at boundaries not addressed: What are the interfaces? What impact is foreseeable?
Hazards classification questionable: How, and by whom, will hazards be assessed?
SAFETY BENEFITS OF NORMAL OPERATIONS?: In what way is the proposed operational concept different from the current one?
How did we do things so far?

[Figure: the informal argument used in the past for a "Decision to go operational": New center will start operations on XX/XX/XX. What we used to do (left) and what we concluded (right):
Good specifications; we have tested the system -> System OK
We have revised procedures; we have trained staff -> Staff OK
We have a fall-back system -> OK if breakdown
We have temporary procedures -> Switching over should be OK]
What are we asked to do today?

[Figure: the same elements restated as a structured safety argument. Top-level claim: "It will be safe to provide operations from the new center"; New center will start operations on XX/XX/XX. Supporting arguments:
Good specifications; we have tested the system -> System OK
We have revised procedures; we have trained the staff -> Staff OK
Contingency measures -> OK if breakdown
We have temporary procedures -> Switching over should be OK]
Initial safety argument

[Figure: structure of the initial safety argument.
Arg0: We need to demonstrate that the change will be safe. Inputs: Criteria for safety (ESARR4); CONOPS / OPS Concept (concept elements): Why do we want to do this change?; Caveats: Is there anything that we know we will only be able to prove after implementation, but we are confident we are right?
Arg0 is decomposed along the life cycle, each branch answering "How are we going to do that?":
Arg1: Safe by design
Arg2: Safe after implementation
Arg3: Safe to migrate operations
Arg4: On-going operations will be safe
The answers to "How are we going to do that?" form the Safety Plan.]
Safety Assessment for DQR

[DQR-REQ-300] The safety assessment process to support the establishment of new or updated data quality requirements shall be documented and include all the necessary steps to derive the data quality requirements to ensure data of sufficient quality are provided to meet the intended use for each data item under consideration, as a minimum:
1. Identify all relevant uses for the aeronautical data item or dataset.
2. Conduct Hazard Identification and Analysis.
3. Determine accuracy and resolution requirements taking into consideration:
a) The functionality, performance and availability required by the intended use to achieve an acceptable level of safety.
b) The inherent limitations in originating the data item or dataset.
4. Determine the data integrity level, based on the results of step 1 and step 2, for the most stringent use.
5. Consider the necessity to assign requirements for the ability to determine the origin of the data, other than the ones already defined in Annex I Part C of Commission Regulation (EU) 73/2010.
6. Consider the necessity to assign requirements for the level of assurance that the data is made available to the next intended user prior to its effective start date/time and not deleted before its effective end date/time, other than the ones already defined in Article 7(3) and Article 7(4) of Commission Regulation (EU) 73/2010.
Initial safety argument
Let’s have a look at the MS-Visio figures
[Figure: top-level argument tree for the DQR case.
Top claim: Change/Project using the « data » is « safe »
Arg – 1: Design of the « Change/Project » is safe
  … Further development of Arg-1 …
  Arg – 1.X.X.Y.N: Data and associated quality requirements are “adequate”
Arg – 2: Implementation of the « Change/Project » is safe
Arg – 3: Migration of the « Change/Project » is safe
Arg – 3: On-going operations of the « Change/Project » are safe]
[Figure: development of the argument “Data and associated quality requirements are ‘adequate’”.
Context (C): “Adequate” is defined in the context of the project.
Justification (J): Introduction of new applications requires changes to the DQR.
Criteria (Cr): Criteria for Safety (ESARR4).
Context: Conops / User Requirements.
Sub-arguments, each with the supporting evidence shown next to it:
Risk associated with this data is managed:
  Risk assessment has been performed (FHA/PSSA)
  Mitigation means are in place (FHA/PSSA; SMS Procedures)
Data Quality Requirements (as in HL) are « enough » (FHA/PSSA), distinguishing two cases: Data is in the HL; New Data has NOT yet a quality label (i.e. is not in the HL)
Data Quality Requirements (as in HL) are NOT « enough »; risk has been mitigated through additional risk reduction measures (FHA/PSSA)
Data Quality Requirements are defined (Change/Project Design documentations)
Process defining the « Data Quality Requirements » is trustworthy (SMS Procedures; Change/Project Design documentations; Project Management Procedures)]
Q&A