Aviation Safety Cases: The Safety Case and Safety Argument (PowerPoint presentation)


SLIDE 1

Aviation Safety Cases

The Safety Case and Safety Argument

Dr Tim Fowler 29 November 2005

SLIDE 2

Version Slide 2 01 December 2005

Overview

  • Why Consider Safety?
  • Safety Assessment: What is Required?
  • Safety and the System Life Cycle.
  • The Safety Argument.
  • Goal Structured Notation (GSN) in Practice.
  • Approaches to Safety Assessment.
      • Absolute or Relative.
      • Strengths and Weaknesses.
  • Safety Objectives and Safety Requirements.
  • Benefits of the Safety Case.
  • Summary.

SLIDE 3

Why Consider Safety?

To most people this is a question with an obvious answer. Today we have to formally consider safety because:

  • We need to be able to demonstrate to stakeholders that safety has the highest priority.
  • Safety documentation will be examined if an accident occurs.
  • The safety reputation of civil aviation is crucial to the industry.

SLIDE 4

Safety Assessment: What is Required?

To show that the proposed system change is “safe”.

  • Safe: to some this could mean zero risk. Clearly this is not attainable.
  • Acceptably safe: the risk level achieved is shown to be less than one or more criteria (such as a target level of safety, or currently accepted levels of operational safety), and the risk level is reduced as far as is reasonably practicable.

To use a reasoned argument to substantiate why a proposed system change is considered to be acceptably safe to implement.

  • Acceptably safe in principle – all aspects of the proposed system change have been considered prior to implementation and nothing that might be unacceptably safe has been identified.
  • Acceptably safe in practice – analysis of post switch-over operational data, and re-evaluation of the safety assessment if appropriate, has shown that the operation is safe in practice.

Whilst safety has the highest priority, there is inevitably a balance to be drawn between safety, capacity, environmental impact, economic, security and other relevant factors.

SLIDE 5

Safety and the System Life Cycle

[Figure: the system life cycle runs Concept Identification → Concept Development → System Implementation → Switch-over → System Operation (Maintenance) → System De-commissioning, with the safety assessment stages FHA, PSSA and SSA alongside it. At the generic, European level an Outline Safety Case argues “acceptably safe in principle”; at the specific, State/ANSP level a National Safety Case argues “acceptably safe in principle” and, after switch-over, a Post-Implementation Safety Case argues “acceptably safe in practice”.]

State led concept development and safety assessment activities.

SLIDE 6

The Safety Argument

What is it? A reasoned and well-structured accumulation of data, analysis and judgement that shows that the objective of the safety case has been met.

How is it developed? Using the skill and experience of the safety analysts by considering:

  • What can go wrong? – hazard identification.
  • How bad could it be? – consequence analysis for each hazard.
  • How often will it occur? – frequency analysis of each hazard.

How is it presented? EUROCONTROL favour the use of Goal Structured Notation for the presentation of the Safety Argument. This helps:

  • To clearly show the structure and inter-dependencies of the safety assessment.
  • To identify logical gaps in the safety argument structure.
  • To ensure that safety evidence is complete.

SLIDE 7

GSN in Practice

[Figure (Fig 2a): the GSN argument for e-FUA OI-1B. Goals are labelled Arg, strategies St, criteria Cr, context C, assumptions A, justifications J and evidence Ev. The figure also references Fig 3, Fig 4 and Fig 5, where the lower-level arguments are developed; those figures are not reproduced here.]

  • Arg 0 (top goal): e-FUA OI-1B is acceptably safe in principle to implement in ECAC States.
  • C001 (context): In principle means subject to complete and correct implementation.
  • C002 (context): Applies to Class C airspace (excluding VFR traffic) and above FL195 only. Excludes cross-border coordination.
  • Cr004 (criterion): Acceptably safe means that the risks under e-FUA OI-1B are no greater than for b-FUA, and the risks under e-FUA are further reduced as far as reasonably practicable.
  • A001 (assumption): The risk levels under b-FUA are acceptably safe.
  • J001 (justification): e-FUA OI-1B will improve operational efficiency of controllers.
  • St 001 (strategy): Direct evidence based on analysis of the results of the safety assessment processes and specification of the necessary risk-reduction measures in the Outline Safety Case (OSC).
      • Arg 1: e-FUA OI-1B is capable of being acceptably safe in principle (proof of concept).
      • Arg 2: All necessary risk-reduction (NRR) measures related directly to the system have been specified as Safety Requirements or recorded as Assumptions.
      • Arg 3: Sufficient measures have been taken by EUROCONTROL to enable consistent implementation of Safety Requirements by States.
  • St 002 (strategy): Backing evidence based on adequacy of the safety assessment processes and competence of the project team.
      • Arg 4: Evidence from safety assessment and analysis is trustworthy.
      • Arg 5: All assumptions made in the safety assessment and OSC have been explicitly documented and responsibility for their validation has been assigned.
          • Ev: OSC Sect 7.
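Slide 6 says GSN is used to show the structure of the argument, to find logical gaps and to check that evidence is complete. The Python below, added here by the editor and not part of the EUROCONTROL presentation, encodes the Fig 2a fragment above as a tree and runs those three checks over it. The node identifiers and texts are the slide's; the supported-by and in-context-of links, the pairing of Fig 3/4/5 with Arg 1/2/3, and the "owner" field on assumptions are the editor's assumptions (the slide shows no validation owner for A001, so the check reports it).

```python
"""Added example (the editor's, not from the EUROCONTROL slides): the GSN
fragment of slide 7 as a small tree, plus the structural checks GSN is used
for.  Node identifiers and texts are those on the slide; the supported-by and
in-context-of links are ASSUMED from the figure's layout, and the validation
owners of assumptions are not given on the slide at all (so A001 has none)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator, Optional


@dataclass
class Node:
    ident: str
    kind: str    # Goal, Strategy, Solution, Context, Assumption, Justification, Criterion
    text: str
    children: list[Node] = field(default_factory=list)   # supported-by links
    context: list[Node] = field(default_factory=list)    # in-context-of links
    developed_in: Optional[str] = None   # goal developed in another figure (GSN "away" goal)
    owner: Optional[str] = None          # who is responsible for validating an Assumption

    def support(self, *nodes: Node) -> Node:
        self.children.extend(nodes)
        return self

    def in_context_of(self, *nodes: Node) -> Node:
        self.context.extend(nodes)
        return self


def build_slide7() -> Node:
    """Fig 2a of slide 7.  Which of Fig 3/4/5 develops which of Arg 1/2/3 is assumed."""
    cr004 = Node("Cr004", "Criterion", "Acceptably safe means that the risks under e-FUA OI-1B are "
                 "no greater than for b-FUA, and the risks under e-FUA are further reduced as far as "
                 "reasonably practicable")
    c001 = Node("C001", "Context", "In principle means subject to complete and correct implementation")
    c002 = Node("C002", "Context", "Applies to Class C airspace (excluding VFR traffic) and above "
                "FL195 only. Excludes cross-border coordination")
    a001 = Node("A001", "Assumption", "The risk levels under b-FUA are acceptably safe")  # no owner on the slide
    j001 = Node("J001", "Justification", "e-FUA OI-1B will improve operational efficiency of controllers")

    arg1 = Node("Arg 1", "Goal", "e-FUA OI-1B is capable of being acceptably safe in principle "
                "(proof of concept)", developed_in="Fig 3")
    arg2 = Node("Arg 2", "Goal", "All necessary risk-reduction (NRR) measures related directly to the "
                "system have been specified as Safety Requirements or recorded as Assumptions",
                developed_in="Fig 4")
    arg3 = Node("Arg 3", "Goal", "Sufficient measures have been taken by EUROCONTROL to enable "
                "consistent implementation of Safety Requirements by States", developed_in="Fig 5")
    arg4 = Node("Arg 4", "Goal", "Evidence from safety assessment and analysis is trustworthy")
    arg5 = Node("Arg 5", "Goal", "All assumptions made in the safety assessment and OSC have been "
                "explicitly documented and responsibility for their validation has been assigned")
    arg5.support(Node("Ev", "Solution", "OSC Sect 7"))

    st001 = Node("St 001", "Strategy", "Direct evidence based on analysis of the results of the safety "
                 "assessment processes and specification of the necessary risk-reduction measures in "
                 "Outline Safety Case (OSC)").support(arg1, arg2, arg3)
    st002 = Node("St 002", "Strategy", "Backing evidence based on adequacy of the safety assessment "
                 "processes and competence of the project team").support(arg4, arg5)

    return (Node("Arg 0", "Goal", "e-FUA OI-1B is acceptably safe in principle to implement in ECAC States")
            .support(st001, st002)
            .in_context_of(cr004, c001, c002, a001, j001))


def _walk(node: Node) -> Iterator[Node]:
    yield node
    for c in node.context:
        yield from _walk(c)
    for c in node.children:
        yield from _walk(c)


def find_gaps(root: Node) -> list[str]:
    """Goals or strategies with nothing beneath them and no 'developed elsewhere'
    reference: the logical gaps a GSN layout is meant to make visible."""
    return [n.ident for n in _walk(root)
            if n.kind in ("Goal", "Strategy") and not n.children and not n.developed_in]


def evidence(root: Node) -> list[str]:
    """Every Solution node: the evidence the argument ultimately rests on."""
    return [n.text for n in _walk(root) if n.kind == "Solution"]


def unassigned_assumptions(root: Node) -> list[str]:
    """Assumptions with no validation owner (the Arg 5 obligation, applied to the tree)."""
    return [n.ident for n in _walk(root) if n.kind == "Assumption" and not n.owner]


def render(node: Node, depth: int = 0) -> str:
    """Indented text view of the argument, context nodes shown in angle brackets."""
    pad = "  " * depth
    head = f"{pad}[{node.kind}] {node.ident}: {node.text}"
    if node.developed_in:
        head += f" (developed in {node.developed_in})"
    lines = [head]
    lines += [f"{pad}  <{c.kind}> {c.ident}: {c.text}" for c in node.context]
    lines += [render(c, depth + 1) for c in node.children]
    return "\n".join(lines)


if __name__ == "__main__":
    root = build_slide7()
    print(render(root))
    print("gaps:", find_gaps(root))                      # ['Arg 4']
    print("evidence:", evidence(root))                   # ['OSC Sect 7']
    print("assumptions without owner:", unassigned_assumptions(root))  # ['A001']
```

Run as written, the checks report Arg 4 as the one goal in this fragment with neither a solution beneath it nor a reference to another figure, OSC Sect 7 as the only evidence item shown, and A001 as an assumption whose validation owner is not recorded. The same three functions apply unchanged to a security assurance case, where the top goal is "the system is acceptably secure" and the solutions are test reports, reviews and attestations.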

SLIDE 8

Approaches to Safety Assessment

Absolute Safety Assessment (“How large is it?”).

  • A comprehensive assessment of all issues that could impact on accident risk and a comparison to an absolute safety target (apportioned if necessary).
  • Relatively resource intensive to perform, as the risks from all hazards need to be evaluated.

Relative Safety Assessment (“Which is larger?”).

  • A comparative safety assessment of (usually) a proposed operational concept against a functioning operational concept.
  • Enables resources to be focussed on the parts of the system that will be changed.

SLIDE 9

Absolute Safety Assessment

[Figure: for each hazard (hazard 1 … hazard n) an event tree of yes/no branches leads to outcomes 1–4; the risk from each hazard is summed into a total risk, which is compared with the Target Level of Safety (apportioned per hazard where necessary). Comparison: is the risk acceptable?]

SLIDE 10

Relative Safety Assessment

Within a hazard: if the “before” and “after” hazards are all matched and, at each comparison point, it can be shown that the risks are lower “after”, then the total risk for “after” must be lower.

Hazard by hazard: eliminate hazards that form matching pairs, then “balance” the remaining hazards to assess relative risk.

[Figure: two event trees (“before” and “after”) with matched yes/no branches and outcomes 1–4, and a hazard-by-hazard pairing in which hazards n and m match on both sides while hazard x (“before”) must be balanced against hazard y (“after”).]

SLIDE 11

Strengths and Weaknesses

Absolute Approach

  • Resource intensive: need to assess all risk contributors for an entire part of the system.
  • Requires an agreed TLS and an agreed approach to apportioning the TLS.
  • Provides a transparent basis for “relaxation” of established practices whilst continuing to be acceptably safe.

Relative Approach

  • Comparative approach allows safety analysis to concentrate on the system change.
  • Assumes that the current system is acceptably safe.
  • Cannot provide a basis for “relaxation” of established practices.

SLIDE 12

Safety Objectives and Safety Requirements

[Figure: hazard effects are classified from Class 1 (most severe) to Class 5 (least severe). Each class carries a maximum allowable frequency of the hazard effects/consequences (the Safety Objectives, or Targets); these are summed (Σ) and compared to the overall System Safety Target. Mitigation measures (barriers) placed against the causes of each hazard become Safety Requirements, and the remaining question is whether the risks are reduced as far as reasonably practicable.]

Safety Requirements, Objectives and Targets are all explicitly documented in the safety case.
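Slides 9 and 10 describe the absolute and relative assessments in pictures, and slide 12 the per-class frequency objectives. The Python below, added here by the editor and not part of the EUROCONTROL presentation, carries the three ideas through on constructed data: a total-risk comparison against a TLS with an equal apportionment across hazards, per-class objectives, and a before/after pairing that cancels matching hazards and balances the rest. Every number in it (severity weights, per-class limits, the TLS and the hazard lists H1–H4) is an illustrative assumption, not a EUROCONTROL value, and the equal apportionment is one choice among several the slides leave open.

```python
"""Added example (the editor's, not from the slides): absolute and relative
safety assessment as sketched on slides 9-10, with the per-class safety
objectives of slide 12.  Every number here (severity weights, per-class
frequency limits, the TLS, the hazard lists) is constructed for illustration
and is not a EUROCONTROL value."""
from __future__ import annotations

from dataclasses import dataclass

# Slide 12: Class 1 is the most severe effect, Class 5 the least.  A Safety
# Objective is the maximum allowable frequency of a hazard's effect per class
# (illustrative values, per flight hour).
SAFETY_OBJECTIVE = {1: 1e-9, 2: 1e-7, 3: 1e-5, 4: 1e-3, 5: 1e-2}
# Weight used to fold effects of different classes into one risk figure so that
# hazards can be summed (illustrative).
SEVERITY_WEIGHT = {1: 1.0, 2: 1e-2, 3: 1e-4, 4: 1e-6, 5: 1e-7}


@dataclass(frozen=True)
class Hazard:
    ident: str
    severity: int      # 1..5
    frequency: float   # frequency of the hazard's effect, per flight hour


def risk(h: Hazard) -> float:
    return h.frequency * SEVERITY_WEIGHT[h.severity]


def absolute_assessment(hazards: list[Hazard], tls: float) -> dict:
    """Slide 9: sum the risk from every hazard and compare with the Target Level
    of Safety.  Each hazard is also checked against its per-class objective and
    against an equal apportionment of the TLS (an over-share hazard is reported
    but does not by itself fail the assessment: apportionment is an allocation
    device, the acceptance test is the total)."""
    share = tls / len(hazards)
    total = sum(risk(h) for h in hazards)
    over_objective = [h.ident for h in hazards if h.frequency > SAFETY_OBJECTIVE[h.severity]]
    over_share = [h.ident for h in hazards if risk(h) > share]
    return {
        "total_risk": total,
        "acceptable": total <= tls and not over_objective,
        "over_objective": over_objective,
        "over_apportioned_tls": over_share,
    }


def relative_assessment(before: list[Hazard], after: list[Hazard]) -> dict:
    """Slide 10: pair hazards by identifier.  If every pair is no worse after and
    nothing is unmatched, the after total must be lower and no TLS is needed.
    Otherwise matching pairs cancel and the remainder is 'balanced' into a net
    change, which depends on the severity weights and on the before system
    actually being acceptable (the weakness named on slide 11)."""
    b = {h.ident: h for h in before}
    a = {h.ident: h for h in after}
    matched = sorted(b.keys() & a.keys())
    worse = [i for i in matched if risk(a[i]) > risk(b[i])]
    new = sorted(a.keys() - b.keys())
    removed = sorted(b.keys() - a.keys())
    net = (sum(risk(a[i]) - risk(b[i]) for i in matched)
           + sum(risk(a[i]) for i in new)
           - sum(risk(b[i]) for i in removed))
    return {
        "worse_after": worse,
        "new_hazards": new,
        "removed_hazards": removed,
        "net_change": net,
        "proven_no_worse": not worse and not new,   # the slide's within-hazard argument
    }


# Constructed hazard lists: a "before" concept; an "after" concept that mitigates
# H1 and replaces H3 with a new hazard H4; and a "relaxed" after concept in which
# H1 is allowed to get worse.
BEFORE = [Hazard("H1", 2, 5e-8), Hazard("H2", 3, 2e-6), Hazard("H3", 4, 5e-4)]
AFTER = [Hazard("H1", 2, 3e-8), Hazard("H2", 3, 2e-6), Hazard("H4", 4, 2e-4)]
AFTER_RELAXED = [Hazard("H1", 2, 8e-8), Hazard("H2", 3, 2e-6), Hazard("H4", 4, 2e-4)]
TLS = 2e-9   # illustrative overall target, per flight hour


if __name__ == "__main__":
    for name, hz in (("before", BEFORE), ("after", AFTER), ("relaxed", AFTER_RELAXED)):
        print(name, absolute_assessment(hz, TLS))
    print("relative after:  ", relative_assessment(BEFORE, AFTER))
    print("relative relaxed:", relative_assessment(BEFORE, AFTER_RELAXED))
```

The two outputs make slide 11's point concrete: the relaxed concept passes the absolute test (its total stays under the TLS, even though H1 now exceeds its equal share), but the relative assessment cannot support it because H1 is worse at a comparison point, so the relative approach gives no basis for relaxing an established practice. The after concept, by contrast, is not proven safer by matching alone (H4 is unmatched) and needs the balancing step, whose sign rests on the chosen severity weights.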

SLIDE 13

Benefits of the Safety Case

  • Often identifies potential safety issues not identified during concept development.
  • Provides a systematic framework for the identification of safety mitigations.
  • Provides a framework for communication and understanding of safety issues. Promotes buy-in from stakeholders.
  • Provides a documentation trail of why concept design or implementation decisions were made.
  • Demonstrates that all reasonable steps have been taken to ensure safety.

SLIDE 14

Summary

  • Consideration of safety and the structure of the safety case is best done near the start of the concept development cycle.
  • Safety issues should be regularly re-considered through the concept development process.
  • Choose the form of the safety argument that best matches the type of project.

SLIDE 15

A Final Word

The safety case aims to avoid comments such as the following:

“It is a collection of ideology and subjective mumbo jumbo, debunked by most of the aviation industry”

Flight International, November 2005
