Risk Assessment and Mitigation in ATM - ida.dk, de Rede... · 2017-01-04
TRANSCRIPT
The European Organisation for the Safety of Air Navigation
Risk Assessment and Mitigation in ATM
Jean-Michel DE REDE
EUROCONTROL
Copenhagen, Feb. 4th 2010
Risk Assessment and Mitigation in ATM 2
Plan
• What is Eurocontrol?
• The Regulatory Context
• The Safety Assessment Methodology
• Managing risk
• Providing Safety Assurance
EUROCONTROL
The European Organisation for the Safety of Air Navigation.
Created in 1960, it now counts 38 European Member States.
Our objective is the development of a uniform pan-European air traffic management (ATM) system, perfectly embodied in the concept of a Single European Sky.
Safety Regulation
[Diagram: the layers of safety regulation]
- Worldwide: ICAO Annexes
- European level: ESARRs, SES
- National: States' National Regulations
- Service Provider: Internal Standards and Rules
EUROCONTROL Safety Regulatory Requirements
[Diagram: the ESARRs mapped to the National Supervisory Authority and the Service Provider]
- ESARR 1 Safety Oversight (National Supervisory Authority)
- ESARR 2 Reporting and assessment of ATM safety occurrences
- ESARR 3 Safety Management System (Service Provider)
- ESARR 4 Risk assessment & Mitigation
- ESARR 5 ATM personnel competency (ATCO, ATSEP)
- ESARR 6 Software in ATM
ESARR4
Risk Assessment and Mitigation
• Any change to the ATM System
• Addressing People, Procedures and Equipment elements
• Proactive, Systematic, Formalized
• Entire Lifecycle of the system
Risk Management
[Flowchart: Identification of Hazards & existing Mitigation Means -> Hazard -> Severity of Effects and Frequency of occurrence of Effects -> Risk -> compared with the Risk Criteria -> Acceptable? Yes/No. If NO: Additional Mitigation Means, and the risk is assessed again.]
What about overall risk?
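The loop in this slide carried through in code, as an added example that is not part of the presentation: the severity classes follow the SC1 (most severe) to SC5 convention used later in the deck, while the tolerable-frequency criteria, the reduction factors and the hazard values are constructed sample numbers, not EUROCONTROL figures.

```python
from dataclasses import dataclass, field

# Constructed risk criteria (assumption, not EUROCONTROL figures): maximum
# tolerable frequency of effects per severity class. SC1 = most severe.
RISK_CRITERIA = {1: 1e-9, 2: 1e-7, 3: 1e-5, 4: 1e-3, 5: 1e-1}

@dataclass
class Mitigation:
    name: str
    reduction: float  # factor applied to the frequency of effects, e.g. 0.1

@dataclass
class Hazard:
    name: str
    severity_class: int        # SC1..SC5 of the worst credible effect (from the FHA)
    raw_frequency: float       # frequency of occurrence of effects without mitigation
    mitigations: list = field(default_factory=list)

    def residual_frequency(self) -> float:
        f = self.raw_frequency
        for m in self.mitigations:          # existing + additional mitigation means
            f *= m.reduction
        return f

    def acceptable(self) -> bool:
        """Risk (severity class x frequency) compared against the risk criteria."""
        return self.residual_frequency() <= RISK_CRITERIA[self.severity_class]

def apply_mitigations_until_acceptable(hazard, candidates):
    """The 'NO -> Additional Mitigation Means' loop: add candidate mitigations
    in order until the criteria are met. Returns the names that were needed;
    raises if the candidates cannot make the risk acceptable."""
    added = []
    for m in candidates:
        if hazard.acceptable():
            break
        hazard.mitigations.append(m)
        added.append(m.name)
    if not hazard.acceptable():
        raise ValueError(f"{hazard.name}: risk unacceptable after all candidates")
    return added

def overall_risk(hazards):
    """'What about overall risk?': hazards that are individually acceptable can
    still breach the criteria together, so sum residual frequencies per class."""
    total = {}
    for h in hazards:
        total[h.severity_class] = total.get(h.severity_class, 0.0) + h.residual_frequency()
    return {sc: (f, f <= RISK_CRITERIA[sc]) for sc, f in total.items()}
```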
Total system Approach
[Diagram: the ATM system and its environment]
- PEOPLE: ATCOs, Support, Engineers, Managers, Pilots
- PROCEDURES: ATC, Maintenance, Operating
- EQUIPMENT: Surveillance, Communications, Navaids, Information
- ENVIRONMENT: Airspace
System Lifecycle
[Diagram: System Definition -> System Design -> System Implementation -> Transfer into Operations -> Operation / Maintenance -> Decommissioning]
Safety Assessment Process
[Diagram: the process starts from the Safety Considerations and the Operational Concept, produces the Initial Safety Argument and the Safety Plan, then runs through FHA, PSSA, Implementation, Integration, SSA, Transfer into Operation and Operation & Maintenance. Each stage delivers Evidence to the Project (or System) Safety Case and to the Unit Safety Case, which goes for Approval. Safety Monitoring Reports feed back into the cases, which are updated if required.]
Safety Considerations
Gathering the inputs for the Safety Assessment
- The scope
- The context
- The Operational Concept
- The stakeholders/Interfaces
- Applicable regulations
- …
Initial Safety Argument
Safety Assessment Plan
[Goal-structured argument diagram]
Arg0: Change(xy) will be acceptably safe in operations
Attached to Arg0:
- A001 (Assumptions)
- Cr001 Safety criteria
- J001 (reason for the change)
- C001 Concept of operations
Arg0 is broken down into:
- Arg1: Change(xy) has been specified to be acceptably safe in operations
- Arg2: Change(xy) has been implemented to be acceptably safe in operations
- Arg3: Migration to the use of Change(xy) in operations will be acceptably safe
- Arg4: On-going use of Change(xy) in operations will be acceptably safe
SAM – Framework
• SAM-Task Force Works started in the late 90s
• Good practices from safety critical industries
• Tailored to the reality of ATM
Results:
- Set of tools
- A framework
- NOT rocket Science
- Support the Decision Making Process
- SAM V2 = Acceptable Means of Compliance to ESARR4
SAM & System Lifecycle
[Diagram: Safety Assurance steps set against the System Lifecycle]
- FHA (Functional Hazard Assessment), at System Definition: How safe does the system need to be?
- PSSA (Preliminary System Safety Assessment), at System Design: Is the proposed architecture able to achieve an acceptable level of safety?
- SSA (System Safety Assessment), from System Implementation through Transfer into Operations and Operation / Maintenance up to Decommissioning: Does the system achieve an acceptable level of safety?
How does it work?
[Diagram, labelled FHA / PSSA / SSA: a Hazard H in the middle, its Causes on the left and its Effects on the right]
- FHA: each Effect of the hazard (Effect A to Effect E) is assigned a severity class (SC5 to SC1), which gives the Safety Objective
- PSSA: the causes of the hazard (D1, D2, D3; E1, E2, E3, E…) and their Mitigations are analysed, which gives the Safety Requirements
Who should be involved?
PEOPLE: ATCOs, Support, Engineers, Managers, Pilots
Setting Safety Requirements
[Diagram: from ESARR4 to the Safety Objectives (set in the FHA for the whole System: People, Procedures, Equipment) to the Safety Requirements (set in the PSSA, per Architecture Element). Safety Requirements are expressed as Quantitative SRs and as an Assurance Level; for SW the assurance level links to ESARR6, for People to ESARR5.]
Assurance Level
PAL - SWAL - (HAL - HWAL)
[Bow-tie diagram: on the left a Fault Tree (FTA, Causes) leads to the "Pivotal" Event, the HAZARD, with probability Ph; on the right an Event Tree (ETA, Consequences) branches on the success (S) or failure (F) of each barrier, giving Effect A, Effect B, Effect C and Effect D with probability Pe.]
e.g.: Objectives per PAL
Procedure Assurance Level
• Objectives to be fulfilled during the Procedure Life Cycle Phases (i Definition, ii Design and Validation, iii Implementation, iv Transfer into Operations, v Operation). The table is cumulative: PAL 3, PAL 2 and PAL 1 list the objectives added on top of the previous level.

PAL 4
- i Definition: I1 Ensure involvement of relevant operational expertise; I2 Ensure a minimum set of quality assurance activities; I3 Establish a proven and well-documented starting point for the definition phase
- ii Design and Validation: Ii1 Establish an acceptable risk level (in qualitative terms); Ii2 Ensure that HMI has been assessed; Ii3 Ensure suitable validation
- iii Implementation: Iii1 Establish an Implementation Plan which includes quality assurance activities; Iii2 Ensure an acceptable quality assurance level
- iv Transfer into Operations: Iv1 Ensure that feedback concerning the transfer process is provided to involved staff; Iv2 Ensure documented contingency measures; Iv3 Ensure dissemination of contingency measures
- v Operation: V1 Ensure documentation control; V2 Establish a reporting system covering occurrences relating to the procedure; V3 Ensure minimum proficiency levels

PAL 3
- ii Design and Validation: Ii3 Ensure suitable validation at different levels; Ii4 Ensure robustness
- iii Implementation: Iii3 Ensure stakeholder acceptance; Iii4 Ensure training levels
- iv Transfer into Operations: Iv4 Ensure enhanced competence levels of staff to perform the transfer
- v Operation: V4 Ensure validity of assumptions; V5 Ensure promulgation of related incident investigations

PAL 2
- i Definition: I4 Ensure stakeholder acceptance
- ii Design and Validation: Ii5 Ensure external expert acceptance; Ii6 Ensure enhanced competence levels of designers; Ii7 Ensure stakeholder acceptance
- iii Implementation: Iii5 Ensure approval at the Corporate level of management; Iii6 Establish evidence of acceptable design maturity
- iv Transfer into Operations: Iv5 Ensure incremental transfer; Iv6 Ensure approval of the Transfer Plan at management level; Iv7 Ensure stakeholder acceptance of the Transfer Plan
- v Operation: V6 Ensure acceptable performance levels; V7 Ensure minimum competency levels of staff to operate the procedure

PAL 1
- i Definition: I5 Ensure an approved and systematic specification
- ii Design and Validation: Ii8 Ensure independence in design and validation
- iii Implementation: Iii7 Ensure independent auditing of the procedure; Iii8 Ensure corporate level of approval by stakeholders
- iv Transfer into Operations: Iv8 Ensure application of an approved and systematic method to verify the transfer process
- v Operation: V8 Ensure that the application of the procedure is reduced to its minimum
Lifecycle
Need for Verification & Validation
SSA Core Activities
• Build and Collect Evidence that:
• Safety Requirements / ALs are met
• Safety Objectives are satisfied
• Assumptions are correct
• Users Expectations are satisfied
• System achieves an Acceptable Level of Safety
• For the whole lifecycle of the change/system!
What is a Safety Case?
• Present a structured argument to demonstrate a top claim, and associate it with the supporting evidence and assurance
• Combination of:
  • Structured argument to support an overall claim
  • Associated available evidence and assurance
  • Description of the context
  • Known shortcomings & limitations
A Management / Decision Making Tool
Linking Success & Failure PSSA
[Diagram: an event tree of Responses and Possible outcomes, linked to a fault tree (TOP event, basic events E1 to E7 and intermediate gates) through the initiating event]
Initiating Event: Sensor Fails
Pivotal events, each answered Y/N along the branches:
- Senses impossibly rapid change to zero
- Senses engine load incompatible with zero speed
- Gearbox recognises failure flag
- Gearbox mechanical interlocks function correctly
- Warning lamp
Possible outcomes:
- A: Handled by S/W. Warning. No risk.
- B: Handled by S/W. No warning. No risk.
- C: Interlocks work. Warning. No risk.
- D: Interlocks work. No warning. No risk.
- E: Interlocks fail. Warning. Accident risk.
- F: Interlocks fail. No warning. Accident risk.
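The linked fault tree and event tree of this slide (and the bow-tie of the Assurance Level slide) evaluated numerically, as an added example that is not from the presentation: the gate layout, the branch structure of the gearbox tree and every probability are assumptions chosen only to show how Ph from the causes side feeds the outcome probabilities on the consequences side.

```python
from functools import reduce

# Fault tree side (causes). Basic events are assumed independent, so an AND gate
# multiplies probabilities and an OR gate takes 1 - product of the complements.
def and_gate(*ps):
    return reduce(lambda a, b: a * b, ps, 1.0)

def or_gate(*ps):
    return 1.0 - reduce(lambda a, b: a * (1.0 - b), ps, 1.0)

def evaluate_ft(node, basic):
    """node is a basic-event name or ('AND'|'OR', [children]); basic maps names
    to probabilities. Returns Ph, the probability of the TOP / pivotal event."""
    if isinstance(node, str):
        return basic[node]
    gate, children = node
    ps = [evaluate_ft(c, basic) for c in children]
    return and_gate(*ps) if gate == "AND" else or_gate(*ps)

# Event tree side (consequences). Each node is a pivotal event with its success
# probability p, a Y (success) and an N (failure) branch; leaves are outcomes.
def warning_lamp(if_warning, if_no_warning):
    # Assumed last pivotal event on every branch; 0.9 is a constructed value.
    return {"event": "Warning lamp", "p": 0.9, "Y": if_warning, "N": if_no_warning}

GEARBOX_TREE = {  # constructed structure and probabilities (assumption)
    "event": "Senses impossibly rapid change to zero", "p": 0.9,
    "Y": warning_lamp("A", "B"),                  # handled by S/W
    "N": {"event": "Senses engine load incompatible with zero speed", "p": 0.8,
          "Y": warning_lamp("A", "B"),            # handled by S/W
          "N": {"event": "Gearbox mechanical interlocks function correctly", "p": 0.99,
                "Y": warning_lamp("C", "D"),      # interlocks work
                "N": warning_lamp("E", "F")}},    # interlocks fail: accident risk
}

def evaluate_et(node, p_in):
    """Walk every Y/N branch; returns {outcome: probability} for an initiating
    event of probability p_in (Ph from the fault tree when the two are linked)."""
    if isinstance(node, str):
        return {node: p_in}
    out = {}
    for branch, p in (("Y", node["p"]), ("N", 1.0 - node["p"])):
        for k, v in evaluate_et(node[branch], p_in * p).items():
            out[k] = out.get(k, 0.0) + v
    return out

def accident_risk(outcomes, accident_outcomes=("E", "F")):
    """Pe of the accident outcomes: the figure compared with the Safety Objective."""
    return sum(outcomes.get(o, 0.0) for o in accident_outcomes)
```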