
Page 1: Presentation SST OS - TU Braunschweig (ifev.rz.tu-bs.de/.../WeB/7_PresentationStraeter.pdf), Microsoft PowerPoint - Presentation SST OS.ppt, Author: straeter, Created Date: 12/8/2009

Prof. Dr. Oliver Straeter
University Kassel, Department of Mechanical Engineering, Human & Organisational Engineering
Heinrich-Plett-Strasse 40, D-34132 Kassel, Tel: +49 561 804 4211, eMail: [email protected]

with Henk Korteweg (Eurocontrol), Jos Nollet (IVW), Mariken Everdij (NLR), Bert Kraan (QSA)

Safety Fundamentals and basic safety regulatory principles for a resilient planning of system changes in transportation

Safety in Transportation Workshop, 1 and 2 December 2009, IVEF – TU Braunschweig

[Figure: Traffic Growth. Four EUROCONTROL Division DED4 charts (dated 04/11/97; charts DY_97_97, DY_97_00, DY_97_10, DY_97_20) showing mean IFR flights per day in 6' by 10' rectangles, a traffic distribution forecast assuming flights on direct routes, based on STATFOR 97. Legend: flights 150 or more; flights 100 to 150; flights 50 to 100.]

- 1997 forecast: 7 500 000 flights estimated (7.0 Mio flights)
- 2000 forecast: 8 600 000 flights estimated (8.0 Mio flights)
- 2010 forecast: 11 900 000 flights estimated (11.9 Mio flights)
- 2020 forecast: 15 800 000 flights estimated (15.8 Mio flights)

Page 2

The Aviation Vision for 2020 - SESAR

SESAR = Single European Sky ATM Research

SESAR Concept and SAFETY

[Diagram: safety of the entire framework, spanning Users, ANSPs, Ground Systems, Airports, Airborne Systems and Regulators; civil and military; within and between domains; variations on international, European and national levels.]

Page 3

Typical safety related questions

- Safety regulation: Are regulations sufficient for a change? (e.g., integration of assessment and certification approaches)
- Safety Management: Is the system manageable with respect to safety? (e.g., increasing sluggishness with increasing coupling of entities)
- System Safety - Safety Performance: Does the system contain any inherent hazards? (e.g., increased interdependencies)
- System Safety - Operational Safety: How will it work in the real environment (people and operational context)? (e.g., the human role for safety)

How to answer the questions?

[Diagram: Safety <-> Proposed or existing System]

The reactive safety approach…

- First: Safety Assessment Method (Fault Trees / Event Trees)
- Second: Mitigations

Role of regulatory oversight:
• stamp off whether the method was applied correctly
• the regulator has the final responsibility for the validity of the method and the effectiveness of mitigations

Safety Assessment

Page 4

Proactive support of development

- Current approach for safety: safety is treated rather reactively; safety provides a stamp off, but only superficial mitigations within systems; the impact on system planning and design is rather low
- Safety Fundamentals: some kind of "predictive display" is needed to judge the safety impact of planned developments

Integrating fundamental safety rules in planning that will show up as critical in later safety cases anyhow?

How to answer the questions?

[Diagram: Safety <-> Proposed or existing System]

The proactive safety approach…

- First: Safety Fundamentals
- Second: Safety Evidence

Role of regulatory oversight:
• ask appropriate questions
• the service provider has the final responsibility for the validity of the method and the effectiveness of mitigations

Safety Scanning

Page 5

Approach: Safety Fundamentals

• to provide a proactive safety approach
• to show whether a certain change (e.g., ATM, traffic, ...) will lead to a safety issue (safety feasibility)
• to give a general answer on the safety measures required for future ATM (no detailed quantitative assessment)
• to prepare later stages of safety assessment (scope, issues)
• to be applicable as a minimum to the current level of description of the proposed changes
• to be applicable to any change and any ATM subsystem (technical, human, organizational = managerial/procedural/institutional)

Safety Fundamentals - Development of the approach

[Timeline 2004 to 2009; milestones as listed on the slide:]
- Compilation of essential Safety Fundamentals based on regulatory requirements, international standards and experiences in safety relevant industries (Eurocontrol & RO for Safety)
- All development steps fully documented and traceable
- Broad applications and specific ATM validation studies (Eurocontrol, NLR, DNV)
- Endorsement by SESAR as appropriate for the concept definition (SESAR CIT & WP 1.6)
- Application to SESAR concept elements; the results are building the SESAR safety register (SESAR consortium)
- Typical problem of risk assessment – how to meet the issues revealed: yielding the issues or yielding the method (ICAO: management of safety is different from safety management)
- Today's meeting. Also: applications in the Australian CAA; German Rail; ongoing developments at ATSPs and for multi-actor change management

Page 6

Safety Fundamentals - Regulatory Basis

Layers:
- The global layer: ICAO, ISO (other UN organisations & OECD)
- The European layer: EU law, SES, CEN (ongoing activities)
- The National layer: national regulations, engineering associations (scientific booklets)

Considered (examples): ICAO SMM, IAEA Safety Standards, OECD best practices; IEC 60300 / ISO 31010, SES regulations, ESARRs; industrial norms (HSE, VDI, NUREG), ISO Chemical, EU Regulations (DGTren WS), Safety Booklets, ISO Rail, American Standards

Safety Fundamentals - Structure

[Diagram: Regulations and Framework -> SAFETY PERFORMANCE, built from Safety Management + Institutional, Architecture + Technology, and Operational Safety Fundamentals + Basic Safety Regulatory Principles.]

Page 7

Fundamentals on Safety Architecture (system of interest and adjacent systems)
- Interdependence
- Functionality
- Transparency, Predictability, Clarity
- Redundancy & Diversity
- Maintainability
- Integrity

Fundamentals on Safety Management
- Achievement
- Assurance
- Planning
- Promotion
- Policy
- Responsiveness, Learning
- Completeness, Unbiasedness
- Understanding, Openness
- Responsibility, Practicability
- Detectability, Feedback

Page 8

Fundamentals on safety operations

[Diagram: Task, Human and Technical System, with Competence, Organization, Reliability, Procedures, Communication and Human-machine interaction; embedded in Adjacent Human-Machine Systems and the Operating Environment; resulting in Overall Performance.]

Basic principles of Regulation

[Diagram: life-cycle phases Concept, Development, Validation, Implementation, Operation, seen from the product development, regulatory tasks and legal perspectives. Labels: Are the means to prove and ensure safety sufficient?; Build opinion; Safety issues; Occurrences; Impact of change on regulations; Safety Assessment Methods; Mitigations; Review; Evaluate; Investigate; Oversight; Duty of care; Clear responsibility for safety; Independent Oversight and body.]

Page 9

How Fundamentals work

Safety Requirement / Guiding Question:
- Responsiveness: Can regulators or providers act upon safety issues in a timely manner?
- Independence: Is an independent oversight of the system ensured?
- Transparency: Are the legal responsibilities clearly laid out?

Sources (examples): ICAO-SMM, 2007; ESARR1, 2004; IAEA, 2006

A view on the tool
- Explanation
- Question: high-level question, possible answers, low-level questions
- Room for providing justification
- Safety fundamental applicable to this page of questions

Page 10

Hypothetical example of result (Safety Architecture and Technology perspective)

[Chart: dimensions Transparency, Redundancy, Interdependence, Functionality, Integrity, Maintainability; the average safety effort expected area; profiles for ATM change 1 and ATM change 2.]

Basic principles of Regulation

Example: Air Ground Data link results

[Chart: each fundamental rated as likely improved safety, likely more complicated, or likely equal to today's situation; issues to expect and resolve are marked.]

Screening provides negative as well as positive indications for safety performance.

Page 11

Experiences

- Throughout positive response on the structure and use of the method
- Applied to key SESAR operational concepts to build the Safety Register of SESAR (mandatory for development and implementation)
- Regained momentum in Galileo's EGNOS safety issues
- Currently being built into a regulatory tool for SESAR developments

And not to forget… a prize in rail application, by Nicolas Petrek

Two working modes

- Screening (licensee use): for the definition phase of a project (e.g., SESAR)
- Scanning (regulatory use): for coordinating regulator-licensee interaction throughout the life-cycle, including also the suitability of safety methods

Rail: European discussions on ETCS; restructuring of organisations
Rail: regulatory acceptance process

Page 12

Screening in the SESAR Definition phase

Phases / Safety Approach / Output:
- Concept Definition: Screening; output: safety considerations, system decomposition, scope of safety plan
- System Definition: FHA; output: safety objectives, hazards
- System Design: PSSA; output: safety requirements, importance based mitigations
- System Implementation and Integration: SSA; output: evidence based mitigations
- Operation; Decommissioning

Fundamentals versus safety assessment

Not a mutually exclusive approach but complementary:

- Due to the effort required for detailed Safety Assessments, none is made without a screening for the most important issues (best practice: nuclear)
- Finding critical information early enough (see medicine, organisational design)

Approach:

- Turning regulatory requirements into questions for consideration
- Effective planning by involving all stakeholders

Purpose:

- Inform succeeding steps about critical issues and managerial needs
- Judge the required capabilities of safety assessment methods
- Steer resources effectively

= Not making a safety decision, but avoiding a wrong path or a too late recognition of severe issues

Page 13

Scanning on Safety Fundamentals and suitability of safety methods

[Diagram: Regulatory Tasks <-> Licensee Activities; scanning of licensee activities through the life-cycle.]

Questions?