
Commercial in Confidence

Response to Task Requirement Sheet 08-112565-T

Technical Proposal for Unmanned Aircraft Systems (UAS) Safety Case Development

Reference S08033.2.1

Date: 15 Dec 2008

Issue: V1.0

Prepared by: Alan Simpson

Checked by: Joanne Stoker

Authorised by: Mike Sotirakos

Distribution: EUROCONTROL (Holger Matthiesen); Ebeni (Sales File, Christopher Machin)

Technical Proposal for Unmanned Aircraft Systems (UAS) Safety Case Development, S08033.2.1. Commercial in Confidence. Page 2 of 61

© Copyright

The layout, style, logo and contents of this document are copyright of Ebeni Limited 2008. No part of this document may be reproduced without the prior written permission of Ebeni Limited. All rights reserved.

Configuration Control

Issue | Date | Comments

v0.1 Draft | 10 Dec 2008 | Initial draft for internal review

v1.0 Definitive | 15 Dec 2008 | Definitive Issue for Release


Table of Contents

1 Introduction 4
1.1 General 4
1.2 Background 4
1.3 Ebeni UAS and ATM Experience 4
1.4 Overview of Ebeni Limited 5
1.5 Contents of this Proposal 7

2 Technical Approach 8
2.1 Technical Appreciation 8
2.1.1 Introduction 8
2.1.2 Understanding of the Key Safety Issues 8
2.1.3 Overall Safety Argument 9
2.2 Implementation Plan 10
2.2.1 Overview 10
2.2.2 Safety Assessment 11
2.2.3 FHA/PSSA Workshop 12
2.2.4 Post Workshop Activities 12
2.3 Staffing the Study 12

3 Meeting the Required Experience Criteria 14
3.1 Experience Requirement 1. 14
3.2 Experience Requirement 2. 15
3.3 Experience Requirement 3. 15
3.4 Experience Requirement 4. 16
3.5 Experience Requirement 5. 16
3.6 Experience Requirement 6. 16
3.7 Experience Requirement 7. 16
3.8 Experience Requirement 8. 17
3.9 Experience Requirement 9. 17
3.10 Experience Requirement 10. 17

4 Work Plan and Project Management 18
4.1 Work Breakdown 18
4.2 Schedule of Deliverables 19
4.3 Meetings 19
4.4 Assumptions 19
4.5 Dependencies 20
4.6 Risks 20
4.7 Working Arrangements 20

Appendix A Curriculum Vitae 23


1 Introduction

1.1 General

This technical proposal is submitted by Ebeni Limited in response to EUROCONTROL’s Task Requirement Sheet 08-112565-T on Development of an Unmanned Aircraft Systems (UAS) Safety Case [1].

A financial proposal is provided under separate cover within Form AF3/2TRS (Financial Proposal and Price Declaration).

1.2 Background

The evolution of aerospace technologies in the field of Unmanned Aircraft Systems (UAS), including automatic/autonomous operations, will impact European ATM as regards new military and civil UAS applications. UAS will represent new challenges as well as new opportunities for ATM design in the future in the context of both SESAR and beyond (vision 2050), for the benefit of both manned and unmanned aviation.

The EUROCONTROL Agency, in executing its responsibilities associated with the management of the pan-European ATM network, must ensure that UAS do not negatively impact overall levels of ATM security, safety, capacity and efficiencies.

Assuring the safety of UAS operations in non-segregated airspace requires a significant update to key elements of extant regulations and standards. UAS have yet to establish a good safety record and there are many challenges both regulatory and technological to be resolved before such operations can become common place. Development of a coherent regulatory framework (i.e. regulations, standards, etc.) for certifying UAS systems must be argued as acceptably safe within the context of the whole operational Air Traffic environment.

1.3 Ebeni UAS and ATM Experience

Having assessed the TRS requirements and noted the timeframe and need for flexibility, Ebeni believes it possesses all the necessary attributes to perform the task and offers:

Extensive experience in assessing the safety of actual and theoretical UAS operations in all classes of airspace

In-depth competence in the areas of safety assessment and the development of safety requirements, especially within the EUROCONTROL environment for a whole range of projects including Military UAV OAT Task Force, Overall ATM/CNS Target Architecture (OATA), Mode S, ACAS II, EUROAT, RVSM, etc.

Substantial experience in the UAS industry with subject matter experts in, for example, UAS airworthiness, ground control system and control link safety

A wealth of analytical and reporting capability consistent with a commitment to the provision of a high-quality consultancy service

Practical knowledge of EU Commission directives regarding the European Aviation Safety Regulatory environment, including ESARRs, SES and associated Implementing Rules

Availability of personnel with the necessary expertise and flexibility to accommodate change.


Ebeni proposes Alan Simpson as the technical lead for the work supported by Joanne Stoker, Ed Macfarlane and Vicky Brennan.

Alan has over 20 years experience as a safety engineer and has worked in the UAS industry for the last 7 years specialising in the safety issues associated with operating UAS in non-segregated airspace and taking an active role in helping the UAS industry to understand the safety issues of UAS operations in the ATM environment.

Jo has over 10 years experience as a safety engineer extensively in the ATM domain and has worked with Alan on a number of EUROCONTROL safety tasks including the development of safety requirements for the EUROCONTROL Military UAV OAT Task Force deliverable.

Vicky is an experienced Safety Consultant and Independent Safety Advisor/Auditor with a strong background in the assessment of military aircraft and other military systems for certification, including synthetic environments and simulator training systems. Over the last 5 years Vicky has specialised in the assessment and development of unmanned air vehicle systems (UAVS), dealing with new systems and operating environments and their effect on safety. Vicky’s last role was as the Technical Authority for the Safety Case Development Programme for the Watchkeeper System. She led a team of Safety Engineers dedicated to the assessment of this highly complex and extensively integrated UAV System and her expertise is frequently sought by new suppliers of UAVs to the MOD.

Ed is a Safety Engineer with four years practical safety engineering experience gained within the Air Traffic Management (ATM), Nuclear and Oil industries. Ed has worked across a wide range of different industries concentrating on safety and risk assessment. Most recently Ed has been supporting EUROCONTROL’s Regulatory Unit on a task to assess the data integrity requirements of Data Items published in Aeronautical Information Publications (AIP) that are not covered by ICAO Annex 15 et al. This task supports the development of the harmonised list of data items for use between Data Providers and Data Users. This work forms part of the DQR Means of Compliance for the ADQ Implementing Rule.

Additional specialist engineers/experts can be called upon to support the team if necessary, including experts in UAS operations, UAS security and Air Traffic Control. Further detail of all team members is provided in Section 3 below together with specific roles and working arrangements. A copy of each CV can be found at Appendix A.

1.4 Overview of Ebeni Limited

Ebeni Limited was established in 2004 by a team of professional engineers with extensive experience across the ATM, Aerospace, Defence, Rail and Finance markets. Since that time Ebeni has grown year on year and expanded its customer base to include many blue chip companies and organisations including: EUROCONTROL (HQ and CFMU), NATS, SELEX SI, Terma, Thales and BAE Systems. Ebeni provides high-level expertise in safety and operational risk assessment and management, mission or business critical applications offering a reliable, high-quality capability. We offer a very high level of practical experience, know-how, contacts, and confidentiality. Clients know that working with Ebeni will provide them an innovative solution whilst providing excellent value for money. Ebeni’s business is built on the principle of providing real benefit to its customers and prides itself on understanding what the client needs and going the extra mile to ensure it is delivered to the client.

The Ebeni team has worked successfully within the UAS domain on a number of projects including:


Derivation of safety requirements and development of a Safety Assurance Report on the Draft EUROCONTROL Specifications for the Use of Military Unmanned Aerial Vehicles as Operational Air Traffic Outside Segregated Airspace

Safety assessment supporting research into the requirements for Sense and Avoid systems from an ATM perspective in all classes of airspace as part of the UK funded Autonomous Systems Technology Related Airborne Evaluation and Assessment (ASTRAEA) project

Ongoing support to a UK Defence Contractor in various UAS development programmes

Safety assessment and safety case development for the WATCHKEEPER Tactical UAS, both air vehicle and ground control systems, operating in segregated and non-segregated airspace

Preliminary safety assessment of NATO specifications for Sense and Avoid Systems

Participants in the EUROCONTROL/JAA taskforce for UAVS operations

Ongoing association with the work of EUROCAE Working Group 73

In addition, Ebeni has worked successfully with EUROCONTROL on a number of projects including:

Undertaking the safety assurance of the EUROCONTROL Harmonised Rules for Operational Air Traffic (OAT) under Instrument Flight Rules (IFR) inside controlled Airspace of the ECAC Area (EUROAT)

Developing the Safety Summary Report and undertaking the safety assessment of the Overall ATM/CNS Target Architecture (OATA)

Developing a Post-Implementation Safety Argument for ACAS II

Developing outline safety cases for European Commission Interoperability Mandate Implementing Rules for Initial Flight Planning, Co-Ordination and Transfer, Aeronautical Data Quality, Mode S Interoperability and Surveillance Performance and Interoperability

Provision of ongoing safety support to EUROCONTROL’s Regulatory Unit (RU) in relation to the development of several European Commission Interoperability Mandates, primarily for Aeronautical Information Services

Developing a retrospective safety case and undertaking safety assessments for the EUROCONTROL European Aeronautical Information Service (AIS) Database (EAD) System and its associated Services

Ongoing in-service maintenance of the EAD Safety Case to reflect new releases of the system and providing safety guidance to support member state ANSPs using EAD

Updating the EUROCONTROL Safety Case Development Manual

In addition Ebeni works extensively with ATM equipment manufacturers and ANSPs across Europe and in other industries such as Aviation and Defence.


1.5 Contents of this Proposal

Section 2 contains our analysis of the task, the requirements that must be taken into account in developing a solution and our detailed technical approach.

Section 3 demonstrates how our proposed team and approach meets EUROCONTROL’s required experience for the project.

Section 4 contains information on how we will implement the work including details of our proposed Work Breakdown Structure for the project, project resources, a schedule of deliverables, assumptions and dependencies.

Appendix A contains full CVs for each member of our core team.


2 Technical Approach

This section presents our understanding of the technical issues associated with undertaking the task and our approach for delivering all outputs in a timely and efficient manner. The approach detailed below has been written in response to the Task Specification [1].

2.1 Technical Appreciation

2.1.1 Introduction

Unmanned Aerial Systems (UAS) are set to become part of everyday air traffic operations, perhaps within the next few years or decades; however, there are significant challenges that need to be addressed in order to seamlessly introduce UAS into non-segregated airspace. Ebeni has already conducted significant research to identify some of the safety challenges in achieving this objective in the context of the current regulatory framework as part of the UK funded ASTRAEA project. That research was based on how one might rigorously argue the safety of UAS operations in non-segregated airspace from an Air Traffic Management (ATM) perspective, adapting the EUROCONTROL UAS OAT TF safety work (see footnote 1) and using the EUROCONTROL combined success and failure approach.

Current UAS operations are largely constrained to designated danger areas or within temporary restricted areas of airspace, commonly known as segregated airspace, or are flown under special arrangements over the sea or at high altitude. On some occasions, UAS operations are permitted in an extremely limited environment outside segregated airspace. To exploit fully the unique operational capabilities of current and future UAS and thus realise the potential commercial benefits of UAS, there is a desire to be able to access all classes of airspace and operate across national borders and airspace boundaries. Such operations must be acceptably safe but regulation should not become so inflexible or burdensome that the commercial benefits are unnecessarily lost. The viability of the commercial market for UAS especially is heavily dependent on unfettered access to the same airspace as manned civilian operations, at least in like for like operations, for example in overnight cargo transportation.

Whilst it is essential that UAS demonstrate an equivalent level of safety compared to manned operations, the current regulatory framework has evolved around the concept of the pilot-in-the-cockpit. There is a need to develop UAS solutions that assure an equivalent level of safety for UAS operations, which in turn will require adaptation of the current regulatory framework to allow for the concept of the pilot-not-in-the-cockpit without compromising the safety of other airspace users.

2.1.2 Understanding of the Key Safety Issues

One of the major issues facing UAS operations is the demonstration of equivalence (in particular for See and Avoid) in the context of an evolving ATM environment. It is very important that all involved in the UAS industry understand that the current ATM environment is not static. Achieving equivalence with manned operations is not a fixed target as there are many significant changes proposed (e.g. through SESAR) that aim to improve operational efficiency and performance or enhance safety. On the whole, proposed changes to the ATM environment could be seen as advantageous to UAS operations as more and more functions within the environment are automated; thus there is a significant opportunity for the UAS industry and ANSPs to influence the shape of the future ATM environment to support wider UAS operations.

Footnote 1: The research looked more closely at the role of collision avoidance and the interaction with separation provision functions, although it excluded the landing/take-off phase of flight as there are currently specific issues associated with UAS operations at this stage, necessitating the provision of separate automatic landing aids for UAVs.


Other safety issues to be addressed include, but are by no means limited to:

The reliability of the UAV and Data Link as this is key to minimising the workload impact on ATC arising from excessive instigation of emergency or contingency procedures.

Interaction with ACAS II. Whilst current TCAS cannot be fitted to UAVs (for a variety of performance and integrity reasons), a substantial increase in the amount of non-fitted aircraft could undermine the overall efficacy of ACAS II. Although an automated response to a Resolution Advisory (RA) improves the performance of TCAS (poor pilot response is a major contributor to inadequate RA response), the current system still relies on the pilot as the final arbiter on Collision Avoidance manoeuvres. The EUROCONTROL UAV specifications imply that automated responses should be the exception (see UAV8 in [Error! Reference source not found.]) although the NATO Sense & Avoid specifications suggest otherwise (see CAS8 and CAS9 in [8]).

An equivalent to pilot visual acquisition, even if only operating in controlled airspace, remains a major barrier to unfettered UAS operations.

2.1.3 Overall Safety Argument

The task as defined within the Task Requirement Sheet is “to develop an ATM safety assessment for UAS so as to identify a set of ATM safety requirements, over and above the existing ATM regulatory safety requirements, which, if implemented, will ensure that the introduction of UAS into non-segregated airspace will be acceptably safe”. The safety assessment will consider two defined UAS operating scenarios in order to provide a realistic context into which UAS will be operated.

Scenario 1 – covers UAS operations in Class A, B or C airspace, flying IFR en-route only, which may also be beyond the visual line of sight of the pilot-in-command

Scenario 2 – covers UAS operations in airspace where VFR flight is permitted and the pilot-in-command has direct line of sight of the UAV (see footnote 2)

For ease of understanding a separate safety argument and Preliminary Safety Case (PSC) are to be produced for each scenario. A separate report summarising the findings for non-safety experts will also be produced, aimed at a broad readership within the UAS community. The safety assessment and the PSCs will be carried out in line with ESARR 4 [6] using the EUROCONTROL Safety Assessment Methodology (SAM) [3], including the “success” and “failure” safety argument approaches. The high-level safety argument will be developed in the early stages of the project and will address the overall claim that UAS operations are acceptably safe, in principle, in the context of the scope of operations defined for each scenario. The PSC will only focus on the evidence for the adequacy of safety requirements for each operational scenario and include guidance on issues associated with satisfaction of this argument in TMA and other argument strands, i.e. for implementation, transition and operational safety monitoring. Each safety argument will aim to show that:

1. The UAS Concept in the given scenario is intrinsically sound.

2. Everything necessary has been specified, as safety requirements for functionality and performance of the various elements (covering airspace, equipment, people and procedures) of the UAS concept of operations, to ensure that the eventual implementation will be safe, in the absence of failure of/within those elements.

Footnote 2: It may be of interest to EUROCONTROL that we have already conducted safety assessments on VFR operations beyond the pilot visual line of sight and the implications therefore for UAS operations. We would be happy to discuss inclusion of this work in the consideration of this scenario, if appropriate.

3. The UAS concept of operations, at a functional and logical-architecture level, is complete, coherent and operates correctly (in a dynamic sense) under all foreseeable normal operational conditions.

4. The UAS concept of operations is robust against all foreseeable abnormal conditions (including failures external to the UAS concept of operations).

5. Any risks introduced as a result of failures internal to the UAS concept of operations, have been assessed, and mitigated adequately, and that those mitigations have been captured as additional safety requirements.

6. All safety requirements have been shown to be realisable, i.e. are capable of being satisfied by the various elements of a typical implementation (using people, procedures, available technology as appropriate).

7. All Evidence relating to the arguments is trustworthy.

2.2 Implementation Plan

2.2.1 Overview

Our proposed approach is based on the tasks identified in the TRS. The initial activity will be to determine appropriate safety criteria and a high-level safety argument for each scenario. The Military UAV OAT safety assessments utilised a relative safety criterion in order to derive safety requirements. The approach taken was based on assuring that the risk to airspace users “with UAS” operating is no worse than the risk when no UAS are operating, i.e. “without UAS”, and that all identified risks are reduced as far as reasonably practicable (ESARR 3 [5]). This relative safety argument approach may also be appropriate, and is recommended, for this TRS but will be re-examined in consultation with the relevant stakeholders.

Step 1 - Safety Assessment Plan including:

The Safety Criteria, defining what is safe in the context of the UAS concept of operations, taking account of the objectives of various stakeholders

A Safety Argument, using Goal-Structuring Notation (GSN), as to why the UAS concept of operations would in principle (i.e. subject to proper implementation) satisfy the specified Safety Criteria

A definition of the Safety Activities needed to gather the Evidence required to support each strand of the Safety Argument, as well as the links and relationships between Safety Activities and the Safety Argument

A clear description of the proposed safety methodologies and techniques, and precisely how they will be employed on the safety assessment

A clear description of the proposed human-factor methodologies and techniques, and precisely how they will be integrated into the safety assessment

The means and resources (including those required from EUROCONTROL) to carry out Safety Activities within the Project

Responsibilities and accountabilities for Safety Activities


The safety deliverables associated with the safety activities

The allocation of safety activities and safety deliverables in the progression of the UAS project

The relationships and dependencies between successive safety activities and associated safety deliverables

The detailed schedule and milestones for conducting safety activities and releasing associated safety deliverables

Step 2 - Perform safety assessments in accordance with the Safety Assessment Plan including:

Undertaking the activities to address all elements of the safety argument

Perform a FHA and PSSA on the UAS operational concepts, which shall include all fact finding, workshops and meetings with experts

Presentations to identified working groups

Step 3 - Production of the Preliminary Safety Cases including

Development of a Preliminary Safety Case for each of the two scenarios as defined in the SCDM [2]

The detail of the Safety Assessment Plan and schedule will be presented for agreement at the kick-off meeting at EUROCONTROL HQ, which is to be organised at the beginning of the contract. Once agreed we will remain flexible and adaptable to respond to changing circumstances, within the scope of the study. Any changes will be agreed in advance with the EUROCONTROL UAS Activity Manager.

2.2.2 Safety Assessment

The overall objective of the FHA/PSSA activity is to ensure that sufficient and necessary evidence is gathered to substantiate that the safety requirements are adequate in the context and scope of the defined operational scenarios. The approach below is based on a relative safety criterion but is also largely applicable to an absolute safety criterion, although in that case there would be no need to develop models, hazards etc. for the “without UAS” situation.

Define and verify the scope and boundary of the analysis being undertaken.

Define and validate the UAS Operational Models, Functional and logical architecture models applicable to the present (“without UAS”) and new (“with UAS”) situations.

Identify and confirm the hazards applicable to UAS operations in the “without-UAS” and “with UAS” situations.

Categorise hazards into those that are common to both and those that are unique.

Where UAS could credibly alter the consequences or causes of the common hazards then:

o Identify the potential consequences of each hazard, taking into account the available mitigations, using Event Tree Analysis.


o Identify the possible causes of each hazard, using Fault Tree Analysis.

Identify potential consequences and possible causes for any unique hazards.

Compare the hazards, consequences and causes for the “without UAS” and “with UAS” situations to determine the risk delta.

Identify any potential safety issues from the introduction of UAS to segregated airspace or particular known safety issues with current technology.

Document results and conclusions in the FHA/PSSA Report.

2.2.3 FHA/PSSA Workshop

The FHA/PSSA Workshop will need to be organised as soon as possible following contract award and should be attended by key EUROCONTROL stakeholders in addition to our ATM and UAS domain specialists. Other stakeholders from, for example, the Military UAV OAT Task Force, EUROCAE WG73 and NATO should also be invited but attendance is not mandatory. We propose that the workshop is facilitated by safety specialists from Ebeni and chaired by EUROCONTROL. The location of the workshop could be EUROCONTROL HQ or in the UK as deemed appropriate.

A briefing pack for the workshop will be issued one week prior to the workshop for all attendees. The briefing pack will contain the proposed agenda, the outputs of the pre-workshop activities and an overview of the workshop objectives and methodology.

FHA/PSSA workshop minutes will be produced one working week after the workshop capturing the results of the discussions and the validated versions of outputs from the pre-workshop activities.

2.2.4 Post Workshop Activities

Following the FHA/PSSA Workshop all the output will be consolidated and reviewed, followed by further, more detailed, safety and risk analysis activities. This will include the derivation of the ‘Bow-Tie’ model through construction of Fault Trees and Event Trees using the appropriate software tools, to complete the cause/consequence models. These models will then be used to derive the necessary risk mitigations to maintain present (“without UAS”) safety levels and identify areas for practicable risk reduction. The results of the risk assessment will be used to derive safety requirements.

The results of the above activities will be documented in the FHA/PSSA Report together with the derivation of safety requirements for UAS operations in each of the two scenarios.

A final version of the FHA/PSSA Report will be produced based on incorporation of EUROCONTROL review comments
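The relative-safety method described in sections 2.2.2 and 2.2.4 (hazards categorised as common or unique, a fault tree for causes, an event tree of barriers for consequences, a risk delta between the “without UAS” and “with UAS” situations, and a safety requirement derived from the shortfall) can be worked through numerically. The Python below is an added illustration and not Ebeni's tooling; the hazards, per-flight-hour frequencies and barrier success probabilities are constructed placeholders, not figures from the proposal or from any real assessment.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Fault-tree node: a basic-event name, or a (gate, [children]) pair with gate "AND"/"OR".
Node = Union[str, Tuple[str, list]]


def fault_tree_prob(node: Node, basic: Dict[str, float]) -> float:
    """Per-flight-hour probability of the hazard (top event); basic events independent."""
    if isinstance(node, str):
        return basic[node]
    gate, children = node
    ps = [fault_tree_prob(c, basic) for c in children]
    out = 1.0
    if gate == "AND":
        for p in ps:
            out *= p
        return out
    if gate == "OR":  # 1 - prod(1 - p): never exceeds 1, unlike the rare-event sum
        for p in ps:
            out *= 1.0 - p
        return 1.0 - out
    raise ValueError(f"unknown gate {gate!r}")


def event_tree(p_hazard: float, barriers: List[Tuple[str, float]]) -> Dict[str, float]:
    """Consequence side of the bow-tie: each barrier in turn recovers the situation
    with probability p_ok or passes it on; whatever survives all barriers is an accident."""
    outcomes: Dict[str, float] = {}
    remaining = p_hazard
    for name, p_ok in barriers:
        outcomes[f"recovered:{name}"] = remaining * p_ok
        remaining *= 1.0 - p_ok
    outcomes["accident"] = remaining
    return outcomes


@dataclass
class Hazard:
    hid: str
    tree: Node                          # causes (fault tree)
    barriers: List[Tuple[str, float]]   # ordered mitigations (event tree)


def accident_rate(h: Hazard, basic: Dict[str, float]) -> float:
    return event_tree(fault_tree_prob(h.tree, basic), h.barriers)["accident"]


def total_risk(hazards: List[Hazard], basic: Dict[str, float]) -> float:
    return sum(accident_rate(h, basic) for h in hazards)


def categorise(without: List[Hazard], with_uas: List[Hazard]) -> Dict[str, List[str]]:
    """Hazards common to both situations versus unique to one of them."""
    a, b = {h.hid for h in without}, {h.hid for h in with_uas}
    return {"common": sorted(a & b), "unique_to_uas": sorted(b - a), "removed": sorted(a - b)}


def risk_delta(without: List[Hazard], with_uas: List[Hazard], basic: Dict[str, float]) -> float:
    """Positive means 'with UAS' is less safe than 'without UAS'."""
    return total_risk(with_uas, basic) - total_risk(without, basic)


def required_barrier_success(hazard: Hazard, others: List[Hazard],
                             basic: Dict[str, float], target: float) -> Optional[float]:
    """Derive a safety requirement: the minimum success probability an extra barrier on
    `hazard` needs so total risk is no worse than `target`. None means the other
    hazards alone already exceed the target, so mitigating this hazard cannot suffice."""
    budget = target - total_risk(others, basic)
    if budget < 0.0:
        return None
    current = accident_rate(hazard, basic)
    return 0.0 if current <= budget else 1.0 - budget / current


# Constructed per-flight-hour basic-event frequencies (placeholders, not real data).
BASIC: Dict[str, float] = {
    "atc_separation_error": 1e-5,
    "pilot_separation_error": 2e-5,
    "command_link_loss": 1e-4,
    "lost_link_procedure_fails": 1e-2,
}
SEP_LOSS = ("OR", ["atc_separation_error", "pilot_separation_error"])

WITHOUT_UAS = [Hazard("H1-loss-of-separation", SEP_LOSS,
                      [("controller/STCA", 0.9), ("pilot see-and-avoid", 0.9), ("ACAS RA", 0.99)])]
WITH_UAS = [
    # Common hazard, same causes; but no pilot in the cockpit and no TCAS fit,
    # so the see-and-avoid barrier changes and the ACAS barrier disappears.
    Hazard("H1-loss-of-separation", SEP_LOSS,
           [("controller/STCA", 0.9), ("sense-and-avoid", 0.9)]),
    # Unique hazard: command link lost and the lost-link procedure also fails.
    Hazard("H2-uncontrolled-uav-after-link-loss",
           ("AND", ["command_link_loss", "lost_link_procedure_fails"]),
           [("flight termination system", 0.999)]),
]

if __name__ == "__main__":
    base = total_risk(WITHOUT_UAS, BASIC)
    print(categorise(WITHOUT_UAS, WITH_UAS), f"delta {risk_delta(WITHOUT_UAS, WITH_UAS, BASIC):+.3e}/h")
    print("extra H1 barrier must succeed with p >=", required_barrier_success(WITH_UAS[0], WITH_UAS[1:], BASIC, base))
```

With these placeholder figures the risk delta is positive, and the derived requirement is that any additional loss-of-separation barrier for the UAS case must succeed about 99.3% of the time to restore the “without UAS” level; weakening the flight-termination barrier makes the requirement unattainable by that route alone, which the function reports as None.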

2.3 Staffing the Study

Ebeni proposes to deploy a small team of safety specialists to undertake the safety activities. The Ebeni team comprises a number of specialists who have the appropriate skills with which to address the issues contained in the TRS. Short profiles of these team members are provided below and full CVs can be found at Appendix A.

Alan Simpson BSc (Hons), CEng, MIET, MSaRS

Alan is a highly experienced safety engineer with over 20 years experience in critical systems engineering, analysis and project management. He has detailed knowledge of many mission, avionics, armament, unmanned air vehicle and air traffic management systems as well as automotive, metro signalling and train control systems. Alan has controlled and implemented a variety of Safety Engineering, System Engineering and Assurance programmes within the Air Traffic, aviation and rail industries, in the UK and overseas, encompassing a range of roles and responsibilities, specialising in complex high integrity systems and concepts. Alan has worked directly with EUROCONTROL on all of the ATM Safety projects referred to in section 1.3 of this proposal, as well as the UAS research projects for ASTRAEA and UAS operational safety assessments for UK and US based defence contractors.

Jo Stoker BSc (Hons), MIET, MSaRS

Jo is an experienced System Safety Engineer and Project Manager with over 10 years experience across the whole system safety lifecycle in a number of different industries, specifically the Air Traffic Management, Avionics and Automotive sectors. Jo has also supported all of the EUROCONTROL safety projects referred to in section 1.3.

With Alan, Jo carried out the safety assurance of draft specifications for flying Military Unmanned Aerial Vehicles in non-segregated airspace. She has also contributed to safety assessments of avionic equipments for military aircraft upgrades.

Ed Macfarlane BEng (Hons) MSc

Ed is a Safety Engineer and has 4 years safety engineering experience gained predominantly within the Nuclear and Oil industries. Ed has worked across a wide range of different industries concentrating on safety and risk assessment. This has involved the running and co-ordination of HAZOP (HAZard & OPerability), HAZID (HAZard IDentification) and Process FMEA studies, mechanical assessment and design of items, risk & reliability assessment and fault tree analysis on oil and gas projects. Ed has worked with EUROCONTROL on the ADQ Mandate (DQR Community Specification and Safety Assessments) and worked with Alan on the ASTRAEA UAS research project.

Vicky Brennan BSc MSc

Vicky is an experienced Safety Consultant and Independent Safety Advisor/Auditor with a strong background in the assessment of military aircraft and other military systems for certification, including synthetic environments and simulator training systems. She has specialised in Safety and Software and has contributed significantly to committees forming policy for safety critical systems, software development and certification, particularly within the MOD. She is the Technical Authority and a Project Safety Authority for a number of major programmes and is also responsible within those roles for the training and mentoring of more junior staff.

Over the last 5 years Vicky has specialised in the assessment and development of unmanned air vehicle systems (UAVS), dealing with new systems and operating environments and their effect on safety. Vicky’s last role was as the Technical Authority for the Safety Case Development Programme for the Watchkeeper System. She led a team of Safety Engineers dedicated to the assessment of this highly complex and extensively integrated UAV System and her expertise is frequently sought by new suppliers of UAVs to the MOD.


3 Meeting the Required Experience Criteria

This section presents how our proposed team meets all the required experience specified within the Task Requirement Sheet [1]. We propose this work is led by Alan Simpson as the main contact, supported by Jo Stoker and Ed Macfarlane, with additional in-depth UAS domain knowledge from Vicky Brennan.

We strongly believe that our team is ideally qualified to undertake this work and that there are a number of compelling reasons for selecting Ebeni to undertake this project:

Our extensive experience in the UAS field, specifically in undertaking safety assessments for ATM and UAS related projects

Our involvement in UAS and ATM related projects which we believe significantly reduces the learning time and report preparation cost for EUROCONTROL

Our experience and familiarity with the development of safety cases for a wide variety of EUROCONTROL programmes

We have previously demonstrated that we deliver the required quality deliverables on time and to budget

We will apply an innovative, effective, pragmatic and proven technical approach

Our commitment to deliver to quality, budget and time

The proven track record of the team within EUROCONTROL and wider industry

We provide excellent value for money

Ebeni believe that subject to the stated risks, assumptions and dependencies, we can provide the safety engineering excellence necessary to support the work successfully on this contract.

3.1 Experience Requirement 1.

Demonstrate thorough and exhaustive competence in the field of aviation and ATM safety and safety risk assessment.

The team has over 50 years' experience in safety engineering and management, with significant experience in constructing safety cases and conducting safety and risk assessments in the ATM, aviation and other domains as highlighted in section 1.3, and in addition:

Safety assessments of Unmanned Air Vehicle and Ground Control Stations for UK and US based defence contractors

Independent Safety Assessments for military aircraft and avionics systems

Study into the integration of Safety and Security Evaluation

System and Software Safety Cases for safety-critical avionics equipment


3.2 Experience Requirement 2.

Demonstrate a thorough and exhaustive understanding of the legal and regulatory framework for aviation safety.

Through involvement in a number of EUROCONTROL and related ANSP and aerospace manufacturer based projects the team is aware of the specific roles of the European Aviation Safety Agency (EASA) and the EUROCONTROL Safety Regulation Commission (SRC) and Regulatory Unit (RU), and has working knowledge of ESARRs, Single European Sky (SES) regulations and associated Implementing Rules and ICAO Annexes (specifically Annexes 2, 3, 4, 8, 10, 11, 12, 14 & 15), as well as a number of Acceptable Means of Compliance (AMCs; previously Temporary Guidance Leaflets or TGLs) issued by EASA as guidance material to Aircraft Operators in meeting requirements for airworthiness and operational approvals for specific flight operations.

3.3 Experience Requirement 3.

Demonstrate thorough and exhaustive experience in the field of the application of the EUROCONTROL Safety Assessment Methodologies in ATM.

The team has over 20 years' experience in safety engineering and management, with significant experience in constructing safety cases and conducting safety and risk assessments in ATM and other domains. The team has extensive experience of producing FHAs and PSSAs, which require analytical skills whose results lead to the identification of key issues that are then addressed in the associated safety case, including:

Undertaking the safety assurance process on the Draft EUROCONTROL Specifications for the Use of Military UAVs as OAT outside segregated airspace

RVSM Pre-implementation and Post Implementation safety cases at EUROCONTROL HQ

Development of a Post-implementation safety argument for ACAS II

Conceptual operations of Tactical Unmanned Air Vehicles (TUAV) in Civil Airspace

Safety analysis for European Commission Mandates Implementing Rules for Aeronautical Data Integrity (ADI), Mode S Interrogator Code Allocation, Co-Ordination and Transfer and Initial Flight Planning

EUROCONTROL Safe Aeronautical Data study

Development and maintenance of the safety case for the European Aeronautical Information Service (AIS) Database (EAD) system for EUROCONTROL

Safety assessment of many systems used for ATC including Primary and Secondary Radars, ATC display and information systems, CCTV and precision time systems

Study into the integration of Safety and Security Evaluation

System and Software Safety Cases for safety-critical avionics equipment

The team was also responsible, with EUROCONTROL HQ, for the development and update of the Safety Case Development Manual [2], based on 10 years experience of developing and reviewing safety cases in various industries.


3.4 Experience Requirement 4.

Demonstrate thorough and exhaustive understanding of the environment and constraints which apply to conducting safety-related work within the EUROCONTROL and its Stakeholders.

In all our work with clients including EUROCONTROL we are committed to getting the right result within the scope and objectives of the work, recognising that plans often need to adapt. For this study we will remain flexible and adaptable to changing circumstances in order to achieve a mutually acceptable outcome.

Our practical skills and knowledge have given us extensive experience of both the technical and political challenges with safety regimes in operational environments, and through our previous work with EUROCONTROL and other clients we understand these challenges.

3.5 Experience Requirement 5.

Provide clear evidence of skills and expertise to provide the support required, as described in the specification [1].

Please refer to sections 1 and 2 of this proposal.

3.6 Experience Requirement 6.

Demonstrate fluency in reading and writing English and excellent report drafting skills.

All of the core project team are native English speakers. All of the team are experienced in writing clear, well-structured reports on complex issues, for example the EUROCONTROL Safety Case Development Manual. We are happy to provide examples of their skills in this area on request.

3.7 Experience Requirement 7.

Propose personnel which are:

a) Able to work in an international environment within the confines of being multi-cultural and multi-disciplinary

b) Autonomous and resourceful

c) Excellent in interpersonal and communication skills (listening)

d) Consensus-seeking

e) Solution-oriented

f) Respected as safety professional within the aviation community (see footnote 3)

The key members of the Ebeni Team are well known to EUROCONTROL and have continually demonstrated capabilities in these areas as part of the ongoing successful delivery of a variety of EUROCONTROL projects as listed in section 1.3.

Footnote 3: Task Requirement Sheet 08-112656-T [1] states 'security professional'; however, it has been confirmed that this should read 'safety professional'.


3.8 Experience Requirement 8.

Provide detailed C.V.’s of relevant personnel.

Please refer to the CVs provided in Appendix A.

3.9 Experience Requirement 9.

Original thinking, additional ideas and individuality towards the specifications will be considered an important factor in the tender assessment.

Please refer to all sections of this proposal.

3.10 Experience Requirement 10.

Demonstrate a strong commitment to quality.

Ebeni operates an ISO 9001 accredited Quality Management System (QMS).

In addition, the team proposed to carry out this contract have successful track records of working in highly regulated industries following strict quality and safety standards.

Overall, EUROCONTROL can be confident that the work performed under this Task Requirement Sheet will be carried out to the highest standards and within the required timescales.


4 Work Plan and Project Management

4.1 Work Breakdown

Ebeni will carry out the tasks by means of the following work packages.

Work Package & Sub-tasks Task Description

1000 - Missions

1100 Kick-off meeting

1200 FHA/PSSA Workshop

1300 Ad hoc/Progress Meetings

1400 Presentation of findings

2000 - Study Plan (WP 01)

2100 Study Plan

2200 Project monitoring and scheduling

3000 - Structured Safety Argument (WP 02)

3100 Develop safety argument

3200 Review CONOPS and other EUROCONTROL documents

4000 - Safety Assessment Plan (WP 03)

4100 Develop Safety Assessment Plan

4200 Finalise Safety Assessment Plan

5000 - Safety Assessment (WP 04)

5100 Develop functional and logical models

5200 Produce FHA/PSSA Workshop Briefing Material

5300 Produce FHA/PSSA Workshop Minutes

5400 Consequence analysis

5500 Causal analysis

5600 Safety Objectives and requirements definition

5700 Produce Draft FHA/PSSA Report

5800 Produce Final FHA/PSSA Report

6000 - Preliminary Safety Case SCEN1 (WP 05)

6100 Produce Draft Preliminary Safety Case (SC1)

6200 Produce Final Preliminary Safety Case (SC1)

7000 - Preliminary Safety Case SCEN2 (WP 06)

7100 Produce Draft Preliminary Safety Case (SC2)

7200 Produce Final Preliminary Safety Case (SC2)

8000 - High Level UAS Domain Report

8100 Draft UAS domain report

8200 Final UAS domain report

9000 - Presentation of findings

9100 Develop presentation of findings

Table 4-1 – Work Breakdown Structure


4.2 Schedule of Deliverables

The expected timescale for the task, based on our work breakdown and estimated effort, is approximately 6 months following contract award.

The following table shows the key milestones along with a proposed payment profile. This profile is based on the profile provided in the TRS.

Ref Deliverable Percentage Payment Proposed Date

D1 (WP01) Study Plan 10% 01 April 2009

D2 (WP02) Structured Safety Argument 10% 15 April 2009

D3 (WP03) Safety Assessment Plan 10% 15 May 2009

D4 (WP04) Safety Assessment 10% 01 September 2009

D5 (WP05) Preliminary Safety Case (SC1) 10% 01 September 2009

D6 (WP06) Preliminary Safety Case (SC2) and UAS Industry Summary Report 20% 01 September 2009

D7 Final acceptance of all deliverables; Presentation of findings 30% 01 October 2009

Table 4-2 – Proposed Payment Profile

All documents will be written in English and be delivered as hardcopies (x2) as well as on soft copy on a CD-ROM and via electronic transfer.

4.3 Meetings

The following meetings have been identified and will be required throughout the project:

Kick off meeting where Ebeni Limited and EUROCONTROL will agree on the details of the Study Plan (1 day meeting, 2 people)

FHA/PSSA Workshop to be held at EUROCONTROL HQ, Brussels or the UK as agreed (2 day workshop, 3 people)

Ad hoc progress meetings to be held at EUROCONTROL HQ, Brussels at dates to be agreed between Ebeni Limited and EUROCONTROL (2 one-day meetings, 1 person)

Final Presentation of Findings to be held at EUROCONTROL HQ, Brussels (1 day meeting, 1 person)

Ebeni Limited will take notes/minutes for each meeting and manage any actions agreed during each meeting.

4.4 Assumptions

The following assumptions have been made in order to scope the work to be carried out:

The duration of the project will not exceed 6 calendar months

For each deliverable document the WBS includes one revision following incorporation of comments, unless otherwise stated


No additional meetings other than those specified in section 4.3 will be required

It is assumed that all meetings will be held at EUROCONTROL HQ, Brussels. EUROCONTROL will be responsible for any venue costs for any meeting (e.g. room hire)

Deliverables are deemed to be acceptable to EUROCONTROL if either EUROCONTROL notify acceptance of the document or comments are not received within the defined return period for comments. The default period is 10 working days (2 weeks)

Mission costs will be charged according to EUROCONTROL's mission guidelines

4.5 Dependencies

The successful delivery of the task depends on the following:

1. Provision of identified input to tasks when required

2. Timely access to relevant documentation and personnel (as necessary)

3. Any programme slippage (due to non-availability of dependencies) will result in delays to work completion and could result in additional costs

4. The proposed team is currently available to undertake this work; however, availability is subject to change. Any proposed staff changes will be discussed and agreed with EUROCONTROL beforehand

4.6 Risks

The following risks have been identified:

1. Timescales cannot be met

Whilst the timescales presented in the Technical Specification [1] are not challenging, the Ebeni Project Manager will liaise closely with the EUROCONTROL UAS Activity Manager to identify any difficulties in meeting them.

2. Increases in scope

The Ebeni project manager will be closely monitoring the project. In case the scope of the work being undertaken needs to change, this will be communicated immediately to EUROCONTROL with a justification and estimated impact of the changes.

3. Additional Meetings required by EUROCONTROL

We will be in regular contact with EUROCONTROL to identify and cost any additional meetings that EUROCONTROL may require over and above those outlined above.

4.7 Working Arrangements

The work will be carried out mainly at Ebeni's premises in the UK, with visits to EUROCONTROL HQ, Brussels as required. Provision has been made within the financial proposal for up to 6 person trips to support the TRS.


Ebeni will provide electronic mail project status reports to the EUROCONTROL UAS Activity Task Manager on a regular basis, detailing project progress, action status, identified risks and any issues that require resolution from EUROCONTROL. This will give the EUROCONTROL UAS Activity Manager a clear picture of the project's progress and an awareness of any issues that need to be resolved.


References

No Reference Document Title Issue/Date

1 TRS 08-112565-T Unmanned Aircraft Systems (UAS) Safety Case Development, November 2008

2 DAP/SAF/091 Safety Case Development Manual, Version 2.2, 13 Nov 2006

3 SAF.ET1.ST03.1000-MAN-01 Air Navigation System Safety Assessment Methodology, Edition 2.1, 03 October 2006

4 ESARR 2 Reporting and Analysis of Safety Occurrences in ATM, Edition 2.0, 3 Nov 2000

5 ESARR 3 Use of Safety Management System by ATM Service Providers, Edition 1.0, 17 July 2000

6 ESARR 4 Risk Assessment and Mitigation in ATM, Edition 1.0, 05 Apr 2001

7 EUROCONTROL Specifications for the Use of Military Unmanned Aerial Vehicles as Operational Air Traffic Outside Segregated Airspace, Version 0.6

8 PfP (NNAG-JCGUAV) WP(2006)0002REV002 Sense And Avoid Requirements For Unmanned Aerial Vehicle Systems Operating In Non-Segregated Airspace, 15 April 2007


Appendix A Curriculum Vitae


Alan Simpson BEng, CEng, MIEE, MSaRS

Résumé

Alan is a highly experienced safety engineer with over 20 years in critical systems engineering, analysis and project management. He has detailed knowledge of many mission, avionics, armament, unmanned air vehicle and air traffic management systems as well as automotive, metro signalling and train control systems. Alan has controlled and implemented a variety of Safety Engineering, System Engineering and Assurance programmes within the aviation and rail industries, in the UK and overseas, encompassing a range of roles and responsibilities, specialising in complex high integrity systems.

For the past 10 years as a principal safety consultant, mainly in the Aerospace & Defence markets, Alan has carried out a significant number of Safety Engineering and Safety Management roles and assignments including:

Safety consultant to major projects developing safety critical systems in the Defence and ATM domains including WATCHKEEPER TUAV, Radar and other ATCE at aerodromes and Enroute centres in the UK;

Safety consultant for a number of EUROCONTROL ATM programmes including: OATA, Military UAVS Specifications, ACAS II, EAD, RVSM Implementation, EC Mandates for Data link Integrity, Aeronautical Data, Coordination and Transfer and Initial Flight Planning, Safe Aeronautical Data and the EUROCONTROL Safety Case Development Manual;

Lead UK Advisor on Safety to one of the WATCHKEEPER TUAV programme (SIAP Phase) prime contractors and their major sub-contractors;

Lead Consultant for the Independent Safety Evaluation of Hawk Trainer for the Royal Australian Air Force;

Lead Systems and Safety Engineer responsible for the development of a SIL4 Stores Management System for Tornado CSP;

Designated Safety Authority for a major safety critical systems consultancy;

Expert Witness;

Safety consultant to a range of other Aerospace & Defence Programmes, for example ASTOR, Electronic Flight Strips, Engine Health Monitoring, Primary/Secondary Radar and IFF systems;

Review or construction of over 100 (mostly GSN based) Safety Cases;

Representative on the JAA / EUROCONTROL Task Force for Certification of UAVS in civilian airspace.

Alan has led several research studies in safety and reliability for next generation avionics systems, including the Certification of Integrated Modular Avionics based architectures and COTS components.

components. He is one of the key figures behind the development of several risk-directed engineering approaches including: “White-Box” safety engineering, Safety requirements using Jackson, the MoD sponsored SafSec Methodology and a safety-oriented approach to Operational Risk modelling.

Whilst at Westinghouse Signals Alan was the Systems Assurance Manager for a number of signalling and train control programmes including the Jubilee Line Extension Re-signalling Project.

Alan is a chartered engineer and member of the Institute of Electrical Engineers. He has published and presented numerous papers on specifying system and software safety requirements, safety engineering and safety assurance.

Professional History

Director, Ebeni Limited, 2004 – Present

Company Safety Authority, Praxis Critical Systems – ALTRAN Group, 2002 – 2004

Safety & Reliability Consultant, Praxis Critical Systems – ALTRAN Group, 1998 – 2003

Safety & Reliability Consultant, Praxis Plc, 1996 – 1997

Department Safety Manager, Westinghouse Signals Limited, 1995 – 1996

Project Safety Engineer, Westinghouse Signals Limited, 1992 – 1995

Senior Reliability & Flight Safety Engineer, Smiths Industries Aerospace & Defence, 1985 – 1991

Profile

Company Director and Safety Authority for Ebeni Limited.

Company Safety Authority - Praxis Critical Systems Ltd – Member of the ALTRAN Group.

Managed several multi-million pound safety programmes in Rail, Aerospace and Defence industries.

Developed and brought to market several best practice methodologies in risk - Safety Service Line Manager.

Involved in multi-national programmes for Unmanned Air Vehicle Systems.

Career History

Ebeni Limited

Director and Senior Safety Consultant

October 2008 – present Technical Safety Lead EUROCONTROL – Mode S

Technical safety lead for the safety assurance process to support updates to the Mode S Safety Case. The work includes Safety Assessment and Safety Case development for Mode S operations using Secondary Surveillance Radars (Mode S).

September 2007 – March 2008 Technical Safety Lead Safety Assessment of Sense and Avoid Concepts for UAS Operations

Technical safety lead supporting a major UK company with the safety aspects of Sense and Avoid System concepts for future civil and military Unmanned Air System operations in all classes of airspace. The work includes Design Safety Assessment of UAS operations in segregated and non-segregated airspace, from the ATM and air vehicle perspective. This work is part of the UK funded ASTRAEA project.

May 2007 – present Technical Safety Consultant ATM Systems for New Civil Aerodrome

Technical safety consultant for a major project to install ATCE including radar and other NAV AIDs at a regional airport in the UK. The work includes development of the system and operational Safety Cases and supporting safety assessments to comply with CAP 760, CAP 670 and CAP 168.

April 2007 – March 2008 Technical Safety Lead EUROCONTROL – European OAT rules for Military IFR Flights in Controlled Airspace

Technical safety lead for the safety assurance process to support and underpin the draft EUROCONTROL Specifications for the harmonised European OAT rules for IFR flights in controlled airspace. The work includes Safety Case development and Safety Assessment (including facilitation of a Safety workshop) of Military OAT operations, from the Pilot and ATCO perspectives.

March 2007 – August 2008 Independent Safety Assessor RAF Aeronautical Data

Lead Safety Assessor for the UK RAF Aeronautical Information Document Unit. The work involves assessing the unit against the requirements of ICAO Annex 15 and EUROCAE ED-76.

April 2006 – present Technical Safety Consultant Aerodrome Radar Replacement

Technical safety consultant for a major project to install a Primary and Secondary Radar at a regional airport in the UK. The work includes development of the system and operational Safety Cases and supporting safety assessments to comply with CAP 760 and CAP 670.

December 2005 – present Technical Safety Lead EUROCONTROL – EC Interoperability Mandates

Technical safety lead for safety support for the European Commission Mandates concerning Data Link Services, Voice Channel Spacing, Aeronautical Data Integrity and Surveillance Performance and Interoperability. The EUROCONTROL Agency has been given further mandates to assist the European Commission in the development of Implementing Rules pursuant to Regulations adopted by the European Council and the European Parliament on the Single European Sky (SES). The objective of the safety analysis to be carried out for the mandates is to define safety-related requirements to be integrated into each Implementing Rule.

September 2005 – present Technical Safety Lead TUAV Ground Control Station

Technical safety lead of safety activities for the safety-related software development of a Ground Control Station for a Tactical UAV System for a major UK Defence supplier. Alan is responsible for overseeing safety activities including safety planning, hazard analysis, risk assessments, Safety Case development and providing expert advice on COTS certification strategies.

May 2005 – present Technical Safety Lead Various Safety Related ATC Equipment Development Projects

Technical safety lead for a number of projects seeking to replace or upgrade systems for the new ATCC at Swanwick and other programmes developing equipment for ATC Radar Systems. Alan is responsible for all safety activities including safety planning, FHA/PSSA/SSA and Safety Case development. The systems are mostly based on a mixture of bespoke and COTS/legacy software components required to meet CAP670 SW01 and ED109.

March 2005 – March 2006 Technical Safety Lead EUROCONTROL – Data Chain

Technical safety lead for a project to prepare a Preliminary Safety Case for the CHAIN programme. The work includes Functional Hazard Assessment and Preliminary System Safety Assessment (including facilitation of FHA/PSSA workshops) of the Aeronautical data chain. The project involved a detailed assessment of the safety requirements for CHAIN and the data integrity and safety issues associated with the preparation and publication of Aeronautical Data by State AIS, in relation to the requirements of ICAO Annex 15 and ED-76.

August 2004 – present Technical Safety Lead EUROCONTROL – EAD

Technical safety lead for a project to prepare the Safety Case for the European Aeronautical Database (EAD). EAD provides a centralised resource to support the preparation and distribution of Aeronautical Information necessary for the safe and efficient operation of European Air Travel. The first objective of the safety case activities was to define safety and security requirements that were then integrated with existing analyses to support the generation of a Safety Case for EAD with evidence compliant with the EUROCONTROL Safety Assessment Methodology. The second objective was to review the adequacy of the supporting evidence against the safety and security requirements. This work included the production of a System Safety Assessment covering all EAD activities, ranging from the software development activities for the EAD database through to Aeronautical data processes and procedures. This was followed by construction of the EAD Safety Case for the current release of EAD.

April 2005 – August 2005 Technical Safety Lead EUROCONTROL – Military UAVS

Technical safety lead for the safety assurance process to support and underpin the draft EUROCONTROL Specifications for the use of Unmanned Air Vehicles as OAT outside segregated airspace. The work includes Functional Hazard Assessment and Preliminary System Safety Assessment (including facilitation of FHA/PSSA workshops) of UAV operations in non-segregated airspace, from the ATM perspective.

February 2005 – October 2005 Technical Safety Lead EUROCONTROL

Technical safety lead for a project to prepare a post-implementation safety argument for an airborne safety system. The objective of the work is to review the completeness of the supporting evidence available and to generate a safety argument for the equipment operations in European Airspace, followed by construction of the Safety Case itself.

January 2004 Safety Consultant – NATS

Safety Consultant supporting an independent review of the Safety and Software Assurance activities for a major programme for NATS currently in the Project Definition Phase. The project included a review of key documentation against the internal and external safety and software standards (e.g. EUROCAE ED109) and good practice for Air Traffic Management Systems.

September 2004 – March 2006 Technical Safety Lead EUROCONTROL

Technical safety lead for a project to update the EUROCONTROL Safety Case Development Manual. The SCDM was originally developed with EUROCONTROL in 2002/2003 as detailed under the entry for July 2002 to April 2003, below. The Manual requires updating to reflect lessons learnt from practical application and changes to the EUROCONTROL SMS. It will cover all aspects of EUROCONTROL operations and provide guidance on the scope, purpose and application of safety case methodology to projects covering ATM concepts through to changing ongoing operations.


September 2004 Safety Consultant – CVF

Safety Consultant supporting a major UK Defence Systems IPT develop an outline Ship Safety Strategy advising on technical and resource planning for the development of a Whole Ship Safety Case.

June 2004 – October 2004 Technical Safety Lead EUROCONTROL

Technical safety lead carrying out a preliminary safety impact study for the Safe Aeronautical Data programme for EUROCONTROL AIS (Aeronautical Information Services). The objective of the Safety Impact Study is to identify ways to improve the quality and integrity of aeronautical data throughout the data supply chain. The aim of the first phase of the study is to assess the relationship of data with the main target user applications, establish relevance with respect to safety, and assess the potential safety impact of data not meeting the pre-defined (safety) requirements.

June 2004 – September 2004 Safety Consultant

Safety Consultant supporting a major UK defence contractor in the ongoing development of their Design Certification practices towards the integration of the roles and processes required to ensure that the organisation has and maintains an adequate level of organisational and individual competence to conduct its business efficiently and effectively. The work is based on an application of the IEE Guidelines for Safety Competencies although its remit is wider, covering all aspects of Design Certification.

June 2004 – January 2005 Technical Safety Lead EUROCONTROL

Technical safety lead for two of the European Commission Mandates concerning Coordination and Transfer and Initial Flight Planning. The EUROCONTROL Agency has been given an initial set of seven mandates to assist the European Commission in the development of implementing rules pursuant to Regulations adopted by the European Council and the European Parliament on the Single European Sky (SES). The objective of the safety analysis to be carried out for the mandates is to define safety-related requirements to be integrated into each of the Implementing Rules for Initial Flight Planning and Co-ordination and Transfer.

May 2004 – August 2004 Safety Engineer Westinghouse Rail Systems Limited

Consultant to Westinghouse Rail Systems Limited supporting the commissioning certification activity for the Kiel to Bad Railway with the German Railway Inspectorate (EBA). The work involved review and update of existing Functional Failure Analyses and support to WRSL in reviewing comments with EBA in Berlin.

Praxis Critical Systems Limited

December 2002 – April 2004 Safety Authority

Safety Authority for Praxis Critical Systems responsible for approval of project safety classifications, safety plans and all safety documents in which Praxis Critical Systems gives an opinion on the safety of a system or makes a claim for the safety of a system. Also, appointing Safety Assessors/Auditors for internal projects and Safety Competency Assessors for the Praxis Critical Systems Safety Competency Scheme.

This role also included the Safety Service Line Management with responsibility for planning and implementation of the Safety Service Line strategy in collaboration with Business Managers and senior safety consultants.

As Safety Authority Alan was responsible for the day to day reviewing or support of all safety related projects either directly or through delegation to one of several Safety Managers.


Specific projects with direct involvement included:

Safety Engineering (“white box”) activities undertaken for the Successor Identification Friend or Foe system;

Development of retrospective safety cases for the ALM IPT using eSafetyCase technology;

System Certification Plan for a proposal to supply the Flight Control Computer for the 7E7.

Praxis representative on the JAA/EUROCONTROL Task Force for Certification of UAVS in civilian airspace;

Preliminary Safety Case for the EUROCONTROL P-RNAV concept;

Development of the Target Level of Safety Apportionment Method for EUROCONTROL;

Application of the TLS Methodology to the Maastricht Upper Area Control Centre Safety Case.

Research into Certification of AAvA System Elements;

Safety Programme Management and Engineering for a tactical Air Command and Control System;

Safety Engineering consultancy to the ERTMS project on safety critical data handling.

April 2003 – December 2003 Lead Safety Consultant

WATCHKEEPER

Lead Safety Consultant to one of the two remaining consortia bidding for down-selection on the UK MoD WATCHKEEPER programme. The work followed on from previous safety support work for the same consortium in the previous assessment phase and was split into two elements supporting the overall system and the development of the Ground Element.

Alan led a team of safety engineers tasked with supporting the Prime Contract and Major subcontractors with development of a Defence Standard 00-56 compliant approach to Safety Management and Engineering. This involved:

review of existing safety management practices;

development of safety arguments to effectively and efficiently marry UK and US safety engineering approaches;

a comprehensive Preliminary Hazard Analysis, which involved construction of an integrated risk model of the Unmanned Air Vehicle System and its operational environment, and;

a preliminary Safety Case (using eSafetyCase technology) for the proposed system design.

April 2002- June 2003 Technical Authority

STORM ®

Technical Authority for an internally funded activity to research the translation of safety methodology to the operational risk environment of the finance domain. Alan led the team that developed the technical aspects of the STORM® approach to Operational Risk modelling, resulting in a successful trial conducted in collaboration with a major high street bank.

July 2002 – April 2003 Lead Consultant

EUROCONTROL

Lead Consultant for a project developing the Safety Case Guidance Manual for the EUROCONTROL Safety Management System. The Manual covered all aspects of EUROCONTROL operations and provided guidance on the scope, purpose and application of safety case methodology to projects, from concepts through to changes to ongoing operations.

May 2002 – April 2003 Project Manager and Safety Lead

MoD FBG


Project Manager and Safety Lead for a MoD DPA Future Business Group funded research programme investigating the feasibility of integrating Safety Certification and Security Accreditation. The open source methodology developed to enable integration of Safety and Security became known as SafSec. The SafSec study looked at the integration of Safety & Security Certification in the context of IMA/MoD and the production of a methodology for use in both certification domains to enable easier re-certification, and realise potential economies of time and cost.

More information on SafSec can be found on the web site, www.safsec.com

May 2002 – July 2003 Safety Consultant

EUROCONTROL

Safety Consultant to the RVSM Post Implementation Safety Case project, developing a revised approach to conducting hazard identification brainstorms, based on what became known as the "bow-tie" model and later formed the basis of Eurocontrol's Target Level of Safety Apportionment method. This work included planning and facilitating a number of Hazard Identification workshops attended by a cross section of Air Traffic Controllers, Service Providers and Eurocontrol HQ staff.

November 2002 – December 2003 Safety Manager

Safety Manager for the Aerospace and Defence Business Unit responsible for the maintenance and implementation of the Praxis Critical Systems Safety Management System, safety strategy and culture within the unit. Primarily this involved taking the role of Safety Authority or Safety Engineering Consultant for a variety of aviation, rail, medical and automotive industry projects including:

Independent Assessment of the next generation wireless throttle control for Jaguar Cars and also for the Ford Motor Company in the US;

Independent Safety Assessment of an airborne communication and battlefield command centre covering air and ground platforms;

Risk assessment of rail infrastructure updates;

Preliminary Safety Assessment and Safety Case for a next generation Engine Health Monitoring system at Rolls Royce;

A variety of EUROCONTROL RVSM (Reduced Vertical Separation Minima) work including updates to the Pre-Implementation Safety Case; a study of the Safety-Related Indicators to be monitored to verify the safe performance before, during and after EUROCONTROL's implementation of RVSM; and the Safety Case for the implementation of RVSM at the Maastricht Upper Area Control Centre;

Updates to the Safety Management Handbook for NAV CANADA;

Safety Engineering ("white-box") activities undertaken for the Successor Identification Friend or Foe system;

Preliminary Safety Analysis of the application of Microwave Landing Systems to Military installations;

System and Software Safety Analysis of Medical Devices;

Preparation and presentation of workshops on assigning Safety Integrity Levels;

Independent Review of Fault Tree Analyses produced for a Military Aircraft Stores Management System.


January 2002 – May 2002 Safety Consultant

WATCHKEEPER

Safety consultant to one of the four consortia bidding for down-selection on the UK MoD WATCHKEEPER programme. The WATCHKEEPER system will provide accurate, timely and high quality imagery and IMINT, collected, collated, exploited and disseminated to satisfy land manoeuvre commanders' critical information and intelligence requirements throughout a range of environments and across the spectrum of conflict, using Tactical Unmanned Air Vehicles (TUAV). The work involved production of System and Software Safety Management Plans, Preliminary Safety Cases and Preliminary Accident Models for proposed operation of TUAVs on the range, in tactical situations and in Civilian Airspace. The work involved collaboration between UK and US companies and the development of a common safety engineering approach to suit all parties whilst meeting UK MoD requirements.

November 2001 – January 2002 Safety Consultant

EUROFIGHTER

Safety Consultant to QinetiQ at Boscombe Down reviewing and constructing safety arguments for safety critical software components of the Eurofighter aircraft. The work involved creation of safety arguments using Goal Structure Notation, based on evidence put forward by suppliers.

November 1999 – December 2001 Lead Consultant

DERA

Lead consultant for a programme of research into the certification of COTS Software for next generation Integrated Modular Avionics for the Defence Evaluation and Research Agency at Farnborough. The first phase of the study, completed in February 2001, looked at the feasibility of producing a safety case for COTS software components. The second phase of research focused on gathering additional evidence to provide a reasoned justification for the use of a COTS RTOS in an IMA based architecture running a safety critical (SIL4) application. The study is also gathering additional evidence required to support the safety case outlined in Phase 1.

September 1999 – December 2002 Project Manager and Lead Consultant

Royal Australian Air Force

Project Manager and Lead Consultant for the Independent Safety Evaluation of the BAe Hawk Lead in Fighter for the Royal Australian Air Force. The project is split into 4 stages; the first stage covered initial planning of the evaluation activities and the remaining 3 stages cover the 3 levels of Operational Clearance (OC). The overall aim of the evaluation activities is to establish the adequacy of the safety engineering and safety certification activities undertaken for the development of the Hawk trainer aircraft. The project includes evaluation of the:

identification and decomposition of safety requirements to the sub-system designs including hardware, software, procedures (operational, maintenance and training) and to the aircraft maintenance operations;

software and associated development processes being used for components determined as safety critical;

System Safety Case for the aircraft as a whole and for each of the safety-critical components.

The evaluation is in support of the review and assessment undertaken by the RAAF resident team and involves comprehensive safety assessment of all safety engineering activities, sample re-analysis and the provision of independent advice on the safety of the software and system architectures and development processes employed.

Stage 2 of the Evaluation activities was completed in September 2000 with the successful approval of the Hawk LIF aircraft for OC1 by the Australian Airworthiness Board. Stage 3 of the Evaluation activities commenced in September 2000.

March 2001 – April 2001 Project Manager and Lead Safety Consultant


Project Manager and Lead Safety consultant developing the safety plan, proposal and schedule on behalf of an international Air Traffic Service Provider bidding to supply an Electronic Flight Progress Strip System to the UK Air Traffic Services provider, NATS.

November 2000 – February 2001 Project Manager and Lead Safety Consultant

Project Manager and Lead Safety consultant developing the safety management strategy on behalf of a multi-national consortium bidding to take over a major UK Air Traffic Services Provider.

December 2000 – April 2001 Lead Safety Consultant

Lead safety consultant assisting a major international aerospace and defence contractor with the safety engineering of a system for POEMS, which incorporates a Monopulse Secondary Surveillance Radar and digital data link. POEMS is currently a concept system for passing air traffic management data between air and ground based platforms. Gathered data is passed to Air Traffic Control systems where it is used to provide advisory information on aircraft position and identification. Based on the success of the trials, future developments of POEMS will be used to facilitate a reduction in safe separation in critical air traffic locations.

August 2000 – April 2001 Technical Consultant

Technical consultant supporting a major defence manufacturer's development of the next level of an Engineering Safety Management System. The project is a follow-on activity from the initial Scoping Study undertaken in June/July 1999. This project focused on the system and safety-related aspects of safety management, providing support for the generation of the codes of practice, procedures, processes and guidance documents required to implement the top-level ESMS strategy.

June 1999 – July 1999 Lead Consultant

Lead consultant for a project to develop the top level Engineering Safety Management System for a major defence manufacturer. The project was an initial Scoping Study focussing on the system and safety-related aspects of safety management, to provide the client with an outline Safety Management System infrastructure, giving a list of the codes of practice, procedures, processes and guidance documents, and an outline plan for the implementation of the SMS, showing how the SMS will be integrated with the evolving Quality Management System and Integrated Product Development Processes.

October 1998 – August 1999 Safety Engineer

Safety engineering support to a major Defence contractor with the preparation of a System Safety Assessment Report for a SIL 4 system. Alan led a team of safety engineers and co-ordinated with the client's project team, and liaised with the client's safety authority. This work led to the recommendation of the system for service release for flight trials. Alan continued to provide technical safety support for a proposed modification of the system to overcome a known weakness. The modification was novel in its approach and involved re-engineering and certifying non-safety related software to perform a safety critical (SIL 4) function. The 'white-box' safety methods used to successfully demonstrate the design were evolved from previous work, and represented a practical application of the research work performed for DERA as mentioned below.

September 1998 – December 2000 Project Manager

MoD DPA

Project Manager for a strategic study on behalf of the MoD Procurement into the certification of safety critical software for a military aircraft programme. The objective of the study is to investigate a strategy for achieving Military Airworthiness Release for safety critical software, and then to act as independent brokers in obtaining agreement for the strategy from each of the key parties. This involves establishing the current views of both suppliers and approval authorities through interviews, then assessing the actual situation with the suppliers to establish their conformance to standards, to determine what work is being carried out by them to assist the Airworthiness case, and ultimately to scope an effective strategy for achieving MAR.

June 1998 – November 1998 Lead Consultant

DERA

Lead consultant for a second research study of Software Reliability Modelling for the Defence Evaluation and Research Agency at Farnborough. This study is looking at the applicability of a variety of Reliability Measurement and Modelling techniques at each stage in the software lifecycle.

May 1998 – December 1998 Safety Engineer

BRITISH AEROSPACE

Safety engineering support to the Airworthiness department at British Aerospace Military Aircraft division at Warton. This work has involved reviewing hazard analysis and assessment reports and the production of a System Hazard Analysis.

February 1998 – December 1998 Lead Consultant

DERA

Lead consultant for a research study into Partitioning of Safety Related Software for the Defence Evaluation and Research Agency - Avionics and Sensors Department at Farnborough. The study has involved researching issues involved in certification of Integrated Modular Avionics with respect to the segregation of software with differing safety integrity levels.

January 1998 – May 1998

Alan continued the Software Safety Analysis and Software Safety Case activities from the safety critical project he was involved in with the major Defence contractor, as mentioned below. This work involved production of a Software Safety Case and guiding the development of a Software Safety Analysis method and overseeing its implementation. The Software Safety Case was developed to current standards using DEF-STAN 00-55 with reasoned claim structures to present the arguments.

June 1997 – January 1998 Lead Systems Engineer

Lead systems engineer for a safety critical project for a major Defence contractor. Alan led a team of systems engineers with responsibilities for the overall system design requirements capture, specification and design, and the safety engineering. The project is using DEF-STAN 00-56 and DEF-STAN 00-55 as a guide for the safety and software engineering processes. He has broadened his experience in the safety-engineering field and gained significant skills in system engineering for software based safety critical systems. Alan's work included development of the safety critical software's safety case, and the process and software safety analysis activities, as required by DEF-STAN 00-55. The software development utilised the Rational Toolset for supporting the Booch Object Oriented methodology and the Rational VADS safety critical compilers for creating object code on a PowerPC platform.

February 1997 – June 1997 Safety and System Consultancy

Safety and System assurance consultancy for several major railway systems contractors involved in tendering for major railway signalling and train communications contracts.

Praxis Plc

November 1996 – February 1997 Lead Consultant

Lead consultant for a research study into Software Reliability for the Defence Research Agency Avionics and Sensors Department at Farnborough. The study has involved researching current best practice across industry and academia in the growing subject of Software Reliability Measurement. He has gained significant skills in the processes of Software Reliability Engineering including failure rate modelling, operational profiles, and development of reliability improvement methods and techniques. Combined with previous experience in reliability he is now capable of providing an integrated approach to modelling reliability, from requirements to service demonstration.

September 1996 – November 1996 Safety Auditor

Heathrow Express

Involved in the Safety Audit for the Heathrow Express Rolling Stock project for Siemens STSL in Sunbury. The audit has been carried out in line with Railtrack standards for Process audits of safety related projects. The work has involved detailed assessment of safety engineering processes and how they have been applied within a multi-national consortium.

During this time he has extended his experience with Risk Assessment and Failure Analysis, and provided technical consultancy for the Carstairs Interface SSI Review project.

September 1996 Safety and Reliability Engineer

Joined Praxis as a safety & reliability engineer. Presenter of the Railtrack EE&CS ESMS (Yellow Book) training course.

Westinghouse Signals Limited

December 1993 – September 1996 Project System Assurance Engineer

Project System Assurance Engineer for the Jubilee Line Extension Project (JLEP) Signalling Contract.

Head of the project system assurance team, reporting to the project manager and Company Safety Assurance Manager. He was responsible for two teams specialising in safety, reliability and maintainability (SRM) engineering and assessment. One team was responsible for signalling system level SRM activities, the other for the Transmission based Moving Block signalling sub-system SRM activities. His role involved 'ownership' of the entire system assurance process covering both Safety Engineering and Safety Assurance activities. This role included assessment of performance and functionality in the system, to provide evidence for the Safety Case. In detail this meant:

Performing and co-ordinating all levels of safety analysis from accident and hazard scenarios down to detailed analyses of the designs;

Effecting methods for control of very complex safety/ reliability critical systems development;

Control and implementation of the System Assurance Programme covering both system wide and product development activities;

Providing technical support to the system and equipment design teams with respect to safety, reliability and maintainability aspects of the design and the design processes;

Representing the Project for External Safety Audits and HMRI approvals, and regular meetings with the customer (LUL Client and JLEP).

In addition to the above, he acted as Safety Assurance Manager for Mass Transit Systems responsible to the Contracts' Director on Safety matters. This role involved overseeing other projects in the Mass Transit sector and attending the Company Safety Review Panel which was the primary "steering committee/ authority" for system/ product safety matters in the company.

December 1992 – December 1993 Safety Assurance Engineer

Safety Assurance Engineer, Contracts' Group, working with the Company Safety Assurance Manager (CSAM) and the R&D Safety Assurance Engineer towards formalising the Company Safety Standard, in line with current International standards including IEC SC65 WG9 and WG10 (now IEC 1508). Much of the output formed the basis of the emerging CENELEC standard prEN50129, of which the CSAM was editor. Alan's responsibilities were:

Chair of the Contracts Group (System Engineering, covering Mass Transit, Main Line and Train Management Systems) committee for Safety Management. The committee developed the Safety Strategy for this area of the Company and produced procedures for all aspects of Safety Engineering including Safety Planning, Fault Tree Analysis, FMECA, Risk Assessment, Occupational Health and Safety, Functional Safety Integrity Requirements and formal Safety Justifications. This also involved developing a Relational Database for FMECAs, which is now being used throughout the Company. The committee fulfilled its purpose and ceased meeting in March 1994.

Project Safety & Reliability Engineer for several projects including the trial running of a Siemens' Intermittent Automatic Train Protection (IATP) system and the application of the next generation Signal Interlocking system (WESTRACE, a very high integrity programmable logic controller) on LUL. This included Safety and Reliability Assurance tasks: defining the requirements and planning, Fault Tree Analysis and Common Cause Failure Analysis to model the failure effects associated with the implementation of IATP and WESTRACE (down to component level) to produce hazard occurrence rates and to assess design trade-offs. He was responsible for supervising other tasks including identifying design improvements to enhance the safety and reliability aspects of the design, and FMECAs and reliability analysis.

Safety Assurance Consultant, supporting other projects and activities including: Safety planning and preliminary hazard investigations for contract tenders, Safety assessment for the Waterloo & City Line (Network South East) signalling and train control, Docklands' Light Railway, Central Line Re-signalling; and supporting the R&D Safety Assurance Engineer in activities relating to new developments.

January 1992 – November 1992 Safety and Reliability Engineer

Safety and Reliability Engineer, Mass Transit Systems, initially employed to manage the Safety and Reliability Programme for the Re-signalling Project on the Central Line Railway for London Underground Limited (LUL). He also became involved with the Jubilee Line Extension Signalling and Control Centre Tenders, producing the Safety, Reliability and Maintainability Strategy and the preliminary hazard investigations and design trade-off studies for the proposed Moving Block Signalling and Train Control & Protection System. For the Central Line he advised and assisted the Project safety engineers in producing appropriate safety analyses in order to formally document the Safety Case for the project.

Smiths Industries Aerospace & Defence Systems

June 1991 – December 1991 Senior Reliability Engineer

Senior Reliability Engineer, responsible to the Head of R&M for the Reliability and Flight Safety aspects of several Electronic Cockpit Display Projects, including F18/AV-8B and EuroFighter Head Down Displays and F-15 Head Up Display. He was responsible for producing the Programme plans for Reliability and Flight Safety and the implementation of the various programme tasks. He performed and supervised various Reliability and Safety activities including predictions, stress analysis, Reliability Growth and Demonstration testing, FMECA and Fault Tree Analysis.

For the FMECA he generated the methodology, using a PC based Relational Database, for automating the administrative aspects of the analysis that meant that more time could be spent in analysing the design.

In the two years before leaving Smiths Industries he was a Lecturer in Maintainability for the Reliability I course run by Birmingham University.

February 1989 – June 1991 Reliability Engineer

Reliability Engineer, responsible for Reliability Growth Tests on the F18/AV8B Head Down Display. This involved fault diagnostics, trend assessment, and correcting any reliability problems, whether caused by design, vibration, temperature or poor quality components and methods. He took part in module design reviews, carried out vibration tests, thermal design discussions and meetings with component manufacturers to determine better methods of both manufacture and application of components. He performed some maintainability tasks, such as creating Test Flow Diagrams. In addition, when the development project moved into full production he assisted Production Liaison engineers in ironing out early production problems.

August 1988 – February 1989 Assistant Reliability Engineer

Assistant Reliability Engineer, working in the Reliability, Maintainability & Flight Safety department of the Electronic Displays Group. He was actively involved in many different tasks, from proposal writing to post development design (for improved reliability). He was responsible for writing Reliability Predictions, Stress Analysis, Worst Case Stress Analysis, and Thermal Survey reports.

September 1984 – August 1988 Lead Consultant

In September 1984, after leaving school, he joined Smiths Industries as a Student Apprentice, having successfully gained entry to the University of Newcastle Upon Tyne. Training involved helping engineers in various activities related to their jobs. After graduation he spent two months working for Research and Product Technology, designing high-speed fibre optic communication systems.

Education and Qualifications

CEng MIEE Chartered Engineer and Member of the Institute of Engineering Technology

Member of the Safety and Reliability Society

BEng (Hons) in Microelectronics and Microprocessor Applications (1988), University of Newcastle upon Tyne, Department of Electrical Engineering and Department of Computer Science

Papers and Publications

M Ainsworth and A J Simpson, Integrated Modular Avionics — A View on Safe Partitioning, In Towards System Safety, ed. F Redmill and T Anderson, Springer-Verlag, 1999.

A J Simpson and M Ainsworth, White Box Safety, Avionics Conference 1999, ERA Technology, 1999.

A J Simpson, COTS Software for High Integrity Applications, Safety Critical Systems Club Seminar, April 2001.

A J Simpson, K. Harrison, J. Stoker, The safety certification of aircraft and their subsystems using a safety argument approach, 19th International Safety Conference (USA), September 2001.

A J Simpson and J. Stoker, Will it be Safe? An approach to Engineering Safety Requirements, Safety Critical Systems Club Symposium, February 2002.

A J Simpson, Integration of higher SIL functions on lower SIL systems, IEE SILs Symposium, April 2002

D Fowler, C. Sandom, A J Simpson, Challenging Safety Regulation – a Wake-up Call, 20th International Safety Conference (USA), July 2002

Key Safety and Reliability Standards

ARP 4754 Certification Considerations for Highly-Integrated or Complex Aircraft Systems

ARP 4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment

AvP67 Flying Orders to Contractors

BS DD 57 Reliability Testing

BS5760 Reliability Programme Planning

CAP 670 Air Traffic Services Safety Requirements

CAP 670 SW01 Regulatory Objectives for Software Safety Assurance in ATS Equipment

CAP 722 Unmanned Aerial Vehicle Operations in UK Airspace - Guidance

DEF-STAN 00-56 Safety Management Requirements for Defence (Issues 1, 2 and 3)

DEF-STAN 00-54 Requirements For Safety Related Electronic Hardware In Defence Equipment

DEF-STAN 00-55 Requirements For Safety Related Software In Defence Equipment

DEF-STAN 00-58 HAZOP Studies on Systems Containing Programmable Electronics

DEF-STAN 00-70 Design and Airworthiness Requirements for Service Aircraft

ED-109 Guidelines for Communication, Navigation, Surveillance and Air Traffic Management (CNS/ATM) Systems Software Integrity Assurance, Mar 2002

EN50128 Railway Applications - Software for railway control and protection systems

EN50129 Railway Applications - Safety related Control and Protection Systems

ESARR 3 Use Of Safety Management Systems By ATM Service Providers

ESARR 4 Safety Regulatory Requirement for Risk Assessment and Mitigation in ATM

ESARR 6 Software in ATM Systems

IEC 61508 Functional Safety of Safety Related Systems

IEE Publications Safety, Competency and Commitment, Competency Standards for Safety-Related System Practitioners

JAR 23 Normal, Utility, Aerobatic, and Commuter Category Aeroplanes

JAR 25 Large Aeroplanes

JAR 27 Small Rotorcraft

JSP 375 Health and Safety Handbook

JSP 390 Military Laser Safety

JSP 430 Ship Safety Management handbook

JSP 454 Procedures for Land systems Equipment Safety Assurance

JSP 520 Ordnance, Munitions and Explosives Safety Management System

JSP 550 series (was 318) The Regulation of Airworthiness of MOD Aircraft

MIL-HDBK-217 Reliability Predictions for electronic components

MIL-HDBK-338 Reliability Handbook for Electronic Systems

MIL-STD-1629 Failure Modes Effects and Criticality Analysis

MIL-STD-470 Maintainability Programme Planning

MIL-STD-471 Maintainability Demonstrations

MIL-STD-472 Maintainability Predictions


MIL-STD-781 Reliability Demonstration Testing

MIL-STD-882 System Safety Programme Requirements

NPRD91 Non electronic Parts Reliability Data

NUREG 0492 Fault Tree Handbook

RIA No. 23 Safety Related Software for Railway Signalling

RTCA DO-178B Software Considerations in Airborne Systems and Equipment Certification

RTCA DO-254 Design Assurance Guidance for Airborne Electronic Hardware

RTCA DO-160D Environmental Conditions and Test Procedures for Airborne Equipment

RTCA DO-200A Standards for Processing Aeronautical Data

RTCA DO-201A Standards for Aeronautical Information

SAM EUROCONTROL ANS Safety Assessment Methodology

Safety/System Engineering Tools

Various PC and UNIX based Packages including; Isograph FaultTree+, Safety Argument Manager (SAM), Adelard ASCE (including GSN), MILSTRESS, FAILMODE, MKV (Markov Modelling), SoftRel and HUGIN (BBN modelling), STATEMATE, Relational Databases (for Hazard Logs, Safety Cases and other analyses)

Interests

Qualified Scuba diver, enjoys all forms of DIY (including plumbing, electrics and carpentry), keeping fit, counselling, church, walking, reading and learning to play clarinet.


Joanne Stoker BSc (Hons), MIEE, MSaRS

Résumé

Joanne is an experienced System Safety Engineer and Project Manager with nearly 10 years' experience across the whole system safety lifecycle in a number of different industries. To date Joanne has been involved in carrying out a number of safety-engineering tasks and project management roles in the Air Traffic Management, Avionics and Automotive industries. Joanne has been involved in safety work with EUROCONTROL and its implementation of a Reduced Vertical Separation Minima (RVSM) across European airspace and more recently in the safety assurance of draft specifications for flying Military Unmanned Aerial Vehicles in non-segregated airspace. Joanne has managed teams of safety engineers in both a project and technical management position, more specifically in the production of safety cases for the installation of a communications system across all Military Land Mobile Platforms.

Joanne has successfully applied safety analysis techniques including Fault Tree Analysis, Event Tree Analysis, Failure Mode and Effects Analysis and Goal Structure Notation for constructing Safety Arguments on a number of projects and programmes. Joanne has constructed a number of System Safety Cases and contributed towards Software Safety Cases for the Aerospace and Air Traffic Management industries. Joanne has practical experience of Defence Standards 00-55 and 00-56, ICAO Annexes 11 and 15, European Safety and Regulatory Requirements (ESARR) 2, 3, 4 and 6, EUROCONTROL Safety Methodology, the MISRA Guidelines and PASSPORT. Joanne is familiar with IEC 61508, DO-178B and ED-109.

Undertaking Project Management roles successfully has been key to Joanne's career progression. Leading various Independent Safety Auditor roles, evaluating safety documentation produced at various stages of the system safety lifecycle, has also broadened her knowledge of aircraft systems to include Stores Management Systems, Engine Control Systems, On-Board Oxygen Generation Systems, Communications Systems, Fuel Systems and Environmental Control Systems, and she has more recently become involved in Military Land Systems Safety work.

Joanne has co-authored three technical publications and is currently applying for Engineering Council Chartered Engineer status. Joanne has MoD Security Clearance.

Professional History

Safety Engineer & Founder Ebeni Limited 2004 - Date

Senior Consultant HVR Consulting Services Limited 2003 - 2004

Safety Engineer & Project Manager Praxis Critical Systems – ALTRAN Group 1998 - 2003

Graduate Engineer Praxis Critical Systems – ALTRAN Group 1997 - 1998


Profile

Managed team as part of a multi-million pound land system communications safety programme.

Developed and brought to market the application of safety methodology in new markets.

Managed team producing safety case for RVSM implementation at Maastricht Upper Area Control Centre.

Involved in multi-national programme for Unmanned Air Vehicle Systems.

Involved in a number of programmes for EUROCONTROL.

Excellent leadership, organisational and communication skills.

Career History

Ebeni Limited

Safety Engineer & Founder

January 2008 – August 2008 Safety Engineer

NATS (formerly National Air Traffic Services)

Joanne has recently been working for NATS as a Safety Engineer supporting a number of programmes within the Communication, Navigation and Surveillance (CNS) business area. Joanne has been involved in the development of Safety Management and Assurance Plans, Safety Assessments and Safety Cases requiring approval by both the NATS internal Division of Safety and the CAA Safety Regulation Group (SRG).

Specific projects that Joanne has been involved in include the following:

Providing safety assurances for the relocation of a major Civil Aviation Communication facility from Heathrow to the NATS Swanwick Centre. The facility provides an Aeronautical Messaging service as a major node of the worldwide AFTN network. This includes the distribution of ATS, ATFM, MET and AI message traffic.

Providing safety assurance for the replacement of NATS Communication Towers as part of a long term strategic asset improvement programme. The communications towers are fundamental to ensuring the provision of on-going air-ground-air voice communications.

October 2007 – December 2007 Safety Engineer and Project Manager

Terma A/S – Safety Training Course

Joanne was responsible for the development and presentation of two safety training courses to sales, management and engineering staff at Terma A/S Integrated System Division in Denmark.

Joanne developed a 1 day safety overview course aimed at project managers and sales staff along with a more detailed 2 day course on the principles of safety engineering. Constructing the course involved the construction of a series of exercises to be carried out by participants and examples to use when demonstrating key points. The course took into account the company's existing Safety Management System and was based on international good practice compatible with the requirements of IEC 61508.


May 2007 – February 2008 Safety Engineer and Project Manager

EUROCONTROL – Safety Assurance of EUROAT

Joanne undertook the role of Project Manager and Safety Engineer to carry out a safety assurance process to support and underpin the draft EUROCONTROL Harmonised Rules for Operational Air Traffic (OAT) under Instrument Flight Rules (IFR) inside controlled Airspace in the ECAC Area (EUROAT). The activity involved developing the overarching safety argument for EUROAT operations and providing evidence to demonstrate that necessary and sufficient safety requirements have been identified within the intended scope of the rules.

September 2006 – September 2007 Safety Engineer and Project Manager

EUROCONTROL – EAD Release 4 Safety Assessment

Joanne undertook the role of Project Manager and Safety Engineer responsible for the delivery of the European AIS Database (EAD) Release 4 Safety Assessment; further work to support the on-going assurance of the safety of the EAD. The objectives of this work are to perform a safety assessment activity in accordance with the EUROCONTROL Safety Assessment Methodology (SAM) demonstrating that any changes incorporated into EAD for Release 4 that affect safety are adequately addressed.

The safety assessment activity for EAD Release 4 builds on the already complete Functional Hazard Assessment (FHA) and Preliminary System Safety Assessment (PSSA) and focuses on the demonstration of requirements satisfaction via the design of the equipment and training and operational procedures that form the EAD System; and the implementation of the design and the procedures and training for and during operation.

July 2006 – present Safety Engineer and Project Manager

Terma A/S – Safety Case for New Support Information System (nSIS)

Joanne undertook the role of Safety Engineer and Project Manager for the production of a safety case for a New Support Information System (nSIS) being installed for a major UK Air Navigation Service Provider.

The nSIS system integrates and displays data from a variety of data sources while providing access to static information data in the form of documents and images. The safety case provides the safety argument, supporting evidence and assumptions to show that the nSIS system is, and will continue to be, acceptably safe. Production of the safety case involved hazard identification activities, causal analysis using Fault Tree Analysis, safety requirements derivation apportioned to elements of the system and the review of supporting evidence to demonstrate satisfaction of the safety requirements.

The safety case for nSIS also involved constructing safety arguments for the software, a large portion of which was Commercial Off The Shelf (COTS) software. An assessment against the NATS COTS Scoring criteria and software lifecycle requirements of ED-109 was also required as additional backing evidence to support the safety case.

June 2006 – present Safety Engineer and Project Manager

EUROCONTROL – Preliminary Safety Case for the Overall ATM/CNS Target Architecture (OATA) Programme

EUROCONTROL is developing a target architecture for future Air Traffic Management (ATM) and Communications, Navigation and Surveillance (CNS) systems. OATA is a high-level design for future ATM systems of European States, representing an integrated ATM "system of systems", towards which the current collection of national systems will evolve. This is intended to improve integration and interoperability, and facilitate the introduction of Operational Improvements. During 2006, OATA Phase 2 will be completed, addressing ATM to the year 2020.

Joanne recently undertook the role of Safety Engineer and Project Manager in the production of the Preliminary Safety Case for the Overall ATM/CNS Target Architecture (OATA) Programme.


The OATA Preliminary Safety Case will document the safety argument and evidence to substantiate the top-level claim up to and including the derivation of initial safety requirements for each of the OATA architecture elements. The PSC will summarise and reference evidence as appropriate from the set of OATA framework documentation, as well as the safety assessment activities.

November 2005 – present Safety Engineer and Project Manager

EUROCONTROL – European Commission Interoperability Mandates

Joanne undertook the role of Project Manager and Safety Engineer carrying out the safety work for a number of European Commission Interoperability Mandates. The EUROCONTROL Agency has been given an initial set of mandates to assist the European Commission in the development of implementing rules pursuant to Regulations adopted by the European Council and the European Parliament on the Single European Sky (SES). The objective of the safety analysis to be carried out for the mandates is to define safety-related requirements to be integrated into each Implementing Rule; one such rule covers Aeronautical Data Integrity (ADI). This work is currently on-going.

September 2005 – present Safety Engineer

Selex SI – Safety Case for Replacement CCTV System

Joanne undertook the role of Safety Engineer in the production of a safety case for a Replacement Closed Circuit Television System (CCTV) being installed for a major UK Air Navigation Service Provider.

The Replacement CCTV System provides Air Traffic Controllers with digital video images of Support Information (including: airport, weather, arrival and departure data) as well as Stack Displays for major UK airport approaches. The safety case provided the safety argument, supporting evidence and assumptions to show that the replacement CCTV system is acceptably safe to operate. Production of the safety case involved hazard identification activities, causal analysis using Fault Tree Analysis, safety requirements derivation apportioned to elements of the system and the review of supporting evidence to demonstrate satisfaction of the safety requirements.

The safety case for the Replacement CCTV System also involved constructing safety arguments for the software, a large portion of which was Commercial Off The Shelf (COTS) software. An assessment against the software lifecycle requirements of ED-109 was also required as additional backing evidence to support the safety case.

July 2005 – March 2006 Safety Engineer and Project Manager

EUROCONTROL – EAD System Safety Assessment

Joanne undertook the role of Project Manager and Safety Engineer responsible for the delivery of the European AIS Database (EAD) System Safety Assessment (SSA); further work to support the delivery of the EAD Safety and Security Case. The objectives of this work were to perform a System Safety Assessment (SSA) activity in accordance with the EUROCONTROL Safety Assessment Methodology (SAM) and address issues identified within the first draft EAD Safety and Security Case.

The System Safety Assessment activity built on the already complete Functional Hazard Assessment (FHA) and Preliminary System Safety Assessment (PSSA) and focused on the demonstration of requirements satisfaction via the design of the equipment and training and operational procedures that form the EAD System; and the implementation of the design and the procedures and training for and during operation.

April 2005 – March 2006 Safety Engineer and Project Manager

EUROCONTROL – UAVS Safety Specifications

Joanne undertook the role of Project Manager and Safety Engineer to carry out a safety assurance process to support and underpin the draft EUROCONTROL Specifications for the use of UAVS as OAT outside segregated airspace. The activity involved developing the overarching safety argument for UAVS operations in non-segregated airspace and providing evidence to demonstrate that necessary and sufficient safety requirements have been identified within the intended scope of the specification.

April 2005 Safety Engineer

European Radar Provider

Joanne undertook the role of Safety Engineer providing safety review effort for a large multi-national radar provider.

Solid state radars supplied by this provider are designed and built in Europe and have yet to be sold into the UK market, hence there has been no requirement for the radars to be subject to UK Civil Aviation Authority (CAA) safety regulation and approval. Joanne's role involved providing an independent view as to the extent to which their Radar System Safety documentation meets the UK CAA safety objectives and regulatory requirements within the relevant section of CAP670.

January 2005 – March 2005 Safety Engineer

CVF – Development of Platform Safety Functions

Joanne undertook the role of Safety Engineer providing engineering support to the CVF Platform Safety Manager to develop safety functions for the Platform Systems area. The role involved attending and providing minutes for HAZOP/HAZID meetings, population of platform system hazard logs, deriving safety functions and performing a preliminary, high level, qualitative risk assessment. The role also involved liaison with Engineering Leads for each platform system to agree the safety functions and document these as safety requirements within the Sub-System Specification (SSS) Reports.

November 2004 – March 2006 Safety Engineer and Project Manager

EUROCONTROL – EAD Safety and Security Case

Joanne undertook the role of Project Manager and Safety Engineer responsible for the delivery of the European AIS Database (EAD) Safety and Security Case. EAD provides a centralised resource to support the preparation and distribution of Aeronautical Information necessary for the safe and efficient operation of European Air Travel. The first objective of the safety case activities is to define safety and security requirements to be integrated with existing analyses to support the generation of a Safety Case for EAD. The second objective is to review the adequacy of the supporting evidence (particularly with respect to the software development activities) against the safety and security requirements, followed by construction of the EAD Safety Case itself.

October 2004 – March 2005 Safety Engineer and Project Manager

EUROCONTROL – Safety Case Development Manual

Joanne undertook the role of Project Manager and Safety Engineer to update the Safety Case Development Manual constructed by EUROCONTROL, with the intention being to apply the Safety Case Manual to all EUROCONTROL Safety-Related programmes.

October 2004 – December 2004 Safety Engineer and Project Manager

General Dynamics UK – Design Certification Competency

Joanne recently undertook the role of Project Manager and Safety Engineer addressing engineering competencies as part of the General Dynamics UK (GDUK) Lean Certification initiative. The role involved research into related design certification competency schemes, elicitation interviews with discipline leads to identify the competencies required, and the development of concepts and structures.


June 2004 – October 2004 Safety Engineer and Project Manager

European Commission Interoperability Mandates

Joanne undertook the role of Project Manager and Safety Engineer carrying out the safety work for two European Commission Mandates. The EUROCONTROL Agency has been given an initial set of seven mandates to assist the European Commission in the development of implementing rules pursuant to Regulations adopted by the European Council and the European Parliament on the Single European Sky (SES). The objective of the safety analysis to be carried out for the mandates is to define safety-related requirements to be integrated into each Implementing Rule, one covering Initial Flight Planning, the other Co-ordination and Transfer.

The technical role involved undertaking a Functional Hazard Analysis activity, the results of which were verified and validated at a Functional Hazard Analysis Workshop involving identified stakeholders. Further system safety analysis was then carried out in order to derive a set of safety requirements for each of the Implementing Rules, followed by construction of a Safety Analysis Report, supported by a Safety Argument constructed using Goal Structure Notation.

HVR Consulting Services Limited

July 2003 – June 2004 Senior Consultant

BOWMAN Land Mobile Installation Safety Lead

Joanne was taken on in the role of Installation Safety Lead for the BOWMAN and CIP project. This work involved project managing a team of safety engineers in the construction of safety cases for BOWMAN installation on all military land mobile platforms in accordance with JSP454 and Defence Standard 00-56. The role involved routine project management tasks including liaison with the Prime Contractor, General Dynamics, the Ministry of Defence and the Independent Safety Auditor. The role also involved ensuring that the technical approach was consistent, that safety documentation templates were kept up to date, and mentoring junior safety engineering staff. Joanne more recently constructed a high level safety argument to demonstrate that the safety risks associated with BCIP Installation on Land Mobile Platforms are acceptable.

Praxis Critical Systems Limited

January 2003 – July 2003 Deputy Technical Authority

Air Launch Munitions Safety Cases

Joanne was primarily involved on a large safety engineering project that involved the delivery of 83 safety cases for Air Launched Munitions for the Ministry of Defence. Joanne dealt with the resolution of safety and project related issues on a daily basis, provided training to less experienced staff when required and ran project meetings. Joanne has also run Hazard Review Meetings with the client to obtain technical information from domain experts in constructing the safety cases.

March 2002 – July 2003 Safety Treated Operational Risk Modelling

Joanne was part of a team researching and developing the application of safety risk modelling techniques to operational risk in the finance sector. The idea was developed in conjunction with a corporate operational risk department of a major high street bank.

September 2002 – July 2003 Project Manager

EUROCONTROL Safety Case Guidelines

Joanne was assigned Project Manager for the development of a set of Safety Case Guidelines for Eurocontrol. Working alongside a Senior Chartered Safety Engineer, this involved detailing the activities involved in constructing Safety Cases at any stage of the programme lifecycle. The work involved obtaining stakeholder requirements for the guidelines at a workshop carried out during the early stages of the project. The manual was for use by all Eurocontrol stakeholders.


July 2002 – September 2002 EUROCONTROL RVSM Post Implementation Safety Case

Joanne was involved in developing the post-implementation safety case for Reduced Vertical Separation Minima (RVSM) between en-route air traffic in European Airspace, for EUROCONTROL.

This involvement included running a Functional Hazard Assessment Workshop identifying top-level accidents and hazards, and associated causes and consequences. The information gathered provided input into an FHA Report.

July 2002 – August 2002 Integrated Safety and Security Certification (SafSec) Research Study

SafSec is a study researching the possible integration of Safety Certification and Security Accreditation into one process as there is a great deal of commonality between the two. If this can be achieved through one combined process, the MoD Defence Procurement Agency sees a huge saving and cost effectiveness that would ripple throughout the whole life cycle of the system.

Joanne was involved in the preliminary SafSec Workshop involving a number of significant clients and specialists in the field of Safety and Security. My role involved presenting a preliminary high level technical approach as to how and where the two might be combined.

March 2003 – April 2003 Watchkeeper Tactical Unmanned Air Vehicle (TUAV) Safety Case

I have recently been involved in the development of a Preliminary Safety Case and safety analysis work for the Watchkeeper Tactical Unmanned Air Vehicle (TUAV) System for one of the four developers bidding for the WATCHKEEPER SIAP contract. Initial work has involved Fault Tree Analysis in the identification of Watchkeeper accidents and the development of a top-level safety argument.

October 2001 – February 2003 Project Manager - EUROCONTROL Maastricht UAC RVSM Safety Case

Maastricht Upper Area Control Centre (MUAC) in the Netherlands provides an air traffic service to aircraft operating above Flight Level 245 for the Hanover (Northern Germany), Brussels and Deco (Amsterdam) sectors. Maastricht UAC has successfully operated this uninterrupted service for 28 years and is one of the busiest regions in Europe. I recently took on the role of Project Manager ensuring the production of the Reduced Vertical Separation Minima (RVSM) Safety Case for the Maastricht UAC.

The Maastricht UAC RVSM Safety Case involved assessing the changes to the Maastricht UAC airspace design, ATS training, ATS procedures and ATS equipment that resulted from the implementation of RVSM. The work involved developing a top-level safety argument which, supported by documented evidence, demonstrated that RVSM had been successfully implemented at Maastricht UAC.

The Maastricht UAC RVSM Safety Case was successfully completed against tight timescales in time for RVSM Switchover in January 2002.

August 2001 – October 2001 EUROCONTROL Reduced Vertical Separation Minima (RVSM) Study

I was involved in a study identifying the Safety-Related Indicators to be monitored to verify the safe performance before, during and after EUROCONTROL's implementation of RVSM (Reduced Vertical Separation Minima) within European Airspace. I was involved in the identification of safety monitoring goals and the specification of safety indicators. Further work has used Event Tree Analysis and Fault Tree Analysis to identify various chains of hazardous events that could lead to RVSM related accidents.


October 2000 – July 2001 Project Manager

Hawk Lead-In Fighter Safety Evaluation

I took on the role of Project Manager for Stage 3 of the Hawk Lead-In Fighter Safety Evaluation Project. The overall aim of the Stage 3 evaluation activities is to establish the adequacy of the safety engineering and safety certification activities undertaken for the development of the Hawk trainer aircraft for Operational Capability 2.

February 2001 – July 2001 Swedish Civil Aviation Administration Safety Analysis Work

I was involved in providing support to the Safety Manager for System 2000. My responsibilities included undertaking an assessment and presenting an argument as to the integrity of all Commercial Off The Shelf software (COTS) and Non-Developmental Items (NDI) within System 2000.

January 2001 – February 2001 Swedish Civil Aviation Administration Production of Safety Argument

I provided support to the Safety Manager in the construction of a Safety Case for System 2000, an air traffic management system currently being developed for the Swedish Civil Aviation Administration by a third party supplier. The system will become operational at two new air traffic control centres at Stockholm and Malmö, and will handle radar and flight plan data for all controlled airspace in Sweden.

I constructed a safety argument using Goal Structure Notation demonstrating that all System 2000 risks had been reduced to an acceptable level. The construction of the argument involved gathering evidence from the client, and identifying the safety analysis work that had been carried out during the project lifecycle.

November 2000 – August 2001 Independent Safety Audit Support

I was involved in providing support to the Independent Safety Auditor working for a major UK defence contractor for a next generation airborne communications system. The system is being developed in accordance with Defence Standard 00-55, 00-56 and DO-178B.

I carried out various Independent Safety Analysis activities, as requested by the ISA, including the construction of a top aircraft level fault tree and the assignment of Safety Integrity Levels to specific sub-systems. I constructed a database that tracked all ISA actions throughout the project and contained audit checklists and compliance matrices for Defence Standards 00-55, 00-56 and DO-178B.

September 2000 – November 2000 Independent Safety Review Jaguar AJ61 Electronic Throttle

I undertook an Independent Safety Review of the Detailed Safety Analysis for the Jaguar AJ61 Electronic Throttle, which was developed using the MISRA (Motor Industry Software Reliability Association) Guidelines and the PASSPORT (Promotion and Assessment of System Safety and Procurement of Operable and Reliable road transport Telematics) Methodology.

The aim of this work was to address the Detailed Safety Analysis carried out by Jaguar to determine whether good practice was used, and whether the work satisfactorily demonstrated that Jaguar's safety requirements had been met. This included a detailed review of Jaguar's documentation: the design Failure Mode and Effects Analysis (FMEA) and Fault Tree Analysis (FTA) performed on the AJ61 Electronic Throttle.

September 1999 – September 2000 Hawk Lead-In Fighter Independent Safety Evaluation

I was part of a project team carrying out an Independent Safety Evaluation of the British Aerospace (BAe) Hawk Lead-In Fighter for the Royal Australian Air Force (RAAF). The overall aim of the Stage 2 evaluation activities was to establish the adequacy of the safety engineering and safety certification activities undertaken for the development of the Hawk trainer aircraft for Operational Capability 1. The project included evaluation of the:

identification and decomposition of safety requirements to the sub-system designs including hardware, software, procedures (operational, maintenance and training) and to the aircraft maintenance operations;

software and associated development processes being used for components determined as safety critical;

System Safety Case for the aircraft as a whole and for each of the safety-critical components.

June 1999 – July 1999 Project Manager

Engineering Safety Management System

I successfully project managed this work, which involved structuring a company wide Engineering Safety Management System for a defence manufacturer. I managed a team of senior consultants throughout the project and provided significant input into all deliverables.

January 1999 – August 1999 Tornado ADV CSP Safety Work

The Tornado ADV PS8 Missile Management System is a high integrity, SIL 4 system containing around 18,000 lines of code, which has been developed in accordance with MOD Defence Standard 00-55. I worked alongside a Chartered Senior Safety Engineer developing a System and Software Safety Case for the PS8 MMS.

Tornado ADV CSP Production of Software Safety Case

I was involved in developing a Preliminary Software Safety Case for the PS8 MMS Safety Related Software. This document set out the arguments used in the development and validation of the process followed and provided technical detail for the MMS. I produced various Goal Structure Notation diagrams to model the overall top-level safety argument for the Safety Case, as well as gathering evidence together to support these arguments.

Tornado ADV CSP System Safety Assessment Report

The System Safety Assessment Report was produced in conjunction with the Software Safety Case. The SSAR provided reference to and a summary of evidence of the PS8 MMS safety integrity. I was involved in gathering information on the PS8 system as a whole and providing evidence of its safety integrity.

May 1998 – December 1998 Tornado ADV CSP MMS IV&V

I was part of a project team employing the baseline requirements for the PS8 MMS to derive a set of Software Test Descriptions. These were in a format agreed with the client, in order to facilitate validation testing on the test environment. The aim was to provide an independently derived set of test descriptions for validation purposes, such that the set of tests covers all the testable conditions in the most efficient manner. The expected result from each test was recorded, so that the validation activity consisted of execution of the set of validation tests, followed by comparison of the actual results achieved with those anticipated by the analyst.

April 1998 Tornado ADV CSP MMS IV&V

This was a manual activity involving code walkthrough, performed in conjunction with reviewing the source code to ensure that it is written in SPARK and consistent with its mandatory annotations. In reviewing the source code, certain questions within a checklist were used as a basis for consideration of each Ada package in turn, with the results being recorded in an Excel spreadsheet in tabular form.

January 1998 – March 1998 Islay Airport Safety Case

I compiled and completed a Safety Analysis Report which provided evidence for the operational safety of Islay Airport. The analysis consisted of information gathering, the development of process diagrams with the subsequent identification of hazardous events, the development of fault trees, the assignment of probabilities to fault trees as well as stating any conclusions or recommendations identified throughout. The analysis phase took three months to complete, in which time I had to absorb a large amount of information and terminology relating to Air Traffic Control procedures.

October 1997 – January 1998 Tornado ADV CSP Fault Tree Analysis

This involved the analysis of a Statemate Specification produced for the Tornado ADV PS8 MMS system, the objective being to demonstrate the functional correctness of the model in respect of safety-critical outputs. This meant identifying all aircraft hazards contained in the Tornado Hazard Log and tracing the hazards to distinguish the final enabling outputs through fault tree analysis. The fault trees were then subjected to an automated analysis by a fault tree tool in order to produce cut-sets.

Education and Qualifications

MIEE Institute of Electrical and Electronic Engineers

Member of the Safety and Reliability Society

BSc (Hons) in Computer Science/Software Engineering – 1997 University of Newcastle upon Tyne, Department of Computer Science

Durham High School for Girls. 1992: 10 GCSEs (A – C) in French, Music, Computer Studies, Religious Studies, English Language, English Literature, Mathematics, Biology, Physics and Chemistry. 1994: 3 A-Levels in Computer Science, Music and Economics.

Papers and Publications

Joanne Stoker, Final Year Dissertation: Development of a safety critical protection system for a Nuclear Power Station. The aim of the project was to combine the modelling notation of finite state machines with certain safety analysis techniques to produce a model of the Nuclear Protection System.

A J Simpson, K. Harrison, J. Stoker, The safety certification of aircraft and their subsystems using a safety argument approach, 19th International Safety Conference (USA), September 2001.

A J Simpson and J. Stoker, Will it be Safe? An approach to Engineering Safety Requirements, Safety Critical Systems Club Symposium, February 2002.

A J Simpson and J Stoker, Safety Challenges in Flying UAVs (Unmanned Aerial Vehicles) in Non-Segregated Airspace, 1st IET International Conference on System Safety, June 2006.

Achievements and Distinctions

1996 Newcastle University Second Year Group Project Prize

Winner of the Department of Computer Science industry sponsored group project prize. The role involved chairing project meetings, project planning as well as taking on a technical role.

Achievements

March 2006 Competed in the Bath Half Marathon

March 2005 Competed in the Bath Half Marathon

2003 – 2004 Member of Bath Buccaneers Hockey Club

Competed in a number of sprint Triathlons

2001 – 2002 Competed in the Commonwealth Rowing Trials 2002. Member of Bath Buccaneers Hockey Club.

1997 – 2001 Represented England rowing at the Home Countries International Regatta. National Championships Gold Medallist in Women's Lightweight Coxless Four.

Women's Henley Regatta Women's Lightweight Coxless Four Winner. Competed at Henley Royal Regatta in The Henley Prize. Represented Avon County Rowing Club at a number of National Competitions.

1995 – 1997 Member of Newcastle University Boat Club including coaching the University Novice Men's Squad. Competed in the Women's GB U23 Lightweight Squad Trials.

Member of the University of Newcastle Elite Athletes Squad.

1994 Represented Great Britain in Belgium as part of the GB Junior Rowing Squad. Voted Regional Sports Person of the Year. Durham High School House Games Captain.

1992 – 1994 Represented England rowing against France at Henley. Captain of Durham High School Hockey team, going on to play hockey at County Level.

Captain of Durham High School Netball Team. Grade 6 Flute, Grade 5 Piano (ABRSM Certificates) and Member of school Orchestra.

Interests

Sailing, Golf, Surfing, Running and Cycling


Ed Macfarlane BEng (Hons) MSc

Résumé

Ed is a Safety Engineer and has 4 years' safety engineering experience gained predominantly within the Nuclear and Oil industries. Ed has worked across a wide range of different industries concentrating on safety and risk assessment. This has involved the running and co-ordination of HAZOP (HAZard & OPerability), HAZID (HAZard IDentification) and Process FMEA studies, mechanical assessment and design of items, risk & reliability assessment and fault tree analysis on oil and gas projects.

Professional History

Safety Engineer Ebeni Limited 2007 - present

Self-Employed Adept Space Engineering Ltd. 2005 - 2007

Research Engineer Flying Pictures Space Limited 2004 - 2005

MSc Student Cranfield University in Astronautics and Space Engineering 2003 - 2004

Safety Engineer Abbott Risk Consulting Limited 2002 - 2003

Safety Engineer Amey Vectra Limited 2000 - 2002

Profile

Safety Engineer with 4 years' experience.

Experienced in Hazard Identification and Reliability Analysis.

Experience in Aerospace, Defence, Nuclear, Oil & Gas, Petrochems and Transport industries.

Practical experience of a variety of projects.

Career History

Ebeni Limited

Safety Engineer

October 2008 – present Safety Engineer

Safety engineer performing safety analysis for a new European Interoperability Regulation relating to Aeronautical Data quality and integrity. The work is being performed on behalf of EUROCONTROL and involves liaison with stakeholders across Europe.

January 2008 – October 2008 Safety Engineer

Safety engineer supporting NATS on the new Prestwick Centre project. Performing a number of system safety engineering tasks including safety analysis, independent review of safety documentation and production of system safety cases. Systems considered include the Traffic Load Prediction Device (TLPD) and the Flight Data Management System (FDMS).


September 2007 – January 2008 Safety Engineer

Worked on the development of the safety case for the nSIS (new Support Information System), a display and information system for use by Air Traffic Controllers supplied by Terma to NATS. This project involved a significant amount of novelty as it required gaining safety approval for a complex, software intensive system that had not previously been used within the UK. In addition the system was a COTS product, which meant that a novel safety argument had to be presented;

Production of a provisional SMS for the Materials & General Stores IPT;

Series of studies under the ASTRAEA program looking at separation provision and collision avoidance of UAVs in controlled airspace;

Secretary duties on PHI Study for Newquay Airport;

Support for MoD PELS safety and environmental impact study.

Adept Space Engineering Ltd.

November 2005 – August 2007

HAZOP secretary on a HAZOP study, over two and a half months in the Netherlands, of a polyethylene production plant for Aker Kvaerner

Self study in systems engineering looking at design for maintainability and reliability, as well as theoretical support for queuing modelling and statistics in support of activities for consultancy work.

Flying Pictures Space Limited

November 2004 – August 2005

Flying Pictures Space Ltd. is a small aerospace engineering firm based in Glastonbury specialising primarily in record attempt balloon design and construction.

Continued work from individual research project on the thermal analysis of a manned space capsule.

Construction and outfitting of manned space capsule.

Thermal analysis of a pressurised high altitude balloon gondola.

Design, assembly and running of a test rig for a balloon envelope to assess the thermal effects of envelope colour on fuel consumption and climb rate.

Design of a large vacuum test chamber for testing of high altitude burners.

Thermal analysis of a balloon envelope and other items of assessment of the balloon design for a successful altitude record attempt in India.

Cranfield University MSc in Astronautics and Space Engineering

October 2003 – September 2004

The Group Design Project (GDP) was to design a swarm type mission for asteroid belt exploration. On this project I had responsibility for the system design, liaising between the science and design groups. I also had responsibility for the risk assessment portion of the project.

My Individual Research Project (IRP) title was 'In-orbit Thermal Analysis of a Manned Space Capsule', where I used computer simulations to assess the thermal environment within the capsule. I also performed gun tunnel supersonic tests on a model of the capsule to assess shock formation during launch.

While at the university I was a member of Cranfield University Rocketry Society (CURS) and put together the risk assessment for the launch system.

Abbott Risk Consulting Limited

September 2002 – September 2003

Assisted in the management of a project to review and rewrite the Technical Workbook for the production of site safety cases for Total Nederland BV. This involved researching the most up to date modelling techniques for the different hazards experienced by installations in the Dutch North Sea sector, and the co-ordination of a number of engineers producing the Technical Workbook.

Assisted in the production of the safety management system for the European Marine Energy Centre (EMEC) on Orkney.

Amey Vectra Limited

August 2000 – August 2002

Engineer on projects including:

Critical load path analysis for a nuclear lift crane at HMNB Clyde (Faslane).

PCSR (Pre Construction Safety Report) for building work at Faslane to ensure integrity of NSI (Nuclear Safety Implicated) services.

Preparation work for the safety case of the proposed REDF (Radioactive Effluent Disposal Facility) at Faslane.

Survey of the Perimeter Monitoring System (PMS) at Faslane and production of a Design Safety Report for the same.

HAZOP (HAZard and OPerability) studies for a large number of clients including: Deutag Drilling (Germany, study on an artificial drilling island in the Caspian Sea), AGIPKCO (Netherlands and Kazakhstan, follow on study from Deutag Drilling again on the artificial drilling island in the Caspian Sea), BP Grangemouth (Scotland, series of studies across the refinery site, including Finnart terminal on the west coast) and Total Nederland BV (Netherlands, study on platform in the North Sea).

HAZID (HAZard IDentification) studies for BNFL (British Nuclear Fuels Ltd.).

Assisted in the production of an assessment of the rescue at sea capabilities in the Dutch North Sea Sector for NOGEPA.

Assessment of the safety case impact of cumulative platform modifications (Chevron Texaco, Aberdeen).

Fault tree analysis of a HIPS (High Integrity Protection System) for an oil rig platform.

Harkers Aerospace Limited

September 1997 – June 1998

Industrial placement as part of first degree. Worked on projects including:

Implementation of a new manufacturing management system, Infolo.

Designed and sourced production of a table extension for a 3 axis milling machine table top, to allow production of outsize rocket rings.

Assisted with presentations to potential clients with senior management.

Assistance with quality checks.

Process FMEA on the production programme for engine casings.

Clients worked for include:


Aljo Aluminium & Matra Marconi Space, Spelda rings for Ariane 4.

BAe Systems, Avro RJ landing legs.

Saab, Gripen landing legs.

Volvo, engine casing rings.

Rolls Royce, Pegasus engine casings.

Pratt and Whitney, engine casings.

Education and Qualifications

Graduate Member of the Royal Aeronautical Society

Member of the British Interplanetary Society

MSc Astronautics and Space Engineering – October 2003 to September 2004 - Cranfield University

BEng (Hons) Aerospace Engineering – Liverpool University

Graphs, Networks and Design - OU Level 3 Maths Course

First part of Russian Pre 1 - University of Bristol

Currently enrolled on the CPDA - University of Bristol (started May 2007) – Modules:

Aerospace Risk Management

Introduction to Systems Engineering

Training Courses

Reliability Analysis Course - Cranfield University

Failure Modes & Effects Analysis (FMEA) Course – Smallpeice Ltd.

EGAD/SIA US Export Control Compliance Workshop

Basic French.

Interests

Scuba diver qualified to PADI Divemaster level

Novice freediver

Amateur interest in food production (especially chiles and fungi) and permaculture


Vicky Brennan BSc MSc

Résumé

Vicky is an experienced Safety Consultant and Independent Safety Advisor/Auditor with a strong background in the assessment of military aircraft and other military systems for certification, including synthetic environments and simulator training systems. She has specialised in Safety and Software and has contributed significantly to committees forming policy for safety critical systems, software development and certification, particularly within the MOD. She is the Technical Authority and a Project Safety Authority for a number of major programmes and is also responsible within those roles for the training and mentoring of more junior staff.

Over the last 5 years Vicky has specialised in the assessment and development of unmanned air vehicle systems (UAVS), dealing with new systems and operating environments and their effect on safety. Vicky's last role was as the Technical Authority for the Safety Case Development Programme for the Watchkeeper System. She led a team of Safety Engineers dedicated to the assessment of this highly complex and extensively integrated UAV System and her expertise is frequently sought by new suppliers of UAVs to the MOD.

Vicky has provided advice to the MOD and to the CAA SRG and their suppliers on future systems requiring new approaches and significant innovation, particularly with respect to certification problems and solutions. This work included the development of Safety Case Arguments for Safety Critical Systems involving COTS equipment, ground based equipment, safety related systems and software intensive programs.

Vicky is experienced in safety assessment techniques including HAZOPS, GSN, FTA, FMEA, FFA etc and in the application of a wide range of standards including Def Stans 00-55 and 00-56, RTCA DO-178B, IEC 61508 and CAP670 SW01.

Professional History

Principal Safety Engineer Ebeni Limited 2008 - present

Principal Safety Engineer & Project Safety Authority Praxis High Integrity Systems Limited 2003 - 2008

Senior Safety Consultant Praxis High Integrity Systems Limited 2001 - 2003

Principal Engineer Defence Evaluation Research Agency, Boscombe Down 2001 - 2001

Senior Safety Engineer to Chief Scientist Defence Evaluation Research Agency, Boscombe Down 1997 - 2001

Group Leader for Safety of Combat Aircraft Defence Evaluation Research Agency, Boscombe Down 1995 - 1997

Group Leader for Safety of All Aircraft Types Defence Evaluation Research Agency, Boscombe Down 1993 - 1995

Higher Scientific Officer for Safety Transport and Road Research Laboratory 1988 - 1993

Scientific Officer Transport and Road Research Laboratory 1978 - 1988


Profile

Highly experienced safety engineer with 30 years practical experience

Proven experience in gaining certification / approval for complex military and civilian systems in the air, sea and land domains

Forward thinking with demonstrable ability to introduce novel approaches to deliver safety assurance more effectively

Experienced in working as both a safety engineer and an independent safety assessor

Proven ability to lead the safety activities for high profile programmes and to provide advice at the highest levels of an organisation (eg answering questions to Parliamentary committees)

Career History

Ebeni Limited

Safety Engineer

September 2008 – present Safety Engineer

Tornado

Vicky is supporting Ultra Electronics with their Safety Engineering and Safety Management efforts for a Tornado related project.

September 2008 Independent Technical Assessment

Welsh Assembly

Vicky was required to provide an independent view of the technical innovation, application and development potential for projects seeking funding as part of the Welsh Development Agency work.

June 2008 – present Technical Authority for HELIX

Vicky is responsible for the Technical Management and development of all the initial startup safety and environmental management documentation for a new programme. The programme requires innovative use of existing documentation and certification and will result in delivery of safety and environmental plans, strategies, arguments and cases.

Praxis High Integrity Systems Limited

March 2007 - June 2008 Project Safety Authority

Blade UAV Project

Vicky acted as independent reviewer and mentor for the Blade UAV safety assessment programme for Ultra UK during the demonstrator phase. This role ensures the correct application of techniques, procedures and standards in accordance with the requirements of the customer, the customer's customer and the Praxis procedures. This project required an understanding of both UAV operations and munitions.

May 2005 - June 2008 Technical Authority

Watchkeeper DMIS Programme

Principally responsible for the application of innovation and technical management to the Watchkeeper DMIS Programme, providing to the Prime Contractor the safety support and the Watchkeeper Safety Case which will enable flight trials in the UK and ultimately support full Release To Service. Additionally providing safety liaison between the Prime Contractor, their subcontractors and the MOD. The programme will take seven years and involves a complex integration of sub-systems into the overall system, which will then be integrated directly with other systems in theatre. The work has taken a focussed, risk-directed approach and includes the identification and derivation of safety requirements, application of a wide range of safety techniques, software safety assessment, integration of safety cases and hazard logs from all the subsystems, subcontractor training and a wide range of interpersonal skills both in the UK and overseas.

October 2003 - August 2004 Technical Authority

ALM IPT Weapon Safety Case Programme

Providing leadership, guidance and advice to the multi-disciplined Praxis team and to the ALM IPT on the application of safety assessment to the specific domain. The programme delivered 80 safety cases in 12 months in electronic web based format using a range of military standards relating to aircraft, munitions, environment and H&S. The project required consideration of a wide range of standards including those for munitions and the environment.

March 2003 - June 2008 Safety Manager

TDL NATO ACCS Programme

Vicky acted as independent reviewer and mentor for the NATO ACCS safety assessment programme that involves the assessment of a Military Air Traffic Control System incorporating assessment of situational awareness and airspace integration. This is a multi-national program that employs a range of standards and certification requirements relative to each nation.

September 2002 - March 2003 Safety Engineer

TDL NATO ACCS Programme

This task was principally involved with the development of Safety Arguments and Fault Trees in support of the safety assessment. It also included representation at a series of meetings with the certifying authorities representing the customer for the product.

March 2003 - November 2003 Principal Safety Engineer and Project Manager

Watchkeeper SIAP Phase

Vicky was employed by Thales Defence Ltd (TDL) in Crawley to provide a complete safety assessment of the Watchkeeper System including the ground based system to enable TDL to bid to supply a complete UAV system to the MOD as a replacement for Phoenix. This work was to be completed in half the time originally planned but the application of an innovative approach led to a very successful program. TDL was subsequently selected as the preferred bidder for Watchkeeper by the MOD.

March 2002 - April 2002 Independent Safety Auditor

BATES

Vicky was employed by Alenia Marconi Systems (AMS) at the request of their customer (MOD) to provide advice and guidance on the development of a safety case for BATES. As the ISA Vicky fulfilled the requirement for an independent auditor in accordance with Defence Standard 00-56. A more important role associated with this work was to advise the MOD on the process and on the implications of the results. This enabled the MOD to have increased confidence in the safety of the system. Advice to AMS resulted in some process improvement and recommendations included aspects of the range procedures.

January 2002 - April 2002 Technical Authority

Windows XP Study

An extended Scoping Study was required by three customers, the MOD, CAA and HSE, to investigate the use of a general purpose operating system in a safety related application and consider its suitability compared to the CAA software regulation document SW01. The study was to identify the requirements for a full study to produce a common view between all parties in order to maximise the reuse of certification and minimise cost. Vicky was able to use her extensive knowledge of all the domains that were to be considered and of the domain standards that would normally be applied. This, together with an innovative approach to the reuse of existing evidence, provided a comprehensive preliminary assessment of Windows XP. This identified the range within which certification of systems using Windows XP might be possible.

November 2001 - December 2001 Specialist Software Advisor

Implementation of Maastricht UAC RVSM

Maastricht UAC required support for the development of a Safety Case to cover the implementation and integration of RVSM. This project required an understanding of the process of controlling air traffic and familiarisation with the controller's role. Vicky led a software audit of the process and products that made up the integrated systems for ATC. She subsequently provided advice on process improvement to MUAC that was to be embodied in the Safety and Quality Management Systems. Vicky advised on the Safety Case process, and the systems were certified and put into service on schedule.

August 2001 - September 2001 Senior Safety Consultant

Vicky was the Safety and Certification Engineer for a programme of research into the certification of COTS Software for next generation Integrated Modular Avionics for the Defence Evaluation and Research Agency at Farnborough. This research Project was set up to investigate the feasibility of using a COTS RTOS in an IMA architecture for future aircraft and to identify requirements for provision of a safety case and for certification. Tasks on this project included the Development of a Safety Argument for the use of a COTS RTOS through the application of Goal Structured Notation and advising on future certification. The safety argument identified specific evidential requirements with which a COTS system will have to comply. The research also identified functional, safety, and certification requirements that will drive the decision on the choice of COTS systems in the future and provide implications for system integration and integrity for the future. This program of research will influence many projects both nationally and internationally.

November 2002 - April 2002 Technical Authority

Submarine Safety Case

The customer required a Safety Case to be developed to cover the installation and operation of new equipment on a submarine. This project provided a full Safety Case to meet the requirements of our customer and the MOD and in accordance with JSP 430 and Defence Standard 00-56. In order to identify the safety requirements for the system it was necessary to gain some understanding of the operation and procedures of the relevant activities on board. Vicky developed the safety argument identifying the evidence that would be required and acted as adviser to the processes which were required to generate significant proportions of the evidence. This included the formation and conduct of the Project Safety Committee through the detailed hazard reviews. Vicky compiled and presented the evidence in a Safety Case to the satisfaction of the customer and the system was approved for use within the allocated schedule.

Independent Safety Reviewer

Vicky acts as an Independent Reviewer for Safety and Certification aspects of many diverse projects requiring knowledge of several different domains. She has also used her understanding of Safety to develop an understanding in new domains and makes useful and significant contributions to a range of projects. Recent projects have included Unmanned Air Vehicles, on board Aircraft Identification System and Real Time Operating Systems.

DERA Boscombe Down

February 1998 - August 2001 Advisor to the Chief Scientist

In this role Vicky was acting as advisor to the Chief Scientist on subjects related to safety and software certification. This work was concentrated on the implementation of the Strategic Defence Review (SDR) published in 1998. The SDR redefined the traditional MOD procurement cycle, incorporating more early development of prototypes and demonstrators in order to reduce the risk of failed development and escalating costs, and to meet requirements for evidence and certification. The SDR was intended to lead to reduced costs, risks and time to service. This was to impact project management, systems development, test and evaluation and certification. Innovation was required to manage and implement the changes.


Part of the strategy was to incorporate more synthetic environments for training, testing, operational analysis etc. Vicky's innovative approach was applied to the assessment and validation requirements for simulations and the reapplication of traditional assessment in a new and innovative way. This resulted in contributions to the AMS and ITOPS which subsequently formed the basis for the NATO STANAGs.

April 2001 - August 2001 Principal Safety Engineer

Responsible for the Safety Management of a team working on military projects (predominantly Aircraft and future systems). The team was set up to support the certification effort by providing new methods and techniques for test and evaluation. Members of the team were selected on their ability to provide new thinking and innovative reapplication of existing techniques. Continuing support was provided to the MOD and industry in support of many Software, Safety and Systems engineering problems.

February 1998 - April 2001 Senior Safety Engineer

Safety Consultant to the Chief Scientist, Combat Aircraft Department, Rotary Wing Department and Patrol and Support Aircraft Department. Providing advice in areas of special concern requiring innovation and lateral thinking and a deep and broad based understanding of safety and associated operational military issues. Additional support was provided to the MOD and industry in support of many Software, Safety and Systems engineering problems.

Projects included:

Consultant to MOD on Safety and Software Policy

UK Software expert on International Test and Operability Procedures working group developing procedures for the adoption of 4 nations and incorporation in NATO STANAGs

Generation of Certification Arguments for UAVs

Advise MOD and individual systems companies on future systems with respect to future certification problems and solutions

Research into the use of Models and Simulations in Certification of Systems

Application of established techniques to the Accreditation of Models and Simulations

Development of Safety Case Arguments for:

Safety Critical Systems involving COTS equipment

Ground based equipment

Safety related systems

Software intensive programs

Auditing safety critical software projects and verification tools

Consultant to Military Land and Sea Systems with respect to Safety Assessment and use of COTS

Trainer in the Empire Test Pilots School on Safety Cases and Goal Structured Notation


DERA Boscombe Down for Combat Aircraft Department

April 1995 - February 1997 Group Leader for Safety of Combat Aircraft

Leading a group of Safety Engineers performing analysis and providing recommendations for service release. This work covered the full range of combat aircraft from refitted in-service aircraft to future aircraft development.

A significant amount of this work involved the review and assessment of safety critical systems for Eurofighter from development, through generation of evidence, to provision of Service Release Recommendations. As group leader tasks also included:

Mentoring staff

Staff reporting

Management of work schedules

Providing high profile advice on Certification and Safety Policy (particularly for software) including answering Parliamentary questions and providing evidence for committees in the House of Commons.

DERA Boscombe Down for Engineering Division

February 1993 - April 1995 Group Leader

Safety of Aircraft - All Types

Similar to the role above with added responsibility for Rotary Wing Aircraft and Heavy Aircraft. Notable projects included the assessment of:

EH101

Attack Helicopter - tender assessment

Chinook Mk2

Puma

Gazelle

Use of NVG

August 1988 - April 1993 Higher Scientific Officer

All Aircraft Types

Acting as part of an Engineering Assessment Team, this role was predominantly for Safety Critical Software. It included the Verification and Validation of software using Static Code analysis.

Transport and Road Research Laboratory

December 1978 - August 1988 Scientific Officer

Research into Air Pollution from Traffic, predominantly aimed at providing Pollution Dispersion Prediction models. This work included:

Equipping and maintaining a mobile laboratory

Specifying and purchasing equipment


Organising and undertaking roadside surveys

Equipping and testing cars (dynamometer and public roads)

Data analysis

Model development

Presentation of results

Marketing the modelling product

Providing training and advice to Councils and Contractors

Education and Qualifications

MSc – Safety Critical Systems Engineering - 2000

BSc - University of York, Department of Computer Science 1997 – 2000

HNC - Mathematics, Statistics and Computing - 1982

Farnborough Technical College 1980 – 1982

Key Safety and Reliability Standards

ARP 4754 Certification Considerations for Highly-Integrated or Complex Aircraft Systems

ARP 4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment

DEF-STAN 00-56 Safety Management Requirements for Defence

DEF-STAN 00-55 Requirements For Safety Related Software In Defence Equipment

DEF STAN 00-57 Electronic Hardware Assessment

DEF STAN 00-58 HAZOP Studies on Systems Containing Programmable Electronics

JSP 430 Ship Safety

IEC 61508 Functional Safety of Safety Related Systems

IEE Publications Safety, Competency and Commitment, Competency Standards for Safety-Related System Practitioners

MIL-HDBK-217 Reliability Predictions for electronic components

MIL-HDBK-338 Reliability Handbook for Electronic Systems

MIL-STD-1629 Failure Modes Effects and Criticality Analysis

MIL-STD-882 System Safety Programme Requirements

RTCA DO-178 A and B Software Considerations in Airborne Systems and Equipment Certification

Safety & System Engineering Tools

Various PC based packages including; ITEM FaultTree, EventTree, Safety Argument Manager (SAM), RELEX, HUGIN (BBN modelling), STATEMATE, Matrix X, SPARK, MALPAS

Interests

Dog Agility Training, Horse riding
