Safety Fundamentals and basic safety regulatory principles for a resilient planning of system changes in transportation

Prof. Dr. Oliver Straeter, University Kassel, Department of Mechanical Engineering, Human & Organisational Engineering, Heinrich-Plett-Strasse 40, D-34132 Kassel, Tel: +49 561 804 4211, email: straeter@ifa.uni-kassel.de
with Henk Korteweg (Eurocontrol), Jos Nollet (IVW), Mariken Everdij (NLR), Bert Kraan (QSA)
Safety in Transportation Workshop, 1 and 2 December 2009, IVEF TU Braunschweig

Traffic Growth
[Figure: Eurocontrol Division DED4 traffic distribution forecast maps (charts DY_97_97, DY_97_00, DY_97_10, DY_97_20, dated 04/11/97), showing mean IFR flights per day in 6 by 10 rectangles (150 or more / 100 to 150 / 50 to 100 flights), assuming flights on direct routes, based on STATFOR 97. Headline figures: 7.0 Mio flights in 1997, 8.0 Mio in 2000, 11.9 Mio in 2010, 15.8 Mio in 2020; chart captions give 7 500 000, 8 600 000, 11 900 000 and 15 800 000 flights estimated.]
The Aviation Vision for 2020 - SESAR
SESAR = Single European Sky ATM Research

SESAR Concept and Safety
[Figure: safety of users, of ground systems and of airborne systems, each embedded in the entire safety framework; actors are airports, ANSPs, regulators, civil and military; safety is considered within and between domains, with variations on international, European and national levels.]
Typical safety related questions
- Safety regulation: Are regulations sufficient for a change? e.g., integration of assessment and certification approaches
- Safety management: Is the system manageable with respect to safety? e.g., increasing sluggishness if the coupling of entities increases
- System safety / safety performance: Does the system contain any inherent hazards? e.g., increased interdependencies
- Operational safety: How will it work in the real environment (people and operational context)? e.g., the human role for safety

How to answer the questions? The reactive safety approach
First: a safety assessment method (fault trees / event trees) is applied to the proposed or existing system.
Second: mitigations.
Role of regulatory oversight: stamp off whether the method was applied correctly; the regulator has the final responsibility for the validity of the method and the effectiveness of the mitigations.
Proactive support of development
- Current approach for safety: safety is treated rather reactively; safety provides a stamp off, but only superficial mitigations within systems; the impact on system planning and design is rather low.
- Safety Fundamentals: some kind of predictive display is needed to judge the safety impact of planned developments. Why not integrate into planning the fundamental safety rules that will show up as critical in later safety cases anyhow?

How to answer the questions? The proactive safety approach
First: Safety Fundamentals, used for safety scanning of the proposed or existing system.
Second: safety evidence.
Role of regulatory oversight: ask appropriate questions; the service provider has the final responsibility for the validity of the method and the effectiveness of the mitigations.
Approach: Safety Fundamentals
- to provide a proactive safety approach
- to show whether a certain change (e.g., ATM, traffic, ...) will lead to a safety issue (safety feasibility)
- to give a general answer on the safety measures required for future ATM (no detailed quantitative assessment)
- to prepare later stages of safety assessment (scope, issues)
- to be applicable as a minimum to the current level of description of the proposed changes
- to be applicable to any change and any ATM subsystem (technical, human, organizational = managerial/procedural/institutional)

Safety Fundamentals - Development of the approach
All development steps are fully documented and traceable. Timeline 2004 to 2009:
- Compilation of essential Safety Fundamentals based on regulatory requirements, international standards and experiences in safety relevant industries (Eurocontrol & RO for Safety)
- Broad applications and specific ATM validation studies (Eurocontrol, NLR, DNV)
- Endorsement by SESAR as appropriate for the concept definition (SESAR CIT & WP 1.6)
- Application to SESAR concept elements; the results are building the SESAR safety register (SESAR consortium)
- Today's meeting
Typical problem of risk assessment: how to meet the issues revealed, by yielding on the issues or by yielding on the method (ICAO: management of safety is different from safety management).
Also: applications in the Australian CAA and German Rail; ongoing developments at ATSPs and for multi-actor change management.
Safety Fundamentals - Regulatory Basis
Layers:
- The global layer: ICAO, ISO, (other UN organisations & OECD)
- The European layer: EU law, SES, CEN, (ongoing activities)
- The National layer: national regulations, engineering associations, (scientific booklets)
Considered (examples): ICAO SMM, IAEA Safety Standards, OECD best practices, ISO Chemical, ISO Rail, IEC 60300 / ISO 31010, SES regulations, ESARRs, American Standards, EU Regulations (DGTren WS), industrial norms (HSE, VDI, NUREG), safety booklets

Safety Fundamentals - Structure
[Figure: Safety performance rests on the Safety Fundamentals plus the Basic Safety Regulatory Principles, covering three areas: Architecture + Technology; Safety Management + Institutional; Operational Regulations and Framework.]
Fundamentals on Safety Architecture
[Figure: the system of interest and its adjacent systems.] Transparency, Predictability, Clarity; Maintainability; Redundancy & Diversity; Functionality; Integrity; Interdependence (with adjacent systems)

Fundamentals on Safety Management
Responsiveness, Learning; Promotion; Policy; Understanding, Openness; Detectability, Feedback; Assurance; Planning; Responsibility, Practicability; Achievement; Completeness, Unbiasedness
Fundamentals on safety operations
[Figure: task, human, technical system and organization, with adjacent human-machine systems and the operating environment.] Procedures; Competence; Human-machine interaction; Operating Environment; Overall Performance; Reliability; Communication

Basic principles of Regulation
- Legal perspective: independent oversight and body; duty of care; clear responsibility for safety
- Regulatory tasks: build opinion; review; evaluate; investigate (safety issues, safety assessment methods, occurrences); oversight
- Product development: concept, development, validation, implementation, operation; impact of the change on regulations; are the means to prove and ensure safety sufficient?; mitigations
How Fundamentals work
Safety Requirement | Guiding Question | Source (example)
Transparency | Are the legal responsibilities clearly laid out? | e.g., ICAO-SMM, 2007
Independence | Is an independent oversight of the system ensured? | e.g., ESARR1, 2004
Responsiveness | Can regulators or providers act upon safety issues timely? | e.g., IAEA, 2006

A view on the tool
[Screenshot: each page of questions shows the safety fundamental applicable to it, an explanation, a high-level question with its low-level questions, the possible answers, and room for providing a justification.]
Basic principles of Regulation - Hypothetical example of result (Safety Architecture and Technology perspective)
[Chart: Transparency, Maintainability, Redundancy, Integrity, Interdependence and Functionality plotted for ATM change 1 and ATM change 2 against the area of average safety effort expected.]
Example: Air Ground Data link results: likely equal to today's situation; issues to expect and resolve; likely improved safety; likely more complicated; likely equal to today's situation.
Screening provides negative as well as positive indications for safety performance.
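The screening logic the slides describe (guiding questions per fundamental, answers with room for justification, indications compared against the expected safety effort), as an added Python model that is not the workshop's own tool; the answer scale, the justification rule and the data-link answers are assumptions.

```python
from dataclasses import dataclass, field

# Indications from the slide, scored so that negative ones pull a fundamental
# below the "average safety effort expected" line (scale is an assumption).
INDICATIONS = {
    "likely improved safety": 1,
    "likely equal to today's situation": 0,
    "likely more complicated": -1,
    "issues to expect and resolve": -2,
}

@dataclass
class Answer:
    fundamental: str        # e.g. "Transparency"
    question: str           # low-level guiding question
    indication: str         # one of INDICATIONS
    justification: str = ""

@dataclass
class Screening:
    change: str
    answers: list = field(default_factory=list)

    def add(self, answer):
        if answer.indication not in INDICATIONS:
            raise ValueError(f"unknown indication: {answer.indication}")
        # Assumed rule: any answer that deviates from "equal" must be justified.
        if INDICATIONS[answer.indication] != 0 and not answer.justification.strip():
            raise ValueError(f"{answer.fundamental}: non-neutral answer needs justification")
        self.answers.append(answer)

    def profile(self):
        """Average score per fundamental (the radar chart on the slide)."""
        totals = {}
        for a in self.answers:
            totals.setdefault(a.fundamental, []).append(INDICATIONS[a.indication])
        return {f: sum(s) / len(s) for f, s in totals.items()}

    def register(self, expected=0.0):
        """Fundamentals below the expected effort line: entries for the safety register."""
        return sorted(f for f, s in self.profile().items() if s < expected)

def screen_datalink():
    # Constructed answers for the "Air Ground Data link" change; the slide lists
    # the indications but not their mapping to fundamentals, so this is assumed.
    s = Screening("Air Ground Data link")
    for row in [
        ("Transparency", "Responsibilities for the link clearly laid out?", "likely equal to today's situation", ""),
        ("Interdependence", "New couplings to adjacent systems?", "issues to expect and resolve", "ground and air share one link"),
        ("Functionality", "Does it remove known error sources?", "likely improved safety", "fewer read-back errors"),
        ("Redundancy", "Fallback available on link loss?", "likely more complicated", "voice fallback needs new procedures"),
    ]:
        s.add(Answer(*row))
    return s
```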
Experiences
- Throughout positive response on the structure and use of the method
- Applied to key SESAR operational concepts to build the Safety Register of SESAR (mandatory for development and implementation)
- Regain of momentum in Galileo's EGNOS safety issues
- Currently built into a regulatory tool for SESAR developments
And not to forget: a prize in a rail application (by Nicolas Petrek).

Two working modes
- Screening (licensee use): Rail: European discussions on ETCS; restructuring of organisations for the definition phase of a project (e.g., SESAR)
- Scanning (regulatory use): Rail: regulatory acceptance process for coordination; regulator-licensee interaction throughout the life-cycle, including also the suitability of safety methods
Screening in the SESAR Definition phase
Phase | Safety Approach | Output
Concept Definition | Screening | Safety considerations; system decomposition; scope of safety plan
System Definition | FHA | Safety objectives; hazards
System Design | PSSA | Safety requirements; importance based mitigations
System Implementation / Integration | SSA | Evidence based mitigations
Operation / Decommissioning | |

Fundamentals versus safety assessment
Not a mutually exclusive approach but complementary:
- Due to the effort of detailed safety assessments, none is made without a screening for the most important issues (best practice: nuclear)
- Finding critical information early enough (see medicine, organisational design)
Approach:
- Turning regulatory requirements into questions for consideration
- Effective planning by involving all stakeholders
Purpose:
- Inform succeeding steps about critical issues and managerial needs
- Judge the required capabilities of safety assessment methods
- Steer resources effectively
= Not making a safety decision, but avoiding a wrong path or a too late recognition of severe issues
Scanning of licensee activities through the life-cycle
[Figure: licensee activities are scanned against the Safety Fundamentals and the suitability of safety methods, feeding the regulatory tasks.]

Questions?