Presentation slides (transcript): ifev.rz.tu-bs.de/.../web/7_presentationstraeter.pdf
Prof. Dr. Oliver Straeter
University of Kassel, Department of Mechanical Engineering, Human & Organisational Engineering
Heinrich-Plett-Strasse 40, D-34132 Kassel, Tel: +49 561 804 4211, eMail: [email protected]
with Henk Korteweg (Eurocontrol), Jos Nollet (IVW), Mariken Everdij (NLR), Bert Kraan (QSA)
Safety Fundamentals and basic safety regulatory principles for a resilient planning of system changes in transportation
Safety in Transportation
Workshop
1 and 2 December 2009
IVEF – TU Braunschweig
Traffic growth (figure): Eurocontrol Division DED4 traffic distribution forecast dated 04/11/97, based on STATFOR 97, showing mean IFR flights per day in 6' by 10' rectangles (bands: 150 or more, 100 to 150, 50 to 100 flights), assuming flights on direct routes. Estimated flights per chart: 1997: 7 500 000 (chart DY_97_97); 2000: 8 600 000 (DY_97_00); 2010: 11 900 000 (DY_97_10); 2020: 15 800 000 (DY_97_20). Summary chart (DED 4, 4/11/97): 7.0 Mio flights (1997), 8.0 Mio (2000), 11.9 Mio (2010), 15.8 Mio (2020).
The Aviation Vision for 2020 - SESAR
SESAR = Single European Sky ATM Research
SESAR Concept and SAFETY (figure): safety of the entire framework, covering Users, ANSPs, Ground Systems, Airports, Airborne Systems and Regulators; civil and military; within and between domains; with variations on international, European and national levels.
Typical safety related questions
- Safety regulation – Are regulations sufficient for a change? E.g., integration of assessment and certification approaches.
- Safety Management – Is the system manageable with respect to safety? E.g., increasing sluggishness with increasing coupling of entities.
- System Safety – Safety Performance – Does the system contain any inherent hazards? E.g., increased interdependencies.
- System Safety – Operational Safety – How will it work in the real environment (people and operational context)? E.g., the human role for safety.
How to answer the questions?
The reactive safety approach (proposed or existing system → safety):
First: Safety Assessment Method (Fault Trees / Event Trees)
Second: Mitigations
Role of regulatory oversight:
• stamp off whether the method was applied correctly
• the regulator has the final responsibility for the validity of the method and the effectiveness of mitigations
Safety Assessment – proactive support of development
- Current approach for safety: safety is treated rather reactively; safety provides a stamp off, but only superficial mitigations within systems; the impact on system planning and design is rather low.
- Safety Fundamentals: some kind of "predictive display" is needed to judge the safety impact of planned developments.
Why not integrate fundamental safety rules into planning, given that they will show up as critical in later safety cases anyway?
How to answer the questions?
The proactive safety approach (proposed or existing system → safety):
First: Safety Fundamentals
Second: Safety Evidence
Role of regulatory oversight:
• ask appropriate questions
• the service provider has the final responsibility for the validity of the method and the effectiveness of mitigations
Safety Scanning
• to provide a proactive safety approach
• to show whether a certain change (e.g., ATM, traffic, ...) will lead to a safety issue (safety feasibility)
• to give a general answer on the safety measures required for future ATM (no detailed quantitative assessment)
• to prepare later stages of safety assessment (scope, issues)
• to be applicable as a minimum to the current level of description of the proposed changes
• to be applicable to any change and any ATM subsystem (technical, human, organizational = managerial/procedural/institutional)
Approach: Safety Fundamentals
Safety Fundamentals – Development of the approach (timeline 2004 to 2009)
- Compilation of essential Safety Fundamentals based on regulatory requirements, international standards and experiences in safety relevant industries (Eurocontrol & RO for Safety); all development steps fully documented and traceable
- Broad applications and specific ATM validation studies (Eurocontrol, NLR, DNV)
- Endorsement by SESAR as appropriate for the concept definition (SESAR CIT & WP 1.6)
- Application to SESAR concept elements; the results are building the SESAR safety register (SESAR consortium)
- Typical problem of risk assessment – how to meet the issues revealed: yielding the issues or yielding the method (ICAO: management of safety is different from safety management)
- Today's meeting. Also: applications in the Australian CAA and German Rail; ongoing developments at ATSPs and for multi-actor change management
Safety Fundamentals – Regulatory Basis
Layer | Considered (examples)
- The global layer (ICAO, ISO, other UN organisations & OECD) | ICAO SMM, IAEA Safety Standards, OECD best practices
- The European layer (EU law, SES, CEN, ongoing activities) | IEC 60300 / ISO 31010, SES regulations, ESARRs
- The national layer (national regulations, engineering associations, scientific booklets) | industrial norms (HSE, VDI, NUREG)
Also considered: ISO Chemical, EU Regulations (DGTren WS), Safety Booklets, ISO Rail, American Standards.
Regulations and framework: safety performance rests on Safety Management + Institutional Architecture + Technology + Operational aspects, captured as Safety Fundamentals + Basic Safety Regulatory Principles.
Safety Fundamentals – Structure
Fundamentals on Safety Architecture (system of interest and adjacent systems): Interdependence; Functionality; Transparency, Predictability, Clarity; Redundancy & Diversity; Maintainability; Integrity.
Fundamentals on Safety Management: Policy; Planning; Achievement; Assurance; Promotion, with the associated qualities Responsiveness, Learning; Completeness, Unbiasedness; Understanding, Openness; Responsibility, Practicability; Detectability, Feedback.
Fundamentals on safety operations (task, human, technical system; adjacent human-machine systems; operating environment; overall performance): Competence; Organization; Reliability; Procedures; Communication; Human-machine interaction.
Duty of care – Basic principles of Regulation
Life-cycle phases: Concept, Development, Validation, Implementation, Operation.
Regulatory tasks along the life-cycle: Review, Evaluate, Investigate, Oversight. Inputs: impact of change on regulations, safety assessment methods, mitigations, safety issues, occurrences. Outcome: build opinion on the guiding question "Are the means to prove and ensure safety sufficient?"
Perspectives: product development, regulatory tasks, legal perspective.
Safety requirement | Guiding question | Reference
- Clear responsibility for safety | Are the legal responsibilities clearly laid out? | e.g., ICAO-SMM, 2007
- Responsiveness | Can regulators or providers act upon safety issues in a timely manner? | e.g., ESARR1, 2004
- Independent oversight body (independence, transparency) | Is an independent oversight of the system ensured? | e.g., IAEA, 2006
How Fundamentals work – A view on the tool
Each question page consists of: a high-level question with its explanation; the possible answers; low-level questions; room for providing justification; and the safety fundamental applicable to this page of questions.
Hypothetical example of result (Safety Architecture and Technology perspective): a profile per fundamental (Transparency, Redundancy, Interdependence, Functionality, Integrity, Maintainability) for ATM change 1 and ATM change 2, plotted against the average safety effort expected area.
Basic principles of Regulation – Example: Air Ground Data link results
Possible outcomes per fundamental: likely improved safety; likely more complicated (issues to expect and resolve); likely equal to today's situation. Screening provides negative as well as positive indications for safety performance.
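To make the tool view and the result screen above concrete, here is an added example (not the authors' tool) of how the per-fundamental screening can be scored: each low-level question is answered with one of the three outcome labels from the slides, every answer needs a justification, and the scores are averaged per Safety Architecture fundamental to flag "issues to expect and resolve" and positive indications. The numeric weights, the threshold and the sample answers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

# Outcome labels from the slides, mapped to an assumed "safety effort" score:
# an improvement lowers expected effort, a more complicated situation raises it.
EFFORT = {
    "likely improved safety": -1.0,
    "likely equal to today's situation": 0.0,
    "likely more complicated": 1.0,
}
ARCHITECTURE_FUNDAMENTALS = ("Interdependence", "Functionality", "Transparency",
                             "Redundancy & Diversity", "Maintainability", "Integrity")

@dataclass
class Answer:
    fundamental: str         # the fundamental applicable to the question page
    outcome: str             # one of the three labels above
    justification: str = ""  # "room for providing justification"

def screen(change: str, answers: list, threshold: float = 0.5) -> dict:
    """Average the effort score per fundamental and classify a change:
    fundamentals at or above `threshold` are 'issues to expect and resolve',
    fundamentals with a negative score are positive indications."""
    per_fundamental = {f: [] for f in ARCHITECTURE_FUNDAMENTALS}
    for a in answers:
        if a.fundamental not in per_fundamental:
            raise ValueError(f"unknown fundamental: {a.fundamental}")
        if not a.justification:  # an answer without justification is not traceable
            raise ValueError(f"{a.fundamental}: answer needs a justification")
        per_fundamental[a.fundamental].append(EFFORT[a.outcome])
    scores = {f: mean(v) for f, v in per_fundamental.items() if v}
    return {
        "change": change,
        "scores": scores,
        "issues_to_resolve": sorted(f for f, s in scores.items() if s >= threshold),
        "positive_indications": sorted(f for f, s in scores.items() if s < 0),
        # screening is incomplete until every fundamental has been considered
        "unanswered": [f for f in ARCHITECTURE_FUNDAMENTALS if f not in scores],
    }

# Constructed sample answers for a hypothetical air-ground data link change.
SAMPLE = [
    Answer("Interdependence", "likely more complicated", "ground and airborne systems become coupled"),
    Answer("Interdependence", "likely equal to today's situation", "voice procedures unchanged"),
    Answer("Transparency", "likely improved safety", "written clearances reduce read-back errors"),
    Answer("Redundancy & Diversity", "likely equal to today's situation", "voice remains as fallback"),
    Answer("Integrity", "likely more complicated", "message corruption must be detected end to end"),
    Answer("Functionality", "likely equal to today's situation", "same clearance functions"),
]
```

Running `screen("ATM change 1", SAMPLE)` flags Integrity and Interdependence as issues to resolve, reports Transparency as a positive indication, and lists Maintainability as not yet screened.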
Experiences
- Throughout positive response on the structure and use of the method
- Applied to key SESAR operational concepts to build the Safety Register of SESAR (mandatory for development and implementation)
- Regained momentum on Galileo's EGNOS safety issues
- Currently being built into a regulatory tool for SESAR developments
And not to forget... a prize in rail application, by Nicolas Petrek
Two working modes
- Screening (licensee use): for the definition phase of a project (e.g., SESAR). Rail: European discussions on ETCS; restructuring of organisations.
- Scanning (regulatory use): for coordinating the regulator-licensee interaction throughout the life-cycle, including also the suitability of safety methods. Rail: regulatory acceptance process.
Screening in the SESAR Definition phase
Phase | Safety approach | Output
- Concept Definition | Screening | safety considerations, system decomposition, scope of safety plan
- System Definition | FHA | safety objectives, hazards
- System Design | PSSA | safety requirements, importance-based mitigations
- System Implementation, Integration | SSA | evidence-based mitigations
- Operation, Decommissioning | – | –
Fundamentals versus safety assessment
Not a mutually exclusive approach but a complementary one:
- Because of the effort required for detailed Safety Assessments, none is made without a screening for the most important issues (best practice: nuclear)
- Finding critical information early enough (see medicine, organisational design)
Approach:
- Turning regulatory requirements into questions for consideration
- Effective planning by involving all stakeholders
Purpose:
- Inform succeeding steps about critical issues and managerial needs
- Judge the required capabilities of safety assessment methods
- Steer resources effectively
= Not making a safety decision, but avoiding a wrong path or a too late recognition of severe issues
Scanning on Safety Fundamentals and suitability of safety methods: the regulatory tasks consist of scanning the licensee activities throughout the life-cycle.
Questions?