Prof. Dr. Oliver Straeter
University Kassel, Department of Mechanical Engineering, Human & Organisational Engineering
Heinrich-Plett-Strasse 40, D-34132 Kassel
Tel: +49 561 804 4211
with Henk Korteweg (Eurocontrol), Jos Nollet (IVW), Mariken Everdij (NLR), Bert Kraan (QSA)

Source: Presentation SST OS - TU Braunschweig, ifev.rz.tu-bs.de/.../WeB/7_PresentationStraeter.pdf (Microsoft PowerPoint - Presentation SST OS.ppt, author: straeter, created 12/8/2009)
Safety Fundamentals and basic safety regulatory principles for a resilient planning of system changes in transportation
Safety in Transportation Workshop, 1 and 2 December 2009, IVEF – TU Braunschweig
[Figure: EUROCONTROL Division DED4 traffic distribution forecast, dated 04/11/97, based on STATFOR 97. Four maps (charts DY_97_97, DY_97_00, DY_97_10, DY_97_20) show mean IFR flights per day in 6' by 10' rectangles, assuming flights on direct routes; legend classes: 150 or more, 100 to 150, 50 to 100 flights per day.]
- 1997 forecast: 7 500 000 flights estimated
- 2000 forecast: 8 600 000 flights estimated
- 2010 forecast: 11 900 000 flights estimated
- 2020 forecast: 15 800 000 flights estimated

Traffic Growth (summary chart, Division DED4, 4/11/97): 1997: 7.0 Mio flights; 2000: 8.0 Mio flights; 2010: 11.9 Mio flights; 2020: 15.8 Mio flights.
The Aviation Vision for 2020 - SESAR
SESAR = Single European Sky ATM Research

SESAR Concept and Safety: safety of the entire framework
[Diagram of the actors involved: Users, ANSPs, Ground Systems, Airports, Airborne Systems, Regulators]
Civil and military; within and between domains; variations on international, European and national levels
Typical safety related questions
- Safety regulation: Are regulations sufficient for a change? e.g., integration of assessment and certification approaches
- Safety management: Is the system manageable with respect to safety? e.g., increasing sluggishness with increasing coupling of entities
- System safety - safety performance: Does the system contain any inherent hazards? e.g., increased interdependencies
- System safety - operational safety: How will it work in the real environment (people and operational context)? e.g., the human role for safety
How to answer the questions?
[Diagram: Safety <-> Proposed or existing system]
The reactive safety approach...
First: Safety assessment method (fault trees / event trees)
Second: Mitigations
Role of regulatory oversight:
• stamp off whether the method was applied correctly
• regulator has the final responsibility for the validity of the method and effectiveness of mitigations
Safety Assessment - Proactive support of development
- Current approach for safety: safety is treated rather reactively; safety provides a stamp of approval, but only superficial mitigations within systems; the impact on system planning and design is rather low
- Safety Fundamentals: some kind of "predictive display" is needed to judge the safety impact of planned developments
Why not integrate into planning the fundamental safety rules that will show up as critical in later safety cases anyhow?
How to answer the questions?
[Diagram: Safety <-> Proposed or existing system]
The proactive safety approach...
First: Safety Fundamentals
Second: Safety evidence
Role of regulatory oversight:
• ask appropriate questions
• service provider has the final responsibility for the validity of the method and effectiveness of mitigations
Safety Scanning
• to provide a proactive safety approach
• to show whether a certain change (e.g., ATM, traffic, ...) will lead to a safety issue (safety feasibility)
• to give a general answer on the safety measures required for future ATM (no detailed quantitative assessment)
• to prepare later stages of safety assessment (scope, issues)
• to be applicable as a minimum to the current level of description of the proposed changes
• to be applicable to any change and any ATM subsystem (technical, human, organisational = managerial/procedural/institutional)
Approach: Safety Fundamentals

Safety Fundamentals - Development of the approach (timeline 2004 to 2009)
- Compilation of essential Safety Fundamentals based on regulatory requirements, international standards and experiences in safety relevant industries (Eurocontrol & RO for Safety); all development steps fully documented and traceable
- Broad applications and specific ATM validation studies (Eurocontrol, NLR, DNV)
- Endorsement by SESAR as appropriate for the concept definition (SESAR CIT & WP 1.6)
- Application to SESAR concept elements; the results build the SESAR safety register (SESAR consortium)
- Today's meeting; also: applications at the Australian CAA, German Rail, and ongoing developments at ATSPs and for multi-actor change management
Typical problem of risk assessment: how to meet the issues revealed, by yielding to the issues or yielding to the method (ICAO: management of safety is different from safety management)
Safety Fundamentals - Regulatory Basis
- The global layer: ICAO, ISO, (other UN organisations & OECD)
- The European layer: EU law, SES, CEN, (ongoing activities)
- The national layer: national regulations, engineering associations, (scientific booklets)

From regulatory source to guiding question (sources per layer: ICAO SMM, IAEA Safety Standards, OECD best practices):
- Guiding question: Can regulators or providers act upon safety issues timely?
- Guiding question: Is an independent oversight of the system ensured?
- e.g., ICAO-SMM, 2007; ESARR1, 2004; IAEA, 2006
How Fundamentals work - A view on the tool
[Screenshot of the tool: a high-level question with its explanation, the possible answers, the low-level questions, room for providing justification, and the safety fundamental applicable to this page of questions]

Hypothetical example of result (Safety Architecture and Technology perspective)
[Chart over the dimensions Transparency, Redundancy, Interdependence, Functionality, Integrity and Maintainability, showing the expected average safety effort area against ATM change 1 and ATM change 2]
Basic principles of Regulation
Example: Air Ground Data Link results
[Chart: for each fundamental, the indication is one of "likely improved safety", "likely more complicated" or "likely equal to today's situation"; fundamentals marked "issues to expect and resolve" are highlighted]
Screening provides negative as well as positive indications for safety performance.
Experiences
- Throughout positive response on the structure and use of the method
- Applied to key SESAR operational concepts to build the Safety Register of SESAR (mandatory for development and implementation)
- Regained momentum on Galileo's EGNOS safety issues
- Currently being built into a regulatory tool for SESAR developments
And not to forget... a prize in rail application, by Nicolas Petrek
Two working modes
- Screening (licensee use): for the definition phase of a project (e.g., SESAR)
- Scanning (regulatory use): for coordinating regulator-licensee interaction throughout the life-cycle, including also the suitability of safety methods
Rail: European discussions on ETCS; restructuring of organisations
Rail: regulatory acceptance process
Screening in the SESAR Definition phase
[Diagram: life-cycle phases, the safety approach applied in each, and its output]
- Concept Definition: Screening -> safety considerations, system decomposition, scope of safety plan
- System Definition: FHA -> safety objectives, hazards
- System Design: PSSA -> safety requirements, importance-based mitigations
- System Implementation, Integration, Operation: SSA -> evidence-based mitigations
- Decommissioning
Fundamentals versus safety assessment
Not a mutually exclusive approach but complementary:
- Due to the effort of detailed safety assessments, none is made without a screening for the most important issues (best practice: nuclear)
- Finding critical information early enough (see medicine, organisational design)
Approach:
- Turning regulatory requirements into questions for consideration
- Effective planning by involving all stakeholders
Purpose:
- Inform succeeding steps about critical issues and managerial needs
- Judge the required capabilities of safety assessment methods
- Steer resources effectively
= Not making a safety decision but avoiding a wrong path or a too late recognition of severe issues
Scanning on Safety Fundamentals and suitability of safety methods
Regulatory tasks: scanning of licensee activities throughout the life-cycle