North European Functional Airspace Block Avinor, Norway EANS, Estonia Finavia, Finland LGS, Latvia. NEFAB Project SAFETY CASE REPORT. Version 3.


NEFAB Project SAFETY CASE REPORT Version 3.01 Page 1 of 40

Revision history

Version   Date   Description   Approved
/12/2011

TABLE OF CONTENTS

1. INTRODUCTION
AIM
PURPOSE
METHOD
SAFETY CASE LIFECYCLE
SCOPE
SYSTEM DESCRIPTION
JUSTIFICATION
COST EFFICIENCY
FLIGHT EFFICIENCY
SAFETY
ENVIRONMENT
BARGAINING POWER
CUSTOMER ORIENTATION
NEFAB SAFETY CASE MAINTENANCE
SAFETY ARGUMENT STRUCTURE
THE MAIN SAFETY ARGUMENT
ARGUMENT 1. NEFAB SAFETY MANAGEMENT AND OVERSIGHT ARRANGEMENTS ARE SUFFICIENT AND APPROPRIATE TO ENABLE SAFE NEFAB DECLARATION
ARGUMENT 2 ALL CHANGES ARE MANAGED IN A SAFE AND SYSTEMATIC WAY
ARGUMENT 3 NEFAB ON-GOING OPERATIONS ARE ACCEPTABLY SAFE
CAVEATS/LIMITATIONS
CONCLUSIONS

1. Introduction

1.1. Aim

The aim of the Safety Case is to show that implementation and operation of the North European Functional Airspace Block (NEFAB) is acceptably safe according to ICAO, EC and EUROCONTROL safety requirements. The Safety Case will be developed in accordance with the NEFAB Safety Plan and the EUROCONTROL Safety Case Development Manual (SCDM).

Purpose

The Safety Case is addressed to all stakeholders of NEFAB to demonstrate that planned ATM system changes in all participating states are acceptably safe to launch NEFAB and to maintain safe NEFAB operation in the future. Broadly, the Safety Case is the documented assurance (i.e. argument and supporting evidence) of the achievement and maintenance of safety. It is primarily the means by which those who are accountable for service provision or projects assure themselves that those services or projects are delivering (or will deliver), and will continue to deliver, an acceptable level of safety. The Safety Case is not an alternative to carrying out a Safety Assessment; rather, it is a means of structuring and documenting a summary of the results of a Safety Assessment, and other activities (e.g. simulations, surveys etc.), in a way that a reader can readily follow the logical reasoning as to why a change (or on-going service) can be considered safe.

Method

The technical core of the GSC will be a structured Safety Argument. A Safety Argument is a hierarchical set of arguments and evidence supporting a claim that the proposed system is acceptably safe, as shown in outline below.

Figure 1-1 Generic safety argument structure (diagram; node text as transcribed):

Arg 0: Change_SGxy will be acceptably safe in operational service
Cr001: The risk of an accident following Change_SGxy shall be: 1. Within the regulatory requirements, e.g.: a. such that the whole ATM service meets ESARR 4 Design Safety Targets (SAM-FHA ch3 GM E); OR b. no greater (and preferably lower) than currently exists; AND 2. reduced as far as reasonably practicable.
A001: Current ATM service is accepted as being safe
J001: Change_SGxy is being introduced to meet a legitimate operational need
C001: Operational concept (SAM-FHA ch1-gm A)
C002: Subject to declared Assumptions, Limitations and outstanding Issues
St001: Specify safety criteria for each of the 4 main life-cycle stages and show that each stage is / will be acceptably safe, i.e. the safety criteria are sufficient to achieve the required level of safety, and are satisfied
Arg 1: Change_SGxy Concept is acceptably safe, in principle
Arg 2: Change_SGxy Implementation is acceptably safe
Arg 3: Migration to Change_SGxy will be acceptably safe
Arg 4: On-going Operation of Change_SGxy will be shown to be acceptably safe
St002: Show that the Safety Requirements satisfy Cr001: item 1 (Args 1.1 & 1.2); item 2 (Arg 1.3)
St003: Show that Safety Requirements are satisfied: 1. Initially in system design; 2. Subsequently in the realisation of that design
St004: Show that risk during (and immediately following) Migration will satisfy Cr001 item 2
St005: Safety Monitoring will satisfy Cr001 items 1 and 2
Further figure references shown in the diagram: Fig 2, Fig 7, Fig 10, Fig 11.

The Criteria define what is meant by acceptably safe in the Claim, i.e. how safe is safe enough. The Justification explains why the change is being made, for example in terms of safety, capacity, efficiency or environmental benefits. Assumptions set out high level, overarching dependencies on other systems that are outside the control of those proposing the change. More detailed assumptions, for example about data such as the range of temperatures and pressures encountered, or the validity of certain mathematical models, are often more conveniently shown within the specific Arguments to which they apply.

Systems are only safe within certain contexts. The Argument therefore includes definition of the Context: the current operational environment in which the new system will be implemented. The Arguments supporting the Claim are developed (i.e. expanded into sub-arguments) to a point at which Evidence to substantiate them is available, or could realistically be gathered, or where a gap is apparent.

1.4. Safety Case Lifecycle

The safety case will be a living document, also after the completion of the NEFAB project. This is to ensure the provision of sufficient evidence for the argument that the on-going services will be acceptably safe. The argument structure will be developed based on EUROCONTROL guidelines, along with parts of the evidence for the claim of an acceptably safe concept and design. The criteria, justification, context and assumptions are relevant to the agreed environment and in the context of the existing legislative framework. The evidence for safe implementation will continue into the implementation phase of the project along with the evidence for a safe migration into operations.

2. Scope

As required by SES legislation, this safety case will form a part of the file that will be submitted to the European Commission for the NEFAB. It is therefore limited to arguing that those elements of safety that are required to ensure compliance with all applicable safety regulations are adequately addressed within the NEFAB development.

This Safety Case covers a description of the identified framework with relation to the following safety aspects:
- The framework for safety regulation from the States' perspective
- Safety oversight of the NEFAB ANSPs and arrangements for NSAs agreement
- Safety management arrangements on NEFAB level, and within each ANSP, and how this is developing, including interfaces with NSAs and adjacent FABs
- NEFAB modification process

Because the NEFAB is implemented at the States level, the oversight of ANSPs within NEFAB is included within the scope of the safety case.

Taking into account EC guidance materials as well as the approach proposed by EUROCONTROL for developing FAB safety cases, the NEFAB safety case is not considered to be a safety related change as defined by EC 1315/2007. As a consequence, the NEFAB safety case does not need to be approved by the NEFAB NSAs and the creation of NEFAB does not require the formal acceptance of the NEFAB NSAs within the framework of Commission regulation 1315/2007.

This safety case excludes quantified arguments of safety for NEFAB. The reason is that the NEFAB is considered to be an institutional change to regulation, airspace, and ANSPs, and how they cooperate; hence quantified claims cannot be substantiated within this context. However, the NEFAB safety case will address the safety management processes that will be established and refined within NEFAB in order to enable such claims to be made as the NEFAB continues to develop and mature.

This safety case covers the safety arguments in case of provision of air navigation services in all or part of NEFAB airspace without certification.

This safety case covers the safety arguments in case of involvement in the FAB of non-EU states.

This safety case demonstrates, whenever applicable, at least by means of a list of approved safety assessments, that the following operational aspects of NEFAB have been covered:
- Migration from the current situation to NEFAB
- Airspace design aspects
- Procedural aspects
- Coordination aspects
- Common situational awareness aspects
- Human resources aspects
- Equipment/technical aspects
- Continuous maintaining of the systems
- Service aspects

- Contingency planning

In particular, information on safety assessments for NEFAB modifications having an impact on neighbouring FABs or third countries is included.

This safety case identifies the specific point of responsibility for continuous maintenance of the FAB safety case.

This Safety Case contains a high level description of the NEFAB safety issues. For more detailed information, for example safety cases of individual ANSPs or new NEFAB airspace changes, please refer to other related documents.

3. System Description

The different Initiative Working Papers (IWP) delivered at this stage of the NEFAB Feasibility study give an overview of the current situation within different areas as well as an overview of proposed changes that could be brought forward to the NEFAB design and implementation phase. The nature and planned implementation of changes will depend on management decisions made after completion of the feasibility study. Below a reference to the IWP documents is provided.

For all of the IWPs the chapters describing the current situation as well as chapters outlining proposed changes are as follows:
Chapter 4: Description of the current state
Chapter 5: Ongoing development
Chapter 6: Future Service Concept
Chapter 9: High level time line for realization

The relevant IWPs are the following:
- IWP-01 ATS routes and sectorisation
- IWP-03 Optimisation of ATS
- IWP-04 Optimisation of ASM and ATFCM
- IWP-05 Optimisation of ancillary services
- IWP-06 Harmonisation of rules and procedures
- IWP-07 Optimisation of training services
- IWP-08 Supervision and monitoring of CNS infrastructure
- IWP-09 Commonality of CNS/ATM systems
- IWP-10 Joint evaluation of new technology and joint strategies planning within CNS and ATM
- IWP-11 Common System Maintenance
- IWP-12 Joint procurement
- IWP-13 Safety Management Systems

4. Justification

The justification behind the NEFAB declaration is described in this section, with each sub-section giving a breakdown of the corresponding topic.

Cost efficiency
- Improved air traffic management and support functions

- Sectorisation based on operational needs and traffic demand without regard to national borders or existing areas of responsibility
- Standardization of processes and procedures
- Common ATM development planning and shared validation process
- Standardization of processes and procedures
- Common development and/or common procurement of training
- Common or harmonized AIS
- Reduction of overall costs by common and/or harmonized procurement and maintenance of CNS
- Flexible operations through common/harmonized processes and procedures as well as common use of resources and systems
- Regional contingency solution to support uninterrupted ANS provision
- Common charging policy to ensure predictable and transparent cost for the users

Flight efficiency
- Optimization and consistent route network and direct routes through the total NEFAB area
- Regional ASM and Air Traffic Flow and Capacity management
- Flexible use of airspace across the NEFAB area
- User preferred flight trajectories with more efficient and economic flight profiles
- Optimized use of airspace structure
- Improved operational cooperation and interoperability between systems
- Cross border military training areas enabling more efficient use of airspace for military and civil operators

Safety
- Higher safety level by common and harmonized procedures
- Improved information and data exchange between ANSPs and NSAs

4.4. Environment
- Optimisation of airspace structure, direct routing and user preferred trajectories reducing emissions

4.5. Bargaining power
- Better position through common strength, size and strategic importance

Customer orientation
- Common/harmonized customer consultation
- System-wide information management with transparency and user focus.

5. NEFAB safety case maintenance

The main responsibility for keeping the NEFAB safety case up to date lies with the NEFAB Programme management office (PMO). The NEFAB safety management manual will describe the responsibilities for maintaining this safety case after NEFAB implementation, and the circumstances when updates will be required.

As the NEFAB safety case is the overall responsibility of all States involved in NEFAB, each individual State, NSA and ANSP is responsible for providing relevant information to the NEFAB PMO for it to deal with arrangements for managing such changes, updating the safety case, and informing Member States, EASA, the Commission and other interested parties of these changes.

6. Safety argument structure

The following sections give an overview and short descriptions of the safety arguments and evidence to show how each of the arguments is going to be met, together with criteria, justifications, assumptions and contexts.

The NEFAB safety argumentation provides the structure and top-level view of the safety argument that the NEFAB is and will be maintained acceptably safe.

It is assumed that the establishment of NEFAB is an organisational change, and hence, in order to argue that the NEFAB is implemented safely, compliance with these high level safety regulatory requirements needs to be shown.

The three pillars of the safety strategy relate to the regulatory framework for the NEFAB, the safety oversight of NEFAB ANSPs, and the safety of services provided by those ANSPs. This includes inter and intra coordination between the regulators, NSAs, ANSPs and adjacent airspace users.

To make clear which of the aforementioned levels each piece of evidence refers to, colour-coding is introduced.

6.1. The main safety argument

The main safety argument for which overall assurance is required is the following:

Arg 0. NEFAB is and will be maintained acceptably safe

This argument is subsequently based on several lower-level arguments, and is supported by criteria, justifications, assumptions and contexts for NEFAB, see GSN diagrams below:

Figure 1. Argument 0: NEFAB is and will be maintained acceptably safe

Criteria

Safety criteria define what is safe in the context of the main argument (to decide what will constitute "acceptably safe"). The criteria for judging if the NEFAB main argument (Arg 0) is acceptably safe are:

Criteria Cr001. At least as safe as today.

There is no increase in the number of incidents/accidents induced by implementing NEFAB.

Criteria Cr RCS and SOCS (Ref Safety Plan, Sec 3.3) 2. As low as reasonably practical (ALARP)

The common Risk classification schemes (RCS) and Safety objective classification schemes (SOCS) will be followed. Currently there are differences in the RCS and SOCS used by the different ANSPs in NEFAB. Therefore it has been agreed to use the RCS recommended in ED-125 for the scope of the NEFAB, and a common SOCS for the NEFAB was derived according to the ED-125 Fixed Prescriptive model. Details of the agreed RCS and SOCS are described in the NEFAB Project Safety Plan, sec 3.3.

Not all risks are manageable to the extent that they are no longer a factor. It may also be economically impractical to use a certain mitigation strategy (the cost outweighs the benefit). Generally, risks have to be managed to a level known as "as low as reasonably practicable" or ALARP. This means that the risk must be balanced against the time, cost and difficulty of taking measures to reduce or eliminate the risk.

Criteria Cr003. Fulfilling SES requirements.

The SES requirements are and will be fulfilled as required by EC.

Context

Context describes the operational context (environment) for the main argument.

Context C001. Existing rules and regulations, NEFAB feasibility study, current infrastructure, current safety culture.

The context we have to consider for the main argument for NEFAB is: existing rules and regulations which have to be followed today, the NEFAB feasibility study with possible concepts, the current infrastructure being operated today and safety culture differences.

Justification

Describes the main goal of introducing NEFAB.

Justification J001. Improve costs and flight efficiency, satisfy regulatory requirements.

The main goal of implementing NEFAB is to increase the effectiveness, efficiency and cost effectiveness and to fulfil regulatory requirements.

Assumptions

This section describes assumptions on which the main argument relies. During the work with the safety assessment the project track has made the following assumptions.

Assumption A001: Oversight is organized in a proper and effective way.

Assumption A002: Within NEFAB there are seven ANSP organizations, each with an individual Safety Management System.

Assumption A003: All ANSPs within NEFAB are certified providers, designated to provide Air Navigation Services within the airspace of their respective States and the airspace where the state concerned is responsible for the provision of Air Traffic Services.

Assumption A004: For the first phase NEFAB will be a loose cooperation between the ANSPs. Mapping is done by identifying areas relevant for the NEFAB project. This implies that the project has not considered Common Requirements in any other context than safety.

Assumption A005: Operational manuals and procedures will be a part of the local documentation, including the bilateral agreements.

Assumption A006: The project in itself will not affect the way third party or external services are being dealt with locally.

Assumption A007: Issues related to responsibility and accountability need to be addressed both for the project and for NEFAB. The issues related to NEFAB must be analysed at a later stage based on scenarios for different business models and FAB governance principles.

Assumption A008: In developing the FAB with associated Safety Management Systems, a certification or approval from one NSA is automatically accepted by any other NSA in the FAB based on multilateral agreements and mutual recognition of all NSAs within the FAB.

Assumption A009: In assigning tasks or activities to ANSPs within the FAB, the certification and designation of each ANSP is not limited to the state within which the ANSP is located but extended to the entire FAB or to parts thereof as considered required for each state and ANSP.

Strategy

Strategy describes the logic used to derive the sub-arguments for the main argument (Arg 0).

Strategy St001. We are looking at 3 phases: How it is, how it will be and how we are getting there.

The strategy used for the NEFAB main safety argument is to address three different phases: the current one, how to handle the changes and, after a certain change is implemented, how to prove that the future operation is acceptably safe.

Sub arguments for main safety argument

To support the main argument, three main sub-arguments are derived:

Arg 1. NEFAB safety management and oversight arrangements are sufficient and appropriate to enable safe NEFAB declaration.
The purpose of this argument is to assure that air navigation services currently provided in all involved NEFAB countries are acceptably safe. It will mainly be done by showing that safety management and oversight arrangements are sufficient and appropriate.

Arg 2. All changes are managed in a safe and systematic way.
The purpose is to show that all planned changes for NEFAB will be managed in an acceptably safe and systematic way.

Arg 3. NEFAB on-going operations are acceptably safe.
The purpose is to show that after the implementation of a certain change, the on-going operations will be acceptably safe.

6.2. Argument 1. NEFAB safety management and oversight arrangements are sufficient and appropriate to enable safe NEFAB declaration.

Argument 1 demonstrates that NEFAB safety management and oversight arrangements are sufficient and appropriate to enable safe NEFAB declaration and set the base for further operations on the NEFAB level. This argument shows that the safety regulatory framework, safety oversight and safety management arrangements meet SES legislation requirements.

Arg 1.1 NEFAB has a common safety policy
The safety policy reflects that NEFAB will establish and maintain a high and uniform level of ATM safety, contributing to overall aviation safety. It is expected to result in enhanced levels of safety compared with current ones. The NEFAB safety policy defines relevant lines of responsibility and accountability of the State, the NSAs and ANSPs.

Arg 1.2 Adequate arrangements exist for reporting & investigation of accidents and incidents, including data collection, analysis and exchange.
This argument addresses these aspects only in the area of ATM/ANS, covering all 2 levels: State, NSA and ANSP.

Arg 1.3 Safety is managed to prevent degradation in NEFAB safety performance.
This argument demonstrates that processes/procedures are in place to anticipate future changes to services or systems. Such changes can arise from gradual, incidental changes occurring in the operational environment.

Arg 1.4 Adequate arrangements exist and responsibilities are assigned for safety targets setting and safety oversight.
This argument demonstrates that there are arrangements in place to deal with target setting, monitoring and oversight function within NEFAB.

Figure 2. Argument 1: Present ANS are acceptably safe in all countries involved in NEFAB

Arg 1.1 NEFAB has a common safety policy

Fig 1.1 Arg 1.1 NEFAB has a common safety policy (diagram; node text as transcribed):
Argue that NEFAB has a common safety policy agreed by ANSPs, NSAs and States, and that there is a safety policy change control process
Arg: The NEFAB safety policy is published
Arg: A process exists to modify NEFAB safety policy
Ev: Safety Policy Document
Ev: NEFAB SMS
Ev: State Agreement
Ev: NSA Agreement
Ev: ANSP Agreement

Arg 1.2 Adequate arrangements exist for reporting & investigation of accidents and incidents, including data collection, analysis and exchange.

Evidence

Ev: The safety policy will be developed and published in close cooperation with all involved states. Refer to IWP13 Safety Management Systems.
Ev: The safety policy is an integral part of the NEFAB Safety Management System.
Ev: The NEFAB safety policy is a document that is published by States. Refer to State/NSA/ANSP agreement for arrangements dealing with safety policy changes.
Ev: The NEFAB safety policy is a document that is published by States. Refer to State/NSA/ANSP agreement for arrangements dealing with safety policy changes.
Ev: The NEFAB safety policy is a document that is published by States. Refer to State/NSA/ANSP agreement for arrangements dealing with safety policy changes.
Ev: The AIBs for each State within NEFAB are as follows:
- Norway: Havarikommisjonen for Sivil Luftfart og Jernbane (HSLB)
- Finland: Onnettomuustutkintakeskus - Accident Investigation Board Finland
- Estonia: Aircraft Accident Investigation Department, Ministry of Economic Affairs and Communications of Estonia
- Latvia: Aircraft Accident and Incident Investigation Bureau of the Republic of Latvia (AAIIB)

Arg Provision for reporting & investigation of accidents and incidents, and plans for safety data collection, analysis and exchange exist at state level.

Fig Arg Provisions for reporting & investigation of A & SI and plans for safety data collection, analysis and exchange exist at State level (diagram; node text as transcribed):
Argue that NEFAB SIAs have appropriate and documented arrangements & procedures for A & SI reporting and investigation, as well as plans / arrangements (as applicable) for safety data collection, analysis and exchange
Arg: SIAs have documented procedures for A & SI investigation in compliance with Annex 13 and Regulation 996/2010 requirements
Arg: Plans / arrangements exist for safety data collection, analysis and exchange at State/SIA level
Ev: SIA manuals
Ev: NEFAB State agreement

Evidence

Ev: Please address each AIB individually:
- Norway: Statens Havarikommisjon for Transport - Accident Investigation Board Norway
- Finland: Onnettomuustutkintakeskus - Accident Investigation Board Finland
- Estonia: Aircraft Accident Investigation Department, Ministry of Economic Affairs and Communications of Estonia
- Latvia: Aircraft Accident and Incident Investigation Bureau of the Republic of Latvia (AAIIB)
Ev: Refer to NEFAB State agreement.

Arg Procedures for dealing with accidents and incidents reporting & investigation and plans for safety data collection, analysis and exchange exist at NSA level.

Evidence

Ev: ESIMS audits and Peer reviews programme are executed. NSA annual reports to EC are provided in each State's LSSIP.
Ev: Refer to NSA Agreement.

Arg Procedures for accidents and incidents reporting & investigation and plans for safety data collection, analysis and exchange exist at ANSP level.

Fig Arg Procedures for A & I reporting and incident investigation, and plans for safety data collection, analysis and exchange exist at ANSP level (diagram; node text as transcribed):
Argue that NEFAB ANSPs have appropriate and documented arrangements & procedures for A & SI reporting and incident investigation, as well as plans / arrangements (as applicable) for safety data collection, analysis and exchange
Arg: ANSPs have documented procedures for A & I reporting and incident investigation
Arg: ANSPs have plans / arrangements for safety data collection, analysis and exchange
Ev: ANSP SMMs
Ev: ANSP SMMs
Ev: IWP13 SMS

Evidence

Ev: Each ANSP within NEFAB is certified according to EC regulation Nr. 1035/2011.
Ev: Each ANSP has arrangements for executing safety data collection and analysis according to SES legislation. Within NEFAB there will be agreement on information exchange principles set in IWP13 Safety Management Systems.
Ev: Refer to IWP13 Safety Management Systems.

Arg 1.3 Safety is managed to prevent degradation in NEFAB safety performance.

Evidence

Ev: Each ANSP is certified according to EC Reg. 1035/2011.
Ev: Refer to NEFAB Change Management Manual (CMM).
Ev: Refer to NSA Manuals.

Arg Adequate safety monitoring arrangements and procedures exist at NSA and ANSP level.

Evidence

Ev: NEFAB Programme Management Office will have responsibility for target setting and monitoring function. Refer to NEFAB Business model. Refer to IWP13 Safety Management Systems.
Ev: NEFAB Performance Indicators are published by States. Refer to State/NSA/ANSP agreement for arrangements dealing with Performance Indicators.
Ev: NEFAB Performance Indicators are published by States. Refer to State/NSA/ANSP agreement for arrangements dealing with Performance Indicators.
Ev: NEFAB Performance Indicators are published by States. Refer to State/NSA/ANSP agreement for arrangements dealing with Performance Indicators. NEFAB Programme Management Office will have responsibility for Performance Indicator coordination function. Refer to NEFAB Business model. Refer to IWP13 Safety Management Systems.
Ev: Refer to NSA Agreement.
Ev: Refer to NSA manuals.
Ev: Each ANSP is certified according to EC Reg. 1035/2011.

Arg 1.4 Adequate arrangements exist and responsibilities are assigned for safety targets setting and safety oversight.

Fig 1.4 Arg 1.4 Adequate arrangements exist and responsibilities are assigned for safety targets setting and safety oversight (diagram; node text as transcribed, in the order extracted):
Argue that NEFAB partners have allocated responsibilities and documented arrangements for safety target setting at NEFAB and/or State level, and that safety oversight of ANS provision in the NEFAB is adequate
Arg: Responsibilities for safety target setting in NEFAB are identified and allocated
Arg: Safety targets have been defined at State and/or NEFAB level
Arg: Responsibilities & arrangements for safety oversight in NEFAB are adequate and documented
Ev: State Agreement
Ev: NSA Agreement
Ev: ANSP Agreement
Arg: Arrangements, processes and the interfaces for safety target setting are documented
Ev: State Agreement
Ev: NSA Agreement
Ev: ANSP Agreement
Ev: State Agreement
Ev: NSA Agreement
Ev: ANSP Agreement

Evidence

Ev: NEFAB target setting is done by States. Refer to State/NSA/ANSP agreement for arrangements dealing with Target setting.
Ev: NEFAB target setting is done by States. Refer to State/NSA/ANSP agreement for arrangements dealing with Target setting.
Ev: NEFAB target setting is done by States. Refer to State/NSA/ANSP agreement for arrangements dealing with Target setting. NEFAB Programme Management Office will have responsibility for target setting and monitoring coordination function. Refer to NEFAB Business model. Refer to IWP13 Safety Management Systems.
Ev: Refer to State Agreement.
Ev: Refer to NSA Agreement.
Ev: Refer to ANSP Agreement. NEFAB Programme Management Office will have responsibility for target setting and monitoring coordination function. Refer to NEFAB Business model. Refer to IWP13 Safety Management Systems.
Ev: Refer to State Agreement.
Ev: Refer to NSA Agreement.
Ev: Refer to ANSP Agreement. NEFAB Programme Management Office will have responsibility for target setting and monitoring coordination function. Refer to NEFAB Business model. Refer to IWP13 Safety Management Systems.

Arg Responsibilities & arrangements for safety oversight in NEFAB are adequate and documented.

Evidence

Ev: Refer to NSA Agreement.
Ev: Refer to NSA Agreement.
Ev: Refer to NSA Agreement.
Ev: Refer to NSA Agreement.

6.3. Argument 2 All changes are managed in a safe and systematic way

Argument 2 demonstrates how and why changes to the existing ANS/ATM baseline will be managed in order to assure that the safety of ANS/ATM delivered by states in NEFAB will be maintained.

The strategy to show Arg 2, i.e. that all the planned changes for NEFAB will be managed in an acceptably safe and systematic way, is to define relevant safety objectives, ensure that all changes and stakeholders are identified and ensure that all changes are assessed. Hence argument 2 is divided into three sub-arguments:
- Arg 2.1. Safety objectives are defined,
- Arg 2.2. All changes and stakeholders are identified,
- Arg 2.3. All changes are assessed

Arg 2.1 Safety objectives are defined

In order to have a common level of safety within the project, the need to define NEFAB common safety objectives has been identified. To be able to define these safety objectives, a methodology to derive them has to be agreed upon. It is also necessary that the safety objectives are established within the NEFAB project and by the ANSPs, i.e. they are approved by the project team and the ANSPs.

Arg 2.1 is divided into the following four sub-sub-arguments:
- Arg Safety objectives are defined,
- Arg Methodology in place to derive safety objectives,
- Arg Safety objectives are approved by project team and ANSPs,
- Arg Safety Objectives are kept updated

Arg 2.2 All changes and stakeholders are identified, and Arg 2.3 All changes are assessed

To have a complete safety case, it is necessary to assess all changes, even though not to the same level. Consequently it is important that all changes are identified. To make sure that the changes and their effect on safety are well established within the NEFAB project and by the ANSPs, all relevant stakeholders have to be identified and responsibilities defined.

Arg 2.2 is divided into the following three sub-sub-arguments:
- Arg Responsibilities are defined,
- Arg Changes are identified,
- Arg Stakeholders are identified.

Figure 3. Argument 2: All changes are managed in safe and systematic way

Figure 4.

Evidence

Ev: Necessary evidence to prove that safety objectives are defined is: List of Objectives, i.d. FHA report, List of high level hazards, i.d. FHA report.
Ev: Necessary evidence to prove that methodology to derive safety objectives is in place is: Description in Safety plan.
Ev: Necessary evidence to prove that Safety objectives are approved by project team and ANSPs are: Reviewed meeting minutes by the meeting participants and those from ANSPs not represented at the meeting. This will ensure that the discussions and conclusions of the meeting are correct, and thus the foundation for the report itself is correct. Review and approval of FHA report by all ANSPs.
Ev: Necessary evidence to prove that Safety Objectives are kept updated is: Records of reviewing, Safety plan.
Ev: Necessary evidence to prove that responsibilities are defined is: List of responsibilities, which could be found in the governance document.
Ev: Necessary evidence to prove that Changes are identified is: List of changes (project track action plan).
Ev: Necessary evidence to prove that Stakeholders are identified is: List of stakeholders.
Ev: Necessary evidence to prove that all changes are assessed is: Safety Assessment Records, Safety Cases, meeting minutes etc. Safety Plan.

6.4. Argument 3 NEFAB on-going operations are acceptably safe

Arg 3.1 NEFAB SMS is in place

The project has identified and determined all essential components of SMS organisations and existing procedures to ensure that the accountabilities as well as the responsibilities are clearly known and understood. This is to ensure that the ongoing and future operations will be properly managed and remain safe. Each organisation as well as the project has a systematic SMS in line with SES regulation. The project will deliver sufficient processes and documentation, including the NEFAB declaration document and SMS project track action plan, to demonstrate that safety issues will be managed to ensure that the operations will remain safe.

This argument is supported by the following two sub-arguments:

Arg Accountabilities and responsibilities between states, NSAs and providers are identified
Arg SMS Processes in place

Arg 3.2 Harmonisation of ANSPs SMSs

The SMS harmonisation process is being studied in accordance with SES regulation and presented as an initiative for the project. The essential parts and differences of individual SMS procedures are identified and will be managed by co-operative activities between the ANSP organisations, including the revision of documentation.

Arg 3.3 Agreed operational concepts in place

Agreed operational concepts will be in place to meet the demands of prevailing conditions. The competency and training schemes will be harmonised to an adequate level. System commonality and interoperability is ensured to meet the regulatory as well as the operational demands and will be presented in the form of technical files, lists and agreements. Harmonized rules and procedures will be in place and will be presented as revised ops/tec manuals.

This argument is supported by the following two sub-arguments:

Arg Accountabilities and responsibilities between states, NSAs and providers are identified
Arg SMS Processes in place
Arg Harmonized rules and procedures in place

Figure 1. Argument 3: NEFAB on-going operations are acceptably safe

Evidence

Necessary evidence to prove that accountabilities and responsibilities between states, NSAs and providers are defined is: NEFAB declaration document.

Necessary evidence to prove that SMS processes are in place is: SMS project track action plan (Initiative 13).

Necessary evidence to prove that the ANSPs SMSs are harmonised is: Revised ANSP local documents.

Necessary evidence to prove that the competency/training schemes are harmonised is: Schemes, training records.

Necessary evidence to prove that system commonality and interoperability is in place is: Technical files, Lists of agreements.

Necessary evidence to prove that rules and procedures are harmonised is: Agreements, Revised documents (incl. ops/technical manuals).

7. Caveats/Limitations

This is the first draft of the safety case and thus the safety arguments might not be complete. Further iterations and reviews of the safety case will provide confidence that the arguments are complete and correct.

The evidence to support the safety arguments is, at this stage of the project, not yet produced; thus it is not possible to make any conclusion on the achievement of the set goals.

At this stage in the safety case development the NEFAB project is still in an early stage of development and the actual changes are not yet clearly defined. The scope of the safety case might therefore change as the project matures.

8. Conclusions

Considering the scope, assumptions, caveats and given the current limitations, the NEFAB safety case in this first edition is complete to the extent possible, taking into account the early stage of the NEFAB project.

This safety case describes future activities within the project that are considered required in order to ensure a safe implementation of changes and a continued safe operation within NEFAB. By completing the activities described to provide the evidence listed to support the arguments, it is considered that the top claim, NEFAB is and will be maintained acceptably safe, will be achievable.