SRC POSITION PAPER. Review of the Product Safety Case for Local And sub-regional ASM Support System (LARA) Version 1.2, dated 08 December 2010


EUROCONTROL
SRC POSITION PAPER
Review of the Product Safety Case for Local And sub-regional ASM Support System (LARA) Version 1.2, dated 08 December 2010
Edition March 2011, Released Issue

Position Paper and Advice to States

This paper denotes the SRC Position and advice to ATS implementers and National Supervisory Authorities ensuing from a review of the Product Safety Case (PSC) for Local And sub-Regional ASM Support System (LARA) Version 1.2, dated 08 December 2010. The review was conducted by nominees from NSA/Member States of the SRC Coordination Group following a mandate approved at the 17th meeting of the Safety Regulation Commission's Coordination Group held on 15 September. In accordance with SRC DOC 6, the NSAs of Member States were involved in the review task force. Belgium (BSA-ANS) and Romania provided their expertise during the review of the LARA safety case.

The comments and positions contained in this Position Paper are for information purposes only. They do not constitute formal approval, acceptance, certification or any other legal commitment, which remain the responsibility of the authorities and entities concerned, and shall not be interpreted or inferred as being such. This Position Paper is provided without any warranty of any kind, either express or implied. EUROCONTROL shall not be held liable for any direct or indirect loss resulting from the use of the review.

SRC Position

The Product Safety Case (hereafter referred to as "PSC") for Local And sub-regional ASM Support System (LARA) presents a credible set of generic arguments for the improvement of airspace management processes by providing mutual visibility on civil and military airspace requirements, by increasing mutual understanding and by enabling a more efficient collaborative decision-making process.

LARA is a EUROCONTROL software application intended to support and enhance the airspace management process. It provides real-time exchange of airspace management data between the involved actors, enabling collaborative decision making and enhanced situational awareness throughout the airspace management process.

LARA's functionality encompasses all phases of airspace management, reaching from long-term event planning to airspace management at levels 2 and 3, including real-time coordination of airspace activation. The capability to connect a national LARA system to neighbouring LARA systems allows seamless coordination between different states and facilitates efficient cross-border operation. LARA provides a user-friendly interface to allow online airspace reservation, enable transparent coordination and maximise automation of routine tasks. Through a shared real-time airspace status display, the situational awareness of all players is enhanced. The system is designed to allow configuration of all relevant system parameters to adapt to national procedures.

The safety assessment for LARA was completed using a generic implementation scenario, in which LARA was assessed as it would be used in a typical environment. It was not assessed in a specific environment for a specific Air Navigation Service Provider (ANSP) implementation. For this reason, assumptions were made that need to be validated. Also, the safety case for LARA does not include a description of a specific change or implementation.

It focuses on functionalities derived from the requirements for the development of the LARA system itself, and does not focus on either human or procedural aspects, other than to state requirements for procedures to be implemented by LARA users.

The SRC reminds Implementers/ANSPs and other potential users that a PSC is not a stand-alone document and that Implementers are responsible for developing their own Local Safety Case. Valuable guidance material is provided throughout the PSC to assist Implementers and National Authorities in identifying issues that need to be resolved at a local level.

Several key assumptions are made in the PSC to support the safety arguments in the specific operational environments described in the PSC. Implementers are reminded that the key assumptions and the operational scenarios described in this PSC need to be compared to the Implementer's current environment and subsequent target environment(s) and operational scenarios, and validated accordingly. In particular, the SRC draws attention to the:
- Assumptions and arguments in this PSC;
- Concept of use;
- Operational environment description and scenarios;
- Hazard severities and apportionment of risk;
- Mitigation means, and the effectiveness of such mitigation;
- Characteristics of the airspace management, as a basis for comparative assessment, to be made according to each individual State/NSA's criteria.

Notwithstanding the SRC's Position and comments expressed in this paper, the SRC upholds the individual liberty of Implementers to use safety assessment methodologies and document structures other than those presented in this PSC. It is the responsibility of the Implementer to develop a documented body of evidence that provides a convincing and valid argument that the LARA system is adequately safe for a specific use in a given environment, in accordance with specific requirements set by their National Authority.

Contingent upon consideration of the key issues and advice identified in this paper, which is based upon the Guidance Material contained in the PSC, the SRC concurs that the LARA PSC is:
- A valuable source of information for National Supervisory/Approving Authorities, and
- An important document for Implementers, ANSPs and other potential users that may be used as a reference and framework to develop Local Safety Assessments and Local Safety Cases for LARA.

LARA PSC Context and Development

The PSA summarises the results of the Functional Hazard Analysis (FHA), the Preliminary System Safety Assessment (PSSA) and the software part of the System Safety Assessment (SSA). The results of the FHA, as well as the PSSA, were used to define the integrity requirements for the development of the LARA software as defined by ESARR 4 and, more specifically, by ESARR 6 (SWAL). The results of the verification of whether the development of LARA is compliant with the related SWAL requirements are summarised in this PSC.

The goals of the safety assessment were the:
- Identification of the operational services and system functions, within the scope of the system component for which this Preliminary Safety Case is the basis, for further safety assessments;
- Definition of qualitative safety objectives per hazard;
- Apportionment of safety objectives to the ATM system components to be further assessed;
- Determination of safety requirements at the ATM system function level within the scope of the ATM system components to be further assessed;
- Derivation of the SWAL requirements based on the safety requirements identified;
- Provision of evidence that the SWAL requirements have been fulfilled during the development of the software.

The safety assessment of changes to ATM systems needs to address three aspects: the system, the procedures and the human aspects. This PSC is generic, as it focuses on neither the procedural nor the human aspects. It focuses on the implemented functionality derived from the requirements for the development of the LARA system itself. It is assumed that the procedures for operational usage to be implemented by LARA users are adequate and correct, and no Procedure Assurance Levels are derived (although this may be undertaken by an individual ANSP user). Human factors have only been taken into account as positive mitigation of risks. It is assumed that the humans involved are well trained and adequately skilled to mitigate risks.

SRC Advice

The PSC sets out a generic argument to support LARA. The SRC notes that the PSC provides arguments and evidence that LARA is safe subject to correct implementation by the ANSP, and therefore provides a basis for the ANSP safety case. This local safety case will in due course be part of the safety arguments presented by the ANSP to the National Supervisory Authority (NSA) before the introduction into service of the local changes due to the LARA implementation.

However, ANSPs choosing to deploy LARA are responsible for developing their own Local Safety Case and cannot rely on the PSC. Guidance material is provided throughout the PSC to identify the issues that need to be addressed at local level.

The SRC recognises that LARA's functionality encompasses all phases of airspace management, reaching from long-term event planning to airspace management at levels 2 and 3, including real-time coordination of airspace activation. The capability to connect a national LARA system to neighbouring LARA systems allows seamless coordination between different states and facilitates efficient cross-border operation.

The SRC considered that the LARA software is covered by the scope of Regulation (EC) No. 552/2004 Annex 1, as it is part of "Systems and procedures for airspace management". In accordance with Article 9 of the oversight Regulation (EC) No. 1315/2007, the NSA will ascertain that such systems are accompanied by a Declaration of Conformity or Suitability for Use as well as a Declaration of Verification. Compliance with the interoperability requirements will be verified by the NSA before the entry into service of the LARA software; this includes the:
- Declaration of suitability for use of the LARA software;
- Technical file of the LARA software and its related documentation.

The SRC acknowledges that LARA provides a user-friendly interface to allow online airspace reservation, enable transparent coordination and maximise automation of routine tasks. Moreover, the situational awareness of all players is enhanced through a shared real-time airspace status display. The LARA system is designed to allow configuration of all relevant system parameters to adapt to national procedures. Therefore, several key assumptions are made in the PSC to support the safety argument. It will be necessary for each implementer to validate the applicability of these assumptions in their own operational environment and, if they are not valid, to address them in their local safety case.

Applicable Regulations and Standards for LARA

Standards and manuals established for LARA, to be used by States and ANSPs when considering implementation, are:
- Local And sub-regional ASM system User Manual / CIM/DOC-EC10O9-1.0b / 1.0 / EUROCONTROL, September 2010;
- Error reporting process;
- LARA Software Centre Operator Manual, document reference LARA/SCOM, issue 1, draft 1, July;
- LARA Release notes;
- Software Safety Assessment Report for LARA, GL/LARA/C0102/R/1, version 1.0, Graffica Ltd, August 2010;
- Local And sub-regional ASM system Training syllabus / CIM/DOC-EC10O8-1.0b / 1.0 / EUROCONTROL, September 2010;
- LARA Technical File, suitability for use supporting documents.

Related Regulatory Requirements
- Commission Regulation (EC) No. 2150/2005 laying down common rules for the flexible use of airspace;
- Commission Regulation (EC) No. 1315/2007 on safety oversight in air traffic management;
- Regulation (EC) No. 552/2004 (Interoperability Regulation), amended by Regulation (EC) No. 1070/2009;
- ESARR 4, Risk Assessment and Mitigation in ATM;
- Commission Regulation (EC) No. 2096/2005 (Common Requirements);
- ESARR 6, Software in ATM Functional Systems;
- Commission Regulation (EC) No. 482/2008 establishing a software safety assurance system to be implemented by air navigation service providers;
- ESARR 2, Reporting and Assessment of Safety Occurrences in ATM.

Other Related Documentation
- LARA-specific documentation produced to support the product safety case (LARA Product Safety Case, Version 1.2, 08/12/2010);
- EUROCONTROL Safety Assessment Methodology (SAM), version 2.

© 2011 The European Organisation for the Safety of Air Navigation (EUROCONTROL)

This document is published by EUROCONTROL for information purposes. It may be copied in whole or in part, provided that EUROCONTROL is mentioned as the source and it is not used for commercial purposes (i.e. for financial gain). The information in this document may not be modified without prior written permission from EUROCONTROL.