Your Guide to the Safety Considerations Process v1.0


EUROCONTROL Experimental Centre
Your Guide to the Safety Considerations Process v1.0

This booklet will take you through the EEC Safety Considerations Process. Use it as the first step in identifying the Safety issues that need to be considered in your activity. It will help you:

- Describe the project
- Identify where it may have an impact on Safety
- Decide if the project needs a formal safety plan or not
- Identify what needs to be done to ensure that the project is safe

11 Does this project need a Safety Plan or not?

YES / NO

If there are any items in the list in section 9 that require significant work to resolve, then the project will need a formal safety plan. This decision should be made by the Project Manager and endorsed by the Safety Support Staff member.

Project Manager name:
Project Manager Signature:
Date:

Safety Support Staff name:
Safety Support Staff Signature:
Date:

The Safety Considerations Process

The objective of the Safety Considerations Process is to ensure that each project or activity undertaken by the EEC makes sufficient provision for safety in the design phase. Different projects require different levels of safety activity, and the safety considerations process is designed to surface safety issues as quickly as possible in the project lifecycle. The Safety Team will use the output of this assessment to ensure that the correct level of safety support is made available. Even if the project does not need any specific safety activities, the results of this process will, at least, ensure that it has been assessed systematically.

To supplement the information in this booklet it is advisable to refer to the EEC Safety Handbook. The handbook contains an overview of safety in the EEC, and also explains, at a high level, the different safety techniques and tools that are available. This will help you to decode safety jargon and allow you to embed realistic safety activities into your project plans.

The following EUROCONTROL references have been used in the development of this booklet.

[1] Safety Screening Technique, v0.5, Final draft, 1st March 2006
[2] Main Report for the 2005/2012 Integrated Risk Picture for Air Traffic Management in Europe, v1.0, April

What is next?

The usual approach is to construct a Safety Case that covers all the operational hazards of the project. This is structured in the form of a Safety Argument.

Figure: The Structure of a Safety Argument (with links to sections of this booklet). Elements shown:

- Criteria: Is it absolutely safe? Or at least as safe as before?
- Argument: Safety Claim that we aim to prove
- Assumptions
- Context: Phase of flight; Type of operation, boundaries etc
- Strategy: What we are going to do to prove the argument
- Sub-Argument 1: Safety Impact that needs to be addressed (Model)
- Sub-Argument 2: Safety Impact that needs to be addressed (Study Results)
- Sub-Argument 3: Safety Impact that needs to be addressed
- Safety Plan?

Links shown in the figure: [See point 8], [See point 3], [See point 10.1], [See point 10.2], [From addressing 10.1], [From addressing 10.2], [See point 6], [See points 2, 4 & 9], [Discuss with the Safety Team]

Each thread in the argument requires supporting evidence to demonstrate that the risks are managed to a level that is as low as reasonably practicable. Details on how to construct a safety argument and Safety Plan are given in the Safety Case Development Manual.

A decision now has to be made as to the level of safety planning that is required in the project.

Next steps for Safety

10 What can we do about project concept issues and hazards?
(Refer to points 5 & 9)

Take the list of issues from the project concept noted in section 5 and the benefits and hazards you have detailed in section 9, and prioritise the issues. Space is given for up to 5 in the table below. Against each of the items listed, describe what might be done to address the item. You should refer to the Safety Handbook for an overview of the different methodologies you may use to address the priority items.

Top Priority Items | How to address the Item

A summary of the top safety issues is given above, but what does that mean for a project? What's next?

Using this booklet

You should answer all the questions that are contained in this booklet. You will get better results by going through this booklet together with a member of the Safety Team; however, it is acceptable to do this on your own. A Project Manager may wish to spend half a day with project team members to discuss and answer the questions together.

Space has been provided so that notes can be taken directly in this booklet. This will be useful, as you will be able to use this as raw material for any formal safety documentation that may be needed later. Once you have finished this process, the back page of this booklet should be signed and kept as part of the project record.

If your project needs to consider safety more formally, the next steps to the process are to build an initial safety argument and to create a safety plan. The first steps towards this are discussed in the section entitled "What is next?" at the end of this booklet.

The first part of this booklet defines what the project is intended to achieve.

The Project

1 What is the name of the Project or Activity?

2 Is there a defined operational concept for the project?

The concept of the project is a high level statement of what the project will actually deliver. Ideally a defined operational concept should already be documented, but a short synopsis should be recorded here, along with a suitable reference.

3 Where does the project bring quantifiable improvements to ATM?

A short description of quantifiable benefits should be stated here. Remember that increasing capacity may increase your safety risks (they are calculated on a per flight basis).

Capacity:
Efficiency:
Safety:
Environmental:
Other:

4 What are the main deliverables of the project?

Here you should record what tangible deliverables will be produced from the project and who will use these outputs.

Deliverable | Stakeholder

Now we should have a clear picture of what the project is trying to achieve. The next section looks in more detail.

Looking in more detail

5 Is it clear how the concept will be realised?
(Refer to point 2. Source reference [1])

The following checklist should be used as an aide-memoire; note possible safety impacts where appropriate. You should consider each question, but mark specific points not applicable as necessary.

Resources:
5.1 Will it (the concept) require changes to roles and responsibilities? e.g. between Pilots/ATCOs/Planners
5.2 Will it need additional personnel or roles?

Competence:
5.3 Will it change the competence requirements for ATM personnel?
5.4 Will it need more, better or changed training and development?

Human-system interaction:
5.5 Will it change the human-system interactions? (e.g. computer interfaces, radar screens, etc)
5.6 Will it affect workstation ergonomics and working environment?

Identifying Hazards in the Project Context

9 What are the hazards in the project context?
(Source reference [2])

Overleaf a matrix is given. You can use this matrix to consider where your project may have an effect on accidents. The matrix contains six rows which are classifications of accidents (the relative importance of each accident class to ATM is given in percentage terms). From left to right the columns of the matrix represent a barrier model.

You can use this matrix in the following way:

1. Tick the accident categories that your concept may influence.
2. For each row that you tick, work your way along and consider each box.
3. If your concept may have an impact on a particular box, mark with a letter (A, B, C etc) and make an appropriate note in the accompanying table.

Try to note both positive and negative features, e.g. hazards, consequences, benefits and causes. You can use the following sentences as a guide:

Hazards: These are something that can contribute to an accident.
[A-] I am worried that [Hazard] will lead to [negative Consequence].

Benefits: These are positive effects.
[B+] This project will improve [Benefit] because [Cause].

Human reliability:
5.7 Will it increase workload or workload variability?
5.8 Will it increase task complexity?
5.9 Will it increase error potential?
5.10 Will it reduce error prevention/detection/recovery?

Procedures:
5.11 Will it require changes to procedures?

Communication:
5.12 Will it need additional teamwork, co-ordination and operational communication?
5.13 Will it change communication phraseology and language issues?
5.14 Will it shift the communication workload? (e.g. to a system from a human)

Independence:
5.15 Does it interact with other systems, which may result in interdependent failures?

7 Have interdependencies with other activities been identified at this stage?

Any interdependencies (between projects, equipment, processes or organisations) should also be noted along with possible synergies and possible adverse effects.

8 Is this project/activity producing a concept equivalent in functionality to an existing or previous system?

To demonstrate that the new concept is an improvement on existing arrangements, performance data may have to be obtained which describes the current situation.

The next section looks at hazards in the project context in more detail.

Transparency:
5.16 Are written design specifications available for the concept?
5.17 Has the design taken account of possible failure modes of the system?
5.18 Does it use standardised designs, consistent with other systems?

Redundancy:
5.19 Does it have any possibility of single point failures?
5.20 Will it be possible to maintain service in the event of failures, e.g. by switching to alternative inputs?
5.21 Will it have continuity, i.e. operate for long periods without service interruptions?

Maintainability:
5.22 Can the changed ATM system be maintained in working order throughout its life?
5.23 Can it be quickly repaired to a working state after a failure has occurred?
5.24 Can it be preventatively maintained without degrading system safety or introducing latent failures?

Integrity:
5.25 Are the system outputs trustworthy, i.e. free from errors/faults?
5.26 Does it allow checking to guard against loss of data integrity?
5.27 Will the operation of software components affect the safety of the system?

Operating Environment:
5.28 Is terrain a consideration for this project?
5.29 Will the concept work with different projected traffic levels? (e.g. stable, x2, x5, x10)
5.30 Will this work in all types of weather?

6 Have the results of any previous work been considered at this stage?

Often previous work will have considered relevant Safety issues. Research should include internal work in EUROCONTROL and external work in the industry or research area.