This article explains why a new approach is needed for the safety assessment of the major operational and technology changes that are planned for introduction into European ATM up to 2020 and beyond. This approach has to satisfy two conditions: firstly, it has to be much broader than that traditionally followed in ATM, in that it must address the positive contribution that a fully functioning ATM service makes to aviation safety and not just consider the negative effects that failures within the ATM system might have on the risk of an accident; and secondly, rather than rely simply on current, process-based safety assessments, it must be based on a framework which, in accordance with European safety regulatory requirements, requires that “correct and complete arguments be established to demonstrate that the overall ATM System, as well as its constituent parts, are (and will remain) tolerably safe”. The article presents the theoretical basis for satisfying these two conditions: it explains from first principles how current techniques such as Fault Tree Analysis can be adapted to model ATM’s positive, as well as negative, contribution to aviation safety, and describes how a rigorous safety argument can be derived from sound systems-engineering principles and be used to drive the whole safety assessment / assurance process. The article also gives an overview of how these principles were developed for application to the safety assessment of ATM development projects within the scope of SESAR, the Single European Sky ATM Research programme, equivalent to the US NextGen programme. This approach has already been applied by EUROCONTROL to a number of safety assessments, including enabling projects for SESAR.
Introduction
European airspace is fragmented and will become
increasingly congested as traffic is forecast to grow
steadily over the next 10 years or so. ATM services
and systems are not sufficiently integrated and are
based on overstretched technologies. Therefore, in
order to meet future air traffic needs, the European
ATM services must undergo a massive operational
change, enabled and supported by innovative
technologies.
SESAR - the Single European Sky ATM Research
Programme, equivalent to the US NextGen
programme - is the means of delivering the required
operational and technological changes, by the year
2020. The early safety work on SESAR came to three
very important conclusions:
• that, in order to meet forecast demand, the capacity of the European ATM system would need to increase 1.7-fold by 2020 [SESAR, 2006]
• that, for most ATM-related accident types, the risk of an accident per flight would need to be reduced roughly 3-fold, i.e. by the square of the traffic increase [EUROCONTROL, 2008]
• that merely improving the reliability / integrity of the current ATM system would not make significant inroads into the required safety improvement: additional functionality and improved performance of existing functions would also be required.
2020 Foresight
A Systems-engineering Approach to Assessing the Safety of
the SESAR Operational Concept
Derek Fowler, Eric Perrin, and Ron Pierce
In 2008-09, as part of this early work for SESAR,
EUROCONTROL Brétigny undertook an initial,
a priori safety assessment of the SESAR Concept of
Operations, in order to:
• develop a safety assessment methodology that
would be suitable for the SESAR programme
• apply it, as far as practicable in the time available,
in order to validate its completeness and
correctness and to investigate the degree and
extent to which the SESAR Concept of Operations
had the potential to be at least tolerably safe.
The first major problem for this initial SESAR safety assessment was that, for reasons explained in the next section, most (if not all) extant ATM safety assessment methodologies focused almost entirely on proving the reliability and integrity of ATM systems, by analysing what could “go wrong” within those systems, with very little attention paid to system functionality and performance and what needs to “go right”. What was needed, therefore, was what became known as the “broader approach” to safety assessment.
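The distinction drawn above, and in the three conclusions of the Introduction, between the reliability of ATM systems and the functionality and performance of the ATM service can be made concrete with a small fault-tree calculation. The Python below is an added illustration, not code from the article or from EUROCONTROL; every probability in it is constructed for the example and the barrier names are hypothetical. A risk-reduction function is modelled as a barrier that fails either when it is unavailable (an outage, the reliability/integrity view) or when it is available but does not catch the conflict (a miss, the functionality/performance view). The per-flight accident probability is the AND of a conflict arising and every barrier failing, which is how ATM’s positive contribution enters the tree; a failure-only tree has no miss term and so cannot express it.

```python
"""Fault-tree model contrasting ATM reliability with ATM functionality.

Added illustration: all probabilities below are constructed for the example
and are not SESAR or EUROCONTROL figures; barrier names are hypothetical.
"""
from math import prod

# Risk-per-flight reduction the article says SESAR needs: the square of the
# forecast 1.7-fold traffic increase (about 2.9, quoted as "3-fold").
TRAFFIC_GROWTH = 1.7
REQUIRED_FACTOR = TRAFFIC_GROWTH ** 2


def p_and(*ps):
    """All independent events occur."""
    return prod(ps)


def p_or(*ps):
    """At least one independent event occurs."""
    return 1.0 - prod(1.0 - p for p in ps)


def evaluate(node):
    """Evaluate a tree: a float is a basic-event probability,
    ('AND', [...]) / ('OR', [...]) are gates over child nodes."""
    if isinstance(node, (int, float)):
        return float(node)
    gate, children = node
    ps = [evaluate(child) for child in children]
    return p_and(*ps) if gate == "AND" else p_or(*ps)


def barrier(outage, miss):
    """A risk-reduction function fails if it is unavailable (outage: the
    reliability/integrity view) OR available but misses this conflict
    (miss: the functionality/performance view)."""
    return ("OR", [outage, miss])


def accident_tree(p_conflict, outages, misses, extra_barriers=()):
    """Per-flight accident probability: a conflict arises AND every ATM
    barrier fails AND a final non-ATM barrier fails (the 0.1 is a
    hypothetical last-resort recovery failure probability)."""
    atm_barriers = [barrier(o, m) for o, m in zip(outages, misses)]
    return ("AND", [p_conflict, *atm_barriers, *extra_barriers, 0.1])


def improvement_factor(baseline, changed):
    """How many times lower the accident probability is after a change."""
    return evaluate(baseline) / evaluate(changed)


# Constructed baseline: two hypothetical ATM barriers (say, controller
# detection/resolution and a ground-based conflict alert), each with a
# 1e-3 outage probability and a 10% / 20% miss rate when working.
BASELINE = accident_tree(1e-3, (1e-3, 1e-3), (0.10, 0.20))

# Scenario 1: reliability only, outages ten times rarer, same miss rates.
RELIABILITY_ONLY = accident_tree(1e-3, (1e-4, 1e-4), (0.10, 0.20))

# Scenario 2: performance, same reliability, miss rates halved.
BETTER_PERFORMANCE = accident_tree(1e-3, (1e-3, 1e-3), (0.05, 0.10))

# Scenario 3: new functionality, an additional hypothetical barrier.
NEW_FUNCTION = accident_tree(1e-3, (1e-3, 1e-3), (0.10, 0.20),
                             extra_barriers=[barrier(1e-3, 0.30)])


if __name__ == "__main__":
    print(f"required reduction factor: {REQUIRED_FACTOR:.2f}")
    print(f"baseline accident probability per flight: {evaluate(BASELINE):.3e}")
    for name, tree in [("reliability only", RELIABILITY_ONLY),
                       ("better performance", BETTER_PERFORMANCE),
                       ("new function", NEW_FUNCTION)]:
        print(f"{name:>20}: x{improvement_factor(BASELINE, tree):.2f}")
```

With these constructed numbers the reliability-only change buys about 1%, because each barrier’s failure probability is dominated by its miss rate rather than its outage rate; halving the miss rates or adding a further barrier each exceed the required factor. That is the quantitative shape of the third conclusion above: the tree has to credit what ATM does when it works before improvements in functionality and performance can be assessed at all.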
The second major problem was the sheer complexity of the SESAR Concept, the evolutionary nature of its implementation (the phased introduction of more than 180 distinct operational improvement steps) and the dispersed and disparate nature of the many different organisations contributing to the SESAR Programme. What was needed, therefore, was a common framework for safety assessment; since this was based on a safety argument, it became known as the “argument-driven approach” to safety assessment.
Clearly, as with any safety process, the safety assessment approach for SESAR has to be soundly based from a theoretical perspective, as well as being pragmatic and of maximum benefit to SESAR stakeholders.
This article, therefore, explains the theoretical basis
for the broader, argument-driven approach to safety
assessment and then shows, at a relatively high
level, how it is intended to be applied to the SESAR
Operational Concept circa 2020.
This article originally appeared in ATC Quarterly #4 2011. The rest of the article, under the title “2020 Foresight”, is available online at ATC Network.