A safety assessment is to be carried out for planned significant airspace reorganizations, for significant changes in the provision of ATS procedures applicable to an airspace or an aerodrome, and for the introduction of new equipment, systems or facilities, such as:
- a reduced separation minimum to be applied within an airspace or at an aerodrome;
- a new operating procedure, including departure and arrival procedures, to be applied within an airspace or at an aerodrome;
- a reorganization of the ATS route structure;
- a resectorization of an airspace;
- physical changes to the layout of runways and/or taxiways at an aerodrome; and
- implementation of new communications, surveillance or other safety-significant systems and equipment, including those providing new functionality and/or capabilities.
When, due to the nature of the change, the acceptable level of safety cannot be expressed in quantitative terms, the safety assessments may rely on operational judgement.
Proposals shall be implemented only when the assessment has shown that an acceptable level of safety will be met.
The safety assessment shall consider relevant all factors determined to be safety-significant, including:
- types of aircraft and their performance characteristics, including aircraft navigation capabilities and navigation performance;
- traffic density and distribution;
- airspace complexity, ATS route structure and classification of the airspace;
- aerodrome layout, including runway configurations, runway lengths and taxiway configurations;
- type of air-ground communications and time parameters for communication dialogues, including controller intervention capability;
- type and capabilities of surveillance system, and the availability of systems providing controller support and alert functions. Where ADS-B implementation envisages reliance upon a common source for surveillance and/or navigation, the safety assessment shall take account of adequate contingency measures to mitigate the risk of either degradation or loss of this common source (i.e. common mode failure); and
- any significant local or regional weather phenomena.
Any actual or potential hazard related to the provision of ATS within an airspace or at an aerodrome, whether identified through an ATS safety management activity or by any other means, shall be assessed and classified by the appropriate ATS authority for its risk acceptability.
Except when the risk can be classified as acceptable, the ATS authority concerned shall, as a matter of priority and as far as practicable, implement appropriate measures to eliminate the risk or reduce the risk to a level that is acceptable.
The two main methodologies for identifying hazards are:
- Reactive. This methodology involves analysis of past outcomes or events. Hazards are identified through investigation of safety occurrences. Incidents and accidents are an indication of system deficiencies and therefore can be used to determine which hazard(s) contributed to the event.
- Proactive. This methodology involves collecting safety data of lower consequence events or process performance and analysing the safety information or frequency of occurrence to determine if a hazard could lead to an accident or incident. The safety information for proactive hazard identification primarily comes from flight data analysis (FDA) programmes, safety reporting systems and the safety assurance function.
A typical safety risk probability classification table may include five categories to denote the probability related to an unsafe event or condition, the description of each category, and an assignment of a value to each category.
The table to the right uses qualitative terms; however, quantitative terms could be defined to provide a more accurate assessment. The use of quantitative terminology rather than qualitative terms can depend on the availability of appropriate safety data and the sophistication of the organization and operation.
Severity assessment should consider all possible consequences related to a hazard, taking into account the worst foreseeable situation. The example table to the right presents a typical safety risk severity table. It includes five categories to denote the level of severity, the description of each category, and the assignment of a value to each category.
A safety risk index rating is created by combining the results of the probability and severity scores, in the example given it is represented as an alphanumeric designator.
The respective severity/probability combinations are developed into a safety risk assessment matrix as shown. The safety risk assessment matrix is used to determine safety risk tolerability.
The data from the safety risk assessment matrix should then be exported to a safety risk tolerability table that describes the tolerability criteria for the particular organization.
