skyguide, the Swiss air navigation service provider (ANSP)
For many years, safety was defined and measured more by its absence than by its presence. Today, ‘Safety II’ considers safety as an inherent function of the air traffic service and builds on the premise that the everyday activities of staff and the functionality of the technology deliver a safe service to customers.
ANSPs use a range of approved procedures to manage change to the air traffic management service and system (people, procedures and equipment) under their control. These include a Safety Assessment Framework (SAF) which facilitates a consistent and thorough approach to showing that the changes will be acceptably safe.
In 2017 the EU Implementing Regulation 2017/373 entered into force. It directs ANSPs to describe safety criteria based on the harmful effect to humans (the passengers, the crew, the public) and has led to a new Severity Scheme that directly addresses fatalities and injuries to humans.
The Safety II and ‘severity of hazards’ requirements led skyguide to undertake an overhaul of its SAF and to commission Egis to assist.
Role of Egis
We developed and documented a new SAF, provided training on the use of the new SAF and developed baseline risk models for the ANSP to use when assessing safety of changes. The risk models represent the understanding of the safety risk levels of the steady state operations and form the basis of all safety assessments of change conducted under the new SAF.
The risk models were formulated as Service Hazard Logs using the Bowtie method, which depicts risk and provides an opportunity to identify and assess the key controls that exist, or are lacking, between a threat and its consequences. The Bowtie diagram in Figure 1 shows the relationship between threats, hazardous activities, hazards and consequences, and is designed to support the communication of a complex risk picture to multiple stakeholders.
Figure 1 – Bowtie Diagram
The risk models were developed in a multi-step process, shown in Figure 2 below.
Figure 2 – Risk Model Development
The scope of the service hazards was defined at the air traffic service (ATS) provision level, and Service Context diagrams were developed for each ATS Unit. The Service Context diagrams had an operational interface perspective representing all internal and external relationships, i.e. the identified links between all human, machine and environment elements.
Figure 3 – Service Context Diagram
Hazardous activity was identified for each of the ATS services; the identified hazards represented scenarios directly linked to the provision of different services where a loss of control may occur, e.g. CFIT.
We developed the content of the risk models through a series of workshops with ATCOs and subject matter experts and by analysing technical documents. This led to the identification of threats, preventive and recovery controls, escalation factors and escalation controls for the relevant hazards. Once the baseline risk models were developed, the quantitative and qualitative values of the elements within them could be added.
Our team also developed a framework for assessing the effectiveness of controls, with specific approaches for assessing human-based controls and equipment-based controls. The hazard frequency, consequence severity and likelihood can be derived from existing data and were directly linked to skyguide’s own Risk Classification Scheme.
Because the risk models represent the understanding of the safety risk levels of the steady state operations, they form the basis of all safety assessments of change conducted under the new SAF. This gave the ANSP a consistent and structured method of assessing changes against a model that can be easily updated to reflect the evolving nature of the ATS and its supporting systems. It facilitates a direct assessment against the harmful effect in line with 2017/373 and is compatible with the requirements of this regulation. The risk models were used to determine change in risk, i.e. mapping changes in the system to the different elements of the risk model to understand whether controls were more or less effective as a result, and what the overall impact on safety risk was in terms of the change in hazard frequency and consequence severity and likelihood. The updated risk models then contribute to situational awareness of risk by using colours to highlight areas of concern and controls with very high effectiveness. This in turn facilitates good management of the risk of changes and enables more efficient use of safety resources.
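The change assessment described above can be sketched in a few lines. This is an added example, not skyguide's or Egis's model: the threat and control names, the frequencies and the effectiveness values are constructed, and it assumes controls act independently with effectiveness expressed as the probability that a control stops the event.

```python
from math import prod

# Constructed baseline bowtie for one hazard; every name and number is illustrative.
BASELINE = {
    # threat -> (frequency per 1,000 flight hours, preventive controls)
    "threats": {
        "Incorrect altimeter setting": (2.0, ["Readback check", "Altitude cross-check"]),
        "Descent below cleared level": (0.5, ["Conformance monitoring"]),
    },
    "recovery": ["Terrain warning", "Avoidance instruction"],
    # Assumed meaning: probability that the control stops the event when called on.
    "effectiveness": {
        "Readback check": 0.9, "Altitude cross-check": 0.8,
        "Conformance monitoring": 0.9,
        "Terrain warning": 0.95, "Avoidance instruction": 0.9,
    },
}

def _passes(controls, eff):
    """Fraction of events that get past every listed control (assumed independent)."""
    return prod(1 - eff[c] for c in controls)

def hazard_frequency(model, eff):
    """Left side of the bowtie: threat frequency surviving the preventive controls."""
    return sum(freq * _passes(ctrls, eff) for freq, ctrls in model["threats"].values())

def consequence_frequency(model, eff):
    """Right side: hazard frequency surviving the recovery controls."""
    return hazard_frequency(model, eff) * _passes(model["recovery"], eff)

def assess_change(model, changed_eff):
    """Map a change onto the model's controls and return (baseline, changed) risk."""
    base = model["effectiveness"]
    unknown = set(changed_eff) - set(base)
    if unknown:  # a change must map to elements that exist in the baseline model
        raise KeyError(f"controls not in the risk model: {sorted(unknown)}")
    new = {**base, **changed_eff}
    return {
        "controls": {c: "more effective" if new[c] > base[c] else "less effective"
                     for c in changed_eff if new[c] != base[c]},
        "hazard": (hazard_frequency(model, base), hazard_frequency(model, new)),
        "consequence": (consequence_frequency(model, base),
                        consequence_frequency(model, new)),
    }
```
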
The development of the risk models based on an operational interface view brings a new perspective of looking at risk – it represents all internal and external relationships as potential threats and everyday activities as preventive and recovery controls. While Safety I takes accidents and incidents as the focus point and tries to prevent negative outcomes, Safety II concentrates on the activities and functions that contribute to successful/nominal operation. Therefore, the preventive and recovery controls in the risk models help in the understanding of what goes right, which controls are effective and contribute to successful behaviours.
In addition, the risk models using the Bowtie approach show the risk within one visual representation and create structured links between key internal and external elements of the safety assessment. This approach can be used not only in ANSP organisations, but for all aviation stakeholders including airports, airlines, maintenance organisations and providers of support information or supporting infrastructure. The risk models provide a basis for understanding and assessing the risk associated with changes to operational interfaces including those to external stakeholders. This approach facilitates the development of an integrated safety risk assessment that recognises the contribution of all stakeholders to a specific hazard and moves the industry forward toward a more integrated assessment of risk for the total aviation system.