3|
3 |
4.1 Summary of what needs to be standardised
The methodology proposed above recommends that some standards should be decided for ATM systems. They are summarised below.
· Standards related to expression and assessment of safety requirements. These standards should be international.
¨ Standard way of expressing safety requirements (e.g. standard, and practical, metrics). This includes the definition of standard safety levels and a standard checklist of rules that these requirements must respect (including rules not specific to safety, such as consistency, and their verifiability).
¨ When possible, standard recommended safety requirements for each high level function (e.g. communication between components of the system), in order to prevent too much heterogeneity in operational ATM systems.
¨ Standard risk classification scheme.
¨ Standard equivalence between safety characteristics (safety level, etc.) required and the kind and level of supporting evidence justifying these safety characteristics.
· Standards used for ensuring safety. These standards may be either international recommendations, or specific to each manufacturer. When they are referred to in the first category standards, they should have an international definition. In any case, they should not be made mandatory, as each manufacturer is responsible for techniques it uses for meeting requirements, and they must be free to use innovative and most appropriate techniques. Such "standards" mentioned in this documents are:
¨ standard list of system specification rules, for ensuring safety;
¨ standard list of design rules, for ensuring safety;
¨ standard recommendations for hardware selection;
¨ standard contents of a Safety Plan, and of a Safety Case.
This document does not discuss responsibilities, but most activities recommended should obviously be undertaken by manufacturers.
As these activities have been designed to be as cost-effective as possible and they belong to the kind of activities normally performed by manufacturers, their implementation is considered realistic.
Of course, the effectiveness of the recommended activities is also dependent on the degree of commitment and collaboration with the buyers, users, and regulators, who should provide information required. Manufacturers also need to provide information about the limitations of use of the system supplied to the service provider so that they can make decisions ensuring the safety of their service provision.
However, some of the validation activities mentioned (such as eye-tracking) belong more to the field of activity of research institutes, and require availability of operational controllers, of specialists of the techniques, and specific equipment, which are not usually available at the manufacturers. Therefore, these activities normally are the responsibility of service providers.
As with other techniques, manufacturers should be left free to use them or not and, if they choose to use them, to perform relevant activities themselves or by collaborating with high-level external specialists.
In some cases, ATM service providers may also have to perform tasks described here because integration requires it (e.g. integration of technical subsystems that are property of different ATM service providers and delivered by different manufacturers).
Further work is mainly on the development of recommended standards.
The major challenge is the development of an objective correspondence between safety levels and supporting evidence that allows confidence that some safety level has been reached. This requires a safety forecasting model, using, as only inputs, indicators that are both measurable and available before this system is operationally used. To build and improve this model, data and feedback from operational systems is necessary.
Depending on the results of this study, the development of some new validation techniques could be required too.
The schedule of implementation might be divided into three phases:
First
phase:
· Development of an interim version of recommended standards, based on best current practices, and on improvements which can be implemented quickly.
· Organisation of a study to develop the second version of standards, including a first model for safety forecasting.
Second
phase:
· Implementation of interim standards in relevant organisations.
· Collection of feedback information from this implementation.
· Development of the second, improved, version of standards.
Third
phase:
· Implementation of definitive standards in relevant organisations.
The associated schedule might be:
However, this schedule is probably too optimistic for the definition of mandatory standards, given the delay generally required for standardisation by ICAO and other worldwide organisations.
Therefore, as a first step, it is proposed that standards should be developed and recommended, but not made mandatory, until the definitive international decisions.
|
3 |
