8. Appendix: Comparison of this document with EUROCONTROL Safety Assessment Methodology

This appendix identifies the main differences between the methodological framework presented in this document and the corresponding features of the EUROCONTROL safety assessment methodology.


This comparison is based on working draft 0.5 of the EUROCONTROL document.


Readers should be aware that this short analysis might sometimes be disputable, due to:

· the differences in objective, scope and focus of the two documents (not mentioning something in a document does not always mean that it has been rejected or forgotten, but often means that it has not been considered relevant to that document),

· the fact that the edition of the EUROCONTROL document used (0.5) is still at a development stage.


| In the present ARIBA document | Associated feature in EUROCONTROL methodology | Comments |
|---|---|---|
| 1st part of the framework: "indirect" safety assurance, through the development process. (Not detailed in this table.) | Not included. Sometimes a short mention such as "the absence of errors cannot be demonstrated by testing only" or the mention of five Development Assurance Levels. Engineering principles are considered, but always with the safety "filter". | Clearly not considered as in the scope of the EUROCONTROL document. ARIBA felt this point impacts very much the level of safety of the system and so needed to be addressed. |
| How to deal with the use of COTS. | Not included. | It would be worth including it, for practical reasons. |
| 2nd part of the framework: specific safety assurance. | This is what the EUROCONTROL methodology focuses on. | |
| Initial safety assessment (to complete and finalise safety requirements, preferably in a standard way). | Meaningful only if considering that some organisation provides requirements to another one. This kind of problem is not considered (higher level). | Standardising the way of expressing safety requirements (e.g. criticality of services and functions, risk classification, etc.) is felt to be of high importance. |
| Assessment of safety activities to be performed. Before planning safety activities, it is important to identify what activities are necessary, according to the specific case. | The EUROCONTROL document addresses this in the "safety planning" section, and mentions only the required safety level as a criterion. | It could be interesting to discuss activities to be performed in some important practical cases: various safety levels, but also use of COTS products, changes in an existing system, re-use of the same system in a different context, etc. |
| Planning of safety programme. | More detailed in the EUROCONTROL document. It mentions competency, but not briefing and training about the safety policy. | Discussing briefing and training about the safety policy could be useful, because it is important in practice. |
| Identification of hazards, risk assessment and specification of mitigation solutions: (a) risk classification scheme. A verification that the standard scheme is adapted to the system and context considered is mentioned. | The EUROCONTROL document proposes such a standard scheme. It also mentions the NATS and CENA approaches, which deal with the adaptation of the scheme to ground systems through different definitions of severity. | Severity levels defined in the scheme are well adapted to aircraft, but the association of their definitions with a ground system needs further clarification. |
| (b) identification of hazards and failure modes. | The EUROCONTROL document approach is to use FHA (described in detail, with an example). | Does not explain how to deal with practical application problems related to the complexity or the size of the system. |
| (c) estimation of hazard likelihood. | Dealt with in PSSA (see below). | |
| (d) risk assessment (combining severity and likelihood). PSSA is mentioned as an example of risk assessment practice. | The EUROCONTROL document approach is to use PSSA (described in detail, with an example), including failure condition evaluation, common cause analysis, and zonal safety analysis, and then to use SSA (continuation of PSSA during the detailed design and implementation). Detailed descriptions (parts III and IV) are still missing. | Here too, practical application to specific cases (complex systems, very large systems, systems including COTS products, etc.) should be discussed in the next version, for practical reasons. Also, PSSA-like activities, which can impact the system, should continue into the implementation phase. |
| (e) risk reduction. | This is included in the SSA, which is an iterative process. | |
| Monitoring and tracking of hazard and safety issues. | This is dealt with in safety assurance principles. | |
| Verification that the system complies with safety requirements. | Addressed in SSA safety assurance activities. | |
| Safety-related support during installation, commissioning, overall validation, transition, operation. | Not addressed in the EUROCONTROL document yet (unless it is considered to be addressed in SSA). | These points should be explicitly addressed in the missing detailed description parts. |
