GUIDELINES TO A SYSTEMATIC MANAGEMENT OF

SAFETY ON AERODROMES
WP 093
Page 1

1. BACKGROUND

It is the assumption that the Safety Management System requirements will be the pri-
mary safety oversight document covering the way an Aerodrome licensee manages
safety. ”How” the Aerodrome will be operated, whilst meeting these requirements, is
strictly the business of the Aerodrome licensee. Since the application of Safety Man-
agement Systems as described below is generic in the sense of enterprises or organi-
sations the word “Aerodrome” can easily be substituted to represent whatever area it
is used within.

The main issue of the requirements is that the burden of proof lies with the Aerodrome
licensee. The licensee has to state the facts, analyse and assess and prove to the Na-
tional Aviation Safety Authority that, all existing operations and all future changes,
additions or replacements are safe or will be at an acceptable risk level.

Whilst the National Aviation Safety Authority only has a safety mandate this should not
stop an Aerodrome Manager to apply a Total Management approach; the Safety
Management Requirements are also designed to reflect contemporary Quality System
Standards. An overall management system inherently comprising an identifiable and
easily audited systematic solution to the management of safety at an Aerodrome will
be able to display to the Aerodrome organisation and prove to the National Aviation
Safety Authority that the Safety Assurance activities leads to continuous compliance
with the safety requirements. In this approach the safety aspect shall be appropriately
emphasised.

In line with this overall management approach an Aerodrome licensee should identify
the safety significant issues analyse and assess safety risks as a result of their moni-
toring and thereafter take remedial action affecting either objectives or procedures.

Safety Management is that part of the overall management function, which determines
and implements an organisation's safety policy.

The most senior level of management within the organisation and follow a logical pro-
gramme that ensures that should endorse the implementation of a safety manage-
ment system by an organisation:

• Safety policy statements should define the organisation's fundamental approach to

the management of safety and should commit the organisation at all levels to the
fulfilment of its stated safety policy.

• From the policy statements the organisation should define its safety management
strategy.

• Having defined the policy statements and the organisation's strategy the proce-
dures designed to achieve this should be clearly documented.
 GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 2
• The responsibilities and accountabilities of all individuals in respect of safety
should be clearly defined.

2. APPLICATION

The Licensing of Aerodromes from an authority point of view should preferably aim for
the Commercial Air Transport segment since this is where the major part of passen-
gers and cargo travel.
It has therefore been found appropriate to apply the requirements for all licensed
Aerodromes intended for Commercial Air Transportation.

3. SAFETY OBJECTIVES

The prime concern of both the National Aviation Safety Authority and the Aerodrome
must be focused on eliminating or minimising failure conditions at an Aerodrome that
contributes to an unacceptable risk level for aircraft.

In order to provide assurances that this is the case, safety assessments will be re-
quired both at set-up of an organisation and during change. The following describes a
process that covers both quantitative and qualitative based assessments.

JAR 25.1309 is the basis for the process used in these guidelines, there may be oth-
ers, but whatever system is used it is important to use language that is aircraft safety
orientated and in common use in aviation.

In FAR/JAR 25.1309 the expression ”failure condition” is used. It signifies the failure
condition at the unit aircraft level arising as a result of failures of sub-systems.

Failure conditions in Aerodrome systems can be defined quantitatively for certain as-
pects but not all, particularly those that are procedurally and human based.

AMJ to JAR 25. /1309 (JAA Advisory Material) states the probabilities per Flight hour
allowed for failure conditions with various Flight safety consequences. For instance an
a/c system failure condition, which implies a catastrophe, may not occur more fre-
9
quently than once in a billion (10 ) Flight hours. One underlying condition is that nor-
mally there are less than 100 such failure conditions that can occur in an aircraft,
which makes it possible that the total probability for a catastrophe due to all failures in
an aircraft’s systems is less than once in 10 million (107) flight hours. This is also the
present statistical result for modern aircraft in the Western world.

In order to draw up the corresponding allowed probabilities for failure conditions in

Aerodrome systems the following assumptions could be made:

To start out with, a comparison can be made with applications in the field of Air Traffic
Services. The example below is there to give insight into the calculation principle for
quantitative determination.
 GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 3
One single active sector or single ATS unit is responsible for 10 aircraft on each occa-
sion on the average. This supports the idea that a failure condition in one single sector
or one single ATS unit should not be allowed to contribute to a catastrophe for an air-
craft more frequently than once in a hundred million (108) working hours. This pro-
vided that the number of failure conditions that might lead to catastrophe does not ex-
ceed 100 in a single sector or in a single ATS unit. This assumption may be valid for
an Aerodrome where quantitative methods are suitable.

Normally a sector/area has not even traffic intensity. It might therefore be more suit-
able to start from the maximum traffic intensity. For that reason the concept ”operative
hour” will be used as defined below instead of ”working hour”, maintaining the same
goals concerning safety.

An operative hour comprises an hour when the most engaged sector or area, which
will use the system, has its maximum approved traffic intensity. That maximum inten-
sity shall be determined and stated by the Aerodrome.

It is assumed that the system maintains the safety level that is a consequence of the
goal for an operative hour also during other times.

The following are goals for the design of technical systems or Aerodrome systems and
equipment:

- A failure condition, which can lead to a catastrophic event, may not occur in a sec-
tor/area more frequently than 1x10-8 per operative hour (once in 100 million operative
hours).

- A failure condition, which can lead to a hazardous event, may not occur in a sec-
tor/area more frequently than 1x10-6 per operative hour.

-A failure condition that can lead to a major event may not occur in a sector/area
more frequently than 1x10-4 per operative hour.

- A failure condition which can lead to a minor event may not occur in a sector /area
more frequently than 1x10-2 per operative hour.

It can sometimes be hard to differentiate between failure conditions which can lead to
catastrophe and those which can lead to a hazardous event, alternatively between
failure conditions which can lead to a hazardous event and those which can lead to a
major event. Analyses shall be made however, with the highest possible grade of de-
tail.

As an alternative to the term ”operative hour”, an Aerodrome could sensibly use num-
ber of movements as incidents and accidents on or near aerodromes necessarily take
place in connection with landings or take-offs, i.e. movements. Aerodromes will also
have highly reliable data on movements, whereas, especially smaller aerodromes may
find it difficult to define operational hour.
 GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 4
When a System Safety Analysis is presented to the National Aviation Safety Authority
it can be based on a Qualitative or a Quantitative basis, depending on the circum-
stances, and be based on the principle of ALARP, ”As Low As Reasonably Practica-
ble”. It is up to the Aerodrome management to choose which basis that is the most
suitable with reference to expected achievements.
This takes us into the area of qualitative assessment or definition, which is also cov-
ered, in the following suggested process concerning the “Safety Assessment Method-
ology”.

Safety Assessment Methodology

Introduction

The Management of an Aerodrome requires that the organisation should assess all
aspects of its operation, and changes to it, for safety significance.

Safety Assessments should be performed and documented to ensure that due con-
sideration is given to the safety of all parts of the system.

The Safety Assessment should be conducted to ensure that the management of any
hazards is commensurate with the risk involved and the safety objectives that have
been identified.

Risk Management Process.

The generic process is as follows and is illustrated in the flow chart below:

• Systematically identify Possible Hazards to aircraft.

• Evaluate the seriousness of the consequences of the hazard occurring.
• Consider the chances of it happening.
• Determine whether the consequent risk is acceptable and within the organisation's
and the National Aviation Safety Authority’s safety performance criteria. If not, take
action to reduce the severity of the hazard or the probability of it arising to reduce
the risk to an acceptable level.

1. Hazard identification
Identify the hazards to aircraft

2. Severity/Criticality
Evaluate the seriousness of the conse-
quences of the hazard occurring

3. Probability of occurrence
What are the chances of it happening?

4. Tolerability
Is the consequent risk tolerable and
within the organisation’s safety perform-
ance criteria?

5. Risk Management
 GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 5
YES! Accept the risk.
NO! Take action to reduce the risk to
acceptable level.

Hazard identification

Initially, a high level assessment of the reasonably foreseeable hazards should be car-
ried out. Suitable techniques might include:

• Checklists

Review experience and available data from accidents, incidents or similar systems
and draw up a hazard checklist. Checklists identify potentially hazardous areas, which
will require further detailed evaluation.

• Group Review

This may be a true brainstorming session or may be based on a review of the check-
list. The group should consist primarily of people with as wide a background as possi-
ble and chosen for their relevant experience and competence.

Evaluate the seriousness of the consequences of the hazard occurring.

The consequence of each identified hazard occurring should be assessed for its effect
on aircraft safety. The table below provides the safety criticality classification scheme
(JAR 25) that systems on aerodromes shall be assessed against.

Consider the chances of it happening

The probability of occurrence can be defined in both qualitative and quantitative terms.
Numerical (quantitative) methods may be required to further support the analysis of
systems, which have the potential to produce catastrophic or hazardous results. For
lower levels of classification of risk, qualitative methods will often produce valid and
acceptable results.

It will be noted that many of the hazards identified are acceptably mitigated by the ap-
plication of existing Standards, regulations, procedures or practices.

The figure below illustrates the relationship between qualitative and quantitative prob-
ability of occurrence.

Determine whether the consequent risk is tolerable and within the organisation's ac-
ceptable safety performance criteria?

Once the severity of a hazard has been assessed and the probability of it arising has
been estimated, a judgement can be made on whether the consequent risk is accept-
able or not and whether it can be further reduced at reasonable cost. Common sense
dictates that a major consequence of an undesired event with a high probability of oc-
 GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 6
currence is unacceptable, however it may be tolerable if the probability of occurrence
is very low although it may be undesirable.

The process of judging tolerability of risks and the results can be presented in tabular
form as illustrated below.

Actions to reduce the severity of the hazard or the probability of it arising to reduce the
risk to a tolerable level (managing risks). Where the table indicates that the risk is
currently unacceptable, action must be taken to reduce the probability of occurrence
and/or the severity of the hazard. If neither mitigating measure is available, the system
clearly does not satisfy the safety objectives. In any process where judgement is
applied there will be situations where the tolerability is not clearly defined. An issue
that falls into this area of uncertainty is likely to require, before implementation, the
endorsement of the individual ultimately accountable for safety within the organisation.

Safety Criticality Classification (JAR 25) that results in one or more of the following ef-
fects;

Catastrophic Hazardous Major Minor

• The loss of the • A large reduction in • A significant reduc- • Nuisance
aircraft safety margins tion in safety mar- • Operating limita-
• Multiple fatalities • Physical distress or gins tions: emergency
a workload such that • A reduction in the procedures
the flight crew can- ability of the flight
not be relied upon to crew to cope with
perform their tasks adverse conditions
accurately or com- as a result of in-
pletely crease in workload
• Serious injury or or as a result of
death of a relatively conditions impair-
small proportion of ing their efficiency
the occupants • Injury to occupants

Tolerability Matrix

Catastrophic Review Unacceptable Unacceptable Unacceptable Unacceptable

Hazardous Review Review Unacceptable Unacceptable Unacceptable
Major Acceptable Review Review Review Review
Minor Acceptable Acceptable Acceptable Acceptable Review
Extremely Extremely Remote Reasonably Frequent
Improbable Remote Probable

Probability of occurrence definitions

Probability of Extremely Extremely Remote Reasonably Frequent

Occurrence improbable Remote probable
Classifica-
tion
Qualitative Should vir- Unlikely to occur Unlikely to occur May occur May occur
 GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 7
definition tually never when considering during total opera- once or a few once or sev-
occur in the several systems of tional life of each times during eral times
whole fleet the same type, but system but may oc- total opera- during op-
life. nevertheless, has cur several times tional life of a erational life
to be considered when considering single system
as being possible several systems of
the same type
-9
Quantitative < 10 per 10-7 to 10-9 per 10-5 to 10-7 per flight 10-3 to 10-5 10-3 per
definition flight hour flight hour hour per flight hour flight hour

The table above is reproduced from JAR 25 and is specifically related to the probabil-
ity of an event occurring during flight. It is considered that the definitions are equally
valid for aircraft movements at an aerodrome but with probabilities decreased as
stated in the Safety Objectives in paragraph 3.

Note. The actual classification used in a safety assessment must be indicated in the
safety assurance document.

It is worth noting that either Quantitative or Qualitative methods, as tools of analysis,

can achieve more than a demonstration of figures or reasoning based on
assumptions. Clearly both ways are indicative and the assessments must be
acceptable to the National Aviation Safety Authority.

4. SAFETY MANAGEMENT POLICY STATEMENTS

To assure the proper function of a Safety Management System the implementation

process and the continuous improvement process must be a Top Down process in
any organisation striving to do business. The responsibility rests with the higher level
of management to see to that all staff has knowledge and understanding of the Busi-
ness Plan. The business plan can comprise all sorts of objectives that will be the
guideline for all staff to operate by.

Any type of organisation should not allow things go wrong in their operation. Of course
mistakes can happen but nevertheless it is very important from a safety point of view
to be pro-active rather than reactive since safety failures have more grave conse-
quences to people than other mistakes normally have.

To reflect responsibility and accountability in an organisation safety cannot be re-

garded as something odd made to the responsibility of a special function in the or-
ganisation. Where a procedure accommodates a safety requirement the operator shall
be aware of the consequences of mistakes and the procedure must eliminate such
risks.

It comes natural to any safety conscious individual that safety cannot be compromised
and safety must always have the appropriate priority. Organisations that do not man-
age their safety risks carry a business risk.

It must be the duty and obligation of all aerodrome staff, without hesitation to comply
with safety standards and requirements. The competitive strength of an organisation
 GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 8
not only depends on efficiency rests with low pricing and glossy appearance but also
on a commitment to safety.

When establishing agreements with service providers the delivery of services and
products must comply with the safety objectives of the Aerodrome, and have a safety
management system. If not, these services and products will be the weak link in the
operations process.

5. SAFETY MANAGEMENT PRINCIPLES

The Safety Management principles constitute two major issues, safety achievements
and safety assurance coupled with the promotion of a safety awareness culture. The
safety achievement and the results from the process of identifying and defining safety
requirements, analysing and assessing the safety content of the processes will give
the Aerodrome management a tool for production monitoring of the operation. Safety
levels need to be defined, in quantitative or qualitative terms in order to be able to
measure the performance of the organisation and consequently render input to
change in procedures or objectives.

In a state of continued operation there is also a requisite for maintaining, improving

and recording of the processes. When there is safety significance in a procedure the
organisation must continuously assure that the level of safety is maintained or im-
proved. All safety critical procedures should be described both in writing and by word
of mouth training.

Since both the Aerodrome Licensee and the National Aviation Safety Authority has an
interest in how the Aerodrome organisation will be operated, whether it concerns the
existing operation or introduction of new elements at the Aerodrome, the Aerodrome
must present evidence through a safety assessment process.

A System Safety Analysis best conducts both requirements, assessment of existing

operations and introduction of new elements. It is understood that this analysis can be
performed as quantitative or qualitative or combinations thereof. Quantitative reason-
ing can more generally be applied to infrastructures and qualitative where individuals
and human processes are involved.

The requirement for system safety assessment processes can at an Aerodrome cre-
ate a competency and a personnel resource gap within the Aerodrome organisation.
Apart from this element in the requirement there is always a requirement for staff to
remain adequately trained and qualified for the their work assignments. Consequently,
it is not advisable that the system safety assessment be outsourced to consultants, al-
though it is recognised that this may have to be the case while the aerodrome licensee
builds a skill base.

All activities need to be documented in order to be able to demonstrate effective

safety management when required from the National Aviation Safety Authority.
 GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 9

6. SAFETY ASSURANCE

In the medium to large Aerodromes organisations the Aerodrome Manager seldom

possesses all the operational and technical skills or qualifications needed to fulfil the
role as general manager. Top management is generally geared towards economical,
financial and managerial business issues. However, it has been found necessary that
safety management accountability is needed at senior level in the organisation to pre-
pare and emphasise safety significant matters.

In the context of overall management systems an internal audit function must be es-
tablished as a tool with direct communication possibilities to the Aerodrome manager
to provide indications and safety significant occurrences for remedial action to be
taken.

Another requirement is safety monitoring which has the function of measuring the
process performance against established safety levels. Without such a monitoring
system neither the Aerodrome Management nor the National Aviation Safety Authority
can observe the performance of operations. It should be appreciated that such indica-
tors are also to some extent a measure of the trend to report minor occurrences. They
should be evaluated carefully in order not to penalise those organisations with a low
reporting threshold. The National Aviation Safety Authority should also appraise how
effective and quick the organisation is in finding out the causes of occurrences and
implementing corrections.

In order to facilitate for others in the Aerodrome community lessons learned should be
disseminated not only within the Aerodrome organisation but also to others including
the National Aviation Safety Authority through the means of accident/incident report-
ing.

When it comes to safety improvements in an Aerodrome organisation one usually re-

lies upon the experience and competence of the staff. To accomplish and channel
proposals for solutions to malpractice in the procedures it is essential that the staff be
encouraged to do so.

7. SAFETY ASSURANCE DOCUMENTATION

As mentioned earlier all safety activities shall be documented. An Aerodrome organi-

sation has the total freedom to organise its manual system as long as it is functional
and the results from safety monitoring and corrective actions can be displayed to the
National Aviation Safety Authority.

Operational Safety Assurance and Safety Assurance Documentation should state

safety goals and objectives, roles and functions, a safety based risk assessment of all
the roles and functions, a safety performance measurement and finally corrective ac-
tion. Such a system gives continuous opportunities to maintain and improve safety.

When addressing the System Safety Analysis, especially when it comes to huge and
complex systems, the task can seem to be to enormous to deal with. The wise thing to
 GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 10
do might be to establish a plan, although it is not a requirement per se. Since the
Analysis process can be rather lengthy in time and comprising several subsystems to
be dealt with it is convenient to handle the systems in small portions when seeking the
approval from the National Aviation Safety Authority.

The Safety Case

In order to satisfy the Safety Management Requirements it is advisable to establish a

plan that corresponds to the work to be accomplished. The National Aviation Safety
Authority may require that the System Safety Analysis be manifested as a Case i. e. a
Safety Assurance or Safety Case

The Safety Case is a document giving evidence that systems or equipment fulfil the
requirements for Aviation Safety.

The Safety Case can comprise analysis reports, test protocols, certificates of test, cal-
culations or descriptions of constructions and so forth. If judged appropriate reference
can be made to other collections of documents.

The Safety Plan

The Safety Plan should present and define safety responsibility, procedures for man-
agement and operators engaged in the design, installation and maintenance of a sys-
tem with its components for the duration of its technical and operational life.

The Safety Plan can be,

• Included as a part of a Safety Management System, preferably within or

at least referenced to the Aerodrome Manual
• Included as a separate document or part of a Quality System, but identifiable as a
safety plan cross-referenced to the SMS

The Safety Plan should at least present statements concerning;

a) Scope and purpose of the Safety Plan.

b) Policies and strategies along with the methods for analysis and assessment and in
which way this is going to be disseminated throughout the organisation to create a
safety culture.
c) Organisational entities and staff with defined safety responsibilities to oversee the
procedures and take action at detection of variations.
d) Description of the relation between the National Aviation Safety Authority and the
Aerodrome.
e) Description of the established safety procedures.
f) Procedures for;
 GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 11
• How the organisation’s safety plan will apply through the life cycle of a sys-
tem.
• Assurance of the competency of the staff with regard to design, installation
and maintenance of a system with its components.
• Analysis and assessment of hazardous and potentially hazardous events to
eliminate or minimise reoccurrence of risks.
• Monitoring and analysis of operation and maintenance for systems.
• Initiation of modifications to systems with internal approval for systems
• Measures for training and information both internally and externally.

Connection between the Safety plan and the Safety Case

The figure below describes the connection between the Safety Plan and the Safety
Case and other Aviation Safety related documentation at the Aerodrome.

Aerodrome

• System
Description

National Aviation Aerodrome Aerodrome

Safety Authority
• Internal Safety • Risk Analysis
• Requirements Requirements and Safety
• Safety Plan Assessments
• Safety Case

National Aviation
Safety Authority

• Approval

To assist when introducing new systems for approval a checklist can be used. A Sys-
tem Assessment Analysis can be rather lengthy process. It is therefore essential to
parties, the applicant and the authority, that the process runs smoothly and effectively.
It is suggested that it should comprise two phases, the planning phase and the ap-
proval phase.

In this case the following check list can be utilised:

1. In the planning phase, the following must be submitted.

 GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 12
a) A description of the applicant’s organisation and distribution of responsibility includ-
ing the internal assessment function.
b) Time schedule
c) Brief description of the system
d) System specifications
e) Methodology to be used for analysis of the system
f) Preliminary analysis of safety hazards and their consequences to the system or a
time schedule when this will be available
g) Assessed classification of risks or a time schedule when this will be available

2. Before completion of the approval phase the applicant must submit and demon-
strate to the National Aviation Safety Department, what is stated under items a)-h) be-
low, when available for examination.

The Aerodrome shall, through its internal assessment function show compliance with
the safety requirements for any system to be operationally used. This can only take
place after the applicant has been convinced that the safety requirements are met.

a) A description of the system to a level of detail accepted by the National Aviation

Safety Department
b) How hard ware and soft ware is validated
c) Compliance with safety objectives
d) How configuration control of facilities and equipment will be maintained
e) Documented operational procedures
f) How competency will be maintained for operational use of the system including
remedial action in the event of failures
g) A maintenance system
h) A maintenance agreement for the expected life of the system.

END