Documentos de Académico
Documentos de Profesional
Documentos de Cultura
SAFETY ON AERODROMES
WP 093
Page 1
1. BACKGROUND
It is the assumption that the Safety Management System requirements will be the pri-
mary safety oversight document covering the way an Aerodrome licensee manages
safety. ”How” the Aerodrome will be operated, whilst meeting these requirements, is
strictly the business of the Aerodrome licensee. Since the application of Safety Man-
agement Systems as described below is generic in the sense of enterprises or organi-
sations the word “Aerodrome” can easily be substituted to represent whatever area it
is used within.
The main issue of the requirements is that the burden of proof lies with the Aerodrome
licensee. The licensee has to state the facts, analyse and assess and prove to the Na-
tional Aviation Safety Authority that, all existing operations and all future changes,
additions or replacements are safe or will be at an acceptable risk level.
Whilst the National Aviation Safety Authority only has a safety mandate this should not
stop an Aerodrome Manager to apply a Total Management approach; the Safety
Management Requirements are also designed to reflect contemporary Quality System
Standards. An overall management system inherently comprising an identifiable and
easily audited systematic solution to the management of safety at an Aerodrome will
be able to display to the Aerodrome organisation and prove to the National Aviation
Safety Authority that the Safety Assurance activities leads to continuous compliance
with the safety requirements. In this approach the safety aspect shall be appropriately
emphasised.
In line with this overall management approach an Aerodrome licensee should identify
the safety significant issues analyse and assess safety risks as a result of their moni-
toring and thereafter take remedial action affecting either objectives or procedures.
Safety Management is that part of the overall management function, which determines
and implements an organisation's safety policy.
The most senior level of management within the organisation and follow a logical pro-
gramme that ensures that should endorse the implementation of a safety manage-
ment system by an organisation:
• From the policy statements the organisation should define its safety management
strategy.
• Having defined the policy statements and the organisation's strategy the proce-
dures designed to achieve this should be clearly documented.
GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 2
• The responsibilities and accountabilities of all individuals in respect of safety
should be clearly defined.
2. APPLICATION
The Licensing of Aerodromes from an authority point of view should preferably aim for
the Commercial Air Transport segment since this is where the major part of passen-
gers and cargo travel.
It has therefore been found appropriate to apply the requirements for all licensed
Aerodromes intended for Commercial Air Transportation.
3. SAFETY OBJECTIVES
The prime concern of both the National Aviation Safety Authority and the Aerodrome
must be focused on eliminating or minimising failure conditions at an Aerodrome that
contributes to an unacceptable risk level for aircraft.
In order to provide assurances that this is the case, safety assessments will be re-
quired both at set-up of an organisation and during change. The following describes a
process that covers both quantitative and qualitative based assessments.
JAR 25.1309 is the basis for the process used in these guidelines, there may be oth-
ers, but whatever system is used it is important to use language that is aircraft safety
orientated and in common use in aviation.
In FAR/JAR 25.1309 the expression ”failure condition” is used. It signifies the failure
condition at the unit aircraft level arising as a result of failures of sub-systems.
Failure conditions in Aerodrome systems can be defined quantitatively for certain as-
pects but not all, particularly those that are procedurally and human based.
AMJ to JAR 25. /1309 (JAA Advisory Material) states the probabilities per Flight hour
allowed for failure conditions with various Flight safety consequences. For instance an
a/c system failure condition, which implies a catastrophe, may not occur more fre-
9
quently than once in a billion (10 ) Flight hours. One underlying condition is that nor-
mally there are less than 100 such failure conditions that can occur in an aircraft,
which makes it possible that the total probability for a catastrophe due to all failures in
an aircraft’s systems is less than once in 10 million (107) flight hours. This is also the
present statistical result for modern aircraft in the Western world.
To start out with, a comparison can be made with applications in the field of Air Traffic
Services. The example below is there to give insight into the calculation principle for
quantitative determination.
GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 3
One single active sector or single ATS unit is responsible for 10 aircraft on each occa-
sion on the average. This supports the idea that a failure condition in one single sector
or one single ATS unit should not be allowed to contribute to a catastrophe for an air-
craft more frequently than once in a hundred million (108) working hours. This pro-
vided that the number of failure conditions that might lead to catastrophe does not ex-
ceed 100 in a single sector or in a single ATS unit. This assumption may be valid for
an Aerodrome where quantitative methods are suitable.
Normally a sector/area has not even traffic intensity. It might therefore be more suit-
able to start from the maximum traffic intensity. For that reason the concept ”operative
hour” will be used as defined below instead of ”working hour”, maintaining the same
goals concerning safety.
An operative hour comprises an hour when the most engaged sector or area, which
will use the system, has its maximum approved traffic intensity. That maximum inten-
sity shall be determined and stated by the Aerodrome.
It is assumed that the system maintains the safety level that is a consequence of the
goal for an operative hour also during other times.
The following are goals for the design of technical systems or Aerodrome systems and
equipment:
- A failure condition, which can lead to a catastrophic event, may not occur in a sec-
tor/area more frequently than 1x10-8 per operative hour (once in 100 million operative
hours).
- A failure condition, which can lead to a hazardous event, may not occur in a sec-
tor/area more frequently than 1x10-6 per operative hour.
-A failure condition that can lead to a major event may not occur in a sector/area
more frequently than 1x10-4 per operative hour.
- A failure condition which can lead to a minor event may not occur in a sector /area
more frequently than 1x10-2 per operative hour.
It can sometimes be hard to differentiate between failure conditions which can lead to
catastrophe and those which can lead to a hazardous event, alternatively between
failure conditions which can lead to a hazardous event and those which can lead to a
major event. Analyses shall be made however, with the highest possible grade of de-
tail.
As an alternative to the term ”operative hour”, an Aerodrome could sensibly use num-
ber of movements as incidents and accidents on or near aerodromes necessarily take
place in connection with landings or take-offs, i.e. movements. Aerodromes will also
have highly reliable data on movements, whereas, especially smaller aerodromes may
find it difficult to define operational hour.
GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 4
When a System Safety Analysis is presented to the National Aviation Safety Authority
it can be based on a Qualitative or a Quantitative basis, depending on the circum-
stances, and be based on the principle of ALARP, ”As Low As Reasonably Practica-
ble”. It is up to the Aerodrome management to choose which basis that is the most
suitable with reference to expected achievements.
This takes us into the area of qualitative assessment or definition, which is also cov-
ered, in the following suggested process concerning the “Safety Assessment Method-
ology”.
Introduction
The Management of an Aerodrome requires that the organisation should assess all
aspects of its operation, and changes to it, for safety significance.
Safety Assessments should be performed and documented to ensure that due con-
sideration is given to the safety of all parts of the system.
The Safety Assessment should be conducted to ensure that the management of any
hazards is commensurate with the risk involved and the safety objectives that have
been identified.
The generic process is as follows and is illustrated in the flow chart below:
1. Hazard identification
Identify the hazards to aircraft
2. Severity/Criticality
Evaluate the seriousness of the conse-
quences of the hazard occurring
3. Probability of occurrence
What are the chances of it happening?
4. Tolerability
Is the consequent risk tolerable and
within the organisation’s safety perform-
ance criteria?
5. Risk Management
GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 5
YES! Accept the risk.
NO! Take action to reduce the risk to
acceptable level.
Hazard identification
Initially, a high level assessment of the reasonably foreseeable hazards should be car-
ried out. Suitable techniques might include:
• Checklists
Review experience and available data from accidents, incidents or similar systems
and draw up a hazard checklist. Checklists identify potentially hazardous areas, which
will require further detailed evaluation.
• Group Review
This may be a true brainstorming session or may be based on a review of the check-
list. The group should consist primarily of people with as wide a background as possi-
ble and chosen for their relevant experience and competence.
The consequence of each identified hazard occurring should be assessed for its effect
on aircraft safety. The table below provides the safety criticality classification scheme
(JAR 25) that systems on aerodromes shall be assessed against.
The probability of occurrence can be defined in both qualitative and quantitative terms.
Numerical (quantitative) methods may be required to further support the analysis of
systems, which have the potential to produce catastrophic or hazardous results. For
lower levels of classification of risk, qualitative methods will often produce valid and
acceptable results.
It will be noted that many of the hazards identified are acceptably mitigated by the ap-
plication of existing Standards, regulations, procedures or practices.
The figure below illustrates the relationship between qualitative and quantitative prob-
ability of occurrence.
Determine whether the consequent risk is tolerable and within the organisation's ac-
ceptable safety performance criteria?
Once the severity of a hazard has been assessed and the probability of it arising has
been estimated, a judgement can be made on whether the consequent risk is accept-
able or not and whether it can be further reduced at reasonable cost. Common sense
dictates that a major consequence of an undesired event with a high probability of oc-
GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 6
currence is unacceptable, however it may be tolerable if the probability of occurrence
is very low although it may be undesirable.
The process of judging tolerability of risks and the results can be presented in tabular
form as illustrated below.
Actions to reduce the severity of the hazard or the probability of it arising to reduce the
risk to a tolerable level (managing risks). Where the table indicates that the risk is
currently unacceptable, action must be taken to reduce the probability of occurrence
and/or the severity of the hazard. If neither mitigating measure is available, the system
clearly does not satisfy the safety objectives. In any process where judgement is
applied there will be situations where the tolerability is not clearly defined. An issue
that falls into this area of uncertainty is likely to require, before implementation, the
endorsement of the individual ultimately accountable for safety within the organisation.
Safety Criticality Classification (JAR 25) that results in one or more of the following ef-
fects;
Tolerability Matrix
The table above is reproduced from JAR 25 and is specifically related to the probabil-
ity of an event occurring during flight. It is considered that the definitions are equally
valid for aircraft movements at an aerodrome but with probabilities decreased as
stated in the Safety Objectives in paragraph 3.
Note. The actual classification used in a safety assessment must be indicated in the
safety assurance document.
Any type of organisation should not allow things go wrong in their operation. Of course
mistakes can happen but nevertheless it is very important from a safety point of view
to be pro-active rather than reactive since safety failures have more grave conse-
quences to people than other mistakes normally have.
It comes natural to any safety conscious individual that safety cannot be compromised
and safety must always have the appropriate priority. Organisations that do not man-
age their safety risks carry a business risk.
It must be the duty and obligation of all aerodrome staff, without hesitation to comply
with safety standards and requirements. The competitive strength of an organisation
GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 8
not only depends on efficiency rests with low pricing and glossy appearance but also
on a commitment to safety.
When establishing agreements with service providers the delivery of services and
products must comply with the safety objectives of the Aerodrome, and have a safety
management system. If not, these services and products will be the weak link in the
operations process.
The Safety Management principles constitute two major issues, safety achievements
and safety assurance coupled with the promotion of a safety awareness culture. The
safety achievement and the results from the process of identifying and defining safety
requirements, analysing and assessing the safety content of the processes will give
the Aerodrome management a tool for production monitoring of the operation. Safety
levels need to be defined, in quantitative or qualitative terms in order to be able to
measure the performance of the organisation and consequently render input to
change in procedures or objectives.
Since both the Aerodrome Licensee and the National Aviation Safety Authority has an
interest in how the Aerodrome organisation will be operated, whether it concerns the
existing operation or introduction of new elements at the Aerodrome, the Aerodrome
must present evidence through a safety assessment process.
The requirement for system safety assessment processes can at an Aerodrome cre-
ate a competency and a personnel resource gap within the Aerodrome organisation.
Apart from this element in the requirement there is always a requirement for staff to
remain adequately trained and qualified for the their work assignments. Consequently,
it is not advisable that the system safety assessment be outsourced to consultants, al-
though it is recognised that this may have to be the case while the aerodrome licensee
builds a skill base.
6. SAFETY ASSURANCE
In the context of overall management systems an internal audit function must be es-
tablished as a tool with direct communication possibilities to the Aerodrome manager
to provide indications and safety significant occurrences for remedial action to be
taken.
Another requirement is safety monitoring which has the function of measuring the
process performance against established safety levels. Without such a monitoring
system neither the Aerodrome Management nor the National Aviation Safety Authority
can observe the performance of operations. It should be appreciated that such indica-
tors are also to some extent a measure of the trend to report minor occurrences. They
should be evaluated carefully in order not to penalise those organisations with a low
reporting threshold. The National Aviation Safety Authority should also appraise how
effective and quick the organisation is in finding out the causes of occurrences and
implementing corrections.
In order to facilitate for others in the Aerodrome community lessons learned should be
disseminated not only within the Aerodrome organisation but also to others including
the National Aviation Safety Authority through the means of accident/incident report-
ing.
When addressing the System Safety Analysis, especially when it comes to huge and
complex systems, the task can seem to be to enormous to deal with. The wise thing to
GUIDELINES TO A SYSTEMATIC MANAGEMENT OF
SAFETY ON AERODROMES
WP 093
Page 10
do might be to establish a plan, although it is not a requirement per se. Since the
Analysis process can be rather lengthy in time and comprising several subsystems to
be dealt with it is convenient to handle the systems in small portions when seeking the
approval from the National Aviation Safety Authority.
The Safety Case is a document giving evidence that systems or equipment fulfil the
requirements for Aviation Safety.
The Safety Case can comprise analysis reports, test protocols, certificates of test, cal-
culations or descriptions of constructions and so forth. If judged appropriate reference
can be made to other collections of documents.
The Safety Plan should present and define safety responsibility, procedures for man-
agement and operators engaged in the design, installation and maintenance of a sys-
tem with its components for the duration of its technical and operational life.
The figure below describes the connection between the Safety Plan and the Safety
Case and other Aviation Safety related documentation at the Aerodrome.
Aerodrome
• System
Description
National Aviation
Safety Authority
• Approval
To assist when introducing new systems for approval a checklist can be used. A Sys-
tem Assessment Analysis can be rather lengthy process. It is therefore essential to
parties, the applicant and the authority, that the process runs smoothly and effectively.
It is suggested that it should comprise two phases, the planning phase and the ap-
proval phase.
2. Before completion of the approval phase the applicant must submit and demon-
strate to the National Aviation Safety Department, what is stated under items a)-h) be-
low, when available for examination.
The Aerodrome shall, through its internal assessment function show compliance with
the safety requirements for any system to be operationally used. This can only take
place after the applicant has been convinced that the safety requirements are met.
END