Safety Case Development Manual V2.2_RI_13Nov06 EUROCONTROL
EUROCONTROL%20Safety-case-development-manual
User Manual:
Open the PDF directly: View PDF .
Page Count: 66
EUROPEAN ORGANISATION FOR THE SAFETY OF
AIR NAVIGATION
EUROPEAN AIR TRAFFIC MANAGEMENT
Safety Case Development Manual
DAP/SSH/091
Edition : 2.2
Edition Date : 13 Nov 2006
Status : Released Issue
Class : EATM Stakeholders
Safety Case Development Manual
Page ii Released Issue Edition: 2.2
DOCUMENT CHARACTERISTICS
TITLE
Safety Case Development Manual
EATMP Infocentre Reference:
Document Identifier Edition Number:
2.2
DAP/SSH/091
Edition Date:
13 Nov 2006
Abstract
This Safety Case Development Manual provides the reader with an overview of the methodology
being proposed for the construction and development of Safety Cases. Version 2.2 is a complete
rewrite of Version 1.3 which was published in 2003, taking into consideration user needs and recent
experience with Safety Case developments.
This Manual includes the concept of a Safety Case as presenting the entirety of argument and
evidence needed to satisfy oneself and the regulator with respect to safety. It does not provide
guidance on the generation or documentation of the evidence itself. Where separate guidance is
available, such as the ANS Safety Assessment Methodology (SAM) then this is referenced
accordingly. For further guidance on Safety Assessment see the SAM, or contact DAP/SSH.
Keywords
ESARR 3 Safety Argument Safety Case Lifecycle Safety Objectives
Goal Structuring Notation Safety Case Safety Management Safety Requirements
Contact Person(s)
Tel
Unit
Dr. Bernd TIEMEYER 95038 DAP/SSH
STATUS, AUDIENCE AND ACCESSIBILITY
Status Intended for Accessible via
Working Draft General Public
Intranet
Draft EATM
Stakeholders
Extranet
Proposed Issue Restricted
Audience
Internet (www.eurocontrol.int)
Released Issue
ELECTRONIC SOURCE
Path:
Host System Software Size
Windows_XP Microsoft Word 2002 1127 Kb
Edition: 2.2 Released Issue Page iii
DOCUMENT APPROVAL
The following table identifies all management authorities who have successively approved
the present issue of this document.
AUTHORITY NAME AND SIGNATURE DATE
Co-ordinator
Agency & EATM SMS
DAP/SSH
Bernd TIEMEYER
Chairman of the
SAMTF
Patrick MANA
Chairman of
Safety Team
Erik MERCKX
Director
DAS
Bo REDEBORN
Director
DAP
Guido KERKHOFS
Safety Case Development Manual
Page iv Released Issue Edition: 2.2
DOCUMENT CHANGE RECORD
The following table records the complete history of the successive editions of the present
document.
EDITION
NUMBER EDITION
DATE REASON FOR CHANGE PAGES
AFFECTED
1.3 07.07.03 Proposed Issue – Including editorial corrections All
1.41 29.11.04 Initial Draft of Revised Version All
1.42 13.12.04 Working Draft of Revised Version All
1.43 23.12.04 Further Draft of Revised Version All
1.44 01.02.05 Update following DAP/SAF internal review All
1.45
11.02.05
Chapter 5 and Appendix updated following DAP/SAF
internal review
Chap 5
and
Appdx C
1.5 25.02.05 Minor changes following final DAP/SAF internal review All
2.0 28.09.05 Proposed Issue following external stakeholder review All
2.1
03.09.06
Proposed Issue, incorporating further stakeholder
comments 4, 6, 8,
19
2.2 13.11.06 Released Issue, incorporating final stakeholder
comments 8, 17, 25
Safety Case Development Manual
Edition: 2.2 Released Issue Page v
CONTENTS
PREFACE..............................................................................................................................1
CHAPTER 1 – INTRODUCTION............................................................................................3
1.
Purpose of the Manual ..................................................................................3
2.
Structure of the Manual.................................................................................4
CHAPTER 2 – ESSENTIALS – GETTING STARTED...........................................................5
1.
What is a Safety Case for?............................................................................5
2.
Which Kind of Safety Case? .........................................................................6
3.
Safety Cases and the Project Safety Lifecycle............................................7
4.
Contents of a Safety Case.............................................................................9
5.
Defining the Scope and Boundaries for the Safety Case..........................10
6.
Setting the Context......................................................................................10
CHAPTER 3 – ESSENTIALS – ARGUMENT AND EVIDENCE..........................................13
1.
Introduction..................................................................................................13
2.
Safety Argument..........................................................................................13
3.
Safety Evidence...........................................................................................14
CHAPTER 4 – GUIDANCE – PROCESS AND TECHNIQUES ..........................................17
1.
Overview ......................................................................................................17
2.
Determining the Safety Criteria ..................................................................18
3.
Constructing a Safety Argument................................................................19
4.
Gathering, Assessing and Presenting Safety Evidence ...........................23
5.
Evidence – Safety Requirements Determination.......................................24
6.
Evidence – Safety Requirements Satisfaction...........................................26
7.
Developing a Safety Plan ............................................................................29
8.
Format, Structure and Layout of the Safety Case .....................................30
9.
Verifying the Safety Case............................................................................32
10.
ESARR Compliance.....................................................................................33
CHAPTER 5 GUIDANCE - GSN SAFETY ARGUMENT EXAMPLES.................................35
Safety Case Development Manual
Page vi Released Issue Edition: 2.2
1.
Example Application of GSN – A “Project” Safety Case...........................35
2.
Example Application of GSN – Unit Safety Cases.....................................45
3.
Example Application of GSN – Preliminary Safety Cases ........................48
APPENDIX A
REFERENCES .........................................................................................51
APPENDIX B
GLOSSARY AND ABBREVIATIONS.......................................................53
GLOSSARY ....................................................................................................................53
ABBREVIATIONS...........................................................................................................55
APPENDIX C
SAFETY CASE DEVELOPERS AND REVIEWERS CHECKLIST............57
Safety Case Development Manual Preface
Edition: 2.2 Released Issue Page 1
PREFACE
Background
Related Documents
EATM SMS Context
User Community
Feedback
“Health Warning” !!
Version 2.2 of the Safety Case Development Manual has been
developed based on recent experience, user feedback and
lessons learned since Version 1.3 was published in July 2003.
The new Manual tries to explain in simple terms the ‘Essentials’
of how to construct a Safety Case and then provides supporting
‘Guidance’ and ‘Examples’. It is intended primarily for use within
the EUROCONTROL Agency but may also be used (where
appropriate
1
11
1
) by the Member States.
The provisions of the Manual are intended to be consistent with
ESARRs and the EUROCONTROL ANS Safety Assessment
Methodology (SAM), to which numerous references are made
herein. In particular, the Manual as a whole is intended to
satisfy the requirements of paragraph 5.3 of ESARR 4
concerning the documentation of the arguments and evidence
associated with the risk assessment and mitigation processes.
The Manual provides a product description for the Safety Case
described in Element 5 (Risk Assessment and Mitigation) of the
EATM Safety Management Handbook. Organisational issues
are dealt with in Element 3 (Organisation and Structure).
The Manual is intended primarily for safety professionals who
have received training in SMS and the EUROCONTROL SAM.
We believe that it will be of most immediate use to the willing
developer but accept that it could present some difficulties for
the uncertain starter; we also believe that it has something to
offer to the confident adopter
2
.
Therefore, the contents of the Manual will be supported by
related training, and readers (particularly, but not exclusively
willing developers and uncertain starters) are urged to
undertake this training and the related EUROCONTROL SAM
training before embarking on the development of a Safety Case
for an operational application.
The users of this Manual are invited to provide any feedback
and suggestions for improvement on this current version to me,
which will be taken into consideration when a future updated
Version is produced.
Finally, this Manual cannot give a complete insight into all
aspects of Safety Assessment and Safety Case development
nor provide ready made solutions to fit every situation.
1
“Where appropriate” is inserted here because there is no explicit requirement in ESARRs for ANSPs
to produce Safety Cases. EUROCONTROL has chosen the Safety Case approach for EATM
Programmes and Domain Activities because experience has shown this approach to be effective for
these applications.
2
See EUROCONTROL SAM [5] for explanation of these terms
Preface Safety Case Development Manual
Page 2 Released Issue Edition: 2.2
PAGE INTENTIONALLY LEFT BLANK
Safety Case Development Manual Introduction
Edition: 2.2 Released Issue Page 3
CHAPTER 1
– Introduction
1. Purpose of the Manual
What does it do?
Who is it for?
What is it for?
What does it not do?
This Safety Case Development Manual provides guidance on
the development of Safety Cases as a means of structuring and
documenting the demonstration of the safety of an ATM service
or new / modified System
3
.
The Manual is intended for use by those, employed on projects
or in service-provider organisations, who have to:
• Produce Safety Cases – eg safety practitioners;
• Approve Safety Cases – eg programme managers and
heads of ATSUs;
• Review Safety Cases – eg safety department staff.
The aim is to achieve sound, well-presented Safety Cases
through the adoption of a logical, rigorous, consistent and
accurate approach that is based on good safety practice.
Whereas this Manual should aid the process of developing and
presenting a Safety Case, it cannot give assurance of the
validity of the end product, and it does not, therefore, relieve its
users of their responsibility to provide such assurance.
The Manual does not provide guidance on how to carry out a
safety assessment – see the EUROCONTROL SAM [5] for that
– rather it describes how to present the results of a safety
assessment, in the context of a Safety Case.
Chapter 1 Safety Case Development Manual
Page 4 Released Issue Edition: 2.2
As the Manual is intended to be used within the framework of a
Safety Management System (SMS), it does not address
questions, such as what is a change and when should a Safety
Case be produced – these are assumed to be addressed by the
SMS
4
. Rather, the starting point for the Manual is the point at
which it has been decided to produce a Safety Case for a
particular ATM service or change (a so-called “substantial
change” in this document).
2. Structure of the Manual
Essentials - Getting
Started
Essentials – Argument
and Evidence
Guidance – Process
and Techniques
Guidance - Examples
References
Glossary
Checklists
The remainder of this Manual is presented in a further 4
Chapters, covering the Essentials of Safety Case Development
and supporting Guidance, as follows.
Chapter 2 explains the background to Safety Cases and
provides the key points in planning the development of a Safety
Case.
Chapter 3 presents the essentials of the Safety Case itself.
Chapter 4 provides guidance in support of Chapters 2 and 3,
including the use of Goal-structuring Notation (GSN). The
Guidance may be accessed directly or via links embedded in
the relevant parts of those Chapters.
Chapter 5 provides generic examples of structured Safety
Arguments using GSN. The main example is the introduction of
a substantial change to an ATM service / system. Variations of
that Safety Argument for an on-going ATM service and for a
typical limited-scope Safety Case are also explained.
Appendix A provides a list of the references called up in the
Manual.
The EATMP Glossary document [4] facilitates the search and
use of acronyms, abbreviations, terms and definitions most
frequently used within the EATM Programme. As the EATMP
Glossary document includes more than 5,800 acronyms and
2,000 definitions, a summary of the terms commonly used in
Safety Case development is provided at Appendix B.
Appendix C contains checklists for use by Safety Case
developers, reviewers and approvers in assessing the quality of
the argument structure and presentation of the Safety Case.
3
The term ‘System’ is used throughout this manual to include airspace, equipment, people and
procedures.
4
For guidance on “what is a change” please see the SAM [5] Guidance Material, Part IV, Appendix H.
Safety Case Development Manual Getting Started
Edition: 2.2 Released Issue Page 5
CHAPTER 2
– Essentials –
Getting Started
1. What is a Safety Case for?
A Lesson from History
ICAO Obligation
The Burden of Proof
In the investigation into the Piper Alpha accident [14] Lord
Cullen wrote:
“Primarily the Safety Case is a matter of ensuring that every
company produces a formal safety assessment to assure
itself that its operations are safe.
Only secondarily is it a matter of demonstrating this to a
regulatory body. That said such a demonstration both meets a
legitimate expectation of the workforce and the public and
provides a sound basis for regulatory control.”
ICAO Annex 11 places an obligation on the providers of Air
Traffic Management services to ensure the safety of air traffic,
in respect of those parts of the ATM System and supporting
services within their managerial control.
Implicit to this obligation is the requirement on those with
managerial control to demonstrate positively that the relevant
Safety Regulations are satisfied. In essence there is a “burden
of proof” on Air Navigation Service Providers to show that
acceptable levels of safety
5
are, and continue to be, achieved.
5
As defined by the Safety Criteria – see Chapter 4, section 2
Chapter 2 Safety Case Development Manual
Page 6 Released Issue Edition: 2.2
Primary Purpose
Relationship with
Regulatory Approval
Relation to Safety
Management System
Relation to Safety
Assessment
Broadly, the Safety Case is the documented assurance (ie
argument and supporting evidence) of the achievement
and maintenance of safety. It is primarily the means by
which those who are accountable for service provision or
projects
6
assure themselves that those services or
projects are delivering (or will deliver), and will continue to
deliver, an acceptable level of safety.
As the main objective of safety regulation is to ensure that
those who are accountable for safety discharge their
responsibilities properly, then it follows that a Safety Case
which serves the above primary purpose should also
provide an adequate means of obtaining regulatory
approval for the service or project concerned.
In the context of a Safety Management System, the Safety
Case can be a means of documenting and recording the
safety of a service or system. Conversely, the
implementation of a Safety Management System would
provide evidence to support a Safety Case.
The development of a Safety Case is not an alternative to
carrying out a Safety Assessment, in accordance with, for
example, the EUROCONTROL SAM [5]; rather, it is a
means of structuring and documenting a summary of the
results of a Safety Assessment, and other activities (eg
simulations, surveys etc), in a way that a reader can readily
follow the logical reasoning as to why a change (or on-
going service) can be considered safe.
2. Which Kind of Safety Case?
Types
Safety Cases may come in many forms but most, if not all, can
be thought of as falling into one of two categories, as follows:
• those which are used to demonstrate the safety of an on-
going service – these are known herein as Unit Safety
Cases; and
• those which are used to demonstrate the safety of a
substantial change to that service (and/or underlying
system) – these are known herein as Project Safety Cases.
Unit Safety Case
The two categories are interrelated, as explained below.
An ATSU (or other major, safety-related service / facility) may
decide to produce, and maintain, a (Unit) Safety Case in order
to show that the on-going, day-to-day operations are safe and
that they will remain so indefinitely.
Safety Case Development Manual Getting Started
Edition: 2.2 Released Issue Page 7
Project Safety Case
A Unit Safety Case would include typically an a priori safety
assessment (to show that service / system is predicted to be
safe), together with the results of safety audits, surveys and
operational monitoring (to show that, up that point in time, it
actually has been safe). It should also demonstrate that
processes are in place to ensure that all future changes to the
ATSU’s system will be managed safely through, inter alia,
Project Safety Cases.
An ATSU (or other responsible organisation) may also decide to
produce a Project Safety Case when a particular substantial
change to an existing safety-related service / system (including
the introduction of a new service / system) is to be undertaken.
A Project Safety Case would normally consider only those risks
created or modified by the change and rely on an assumption
(or evidence from the corresponding Unit Safety Case) that the
pre-change situation is at least tolerably safe.
Project Safety Cases are used to update, and are usually
subsumed into, Unit Safety Cases
7
.
Further details of both Unit Safety Cases and Project Safety
Cases are given in section 3 below and in Chapter 5.
3. Safety Cases and the Project Safety Lifecycle
A simplified view of a typical project lifecycle is shown in the
diagram overleaf.
Safety Considerations
This is an EATM SMS process to identify the main safety issues
associated with a project as soon as possible after an
Operational Concept has been developed and to help in
deciding whether a full Safety Plan and Safety Case are
required. It provides an initial assessment of the safety
implications of the project, as the basis for developing a Safety
Plan in which the detailed safety activities will be specified. It
should address, inter alia, what the project is seeking to achieve
(eg to deliver benefits in capacity, efficiency and/or safety), the
possible impact on safety (in general terms only, since a safety
assessment would not have been started at this stage), the
criteria for deciding what is “safe” in the context of the Project
and, in broad terms, the strategy for demonstrating safety.
6
The distinction between services and projects / systems is to emphasise the difference between Unit
and Project (or System) Safety Cases – see section 2. The generic term “project” should be taken to
include EATM Programmes and Domain Activities.
7
However, this is not meant to imply that a Unit Safety Case is merely a collection of project Safety
Cases!
Chapter 2 Safety Case Development Manual
Page 8 Released Issue Edition: 2.2
Safety
Considerations Operational
Concept
Initial
Safety
Argument
FHA
PSSA
Implementation
Transfer into
Operation
Safety
Plan
Project
Safety
Case
Unit
Safety
Case
Evidence
Approval
Evidence
Evidence
Evidence
Evidence
Update, if required
Safety
Monitoring
Reports
Update
Update
Evidence
SSA
Integration
Operation &
Maintenance
Safety
Considerations Operational
Concept
Initial
Safety
Argument
FHA
PSSA
Implementation
Transfer into
Operation
Safety
Plan
Project
Safety
Case
Unit
Safety
Case
Evidence
Approval
Evidence
Evidence
Evidence
Evidence
Update, if required
Safety
Monitoring
Reports
Update
Update
Evidence
SSA
Integration
Operation &
Maintenance
Initial Safety Argument
Safety Plan
Safety Assessment:
FHA
PSSA
Building on the Safety Considerations, the initial Safety
Argument should be as complete as possible and at least
sufficient to provide a set of goals for the Safety Plan to
address. It also provides the starting point, and framework, for
the development of the Project Safety Case, although it needs
to be recognised that the initial view of what the Safety
Argument should look like may need to change, depending on
the results of the subsequent safety assessment.
Specifies the safety activities to be conducted throughout the
project lifecycle and the responsibilities for their execution.
The three main phases of safety assessment (FHA, PSSA and
SSA) provide much of the Evidence needed for the Project
Safety Case, as follows:
o FHA produces Safety Objectives to limit the frequency of
occurrence of hazards, such that the associated risk would
be acceptable, and the external means of mitigating the
effects of the hazards
8
.
o PSSA produces Safety Requirements and Assurance Levels
for the system elements.
o SSA produces the assurance that the Safety Requirements
8
88
8
See further discussion on “external mitigation means” in the Note at end of this Chapter
Safety Case Development Manual Getting Started
Edition: 2.2 Released Issue Page 9
SSA
Implementation &
Integration
Transfer into Operation
Operational Service
Unit Safety Case
and Safety Objectives are met in the implemented system
and that risk is acceptable.
For further information on safety assessment, see the SAM [5].
This phase covers all the preparation needed in order to bring
the new / modified system – the subject of the Safety Case –
into operational service.
Transfer into Operation of the new/modified system would
normally be subject to a risk assessment and mitigation for this
phase itself (part of the Project Safety Case) and be concluded
by finalisation and regulatory approval of the Project Safety
Case.
Because most, if not all, of the preceding safety assessment
work is predictive in nature, it is important that further assurance
of the safety is obtained from what is actually achieved in
operational service. If the operational experience differs
significantly from the results of the predictive safety
assessment, it may be necessary to review and update the
Project Safety Case.
Once a satisfactory steady state has been achieved, it would be
appropriate to update the Unit Safety Case (if one exists) with
the information from the Project Safety Case thus establishing a
new safety baseline for the on-going operational service.
4. Contents of a Safety Case
Aim
Purpose
Scope
System Description
Justification
Argument
Evidence
Caveats
A good Safety Case (of whichever type) should include, at least:
• what the Safety Case is trying to show - this should be
directly related to the Claim that the subject of the Safety
Case is acceptably safe;
• why is the Safety Case being written and for whom;
• what is, and is not, covered - see section 5 below;
• a description of the system / change and its operational /
physical environment, sufficient only to explain what the
Safety Case addresses and for the reader to understand the
remainder of the Safety Case – see section 6 below;
• for project Safety Cases, the justification for introducing the
change (and therefore potentially for incurring some risk);
• a reasoned and well-structured Safety Argument showing
how the Aim is satisfied – see Chapter 3, section 2 below;
• supporting Safety Evidence to substantiate the Safety
Argument – see Chapter 3, section 3 below;
• all Assumptions, outstanding safety Issues, and any
Limitations or restrictions on the operation of the system;
Chapter 2 Safety Case Development Manual
Page 10 Released Issue Edition: 2.2
Conclusions
• a simple statement to the effect that the Aim has been
satisfied, subject to the stated Caveats.
Chapter 4, section 8 provides further guidance on the content,
structure and layout of a Safety Case
5. Defining the Scope and Boundaries for the Safety Case
Scope Definition
Lifecycle Limitations
Defining the scope and boundaries of the Safety Case is an
essential first step in the development of the Safety Case. It
should explain clearly:
• what the Safety Case covers (and does not cover);
• boundaries of responsibility with respect to managerial
control and other stakeholders;
• relationship with other Safety Cases, if applicable;
• applicability and compliance with safety regulations and
standards;
• any assumptions made in defining the scope, boundaries or
safety criteria.
A Safety Case may be (temporarily) restricted to the safety of a
new concept, and therefore be conditional on the subsequent
complete and correct implementation of that concept by the
responsible organisation. This is the situation on those EATM
Programmes (and similar activities) for which EUROCONTROL
is not responsible for implementation; the output would then be
a validated set of Safety Requirements (from the PSSA).
The term Preliminary Safety Case is used herein to cover such
situations, and it should be supported by guidance material for
the subsequent implementation of the Safety Requirements and
for the development of a full Safety Case. An example of a
Preliminary Safety Case, and the sort of guidance that should
accompany it, are given in Chapter 5, section 3.
6. Setting the Context
Rationale
Content
It is vital to fully describe the operational environment to which
the Safety Case applies and the system configuration on which
the Safety Case (and underlying Safety Analysis) is based.
The description of the Context should include:
Safety Case Development Manual Getting Started
Edition: 2.2 Released Issue Page 11
• the purpose of the system from a safety perspective;
• the interfaces with other systems including people,
procedures and equipment;
• the operational environment – including all characteristics
that may be affected and elements that are relied upon,
when assessing acceptable levels of safety;
• A reference to (together with a summary of) Concept of
Operations that explain how the system, and the service that
it supports, are intended to operate
Note on External Mitigation Means (§3 of this chapter):
External Mitigation Means are those mitigations of the consequences of a hazard that lie outside of the
scope of the service / system covered by the FHA. They are often recorded as "assumptions"
concerning, for example, the Operational Environment (levels, type and patterns of traffic etc), other
elements of the system (aircraft equipage, airline compliance to some operation requirements, aircraft
equipment certification etc) and other service providers (adjacent ATSUs, CFMU, Military etc). They
may be either pre-existing or newly identified because of the nature of the "change" covered by the
FHA.
Two matters are crucial to the safety assessment: firstly, as the Assumptions have an impact on the
way the Safety Objectives were set, then the latter are valid only if the former are met; and secondly,
therefore, these Assumptions must be properly recorded, demonstrated as being valid / satisfied prior
to operations, and then continuously monitored and confirmed in operational service, along with the
Safety Requirements that emerge from the PSSA.
Chapter 2 Safety Case Development Manual
Page 12 Released Issue Edition: 2.2
PAGE INTENTIONALLY LEFT BLANK
Safety Case Development Manual Argument and Evidence
Edition: 2.2 Released Issue Page 13
CHAPTER 3
– Essentials –
Argument and Evidence
1. Introduction
Overview
Non-prescriptive
This Chapter presents the essential points of:
• the construction of Safety Arguments;
• the collation, review and presentation of Safety Evidence.
The information presented draws on current good practice
without prescribing a particular methodology, and is supported
by references to the Guidance in Chapter 4.
2. Safety Argument
What is a Safety
Argument?
Making the Claim
Supporting the Claim
A Safety Argument is a statement (or a set of statements) that is
used to assert that the service or system concerned is safe, and
should be developed as follows.
The Safety Argument must start with a top-level statement
(Claim) about what the Safety Case is trying to demonstrate in
relation to the safety of the service or system.
The Claim must be supported by:
• Safety Criteria, which define what is safe in the context of
the Claim;
• for Project Safety Cases, the Justification for introducing
Chapter 3 Safety Case Development Manual
Page 14 Released Issue Edition: 2.2
Structuring the
Argument
Guidance
the change to the service or system concerned;
• the Operational Context for the Claim;
• any fundamental Assumptions on which the Claim relies.
The decomposition of the Claim into lower-level Arguments
provides the essential links between the Claim and the wealth of
Evidence needed to show that the Claim is valid.
In performing this decomposition, it is important that:
• each Argument in the structure is expressed as a simple
predicate – ie a statement that can be only true or false;
• the Argument structure does not contain any negative or
inconclusive Arguments
9
;
• the set of Arguments at each level of decomposition is
necessary and sufficient to show that the parent Argument is
true;
• a valid counter-Argument, which would negate the parent
Argument, does not exist
10
;
• where the rationale for decomposition of an Argument into
lower-level Arguments is not self evident, it is explained by
supporting text;
• the number of levels of decomposition is appropriate to the
complexity of the Safety Case and/or supporting Evidence;
• each branch of the Safety Argument structure is terminated
in supporting Evidence;
• there is a clear distinction between, and correct use of,
Direct (product-based) and Backing (process-based)
Arguments and related Evidence.
Further guidance on the structuring of Safety Arguments is
given in Chapter 4, section 3, and generic ATM examples are
presented in Chapter 5.
3. Safety Evidence
What is Safety
Evidence?
Safety Evidence is information, based on established fact or
expert judgement, which is presented to show that the Safety
Argument to which it relates is valid (ie true).
The essential rules of Evidence are as follows:
Necessity
• Evidence must be presented only to the degree and extent
Safety Case Development Manual Argument and Evidence
Edition: 2.2 Released Issue Page 15
Sufficiency
Appropriateness
Rigour
Relevance
Guidance
necessary to support the related Argument;
11
• Evidence must show that the related Argument is true in a
way that is clear, unequivocal, conclusive and, wherever
possible, objective;
• the type of Evidence – from safety analysis, design,
simulation, test, previous usage, compliance with standards
etc – must be appropriate to the Argument;
• the rigour of the Evidence must be appropriate to the
associated risk;
• Evidence must actually relate to the correct configuration of
the system under consideration.
Further guidance on the gathering, assessing and presenting
Evidence is given in Chapter 4, section 4.
9
The main point here is that lack of Evidence of risk is not Evidence of lack of risk!
10
This point is concerned only with the sufficiency of the Argument – sufficiency of the Evidence is
covered in section 3.
11
The point here concerns only irrelevant Evidence. Clearly any Evidence which actually counters the
Argument must not be ignored; on the contrary, the validity (or at the very least the phrasing) of an
Argument must be reconsidered in the light of such Evidence
Chapter 3 Safety Case Development Manual
Page 16 Released Issue Edition: 2.2
PAGE INTENTIONALLY LEFT BLANK
Safety Case Development Manual Process and Techniques
Edition: 2.2 Released Issue Page 17
CHAPTER 4
– Guidance –
Process and Techniques
1. Overview
Context
Scope
This Chapter provides guidance in support of the requirements
stated in Chapters 2 and 3 above. Whereas this guidance is
based on experience gained on the development of Safety
Cases by EUROCONTROL on a wide range of EATM
Programmes, it is intended to be applicable also to other
environments – eg service provision.
The guidance covers the following areas:
• determining the Safety Criteria - section 2;
• constructing a Safety Argument, using a recognised
notation that is considered to be good practice – ie Goal-
structuring Notation (GSN) - section 3;
• general issues concerning gathering, collating,
assessing and presenting Safety Evidence - section 4;
• specific issues concerning Evidence of Safety
Requirements determination - section 5;
• general issues concerning Safety Requirements
satisfaction - section 6;
• developing a Safety Plan - section 7;
• deciding the format, structure and layout of a Safety
Case - section 8;
Chapter 4 Safety Case Development Manual
Page 18 Released Issue Edition: 2.2
• verifying the Safety Case - section 9;
• ESARR compliance - section 10.
2. Determining the Safety Criteria
Absolute
Relative
Reductive
Selecting Criteria
Safety Criteria are essential to the definition of what is safe in
the context of the top-level Safety Claim
Basically, they fall into three categories as follows:
• Compliance with a defined target – eg the ESARR 4 Risk
Classification Scheme (RCS) or ICAO Target Level of Safety
(TLS) – or portion thereof. Such criteria are usually
quantitative;
• Relative to an existing (or previous) level of safety. Such
criteria may be quantitative or qualitative;
• Where the risk is required to be reduced as far as
reasonably practicable. Such criteria are usually qualitative.
In general, absolute criteria are preferred since satisfaction of
them does not depend on proof of past safety achievement and
such proof may be difficult if a suitable baseline does not exist
or sufficient historical data is not available.
However, in some cases, there may be a problem in
establishing what would be a suitable target on which to base
the criterion because either:
• a regulatory target has not been set for the operational
environment concerned
12
; or
• for Project Safety Cases, it may not be feasible to determine
what portion of the overall target it would be reasonable to
allocate to the system concerned.
As an alternative to the absolute approach, a relative Safety
Argument (ie based on a relative criterion) could be use for a
Project Safety Case
13
if:
• a well-defined baseline, prior to the introduction of (or
change to) a ‘system’, could be established; and
• it can be shown, or at least reasonably be assumed, that the
baseline situation was safe.
The justification for a relative approach is the ATM 2000+ [1]
Safety Objective which requires that risk shall not increase and
preferably decrease, relative to historical achievement. The
12
This is being addressed by the current (2005) EUROCONTROL TLS study
13
For Unit Safety Cases an absolute approach should always be the primary criterion.
Safety Case Development Manual Process and Techniques
Edition: 2.2 Released Issue Page 19
Multiple Criteria
ESARR 4 RCS, although normally considered to be an absolute
measure, is actually a quantified interpretation of the ATM
2000+ Safety Objective
14
.
A reductive approach is called for by ESARR 3 (paragraph
5.1.4), which requires ANSPs to reduce risk as far as
reasonably practicable. It is an important criterion for in-service
safety monitoring – especially regarding incident investigation
and corrective action.
It is usual to specify more than one type of criterion, and
sometimes all three. In ATM, reducing risk as far as reasonably
practicable is rarely adequate on its own
15
but it is often useful in
support of one (or both) of the other two criteria.
Use of Risk
Classification Schemes Risk classification schemes (RCS)
16
are often used as criteria
on which to base absolute Arguments. However, experience
has shown that a lack of understanding by the user as to how
the RCS was originally derived can lead to inappropriate use. If
RCS are used, it is important that the user understands:
• at what level in the system hierarchy the values are intended
to be applied;
• where the probability/frequency values used in the scheme
came from and whether they are (still) valid;
• to what operational environment the values apply – eg type
of airspace, traffic patterns, traffic density, spatial dimension,
phase of flight etc;
• how the aggregate risk, as specified in ESARR 4 for
example, can be deduced from analysis of individual
hazards, in restricted segments of the total system.
These issues should not be a problem for the user in an
organisation that has a single, well-founded RCS, applicable to
all operational environments.
All other RCS users should be aware of, and address, the
issues raised in each of the above bullets.
For further guidance on RCS, please see SAM FHA Chapter 3
GM E, based on ED-125 [15].
3. Constructing a Safety Argument
Requirements Since the Safety Argument forms the framework of a Safety
14
See ESARR 4 [9], Appendix A, Endnote (2)
15
Both ATM 2000+ and ESARR 4 require, as a minimum, that risk must not increase – reducing risk
as far as reasonably practicable on its own does not ensure that this minimum requirement is met.
16
The comments here are aimed at the use of Risk Classification Schemes to determine what is a
tolerable level of risk, not at the use of Severity Classification / Categorisation Schemes proposed in,
inter alia, ESARR 2, ESARR 4 and the EUROCONTROL ANS Safety Assessment Methodology.
Chapter 4 Safety Case Development Manual
Page 20 Released Issue Edition: 2.2
Case, it is important that the Argument is set out in a rigorous,
GSN Solution
hierarchical and well-structured and easily-understood way.
Goal-structuring Notation (GSN), developed by the University of
York, provides a graphical means of setting out hierarchical
Safety Arguments, with textural annotations and references to
supporting Evidence.
The logical approach of GSN, if correctly applied, brings some
rigour into the process of deriving Safety Arguments and
provides the means for capturing essential explanatory material,
including assumptions, context and justifications, within the
argument framework.
The diagram below shows, in an adapted form of GSN, a
specimen Argument and Evidence structure to illustrate the
GSN symbology most commonly used in EUROCONTROL ATM
Safety Cases.
Argument
Arg 1
Fig n
Overall
Argument /
Claim
Arg 0
Argument
Arg 2
Argument
Arg n
Continuation
page
A0001
Assumption
J0001
Justification
C0001
Context
St0001
Strategy
Argument
Arg 1.2
Argument
Arg 1.1
Ref
Evidence
Ref
Evidence
Cr001
Criteria
Argument
Arg 1
Fig nFig n
Overall
Argument /
Claim
Arg 0
Overall
Argument /
Claim
Arg 0
Argument
Arg 2
Argument
Arg n
Continuation
page
A0001
Assumption
J0001
Justification
C0001
Context
St0001
Strategy
Argument
Arg 1.2
Argument
Arg 1.1
Ref
Evidence
Ref
Evidence
Cr001
Criteria
An Argument should take the form of a simple predicate - ie a
statement which can be shown to be only true or false.
GSN provides for the structured, logical decomposition of
Arguments into lower-level Arguments. For an Argument
structure to be sufficient, it is essential to ensure that, at each
level of decomposition:
Argument
Arg 1.1
Argument
Arg 1.1
Safety Case Development Manual Process and Techniques
Edition: 2.2 Released Issue Page 21
• the set of Arguments covers everything that is needed in
order to show that the parent Argument is true;
• there is no valid (counter) Argument that could undermine
the parent Argument.
In the above diagram, for example, if it can be shown that Arg 1
is satisfied by the combination of Arg 1.1 and Arg 1.2, then we
need to show that Arg 1.1 and Arg 1.2 are true in order to show
that Arg 1 is true.
If this principle is applied rigorously all the way down through
and across a GSN structure, then it is necessary to show only
that each Argument at the very bottom of the structure is
satisfied (ie shown to be true) in order to assert that the top-
level Claim has been satisfied. Satisfaction of the lowest-level
Arguments is the purpose of Evidence.
Unnecessary (or misplaced) Arguments do not in themselves
invalidate an Argument structure; however, they can seriously
detract from a clear understanding of the essential Arguments
and should be avoided. The cover-up method illustrated in the
three GSN diagrams below can be used to determine identify
unnecessary and misplaced Arguments.
A=True
B=True C=True
E=TrueD=True
A=True
B=True C=True
E=True
D=True
A=True
B=True C=True
E=True
F=True
If this is complete
and correct …
…then D is incorrectly
positioned … …and F is
unnecessary…
D=True
A=True
B=True C=True
E=TrueD=True
A=True
B=True C=True
E=True
D=True
A=True
B=True C=True
E=True
F=True
If this is complete
and correct …
…then D is incorrectly
positioned … …and F is
unnecessary…
D=True
It follows from the above that, for an Argument structure to be
considered to be complete, every branch must be terminated in
a reference to the item of Evidence that supports the Argument
to which it is attached.
Evidence therefore must be:
• appropriate to, and necessary to support, the related
Argument - spurious Evidence (ie information which is not
relevant to an Argument) must be avoided since it would
serve only to confuse the “picture”;
• sufficient to support the related Argument - inadequate
Ref
Evidence
Chapter 4 Safety Case Development Manual
Page 22 Released Issue Edition: 2.2
evidence undermines the related Argument and
consequently all the connected
higher levels of the structure.
Strategies are a useful means of adding “comment” to the
structure to explain, for example, how the decomposition will
develop. They are not predicates and do not form part of the
logical decomposition of the Argument; rather, they are there
purely for explanation of the decomposition.
An Assumption is a statement whose validity has to be relied
upon in order to make an Argument.
Assumptions may also be attached to other GSN elements
including Strategies and Evidence.
Context provides information necessary for an Argument (or
other GSN element) to be understood or amplified.
Context may include a statement which limits the scope of an
Argument in some way.
A Justification is used to give a rationale for the use or
satisfaction of a particular Argument or Strategy. More
generally it can be used to justify the change that is the subject
of the Safety Case.
Criteria are the means by which the satisfaction of an Argument
can be checked.
Numbering It is recommended that Arguments be numbered hierarchically
(eg, Arg 1.1) to reflect their logical structure.
Strategies, Assumptions, Context, and Criteria should be
numbered sequentially (eg, St0001) since they elaborate, but do
NOT form part of, the logic of the structure.
It is recommended that Evidence be numbered according to its
source reference and that the Evidence ‘bubble’ contains a brief
indication of the form that the Evidence takes.
Other Symbology
A Choice can be used while a Safety Argument is being
developed to show a decision point between alternative
Strategies. However, they must be removed before a Safety
Argument is finalised.
A Model is some representation of the system, sub-system or
environment – eg Simulations, Data Flow Diagrams, Circuit
Layouts, State Transition Diagrams etc.
A Stakeholder is the person or role responsible for ensuring
satisfaction of an Argument, Strategy, or Choice.
Constraints are used to restrict the way in which an Argument
can be solved; they are restrictions imposed on the
interpretation of the parent Argument.
St0001
Strategy
A0001
Assumption
C0001
Context
J0001
Justification
Cr001
Criteria
Cr001
Criteria
Safety Case Development Manual Process and Techniques
Edition: 2.2 Released Issue Page 23
A Problem is attached to an Argument to indicate that there is a
possible obstacle to showing that it is true. Problems can also
be attached to other GSN elements.
Examples of the application of GSN to generic Safety
Arguments are presented in Chapter 5.
4. Gathering, Assessing and Presenting Safety Evidence
Importance
Direct and Backing
General Attributes
Necessity
Evidence is the heart of every case and ultimately it is on the
quality and completeness of the Evidence that the validity of a
Safety Case depends. Of course, a well-structured Safety
Argument is very important but only insofar as it provides the
context for, and thus facilitates interpretation of, the Evidence.
In decomposing the Safety Arguments, the following two main
types of Argument (and related Evidence) are used:
• that which shows that a particular objective has been
achieved (ie that a higher level Argument or Claim has been
satisfied) – this is referred to as Direct Argument and
Evidence;
• that which shows that the Direct evidence is trustworthy (ie
that it can be relied upon) – this is referred to as Backing
Argument and Evidence.
Direct Evidence may be thought of as being that which relies
directly on the observable properties of a product (ie the output
of a process), supporting a logical Argument as to how the
product satisfies its safety objectives or requirements, as
appropriate.
Backing Evidence is obtained from the properties of the
processes by which Direct Evidence was obtained, and shows
that those processes, tools and techniques, human resources
etc were appropriate, adequate and properly deployed.
The points below expand upon the “essential rules” outlined in
Chapter 3, section 3 above.
Evidence must be presented only to the degree and extent
necessary to support the related Argument.
The issue here is that, in the context of an Argument-based
approach, any “Evidence” which is unrelated to a part of that
Argument is not only of no value but could also serve as a
distraction from those aspects of the Safety Case that are
relevant. On the other hand, any Evidence which actually
undermines the validity of an Argument must not be ignored –
the existence of such Evidence must be acknowledged and
explained fully in the Safety Case.
Chapter 4 Safety Case Development Manual
Page 24 Released Issue Edition: 2.2
Sufficiency:
o Clarity, and
Conclusiveness
o Objectivity
Appropriateness
Rigour
Relevance
Evidence must be sufficient, as follows.
It is bad (but unfortunately not uncommon!) practice to present
an element of a structured Argument and then refer to a mass of
information as “Evidence” to substantiate the Argument.
It is vital to the integrity of the Safety Case that the Evidence be
presented in such a way that is clear to the reader that the
Evidence does actually show the related Argument to be true,
“beyond all reasonable doubt”.
Where Evidence is contained in appendices or external
documents, a summary justifying the adequacy of the Evidence
should be presented (in the Safety Case) along with the
associated Argument. It is not sufficient to merely reference the
Evidence with statements such as “Evidence to support the
Argument is presented in ….”
Wherever possible, Evidence should consist of proven facts –
eg, the results of a well-established process such as simulations
and testing. Only where such objective Evidence is not
available should Evidence based on expert opinion be used,
and then only when the credentials of the expert(s) and the
means of eliciting the opinion are adequate and have been
presented as Backing Evidence.
The type of Evidence, from safety analysis, design, simulation,
test, previous usage etc, must be appropriate to the Argument –
see sections 5 and 6 below.
The rigour of the Evidence must be appropriate to the
associated risk. This is the principle behind the Assurance
Level concept in ESARR 6 [11] (for software) and the
EUROCONTROL ANS Safety Assessment Methodology [5] for
software, procedures and human aspects.
Evidence must relate to the configuration of the system and
operational environment under consideration - eg a correct and
known:
• version of the equipment, procedures, training, etc.;
•
documentation used in the production of that version;
• range of configuration data.
Application How the above should be applied specifically to the two main
stages of the safety development lifecycle – requirements
determination and requirements satisfaction - is discussed
below, in sections 5 and 6 respectively.
5. Evidence – Safety Requirements Determination
What are Safety
Requirements To paraphrase ESARR 4 [9], Safety Requirements are means
by which the necessary risk reduction measures identified in the
hazard and risk analysis are formally
17
specified. Necessary in
17
In the normal English meaning of the word.
Safety Case Development Manual Process and Techniques
Edition: 2.2 Released Issue Page 25
this context means necessary in order to achieve the required
safety levels, as defined by the Safety Criteria (see section 2
above) and translated into specific Safety Objectives during the
Functional Hazard Assessment [5]
Role of Safety
Requirements in ATM
Types of Safety
Requirement
Direct Evidence of
Safety Requirements
Determination
Backing Evidence of
Safety Requirements
Determination
The primary purpose of ATM is to reduce the risk of accident to
air traffic that would otherwise exist. The amount of risk
reduction is determined primarily by the functionality and
performance of the ATM systems elements, including
equipment, people and procedures. However, failure within the
ATM system can cause risk to increase again, either by
reduction in functionality or performance, or by the introduction
of new risk caused by corruption of the outputs of ATM
functions.
Therefore, in order to achieve a net safety benefit from ATM, the
reduction in risk afforded by the desired functional and
performance properties of ATM needs to be substantially greater
that any increase due to failure
18
. It follows therefore that Safety
Cases are critically dependent on the determination and
satisfaction of a complete and correct set of Safety
Requirements in which system functionality and performance
are appropriately considered alongside system integrity.
19
Direct Evidence of Safety Requirements Determination is
concerned with the requirements themselves and should show,
inter alia, that:
• all relevant Hazards have been identified;
• the potential outcomes of the Hazards have been
categorised correctly;
• Safety Objectives have been specified to control the
frequency of occurrence of the Hazards such that an
acceptable level of risk (as defined by the Safety Criteria) is
achieved;
• Safety Requirements have been specified to control the
causes of the Hazards such that the Safety Objectives are
satisfied, and to capture the external means of mitigation of
the Hazard effects.
The key issue here is to ensure that the Safety Requirements
are complete – ie that all risks are taken into account. It would
not be sufficient to show that the Safety Requirements satisfy
the Safety Criteria if those Safety Requirements were based on
an incomplete / incorrect Hazard assessment.
Backing Evidence of Safety Requirements Determination is
concerned with the process of deriving the requirements and
should show, inter alia, that:
• the Safety Requirements were determined using an
established and appropriate process;
18
SAM [5] expresses the distinction in terms of the “success approach” and the “failure approach”
19
This point is emphasised here because of a popular misconception that safety is dependent mainly
on integrity. Neglect of functionality and performance can lead to systems that are “reliably unsafe”.
Chapter 4 Safety Case Development Manual
Page 26 Released Issue Edition: 2.2
Relationship to
EUROCONTROL Safety
Assessment
Methodology
• the techniques and tools used to support the Safety
Requirements Determination were verified and validated;
• the Safety Requirements Determination process was
executed by suitably competent and experienced personnel.
The Functional Hazard Assessment (FHA) and Preliminary
System Safety Assessment (PSSA) stages of the
EUROCONTROL, Air Navigation System Safety Assessment
Methodology [5] provides an appropriate and sound process for
the determination of ATM Safety Requirements – demonstration
of adherence to the FHA and PSSA processes could therefore
be used as Backing Evidence as in the first bullet point above.
6. Evidence – Safety Requirements Satisfaction
Sources of Evidence
Service Experience
20
2020
20
Direct Evidence from-
Service Experience
Evidence of Safety Requirements satisfaction may be used from
three main sources, as follows:
• Service Experience of previous usage
• Verification and Validation
• Compliance with Standards
Service Experience is data from previous operational use of the
product concerned. Direct Evidence is concerned with analysis
of data from Service Experience and what the results of that
analysis showed in terms of satisfaction of the safety
requirements. Backing Evidence is concerned with showing
that the environment from which the data was obtained is
sufficiently similar to that to which the re-used product will be
subjected, that adequate performance-assessment and fault-
recording processes were in place when the product was
originally deployed, and that the analysis of the outputs of those
processes was adequate and properly carried out.
In assessing and presenting Direct Evidence from Service
Experience, it is important to ensure that:
• an analysis process, with pass/fail criteria, was specified for
each aspect of the product safety requirement whose
satisfaction is being justified using service experience;
• analysis of the service records shows that the criteria for
each product safety requirement, whose satisfaction is being
justified using service experience, have been met;
• all of the details relevant to the argument being made (eg of
length of service, history of modifications, list of users) are
included in the Evidence;
20
Further guidance on Service Experience, specific to CNS/ATM software, may be found in ED-109
[13]. Note, however, that ED-109 makes no distinction between Direct and Backing evidence.
Safety Case Development Manual Process and Techniques
Edition: 2.2 Released Issue Page 27
Backing Evidence from
Service Experience
• any product capabilities that are not necessary to satisfy the
Safety Requirements cannot have an adverse effect on the
safe operation of the system.
In assessing and presenting Backing Evidence from Service
Experience, it is important to ensure, inter alia, that:
Verification and
Validation
• the subject of the Safety Case and the product for which the
Service Experience Evidence is available are identical or
sufficiently similar;
• the conditions of use of the product for which the Service
Experience is available is taken into account in the analysis;
• the proposed operational environment and the operational
environment for which the Service Experience Evidence is
available are identical or sufficiently similar;
• any changes made to the operational environment,
conditions of use, or product during the period of the Service
Experience are analysed to determine whether those
changes alter the applicability of the data obtained from
Service Experience for the period preceding the changes;
• all aspects of those product functions whose safety
requirements that are being justified from Service
Experience have been exercised in the (previously)
deployed product;
• the extent of the Service Experience is sufficient to
demonstrate that each aspect of the product safety
requirement has been met;
• a Defect Reporting, Analysis and Corrective Action System
(DRACAS) is in place for the deployed product, and is
operated in a reliable manner, and is adequate to support
the Service Experience Evidence;
• the procedures and tools used to support the creation and
analysis of Service Experience Evidence were verified and
validated;
• for all reported failures of an aspect in the product
component, the underlying fault has been corrected, or it
has been shown that the fault is not relevant because it has
no safety impact;
• the collection and analysis of Service Experience Evidence
was done by suitably competent and experienced personnel.
Evidence from system Verification and Validation (V&V) may be
based on, inter alia, analysis and/or testing.
Analysis, in this context, covers any proof of requirements
satisfaction that is obtained from the design or other
representation of the product, including models, prototypes,
software source code etc. It includes, for example, simulation
formal proof, hardware reliability prediction, inspection, and
software static and dynamic code analysis.
Chapter 4 Safety Case Development Manual
Page 28 Released Issue Edition: 2.2
Direct Evidence -
V&V
Backing Evidence -
V&V
Testing is restricted largely to tests of the final product in an
environment which is as close as possible to the operational
environment. Its purpose, broadly, is to demonstrate that what
has been built satisfies the requirements, and it is used to
supplement (sometimes replace) Analysis.
It is beyond the scope of this Manual to discuss the relative
merits of analysis and testing, or of the various techniques
within those two broad categories. Suffice it to say that a Safety
Case should set out clear justifications of the selected
techniques according to the nature and integrity required of the
system to which the Safety Case applies. The following
guidance is however given concerning the principal
requirements of Direct and Backing V&V Evidence.
However obtained, Direct evidence is concerned with the output
of the V&V processes, and should include, as a minimum:
21
• specifications of what V&V activities were carried out;
• evidence that the V&V activities and pass/fail criteria were
sufficient to demonstrate that the related requirements were
satisfied;
• the results of the V&V activities;
• analysis of the results to shows that all the specified
pass/fail criteria were met;
• explanation and justification of any discrepancies in the
results.
Whether obtained from analysis or testing, Backing evidence is
concerned with the V&V processes themselves, and should
include, as a minimum Evidence that:
• the processes were specified and performed independently
from design;
• the methods and techniques used are appropriate and
adequate, for the properties of the product under
consideration;
• the tools used to support the processes were verified and
validated to a level appropriate for the assigned assurance
level and were properly used;
• the V&V processes were properly and completely executed,
and the guidance, procedures, and standards were adhered
to;
• for previously existing V&V evidence, obtained for COTS or
re-used products, the evidence is entirely valid for the new
system application;
• any differences between the operational and V&V
21
The list is intended to provide only an overview of the main issues. Further detail on V&V, specific
to CNS/ATM software, may be found in section 3 of ED-109 [13].
Safety Case Development Manual Process and Techniques
Edition: 2.2 Released Issue Page 29
Compliance with
Standards
Product Standards
Process Standards
Relationship to
EUROCONTROL Safety
Assessment
Methodology
environments were identified, and the impact on the results
was assessed and justified.
Evidence of compliance with standards can be a significant
contribution to the safety case. However, the way in which
adherence to a particular standard can be used to demonstrate
compliance with Safety Requirements will depend on the nature
of the standard itself.
Product standards specify precisely what is required of a
specific item of equipment in terms of function, performance,
integrity and, in some cases, form and fit. A good example is
the Arinc 700 series of standards, which define digital avionics
systems and equipment installed on civil aircraft. Currently,
product standards are not common in ATM.
Compliance with product standards could be used as Direct
Evidence of system safety, subject to it being shown that the
standard was appropriate to the particular application and to the
provision of sufficient Backing Evidence concerning the
adequacy of the process by which compliance was
demonstrated.
At the other end of the spectrum, are standards which address
the processes of development and manufacture – examples
range from the very broadly based ISO 9000 series to the more
specific ED-78A (Guidelines for the Approval of the Provision
and Use of ATS Supported by Data Communications) and ED-
109 ( Guidelines for CNS/ATM System Software Integrity
Assurance). In none of these cases would it appropriate to
certify a product against them, from a safety viewpoint;
however, compliance with such standards, especially the more
specific ones, could provide excellent Backing Evidence for
safety requirements determination and/or satisfaction.
The distinction between product- and process-based safety
assurance is clearly fundamental since the former is concerned
with getting the right product and the latter with getting the
product right.
The System Safety Assessment (SSA) stage of the
EUROCONTROL, Air Navigation System Safety Assessment
Methodology [5] provides further guidance on the application of
the above approaches to requirements-satisfaction.
7. Developing a Safety Plan
Introduction
Basic Requirements
Safety Activities
A Safety Plan specifies, inter alia, the safety assurance activities
that are to be carried out in order to create necessary and
sufficient Evidence for the production of a Safety Case.
The SRC-EATM Interface process [6] specifies the following
contents for a Safety Plan:
• the Safety Activities needed to meet the (high-level) safety
objectives, as well as the links and relationships between
Chapter 4 Safety Case Development Manual
Page 30 Released Issue Edition: 2.2
Resources
Roles and
Responsibilities
Safety Deliverables
The Safety / Programme
Lifecycle
Safety Activity /
Deliverables Mapping
Schedule
Specific
Recommendations
Safety Argument
Safety Case
Development
Reviews and Approvals
Handover
Safety Regulation
Safety Case
Maintenance
safety activities and safety objectives;
• the means and resources to carry out safety activities within
the Programme;
• responsibilities and accountabilities for Safety Activities;
• the safety deliverables associated with the Safety Activities;
• the allocation of Safety Activities and Safety Deliverables in
the progression of the Programme;
• the relationships and dependencies between successive
Safety Activities and associated Safety Deliverables;
• the detailed schedule and milestones for conducting Safety
Activities and releasing associated Safety Deliverables.
It is recommended that the following items, specific to the
creation of a Safety Case, also be included in the Safety Plan:
• an initial version of the Safety Argument. The rationale for
this is that most of the Safety Activities (see above) should
be directed at the collection and assessment of Evidence to
support the Safety Argument;
• planned development stages of the Safety Case and their
relationship to the overall Programme milestones;
• requirements for review and approval of the Safety Case;
• arrangements for the proper handover of Safety Case
activities or obligations;
• arrangements for the approval of the Safety Case by the
regulatory authorities;
• arrangements for the maintenance of the Safety Case during
operations.
8. Format, Structure and Layout of the Safety Case
Executive Summary
Introduction:
Background
This section presents guidance on Safety Case layout.
Examples, relating to EATM can be found in the
EUROCONTROL Pre- and Post-Implementation Safety Cases
for RVSM, [2] and [3] respectively. More-recent examples can
be provided on request.
This should provide the reader with an overview of what the
Safety Case is about, what it is trying to show and for whom, a
summary of the conclusions and caveats (see below) and
recommendations (if any).
The Introduction should include:
• an outline of, for example, the circumstances which led to
Safety Case Development Manual Process and Techniques
Edition: 2.2 Released Issue Page 31
Aim
Purpose
Scope
Layout
Service / System
Description
Overall Safety
Argument
Claim
Criteria
Context
Justification
Principal Safety
Arguments
High-level Assumptions
Safety Argument and
Evidence sections
the need for, and development of, the Safety Case;
• a simple statement of the aim – ie what the Safety Case
seeks to demonstrate. It should be related directly to the
top-level Claim (see below);
• the purpose of the Safety Case – ie why, and for whom, it
has been produced;
• the scope and boundary of the Safety Case. It is important
to explain what is included and what is not included;
• the purpose of each of the sections of the document. In
general, the main part of the document should be structured
along the lines of the Safety Argument.
Provide a description of the system to which the Safety Case
applies, including its operational environment, interfaces and
boundaries of responsibility.
This section should describe and explain the highest levels of
the Safety Argument structure, including:
• the Claim – ie the top-level statement which asserts that the
service / system (etc) is safe;
• the Safety Criteria which define what is meant by safe in the
context of the Claim;
• a description of the operational context to which the Safety
Case applies;
• the justification for the change, where the Safety Case
addresses a change to a service and/or system that is not
being made mainly for reasons of improving safety, and
therefore potentially for incurring some risk;
• the principal Safety Arguments – ie the first level of
decomposition of the top-level Claim – these should be
reasoned and well structured, showing how the Safety
Criteria are satisfied and the rationale for the approach
taken in the decomposition;
• the key Assumptions on which the highest levels of the
Safety Argument critically depend – for example, the level of
risk prior to the introduction of a change is acceptable.
Other Assumptions, applicable to the lower levels of the
Safety Argument structure should be included in the
Assumptions section – see below.
These sections should present each of the principal Safety
Arguments (see above) in turn, together with the supporting
Evidence which shows that each of the Arguments is valid. It is
recommend that, where applicable, each section be structured
as follows:
• Objective (of the section) – related directly to the principal
Safety Argument;
• Strategy (breakdown of the principal Safety Argument into
Chapter 4 Safety Case Development Manual
Page 32 Released Issue Edition: 2.2
Assumptions
Issues
Limitations
Conclusions
Recommendations
lower-level arguments);
• Rationale (for the Strategy);
• Lower-level Arguments / Evidence;
• Conclusions (of section).
Present directly, and/or by reference, all the Assumptions on
which the Safety Case depends, including the high-level
Assumptions mentioned above. Assumptions usually relate to
matters outside of the direct control of the organisation
responsible for the Safety Case but which are essential to the
completeness and/or correctness of the Safety Case. Each
Assumption must be shown to be valid or at least reasonable
according to the circumstances.
List any outstanding safety issues that must be resolved before
the Claim can be considered to be valid, together with the
responsibilities and timescales for clearing them.
State and explain any Limitations or restrictions that need to be
placed on the deployment and/or operation of the system.
Do not merely repeat the conclusions from each section here.
The main conclusion should refer to the original Claim and, if
applicable, reassert its validity, subject to the following caveats:
• the Scope – especially what the Safety Case does not
cover;
• the operational Context to which the Safety Case applies;
• the Assumptions that have had to be made;
• the outstanding Issues;
• any Limitations placed on the deployment and/or operation
of the service / system.
Recommendations are not mandatory and any that are made
should not be temporary in nature. For example, it might be
appropriate to make recommendations on the use of the Safety
Case by its recipients, but not concerning its approval.
Recommendations must not contain any statements that would
undermine, or add further caveats to, the Conclusions.
9. Verifying the Safety Case
Further guidance on what to look for in developing and
reviewing a Safety Case can be found in the detailed checklists
in Appendix C.
Safety Case Development Manual Process and Techniques
Edition: 2.2 Released Issue Page 33
10. ESARR Compliance
Overview
ESARR 2
ESARR 3
Compliance with ESARRs may be used in support of a Safety
Case. However, as indicated below, ESARRs are largely
concerned with processes and, therefore, compliance with
ESARRs should normally be used as Backing Evidence, not as
Direct Evidence
22
.
Reporting and Assessment of Safety Occurrences in ATM
The rationale for ESARR 2 is that the achievement of consistent
high levels of aviation safety and the management of safety in
ATM require, as a priority, the successful implementation of
harmonised occurrence reporting and assessment schemes.
Such schemes will lead to more systematic visibility of safety
occurrences and their causes, and will allow identification of
appropriate corrective actions as well as areas where flight safety
could be improved by changes to the ATM system.
Compliance with ESARR 2 can be used as (Backing) Evidence
of having an adequate in-service safety monitoring process in
support of:
• a Project Safety Case – see for example Arg4 / St005 in
Figure 11 of Chapter 5;
• a Unit Safety Case – see for example Arg2.5 in Figure 12 of
Chapter 5.
Use of Safety Management Systems by Service Providers
The rationale for ESARR 3 is that an ATM service provider has a
responsibility to ensure that all relevant safety issues have been
satisfactorily dealt with, and to provide assurance that this has
been done. Safety management is that function of service
provision, which ensures that all safety risks have been identified,
assessed and satisfactorily mitigated. A formal and systematic
approach to safety management will maximise safety benefits in a
visible and traceable way.
Because a typical SMS includes a very wide range of safety
processes in support of ATM operations, compliance with ESARR
3 can be used in many areas of a Safety Case - for example:
• in a Project Safety Case, SMS processes could be used as
Backing Evidence under Arg2.1 and Arg2.2, in Chapter 5,
Figure 8 and Figure 9 respectively;
• in a Unit Safety Case, SMS processes could be used as
Direct Evidence under Arg2.2 / St003, in Figure 14 of
Chapter 5.
In both cases, the SMS-process Evidence would be strengthened
if it could be shown that the SMS was compliant with ESARR 3 –
ie ESARR 3 compliance would provide Backing Evidence.
22
A possible exception to this statement could be a Safety Case which is based mainly on the
satisfaction of the requirements of the ESARR 4 Risk Classification Scheme.
Chapter 4 Safety Case Development Manual
Page 34 Released Issue Edition: 2.2
ESARR 4
Risk Assessment and Mitigation in ATM
ESARR 4 concerns the use of Risk Assessment and Mitigation,
including hazard identification, in Air Traffic Management when
introducing and/or planning changes to the ATM System. In this
ESARR 5
ESARR 6
requirement, Risk Assessment and Mitigation are addressed via a
total–aviation-system approach.
There are two aspects of ESARR 4 which can be used in a Safety
Case, as follows:
• subjective to the provisos of Chapter 4, section 2 above, the
Risk Classification Scheme in Appendix A to ESARR 4 could
be used as the basis of quantitative Safety Criteria – see, for
example, Cr001 / #1 in Chapter 5, Figure 1;
• compliance with the qualitative (process) requirements of
section 5 of ESARR 4 could be used as Backing Evidence as,
for example, in Arg 1.10 in Chapter 5, Figure 6.
ATM Services’ Personnel
ESARR 5 documents general safety regulatory requirements for
all ATM services’ personnel responsible for safety related tasks
within the provision of ATM services across the ECAC area,
including the specific safety regulatory requirements for air traffic
controllers and engineering/technical personnel.
Compliance with ESARR 5 could be used in a Unit Safety Case
to show that the human aspects of the on-going operation are
based on, inter alia, competent personnel. This would appear, for
example in the lower levels of decomposition of Arg2.1 and
Arg2.2 in Chapter 5, Figure 14.
Software in ATM Systems
ESARR 6 deals with the implementation of software safety
assurance systems to ensure that the risks associated with the
use of software in safety-related ground-based ATM systems are
reduced to a tolerable level.
Compliance with ESARR 6 could be used, for example, in:
• a Project Safety Case - software processes could be used as
Backing Evidence under Arg2.1 / St011 and Arg2.2 / St015,
in Figure 8 and Figure 9 respectively of Chapter 5
23
2323
23
;
• a Unit Safety Case - software processes could be used as
Direct Evidence under Arg2.2 / St003, in Figure 14 of
Chapter 5.
23
Direct Evidence would be the outputs of those processes
Safety Case Development Manual GSN Safety Argument Examples
Edition: 2.2 Released Issue Page 35
CHAPTER 5
Guidance -
GSN Safety Argument Examples
1. Example Application of GSN – A “Project” Safety Case
Relationship to the
EUROCONTROL SAM
Figure 1 to Figure 11 overleaf show a structured Safety
Argument for a hypothetical substantial
change (“SGxy”) to an
ATM service which could form the basis of what is known herein
as a Project Safety Case.
The structure is intentionally not complete in all areas of the
decomposition; however, it is intended to be sufficient, in
breadth and depth, to illustrate the use of the GSN notation. A
commentary on the development of the Safety Argument is also
provided below. This commentary is also not exhaustive but is
intended to bring out all the main points concerning the
application of GSN.
Where applicable references are given to those process(es) in
the SAM [5] that would generate the required Evidence.
Claim
Justification
Context
The Safety Argument starts, in Figure 1, with the top-level
Claim (Arg 0) that the ATM service, following the change, will
be acceptably safe.
J001 indicates that the change is justified operationally and this
justification would need to be elaborated in the Safety Case.
C001 provides an essential marker that the change itself needs
to be defined in terms of the ATM service / system and
accompanying operational concept – such descriptions would
need to be provided in the related Safety Case.
Chapter 5 Safety Case Development Manual
Page 36 Released Issue Edition: 2.2
.
Change_SGxy will
be acceptably safe
in operational
service
Arg 0
St 001
Specify safety criteria for each of the
4 main life-cycle stages and show that
each stage is / will be acceptably safe
– ie the safety criteria are sufficient to
achieve the required level of safety,
and are satisfied
C001
Operational concept
(SAM-FHA ch1-GM A)
Change_SGxy
Implementation
is acceptably safe
Arg 2
Change_SGxy
Concept is
acceptably safe,
in principle
Arg 1
A001
Current ATM service
is accepted as being safe
J001
Change_SGxy is being
introduced to meet a
legitimate operational need
Cr001
The risk of an accident following
Change_SGxy shall be:
1.Within the regulatory requirements – eg:
a. such that the whole ATM service
meets ESARR 4 Design Safety
Targets (SAM-FHA ch3 GM E); OR
b. no greater (and preferably lower)
than currently exists.
AND
2. reduced as far as reasonably
practicable.
Migration to
Change_SGxy
will be
acceptably safe
Arg 3
On-going Operation
of Change_SGxy will
be shown to be
acceptably safe
Arg 4
Fig 2 Fig 7
St004
Show that risk during
(and immediately
following) Migration will
satisfy Cr001 item 2 Fig 11
St005
Safety Monitoring
will satisfy Cr001
items 1 and 2
Fig 10
St002
Show that Safety
Requirements satisfy Cr001:
•item 1 (Args 1.1 & 1.2);
•Item 2 (Arg 1.3)
St003
Show that the Safety
Requirements are satisfied:
1. Initially in system design
2. Subsequently in the
realisation of that design
C002
Subject to declared
Assumptions, Limitations
and outstanding Issues
.
Change_SGxy will
be acceptably safe
in operational
service
Arg 0
Change_SGxy will
be acceptably safe
in operational
service
Arg 0
St 001
Specify safety criteria for each of the
4 main life-cycle stages and show that
each stage is / will be acceptably safe
– ie the safety criteria are sufficient to
achieve the required level of safety,
and are satisfied
St 001
Specify safety criteria for each of the
4 main life-cycle stages and show that
each stage is / will be acceptably safe
– ie the safety criteria are sufficient to
achieve the required level of safety,
and are satisfied
C001
Operational concept
(SAM-FHA ch1-GM A)
Change_SGxy
Implementation
is acceptably safe
Arg 2
Change_SGxy
Implementation
is acceptably safe
Arg 2
Change_SGxy
Concept is
acceptably safe,
in principle
Arg 1
Change_SGxy
Concept is
acceptably safe,
in principle
Arg 1
A001
Current ATM service
is accepted as being safe
J001
Change_SGxy is being
introduced to meet a
legitimate operational need
Cr001
The risk of an accident following
Change_SGxy shall be:
1.Within the regulatory requirements – eg:
a. such that the whole ATM service
meets ESARR 4 Design Safety
Targets (SAM-FHA ch3 GM E); OR
b. no greater (and preferably lower)
than currently exists.
AND
2. reduced as far as reasonably
practicable.
Cr001
The risk of an accident following
Change_SGxy shall be:
1.Within the regulatory requirements – eg:
a. such that the whole ATM service
meets ESARR 4 Design Safety
Targets (SAM-FHA ch3 GM E); OR
b. no greater (and preferably lower)
than currently exists.
AND
2. reduced as far as reasonably
practicable.
Migration to
Change_SGxy
will be
acceptably safe
Arg 3
Migration to
Change_SGxy
will be
acceptably safe
Arg 3
On-going Operation
of Change_SGxy will
be shown to be
acceptably safe
Arg 4
On-going Operation
of Change_SGxy will
be shown to be
acceptably safe
Arg 4
Fig 2Fig 2 Fig 7Fig 7
St004
Show that risk during
(and immediately
following) Migration will
satisfy Cr001 item 2
St004
Show that risk during
(and immediately
following) Migration will
satisfy Cr001 item 2
St004
Show that risk during
(and immediately
following) Migration will
satisfy Cr001 item 2 Fig 11Fig 11
St005
Safety Monitoring
will satisfy Cr001
items 1 and 2
St005
Safety Monitoring
will satisfy Cr001
items 1 and 2
St005
Safety Monitoring
will satisfy Cr001
items 1 and 2
Fig 10Fig 10
St002
Show that Safety
Requirements satisfy Cr001:
•item 1 (Args 1.1 & 1.2);
•Item 2 (Arg 1.3)
St002
Show that Safety
Requirements satisfy Cr001:
•item 1 (Args 1.1 & 1.2);
•Item 2 (Arg 1.3)
St003
Show that the Safety
Requirements are satisfied:
1. Initially in system design
2. Subsequently in the
realisation of that design
St003
Show that the Safety
Requirements are satisfied:
1. Initially in system design
2. Subsequently in the
realisation of that design
St003
Show that the Safety
Requirements are satisfied:
1. Initially in system design
2. Subsequently in the
realisation of that design
C002
Subject to declared
Assumptions, Limitations
and outstanding Issues
Figure 1 – Arg 0: Safety Argument
Safety Criteria
Choice of Criteria
Assumption
Arg1 to 4
Acceptably safe is defined in terms of the three criteria
summarised in Cr001. These criteria reflect the three main
ways of expressing a Safety Argument – ie:
• Absolutely: as compliance with a (numerical) target level of
safety – eg ESARR 4 (or local regulatory interpretation
thereof), OCP, ICAO, JAR 25 etc;
• Relatively: in relation to a current / previous (usually
qualitative) level of safety;
• Reductively: showing risk to be further reduced as far as
reasonably practicable;
The first two bullets are alternative ways of expressing a typical
regulatory minimum safety level
24
and specify what is
sometimes known as tolerable risk. In the further development
of the Safety Argument for Change SGxy, only the absolute
criterion is actually used
25
, and is supported by the reductive
criterion in order to specify what is sometimes known as an
acceptable level of risk.
If a relative Argument, were to be used it would be necessary to
establish that the pre-change baseline is safe. This is addressed
in A001 which is shown on Figure 1 for illustration only.
As indicated in Strategy St001, Claim Arg 0 is decomposed into
24
It would not normally be necessary to comply with both.
25
For examples of developing Safety Arguments using relative criteria, please contact DAP/SAF
Safety Case Development Manual GSN Safety Argument Examples
Edition: 2.2 Released Issue Page 37
four principal Arguments which, in this case, relate to the four
main, contiguous stages of the lifecycle of the Change. The
outcome of each stage is argued to be acceptably safe and
St002 to St005 are used to indicate, by reference to Cr001 what
is defined as acceptably safe for each stage:
• Arg 1 (through St002) asserts that the Change is acceptably
safe in principle – ie subject to subsequent complete and
correct implementation of the Safety Requirements;
• Arg 2 (through St003) asserts that the Implementation of
the Change is acceptably safe, through satisfaction of the
Safety Requirements, and that the rigour of the Assurance
(ie lower-level Arguments and Evidence) to support this is
appropriate to the risk associated with the Change;
• Arg 3 (through St004) asserts, in effect, that the Migration
from the current state to the post-Change state will not
endanger the on-going operational service. The change in
tense in Arg3 is deliberate since the Safety Argument would
be expected to be finalised once all the Implementation and
Migration steps, except the final “switchover” to the new
state, had been completed satisfactorily. Note that, because
of the short time for which the service is at risk, during
Migration, only Criterion Cr001, item 2 can be applied to this
Argument;
• Arg 4 (through St005) asserts that the monitoring of the on-
going operational service, post Migration, will be sufficient to
show the Change to be acceptably safe
Fig 3
Safety Functions &
Safety Objectives
specify what is
sufficient at functional
level to meet Safety
Criteria Cr001
Arg 1.1
Fig 1
Safety Requirements
specify what is
sufficient at
architectural level to
meet Safety Objectives
Arg 1.2
Fig 4
Risks have been
minimised in the
process of deriving
the Safety
Requirements
Arg 1.3
Fig 5
Change_SGxy
Concept is
acceptably safe,
in principle
Arg 1
St006
Show that Safety
Requirements
evidence is
trustworthy
Fig 6
St002
Show that Safety
Requirements satisfy Cr001:
•item 1 (Args 1.1 & 1.2);
•Item 2 (Arg 1.3)
Fig 3Fig 3
Safety Functions &
Safety Objectives
specify what is
sufficient at functional
level to meet Safety
Criteria Cr001
Arg 1.1
Safety Functions &
Safety Objectives
specify what is
sufficient at functional
level to meet Safety
Criteria Cr001
Arg 1.1
Fig 1Fig 1
Safety Requirements
specify what is
sufficient at
architectural level to
meet Safety Objectives
Arg 1.2
Fig 4
Safety Requirements
specify what is
sufficient at
architectural level to
meet Safety Objectives
Arg 1.2
Fig 4Fig 4
Risks have been
minimised in the
process of deriving
the Safety
Requirements
Arg 1.3
Fig 5
Risks have been
minimised in the
process of deriving
the Safety
Requirements
Arg 1.3
Risks have been
minimised in the
process of deriving
the Safety
Requirements
Arg 1.3
Fig 5Fig 5
Change_SGxy
Concept is
acceptably safe,
in principle
Arg 1
Change_SGxy
Concept is
acceptably safe,
in principle
Arg 1
St006
Show that Safety
Requirements
evidence is
trustworthy
Fig 6
St006
Show that Safety
Requirements
evidence is
trustworthy
St006
Show that Safety
Requirements
evidence is
trustworthy
St006
Show that Safety
Requirements
evidence is
trustworthy
Fig 6Fig 6
St002
Show that Safety
Requirements satisfy Cr001:
•item 1 (Args 1.1 & 1.2);
•Item 2 (Arg 1.3)
St002
Show that Safety
Requirements satisfy Cr001:
•item 1 (Args 1.1 & 1.2);
•Item 2 (Arg 1.3)
Figure 2 – Arg 1: Safety of the “Change SGxy” Concept
Chapter 5 Safety Case Development Manual
Page 38 Released Issue Edition: 2.2
Arg 1
Arg 1 focuses on the output of the Concept stage of the
lifecycle – ie a set of Safety Requirements for the Change that
ultimately satisfy the three safety criteria which define an
acceptable level of safety.
Arg 1 is achieved through a two-fold Strategy, which uses the
principle of Direct Evidence and Backing Evidence, as follows:
• St002 shows, through a sequential set of Arguments (Arg
1.1 to Arg 1.5), that the eventual outputs of the Concept
phase – the Safety Requirements – satisfy the three safety
Criteria. This is clearly a Direct approach since it is
concerned with the outputs of each stage in the sequence,
rather than with the processes that produce those outputs;
• St006 shows that the Direct Evidence is trustworthy – ie can
be relied upon. The Arguments to achieve St006 are
shown in Figure 6 below, and are considered to be of the
Backing type since they are concerned with the processes
that produce the above outputs, rather than with the outputs
themselves (ie they are complementary to St002).
Arg 1.1, Arg 1.2 and Arg 1.3 are decomposed below in
Figure 3, Figure 4 and Figure 5 respectively.
In Figure 3, the Context for Arg 1.1 is an FHA (C004)
associated with the Change. C005 is simply a reminder that the
FHA must encompass all aspects of the Change.
Arg 1.1.1 to Arg 1.1.6 relate to the outputs of the main stages
of a typical FHA. Safety Functions are concerned with
specifying the desired (correct) operation of a system in order
to provide safe ATM services (what the SAM
[5]
describes as
the “success approach”) whereas Safety Objectives limit the
frequency of failure.
The type of Evidence expected to be provided to support each
strand of the Argument is also shown on Figure 3, together with
the relevant references to the SAM
[5]
.
The use of the term “adequately” in Arg 1.1.2 and Arg 1.1.4
illustrates what is sometimes a fine distinction between Direct
and Backing Evidence. In general:
Safety Case Development Manual GSN Safety Argument Examples
Edition: 2.2 Released Issue Page 39
C005
Scope encompasses airspace,
equipment, procedures and human
aspects of Change_SGxy
Safety
Functions are
adequately
specified
Arg 1.1.2
Safety
Objectives are
adequately
specified
Arg 1.1.4
Safety Functions
and Safety
Objectives satisfy
Criteria Cr001
Arg 1.1.6
Change_SGxy
Concept has been
documented and
validated
Arg 1.1.1
C004
FHA
Functional
model &
Safety
Functions
SAM FHA,
Ch 1, 2.1
Safety
Objectives &
Traceability
SAM FHA
Ch 3, 3.2 & Ch 4,
3.2 GMA
Validation
evidence
SAM FHA
Ch 4, 3.1
Concept of
Operations
SAM FHA,
Ch 1, 2.1 &
2.2
Simulation
(etc)
results
SAM FHA,
Ch 1, 2.5
All hazards
correctly
identified and
analysed
Arg 1.1.3
HAZID
results
SAM FHA
Ch 3, 3.1
Event
Trees etc
SAM FHA
Ch 3, 3.2
& 3.3
Mitigations &
Assumptions
SAM FHA
Ch 3, 4, Ch 4,
3.2
All mitigations
captured as
SFs / SObjs or
Assumptions
Arg 1.1.5
Fig 2
Safety Functions &
Safety Objectives
specify what is sufficient
at functional level to
meet the Safety Criteria
Cr001
Arg 1.1
C005
Scope encompasses airspace,
equipment, procedures and human
aspects of Change_SGxy
Safety
Functions are
adequately
specified
Arg 1.1.2
Safety
Objectives are
adequately
specified
Arg 1.1.4
Safety Functions
and Safety
Objectives satisfy
Criteria Cr001
Arg 1.1.6
Safety Functions
and Safety
Objectives satisfy
Criteria Cr001
Arg 1.1.6
Change_SGxy
Concept has been
documented and
validated
Arg 1.1.1
C004
FHA
Functional
model &
Safety
Functions
SAM FHA,
Ch 1, 2.1
Functional
model &
Safety
Functions
SAM FHA,
Ch 1, 2.1
Safety
Objectives &
Traceability
SAM FHA
Ch 3, 3.2 & Ch 4,
3.2 GMA
Validation
evidence
SAM FHA
Ch 4, 3.1
Validation
evidence
SAM FHA
Ch 4, 3.1
Concept of
Operations
SAM FHA,
Ch 1, 2.1 &
2.2
Simulation
(etc)
results
SAM FHA,
Ch 1, 2.5
All hazards
correctly
identified and
analysed
Arg 1.1.3
HAZID
results
SAM FHA
Ch 3, 3.1
Event
Trees etc
SAM FHA
Ch 3, 3.2
& 3.3
Mitigations &
Assumptions
SAM FHA
Ch 3, 4, Ch 4,
3.2
All mitigations
captured as
SFs / SObjs or
Assumptions
Arg 1.1.5
All mitigations
captured as
SFs / SObjs or
Assumptions
Arg 1.1.5
Fig 2
Safety Functions &
Safety Objectives
specify what is sufficient
at functional level to
meet the Safety Criteria
Cr001
Arg 1.1
Fig 2Fig 2
Safety Functions &
Safety Objectives
specify what is sufficient
at functional level to
meet the Safety Criteria
Cr001
Arg 1.1
Safety Functions &
Safety Objectives
specify what is sufficient
at functional level to
meet the Safety Criteria
Cr001
Arg 1.1
Figure 3 – Arg 1.1: Safety Functions and Safety Objectives
• If the Argument / Evidence is concerned with observable
attributes of an output (product) then it should be considered
to be Direct – for example, traceability of Safety Objectives
back to Safety Functions and Safety Criteria would be Direct
since it would be observable (with the assistance of cross-
referencing) from the Safety Objectives, Safety Functions
and Safety Criteria themselves.
• On the other hand, if the Argument / Evidence cannot be
deduced from observable attributes of an output itself, but is
related only to the process, then it should be considered to
be Backing – for example it would be impossible to deduce
from a set of Safety Objectives that they had been
developed by a team with Appropriate expertise – see
Figure 6 below.
The decomposition of Arg 1.2 (see
Figure 4 below)
is similar in
principle to that for Arg 1.1 above. The Context (C004) is the
PSSA – ie the derivation of Safety Requirements – and in this
case is the first stage of PSSA, expressed at the recommended,
Logical-architecture level.
St007 emphasises the importance of considering the safety of
the system when it is working (what the SAM
[5]
calls the
“success approach”, expressed in terms of Safety Requirements
for function and performance) as well as when it fails
(expressed in terms of Safety Requirements for reliability and
integrity).
26
26
This mirrors the distinction between Safety Functions and Safety Objectives, which needs to be
made at the FHA stage.
Chapter 5 Safety Case Development Manual
Page 40 Released Issue Edition: 2.2
The type of Evidence expected to be provided to support each
strand of the Argument is also shown in Figure 4.
Safety
Requirements for
function &
performance are
adequately specified
Arg 1.2.2
Logical
Architecture
described
completely and
correctly
Arg 1.2.1
Architectural
Model
SAM PSSA
Ch 1, 2.1 &
2.2
FSRs &
Traceability
SAM PSSA
Ch 3, 3.1,
Ch 5, 3.2
Simulations
etc
Safety Requirements
for integrity are
adequately specified
Arg 1.2.3
Fig 2
Safety Requirements
specify what is
sufficient at
architectural level to
meet Safety Objectives
Arg 1.2
C005
Scope encompasses
airspace, equipment, people,
procedures and training
C004
PSSA
Hazard causes
identified &
modelled
adequately
Arg 1.2.3.1
Fault Trees
SAM PSSA
Ch 3, 3.2, Part
IV GMK
Safety Integrity
Requirements
set to satisfy
Safety Objectives
Arg 1.2.3.2
SRs
SAM PSSA
Ch 3, 3.4,
Ch 4, 3.1
All causal mitigations
captured as Safety
Requirements or
Assumptions
Arg 1.2.3.3
Mitigations
and
Assumptions
SAM PSSA
Ch 3, 3.3 & 4
St007
Derive Safety Requirements
For “success” and “failure”
approaches
Safety
Requirements for
function &
performance are
adequately specified
Arg 1.2.2
Logical
Architecture
described
completely and
correctly
Arg 1.2.1
Architectural
Model
SAM PSSA
Ch 1, 2.1 &
2.2
FSRs &
Traceability
SAM PSSA
Ch 3, 3.1,
Ch 5, 3.2
FSRs &
Traceability
SAM PSSA
Ch 3, 3.1,
Ch 5, 3.2
Simulations
etc
Simulations
etc
Safety Requirements
for integrity are
adequately specified
Arg 1.2.3
Safety Requirements
for integrity are
adequately specified
Arg 1.2.3
Fig 2
Safety Requirements
specify what is
sufficient at
architectural level to
meet Safety Objectives
Arg 1.2
Fig 2Fig 2
Safety Requirements
specify what is
sufficient at
architectural level to
meet Safety Objectives
Arg 1.2
C005
Scope encompasses
airspace, equipment, people,
procedures and training
C004
PSSA
Hazard causes
identified &
modelled
adequately
Arg 1.2.3.1
Hazard causes
identified &
modelled
adequately
Arg 1.2.3.1
Fault Trees
SAM PSSA
Ch 3, 3.2, Part
IV GMK
Safety Integrity
Requirements
set to satisfy
Safety Objectives
Arg 1.2.3.2
Safety Integrity
Requirements
set to satisfy
Safety Objectives
Arg 1.2.3.2
SRs
SAM PSSA
Ch 3, 3.4,
Ch 4, 3.1
All causal mitigations
captured as Safety
Requirements or
Assumptions
Arg 1.2.3.3
Mitigations
and
Assumptions
SAM PSSA
Ch 3, 3.3 & 4
St007
Derive Safety Requirements
For “success” and “failure”
approaches
Figure 4 – Arg 1.2: Safety Requirements
Arg 1.3 (see Figure 5 below) presents the Argument and
Evidence that the qualitative Safety Criteria have been satisfied
via the processes that led to the Safety Requirements for
Change SGxy.
The difficulty with Arg 1.3.1 is that most changes in ATM involve
some inherent risk because the service in general needs to
respond to an ever increasing demand on its capacity to deliver.
Therefore, it is necessary to find safety benefits – in the form of
removal or mitigation of areas of risk – to offset the inherent risk
of change. In most cases the relative Argument involved has to
be made on the basis of qualitative Evidence.
Safety Case Development Manual GSN Safety Argument Examples
Edition: 2.2 Released Issue Page 41
All practicable
mitigations of
cause identified
in PSSA
Arg 1.3.2
All practicable
mitigations of
consequence
identified in FHA
Arg 1.3.1 Safety Requirements
specified to reduce
risk as far as
reasonably practicable
Arg 1.3.3
Process
evidence
SAM PSSA
Ch 3, 3.3
Risks have been
minimised in the
process of deriving the
Safety Requirements
Arg 1.3
Fig 2
Process
evidence
SAM PSSA
Ch 3, 3.3
Process
evidence
SAM FHA Ch 3,
PSSA Ch 3
All practicable
mitigations of
cause identified
in PSSA
Arg 1.3.2
All practicable
mitigations of
consequence
identified in FHA
Arg 1.3.1 Safety Requirements
specified to reduce
risk as far as
reasonably practicable
Arg 1.3.3
Safety Requirements
specified to reduce
risk as far as
reasonably practicable
Arg 1.3.3
Process
evidence
SAM PSSA
Ch 3, 3.3
Risks have been
minimised in the
process of deriving the
Safety Requirements
Arg 1.3
Risks have been
minimised in the
process of deriving the
Safety Requirements
Arg 1.3
Fig 2Fig 2
Process
evidence
SAM PSSA
Ch 3, 3.3
Process
evidence
SAM FHA Ch 3,
PSSA Ch 3
Figure 5 – Arg 1.3: Satisfaction of Qualitative Safety Criteria
The Arguments and Evidence for Arg 1.3.3 are intended to
show that a (properly conducted) FHA and PSSA Stage 1 will
yield safety requirements that, when implemented, will result in
a risk that has been reduced as far as reasonably practicable, at
that stage
27
.
.
Concept of Ops
and simulations
done by
competent staff
Arg 1.4 FHA & PSSA
processes
were executed
by competent staff
Arg 1.6
Competence
evidence
FHA & PSSA
processes
were adequate
Arg 1.5
Process
evidence
SAM FHA, Ch 4
GMA-B-C, 3.3
PSSA, Ch 4 GM A-
B-C, 3.3
Competence
evidence
SAM FHA, Ch2,
PSSA, Ch 4
St006
Show that Safety
Requirements
evidence is
trustworthy
Fig 2
Architectural
model was
done by
competent staff
Arg 1.7
FHA and PSSA
processes comply with
qualitative requirements
of ESARR 4
Arg 1.8
Competence
evidence
SAM PSSA
Ch2
Competence
evidence Process
evidence
GM for SAM,
Annex B
.
Concept of Ops
and simulations
done by
competent staff
Arg 1.4 FHA & PSSA
processes
were executed
by competent staff
Arg 1.6
Competence
evidence
Competence
evidence
FHA & PSSA
processes
were adequate
Arg 1.5
Process
evidence
SAM FHA, Ch 4
GMA-B-C, 3.3
PSSA, Ch 4 GM A-
B-C, 3.3
Competence
evidence
SAM FHA, Ch2,
PSSA, Ch 4
St006
Show that Safety
Requirements
evidence is
trustworthy
Fig 2
St006
Show that Safety
Requirements
evidence is
trustworthy
St006
Show that Safety
Requirements
evidence is
trustworthy
St006
Show that Safety
Requirements
evidence is
trustworthy
Fig 2Fig 2
Architectural
model was
done by
competent staff
Arg 1.7
FHA and PSSA
processes comply with
qualitative requirements
of ESARR 4
Arg 1.8
Competence
evidence
SAM PSSA
Ch2
Competence
evidence
SAM PSSA
Ch2
Competence
evidence
Competence
evidence Process
evidence
GM for SAM,
Annex B
Process
evidence
GM for SAM,
Annex B
Figure 6 – St0006: Safety of the Concept (Backing)
27
The reduction of risk as far as reasonably practicable is further covered in
Arg 3
below
Chapter 5 Safety Case Development Manual
Page 42 Released Issue Edition: 2.2
Arg 2
As with most Backing Evidence, St0006, in Figure 6 above, is
based on arguing the adequacy of the processes (including
techniques and tools) involved and on the competence of the
personnel who executed those processes. In practice, some of
the Arguments may need to be decomposed to a lower level of
detail than shown in this example.
Figure 7 below addresses the Implementation of Change SGxy,
in two stages: physical-level design and realisation of the design
in the physical system – these are further decomposed below in
Figure 8 and Figure 9 respectively.
St004
Show that the Safety
Requirements are satisfied:
1. Initially in system design
2. Subsequently in the
realisation of that design
Fig 1
Change_SGxy
Implementation
is acceptably safe
Arg 2
C008
SSA
Physical-level
design satisfies
the related Safety
Requirements
Arg 2.1
Fig 8
Realisation of the
physical-level
design satisfies
the related Safety
Requirements
Arg 2.2
Fig 9
C009
May include further level(s)
of Safety Requirement
derivation
St004
Show that the Safety
Requirements are satisfied:
1. Initially in system design
2. Subsequently in the
realisation of that design
St004
Show that the Safety
Requirements are satisfied:
1. Initially in system design
2. Subsequently in the
realisation of that design
St004
Show that the Safety
Requirements are satisfied:
1. Initially in system design
2. Subsequently in the
realisation of that design
Fig 1
Change_SGxy
Implementation
is acceptably safe
Arg 2
Fig 1Fig 1
Change_SGxy
Implementation
is acceptably safe
Arg 2
Change_SGxy
Implementation
is acceptably safe
Arg 2
C008
SSA
Physical-level
design satisfies
the related Safety
Requirements
Arg 2.1
Fig 8
Physical-level
design satisfies
the related Safety
Requirements
Arg 2.1
Fig 8Fig 8
Realisation of the
physical-level
design satisfies
the related Safety
Requirements
Arg 2.2
Fig 9
Realisation of the
physical-level
design satisfies
the related Safety
Requirements
Arg 2.2
Fig 9Fig 9
C009
May include further level(s)
of Safety Requirement
derivation
Figure 7 – Arg 2: Safety of Implementation
In this example, Arg2 is decomposed only far enough to show
the elements of the ATM system that might be involved.
For the Implementation of Airspace Design, ATC Procedures
and Operational Training, most of the Evidence of compliance
with the Safety Requirements comes at the Design stage – ie
under Arg 2.1.
For the Implementation of the Equipment aspects, the Evidence
of compliance with the Safety Requirements should also come
from the Design stage – ie under Arg 2.1 – but should be further
substantially supported by testing in the subsequent Realisation
stage – ie under Arg 2.2.
The decomposition of Arg 2.1 would need to include Backing
assurance covering the adequacy of the processes, tools and
techniques employed in the design and realisation, and of the
Safety Case Development Manual GSN Safety Argument Examples
Edition: 2.2 Released Issue Page 43
competence of the personnel involved. Full use should be
made of existing operational and engineering procedures in the
organisation’s quality and safety management systems.
Physical-level
design satisfies
the related Safety
Requirements
Arg 2.1
Fig 7
C010
Changes to
hardware and
software
Provide direct
and backing that
Airspace
design satisfies
the related Safety
Requirements
St008
Fig [....]
Provide direct
and backing that
ATC Procedure
design satisfies
the related Safety
Requirements
St009
Fig [....]
Provide direct
and backing that
ATC Training
design satisfies
the related Safety
Requirements
St010
Fig [....]
Provide direct
and backing that
ATC Equipment
design satisfies
the related Safety
Requirements
St011
Fig [....]
Physical-level
design satisfies
the related Safety
Requirements
Arg 2.1
Fig 7Fig 7
C010
Changes to
hardware and
software
Provide direct
and backing that
Airspace
design satisfies
the related Safety
Requirements
St008
Fig [....]
Provide direct
and backing that
Airspace
design satisfies
the related Safety
Requirements
St008
Fig [....]Fig [....]
Provide direct
and backing that
ATC Procedure
design satisfies
the related Safety
Requirements
St009
Fig [....]
Provide direct
and backing that
ATC Procedure
design satisfies
the related Safety
Requirements
St009
Fig [....]Fig [....]
Provide direct
and backing that
ATC Training
design satisfies
the related Safety
Requirements
St010
Fig [....]
Provide direct
and backing that
ATC Training
design satisfies
the related Safety
Requirements
St010
Fig [....]Fig [....]
Provide direct
and backing that
ATC Equipment
design satisfies
the related Safety
Requirements
St011
Fig [....]
Provide direct
and backing that
ATC Equipment
design satisfies
the related Safety
Requirements
St011
Fig [....]Fig [....]
Figure 8 – Arg 2.1: Safety of Design
The decomposition of Arg 2.2 mirrors that for Arg 2.1 above
and is shown in Figure 9.
Realisation of the
physical-level
design satisfies
the related Safety
Requirements
Arg 2.2
Fig 7
C011
Changes to
hardware and
software
Fig [....]
Provide direct
and backing that
the promulgation
of Airspace
changes satisfies
the related Safety
Requirements
St012
Fig [....]
Provide direct
and backing that
ATC Procedure
publication
satisfies the
related Safety
Requirements
St013
Fig [....]
Provide direct
and backing that
ATC Equipment
changes satisfy
the related Safety
Requirements
St015
Fig [....]
Provide direct
and backing that
ATC Training
delivery satisfies
the related Safety
Requirements
St014
Realisation of the
physical-level
design satisfies
the related Safety
Requirements
Arg 2.2
Fig 7
Realisation of the
physical-level
design satisfies
the related Safety
Requirements
Arg 2.2
Realisation of the
physical-level
design satisfies
the related Safety
Requirements
Arg 2.2
Fig 7Fig 7
C011
Changes to
hardware and
software
Fig [....]
Provide direct
and backing that
the promulgation
of Airspace
changes satisfies
the related Safety
Requirements
St012
Fig [....]Fig [....]
Provide direct
and backing that
the promulgation
of Airspace
changes satisfies
the related Safety
Requirements
St012
Provide direct
and backing that
the promulgation
of Airspace
changes satisfies
the related Safety
Requirements
St012
Fig [....]Fig [....]
Provide direct
and backing that
ATC Procedure
publication
satisfies the
related Safety
Requirements
St013
Provide direct
and backing that
ATC Procedure
publication
satisfies the
related Safety
Requirements
St013
Fig [....]
Provide direct
and backing that
ATC Equipment
changes satisfy
the related Safety
Requirements
St015
Fig [....]Fig [....]
Provide direct
and backing that
ATC Equipment
changes satisfy
the related Safety
Requirements
St015
Provide direct
and backing that
ATC Equipment
changes satisfy
the related Safety
Requirements
St015
Fig [....]
Provide direct
and backing that
ATC Training
delivery satisfies
the related Safety
Requirements
St014
Fig [....]Fig [....]
Provide direct
and backing that
ATC Training
delivery satisfies
the related Safety
Requirements
St014
Provide direct
and backing that
ATC Training
delivery satisfies
the related Safety
Requirements
St014
Figure 9 – Arg 2.2: Safety of Realisation
In the case of equipment aspects of Realisation, most of the
Evidence will come from analysis and testing. The Backing for
this is not decomposed herein but should address the V&V
requirements covered in Chapter 4, section 6 above.
Chapter 5 Safety Case Development Manual
Page 44 Released Issue Edition: 2.2
St004
Show that risk during
(and immediately
following) Migration will
satisfy Cr001 item 2
Detailed plan
for Migration
produced
Arg 3.1
H&RA
results
SAM SSA
Ch 3, 3.2.1
Migration
Plan
Fig 1
Migration to
Change_SGxy
will be
acceptably safe
Arg 3
Hazards and
Risks for
Switchover
identified and
analysed
Arg 3.2
Measures put in
place to control
/ mitigate risks
Arg 3.3
Contingency
plan prepared,
for reversion to
safe state
Arg 3.4
St016
Show that
Migration
evidence is
trustworthy
Risk-
reduction
measures
SAM SSA
Ch 3, 3.2.2
Contingency
Plan
SAM SSA
Ch 3, 3.2.1
H&R
process
adequate
for the task
Arg 3.5
Plans and risk-
reduction measures
independently
validated
Arg 3.6
Contingency
Plan
SAM SSA
Ch 4 GM A-B-C
Planning and
analysis staff
were
competent
Arg 3.7
Competence
evidence
SAM SSA
Ch2
Risk-
reduction
measures
SAM SSA
Ch 4 GM A-B-C
St004
Show that risk during
(and immediately
following) Migration will
satisfy Cr001 item 2
St004
Show that risk during
(and immediately
following) Migration will
satisfy Cr001 item 2
St004
Show that risk during
(and immediately
following) Migration will
satisfy Cr001 item 2
Detailed plan
for Migration
produced
Arg 3.1
Detailed plan
for Migration
produced
Arg 3.1
H&RA
results
SAM SSA
Ch 3, 3.2.1
H&RA
results
SAM SSA
Ch 3, 3.2.1
Migration
Plan
Migration
Plan
Fig 1
Migration to
Change_SGxy
will be
acceptably safe
Arg 3
Fig 1Fig 1
Migration to
Change_SGxy
will be
acceptably safe
Arg 3
Migration to
Change_SGxy
will be
acceptably safe
Arg 3
Hazards and
Risks for
Switchover
identified and
analysed
Arg 3.2
Hazards and
Risks for
Switchover
identified and
analysed
Arg 3.2
Measures put in
place to control
/ mitigate risks
Arg 3.3
Measures put in
place to control
/ mitigate risks
Arg 3.3
Contingency
plan prepared,
for reversion to
safe state
Arg 3.4
Contingency
plan prepared,
for reversion to
safe state
Arg 3.4
St016
Show that
Migration
evidence is
trustworthy
St016
Show that
Migration
evidence is
trustworthy
St016
Show that
Migration
evidence is
trustworthy
Risk-
reduction
measures
SAM SSA
Ch 3, 3.2.2
Risk-
reduction
measures
SAM SSA
Ch 3, 3.2.2
Contingency
Plan
SAM SSA
Ch 3, 3.2.1
Contingency
Plan
SAM SSA
Ch 3, 3.2.1
H&R
process
adequate
for the task
Arg 3.5
H&R
process
adequate
for the task
Arg 3.5
Plans and risk-
reduction measures
independently
validated
Arg 3.6
Plans and risk-
reduction measures
independently
validated
Arg 3.6
Contingency
Plan
SAM SSA
Ch 4 GM A-B-C
Planning and
analysis staff
were
competent
Arg 3.7
Planning and
analysis staff
were
competent
Arg 3.7
Competence
evidence
SAM SSA
Ch2
Competence
evidence
SAM SSA
Ch2
Risk-
reduction
measures
SAM SSA
Ch 4 GM A-B-C
Figure 10 – Arg 3: Safety during Migration
Arg 3
Clearly, in introducing a substantial change (or new system) the
safety of the existing ATM service must be preserved during the
period of Migration form the pre-change to post-change state.
Figure 10 shows a typical decomposition of the Argument, with
supporting Evidence, covering both the Direct and Backing
aspects.
Arg 4
Arg 4 in effect recognises that Evidence provided under Arg 1
to Arg 3 is necessarily predictive in nature and needs to be
confirmed by Evidence of what is actually achieved in practice,
from a safety perspective.
This is illustrated in the decomposition of Arg 4, in Figure 11.
Safety Case Development Manual GSN Safety Argument Examples
Edition: 2.2 Released Issue Page 45
On-going Operation
of Change_SGxy will
be shown to be
acceptably safe
Arg 4
Fig 1
St005
Safety Monitoring
will satisfy Cr001
items 1 and 2
Arg 4.1
Frequency of (service-
level) incidents will be
measured against pre-
defined indicators
Arg 4.2
Corrective actions
will be taken to
prevent recurrence
of incidents
Arg 4.2.2
All reported
incidents will be
investigated
Arg 4.2.3
Corrective actions
will be taken based
on the results of an
incident
investigation
Investigation
process
SAM SSA
Ch 3, 3.3.1
Arg 4.2.1
There is a process
for encouraging
the reporting of
safety incidents
Reporting
process
SAM SSA
Ch 3, 3.3.1
C012
Required for compliance
with Cr001, item 2
St008
Develop Backing
Argument and Evidence
regarding the
effectiveness of the
reporting, investigation
and C/A processes
Fig [….]
Monitoring
process
SAM SSA
Ch 3, 3.3.1 C/A
process
SAM SSA
Ch 3, 3.3.2
On-going Operation
of Change_SGxy will
be shown to be
acceptably safe
Arg 4
Fig 1Fig 1
St005
Safety Monitoring
will satisfy Cr001
items 1 and 2
St005
Safety Monitoring
will satisfy Cr001
items 1 and 2
St005
Safety Monitoring
will satisfy Cr001
items 1 and 2
Arg 4.1
Frequency of (service-
level) incidents will be
measured against pre-
defined indicators
Arg 4.2
Corrective actions
will be taken to
prevent recurrence
of incidents
Arg 4.2.2
All reported
incidents will be
investigated
Arg 4.2.3
Corrective actions
will be taken based
on the results of an
incident
investigation
Investigation
process
SAM SSA
Ch 3, 3.3.1
Arg 4.2.1
There is a process
for encouraging
the reporting of
safety incidents
Reporting
process
SAM SSA
Ch 3, 3.3.1
C012
Required for compliance
with Cr001, item 2
St008
Develop Backing
Argument and Evidence
regarding the
effectiveness of the
reporting, investigation
and C/A processes
St008
Develop Backing
Argument and Evidence
regarding the
effectiveness of the
reporting, investigation
and C/A processes
Fig [….]Fig [….]
Monitoring
process
SAM SSA
Ch 3, 3.3.1 C/A
process
SAM SSA
Ch 3, 3.3.2
Figure 11 – Arg 4: Safety Monitoring
2. Example Application of GSN – Unit Safety Cases
Claim
Unit Safety Case is a commonly used term for the Safety Case
for an on-going operational service. Figure 12 below shows the
high-level Safety Argument for this example application of GSN,
for a hypothetical ATSU.
Arg 0 is the overall Claim, equivalent to that for Change “SGxy”
in Figure 1 above. C001 defines the type(s) of service provided
and C002 is a reminder that the full operational environment –
eg airspace boundaries, structure, classification, rules,
separation minima etc – needs to be fully described in order to
define the Context in which the Claim is being made.
Chapter 5 Safety Case Development Manual
Page 46 Released Issue Edition: 2.2
Arg 0
ATM services
provided by
<<ATSU>> are,
and will remain,
acceptably safe
Arg 2
Any changes to the
ATM System are made
such that the ATM
services will remain
acceptably safe
Arg 1.1
Safety Assessment
shows that the
ATM Services are
acceptably safe
Arg 1
The on-going ATM
Services are
acceptably safe
J001
ATM services are provided by
the ATM system
C001
ATM services comprise eg:
Airspace Management;
ATC Service;
Alerting; and Advisory Service
C002
Operational Environment
Cr001
Acceptably Safe defined as:
The risks of an accident or safety-related
incident:
1 achieve a tolerable level and
2 have been reduced As Far As
Reasonably Practicable (AFARP)
C003
Subject to declared Assumptions,
Limitations and outstanding Issues
Fig 13
Arg 1.2
Safety Monitoring &
Improvement shows
that the ATM Services
are acceptably safe
Fig 14 C005
System includes: airspace,
equipment, people and procedures
and the organisation
C004
For the extant configuration of
the ATM services and system
St001
Decomposition based on two dissimilar
approaches:
1 A proactive, analytical approach based on
inductive Safety Assessment techniques
2 A reactive, empirical approach based on
direct measurement of safety achievement
through in-service Safety Incident
Monitoring and Safety Improvement
Cr003
Tolerable level of risk defined
by Safety Indicators for ESARR
2-defined incidents, based on
historical achievement /
accepted tolerability
Cr002
Tolerable level of risk
defined by ESARR
4-compliant Safety
Targets
Fig [….]
Arg 0
ATM services
provided by
<<ATSU>> are,
and will remain,
acceptably safe
Arg 2
Any changes to the
ATM System are made
such that the ATM
services will remain
acceptably safe
Arg 1.1
Safety Assessment
shows that the
ATM Services are
acceptably safe
Arg 1
The on-going ATM
Services are
acceptably safe
J001
ATM services are provided by
the ATM system
C001
ATM services comprise eg:
Airspace Management;
ATC Service;
Alerting; and Advisory Service
C002
Operational Environment
Cr001
Acceptably Safe defined as:
The risks of an accident or safety-related
incident:
1 achieve a tolerable level and
2 have been reduced As Far As
Reasonably Practicable (AFARP)
C003
Subject to declared Assumptions,
Limitations and outstanding Issues
Fig 13Fig 13
Arg 1.2
Safety Monitoring &
Improvement shows
that the ATM Services
are acceptably safe
Fig 14Fig 14 C005
System includes: airspace,
equipment, people and procedures
and the organisation
C004
For the extant configuration of
the ATM services and system
St001
Decomposition based on two dissimilar
approaches:
1 A proactive, analytical approach based on
inductive Safety Assessment techniques
2 A reactive, empirical approach based on
direct measurement of safety achievement
through in-service Safety Incident
Monitoring and Safety Improvement
St001
Decomposition based on two dissimilar
approaches:
1 A proactive, analytical approach based on
inductive Safety Assessment techniques
2 A reactive, empirical approach based on
direct measurement of safety achievement
through in-service Safety Incident
Monitoring and Safety Improvement
Cr003
Tolerable level of risk defined
by Safety Indicators for ESARR
2-defined incidents, based on
historical achievement /
accepted tolerability
Cr003
Tolerable level of risk defined
by Safety Indicators for ESARR
2-defined incidents, based on
historical achievement /
accepted tolerability
Cr002
Tolerable level of risk
defined by ESARR
4-compliant Safety
Targets
Cr002
Tolerable level of risk
defined by ESARR
4-compliant Safety
Targets
Fig [….]Fig [….]
Figure 12 –: Overall Safety Argument for a Unit Safety Case
Arg 1
Arg 1.1
C003 is a reminder that the eventual conclusion of the Safety
Case will probably be subject to certain Assumptions and
outstanding Issues that need to be addressed and possibly to
some Limitations on the ATM service(s).
The definition of what is acceptably safe is captured in Cr001,–
note that item 1 (as elaborated in Cr002 and Cr003) is an
absolute measure, as is appropriate to an on-going service.
The Claim (Arg 0) is decomposed into two principal Safety
Arguments (Arg 1 and Arg 2) that, in effect, the services are
safe “today” (ie for the current system baseline – C004 refers)
and will remain so because any changes to the baseline will be
managed so as to maintain the safety of the services.
The decomposition of Arg 1 is very similar to that for “Change
SGxy” but, generally, on a much larger scale; in other words,
this part of the Unit Safety Case (although not related to
change) treats the Unit as a large ATM system for which:
• Safety Requirements (for the system) are derived and
satisfied in a predictive Safety Assessment (Arg 1.1);
• actual safety achievement is monitored and improved
through empirical Safety Monitoring (Arg 1.2).
Arg 1.1 is not decomposed further herein but should follow a
similar pattern to the equivalent Argument for Change “SGxy”
except that the underlying FHA, PSSA and SSA activities
should be carried out for the ATSU as a whole.
Safety Case Development Manual GSN Safety Argument Examples
Edition: 2.2 Released Issue Page 47
Arg 1.2 The decomposition of Arg 1.2 , shown in Figure 13 below, is
the equivalent to that for Arg 4 for “Change SGxy” shown in
Figure 11 above, except that the context for the former is the
“present” time, rather than the future.
Arg 1.2.1
ATM Services achieve
tolerable frequencies
of (service-level)
incidents
Arg 1.2.2
Corrective actions
are effective in
preventing
recurrence of
incidents
Fig 12
C006
Based on what is actually
achieved in operational
service
Arg 1.2.2.2
All reported
safety incidents
are investigated
effectively
Arg 1.2.2.3
Recommendations for
corrective actions
from incident
investigations are
implemented
throughout the ATSU
Ref
Incident
Investiga
tion
Reports Ref
C/A
reports
Ref
Safety
Monitoring
Reports
Arg 1.2.2.1
There is a process
and culture for
encouraging the
reporting of safety
incidents
Ref
Reporting
process
C007
Required for compliance
with Cr001, item #2
St002
Develop Backing
Argument and Evidence
regarding the
effectiveness of the
reporting, investigation
and C/A processes and
competence of the staff
involved
Fig [….]
Arg 1.2
Safety Monitoring &
Improvement shows
that the ATM Services
are acceptably safe
Arg 1.2.1
ATM Services achieve
tolerable frequencies
of (service-level)
incidents
Arg 1.2.2
Corrective actions
are effective in
preventing
recurrence of
incidents
Fig 12Fig 12
C006
Based on what is actually
achieved in operational
service
Arg 1.2.2.2
All reported
safety incidents
are investigated
effectively
Arg 1.2.2.3
Recommendations for
corrective actions
from incident
investigations are
implemented
throughout the ATSU
Ref
Incident
Investiga
tion
Reports Ref
C/A
reports
Ref
Safety
Monitoring
Reports
Arg 1.2.2.1
There is a process
and culture for
encouraging the
reporting of safety
incidents
Ref
Reporting
process
C007
Required for compliance
with Cr001, item #2
St002
Develop Backing
Argument and Evidence
regarding the
effectiveness of the
reporting, investigation
and C/A processes and
competence of the staff
involved
St002
Develop Backing
Argument and Evidence
regarding the
effectiveness of the
reporting, investigation
and C/A processes and
competence of the staff
involved
Fig [….]Fig [….]
Arg 1.2
Safety Monitoring &
Improvement shows
that the ATM Services
are acceptably safe
Figure 13 – Safety Monitoring and Improvement
Arg 2 For most Unit Safety Cases the system baseline is not fixed but
is updated periodically by Project Safety Cases produced for
significant changes – eg Change SGxy above.
Arg 2, decomposed in part in Figure 14 below is concerned
with showing that all the necessary processes are in place (and
are properly executed) to ensure that such changes are
managed safely in terms of the on-going service – both during
the period of introducing the change (”Migration”) and in the
subsequent in-service period.
Note that this is one of the few situations that processes are
used as Direct Evidence. Adherence to those same processes
would be used as Backing Evidence in the related Project
Safety Cases.
Chapter 5 Safety Case Development Manual
Page 48 Released Issue Edition: 2.2
Arg 2
Any changes to the
ATM System are made
such that the ATM
services will remain
acceptably safe
Fig 12
Arg 2.1
Processes exist to ensure
that changes are made
such that the ATM services
will remain acceptably safe
during migration to the
new system configuration
Cr004
Acceptably safe during
migration defined as:
Risks from migration
have been reduced
AFARP
Arg 2.2
Processes exist to ensure
that changes are made
such that the ATM services
will remain acceptably safe
following migration to the
new system configuration
Ref
Process
Evidence
Arg 2.3
Changes to system
baseline
configuration have
been implemented
correctly
Ref
Other
Change-
acceptance
records
Ref
Project
Safety
Cases
Ref
Safety-audit
records
St003
Decompose to levels
necessary to demonstrate
the effectiveness all SMS
Operational, Engineering
and Mgt processes that are
relevant to the execution of
change
Fig [….]
Arg 2
Any changes to the
ATM System are made
such that the ATM
services will remain
acceptably safe
Fig 12Fig 12
Arg 2.1
Processes exist to ensure
that changes are made
such that the ATM services
will remain acceptably safe
during migration to the
new system configuration
Cr004
Acceptably safe during
migration defined as:
Risks from migration
have been reduced
AFARP
Cr004
Acceptably safe during
migration defined as:
Risks from migration
have been reduced
AFARP
Arg 2.2
Processes exist to ensure
that changes are made
such that the ATM services
will remain acceptably safe
following migration to the
new system configuration
Ref
Process
Evidence
Arg 2.3
Changes to system
baseline
configuration have
been implemented
correctly
Ref
Other
Change-
acceptance
records
Ref
Project
Safety
Cases
Ref
Safety-audit
records
St003
Decompose to levels
necessary to demonstrate
the effectiveness all SMS
Operational, Engineering
and Mgt processes that are
relevant to the execution of
change
St003
Decompose to levels
necessary to demonstrate
the effectiveness all SMS
Operational, Engineering
and Mgt processes that are
relevant to the execution of
change
Fig [….]Fig [….]
Figure 14 – Change Management
3. Example Application of GSN – Preliminary Safety Cases
Preliminary (or Outline) Safety Case is a term used in
EUROCONTROL for the Safety Case that it restricted in both
scope and responsibility. It is particularly applicable to EATM
programmes since EUROCONTROL’s responsibility is usually
restricted to proving the concept behind a change (or new
system) – ie to proving that the service / system will be safe in
principle.
Figure 15 below shows the high-level Safety Argument for this
example application of GSN. The further decomposition and
accompanying commentary is limited to illustrating the main
differences between a full Project Safety Case (eg Change
“SGxy” above) and the equivalent Preliminary Safety Cases.
Figure 15 is the same as Figure 1 above, except as follows:
• A new Argument (Arg 2) has been introduced, and forms an
important bridge between the Preliminary Safety Case (of
which it is a part) and the subsequent Implementation safety
case / safety approval.
Safety Case Development Manual GSN Safety Argument Examples
Edition: 2.2 Released Issue Page 49
Change_SGxy will
be acceptably safe
in operational
service
Arg 0
St 001
Specify safety criteria for each of the
4 main life-cycle stages and show that
each stage is / will be acceptably safe
– ie the safety criteria are sufficient to
achieve the required level of safety,
and are satisfied
C001
Operational concept
(SAM-FHA ch1-GM A)
Change_SGxy
Implementation
is acceptably safe
Arg 3
Change_SGxy
Concept is
acceptably safe,
in principle
Arg 1
A001
Current ATM service
is accepted as being safe
J001
Change_SGxy is being
introduced to meet a
legitimate operational need
Cr001
The risk of an accident following
Change_SGxy shall be:
1.Within the regulatory requirements – eg:
a. such that the whole ATM service
meets ESARR 4 Design Safety
Targets (SAM-FHA ch3 GM E); OR
b. no greater (and preferably lower)
than currently exists.
AND
2. reduced as far as reasonably
practicable.
Migration to
Change_SGxy
will be
acceptably safe
Arg 4 On-going Operation
of Change_SGxy will
be shown to be
acceptably safe
Arg 5
Fig [….]
C002
Subject to declared
Assumptions, Limitations
and outstanding Issues
Sufficient Guidance
exists to enable
complete and correct
Implementation of the
Safety Requirements
Arg 2
Fig [….]
Fig [….] Fig [….] Fig [….]
Change_SGxy will
be acceptably safe
in operational
service
Arg 0
Change_SGxy will
be acceptably safe
in operational
service
Arg 0
St 001
Specify safety criteria for each of the
4 main life-cycle stages and show that
each stage is / will be acceptably safe
– ie the safety criteria are sufficient to
achieve the required level of safety,
and are satisfied
St 001
Specify safety criteria for each of the
4 main life-cycle stages and show that
each stage is / will be acceptably safe
– ie the safety criteria are sufficient to
achieve the required level of safety,
and are satisfied
C001
Operational concept
(SAM-FHA ch1-GM A)
Change_SGxy
Implementation
is acceptably safe
Arg 3
Change_SGxy
Implementation
is acceptably safe
Arg 3
Change_SGxy
Concept is
acceptably safe,
in principle
Arg 1
Change_SGxy
Concept is
acceptably safe,
in principle
Arg 1
A001
Current ATM service
is accepted as being safe
J001
Change_SGxy is being
introduced to meet a
legitimate operational need
Cr001
The risk of an accident following
Change_SGxy shall be:
1.Within the regulatory requirements – eg:
a. such that the whole ATM service
meets ESARR 4 Design Safety
Targets (SAM-FHA ch3 GM E); OR
b. no greater (and preferably lower)
than currently exists.
AND
2. reduced as far as reasonably
practicable.
Cr001
The risk of an accident following
Change_SGxy shall be:
1.Within the regulatory requirements – eg:
a. such that the whole ATM service
meets ESARR 4 Design Safety
Targets (SAM-FHA ch3 GM E); OR
b. no greater (and preferably lower)
than currently exists.
AND
2. reduced as far as reasonably
practicable.
Migration to
Change_SGxy
will be
acceptably safe
Arg 4
Migration to
Change_SGxy
will be
acceptably safe
Arg 4 On-going Operation
of Change_SGxy will
be shown to be
acceptably safe
Arg 5
On-going Operation
of Change_SGxy will
be shown to be
acceptably safe
Arg 5
Fig [….]Fig [….]
C002
Subject to declared
Assumptions, Limitations
and outstanding Issues
Sufficient Guidance
exists to enable
complete and correct
Implementation of the
Safety Requirements
Arg 2
Sufficient Guidance
exists to enable
complete and correct
Implementation of the
Safety Requirements
Arg 2
Fig [….]Fig [….]
Fig [….]Fig [….] Fig [….]Fig [….] Fig [….]Fig [….]
Figure 15 – Overall Safety Argument for Preliminary Safety Case
• The Guidance referred to in Arg 2 should include, but not be
limited to, the following:
o an amplification of the scope of the Preliminary Safety
Case – ie what is, and what is not included;
o a clear delineation of the responsibilities between
EUROCONTROL and the organisation(s) responsible for
Implementation;
o clear instructions for the Implementers concerning the
re-use / re-working of the safety assessment results
included in (or accompanying) the Preliminary Safety
Case – these should include a warning that the some of
the parameters on which the original safety assessment
were based may not be directly applicable to the context
in which the implementation is being done because of:
other changes that might have occurred during the time
elapsed between the Preliminary Safety Case and the
implementation, or differences between operational
context / environment assumed in the Preliminary Safety
Case and the local situation;
o clear instructions for the Implementers concerning the
re-use of any other information in the Preliminary Safety
Case; particular attention should be drawn to the Scope,
Operational Context, Assumptions, Issues and
Limitations and to the importance of these being
validated by the Implementer and the analysis reworked
as necessary;
o guidance on the additional safety assessment work
needed to cover the Implementation, Migration and
Chapter 5 Safety Case Development Manual
Page 50 Released Issue Edition: 2.2
Operational phases;
o guidance on how to develop the Preliminary Safety
Case into a full (Project) Safety Case.
• The responsibility for Arg 3 to Arg 5 (equivalent to Arg 2 to
Arg 4 in Figure 1) rests with the Implementer, although
some aspects of responsibility for Migration and on-going
Safety Monitoring (eg specification of requirements) may
rest with EUROCONTROL.
Safety Case Development Manual References
Edition: 2.2 Released Issue Page 51
APPENDIX A REFERENCES
EATM References
[1]
Air Traffic Management Strategy for the Years 2000+, EUROCONTROL
[2]
The EUR RVSM Pre-Implementation Safety Case, Edition 2.0, 14 August 2001
[3]
The EUR RVSM Post-Implementation Safety Case, Edition 2.0, 28 July 2004
[4]
EATMP Glossary, European Organisation for the Safety of Air Navigation (EATMP),
Edition 1.0, 1 August 2000
[5]
EUROCONTROL Air Navigation System Safety Assessment Methodology,
SAF.ET1.ST03.1000-MAN-01, Nov 2006, Edition: 2.1
SRC References
[6]
SRC-EATMP Interface Process, SRC DOC 6, Edition 2.0, Released Issue, 7th
November 2002
[7]
ESARR 2: Reporting and Assessment of Safety Occurrences in ATM, Edition 2.0,
Released Issue, 3rd November 2000.
[8]
ESARR 3: Use of Safety Management Systems by ATM Service Providers, Edition
1.0, Released Issue, 17th July 2000
[9]
ESARR 4: Risk Assessment and Mitigation in ATM, Edition 1.0, Released Issue, 5th
April 2001
[10]
ESARR 5: ATM Services’ Personnel, Edition 2.0, Released Issue, 11 April 2002
[11]
ESARR 6: Software in ATM Systems, Edition 1.0, Released Issue, 06 November
2003
ICAO References
[12]
Annex 11 to the Convention on International Civil Aviation, Air Traffic Control Service
Flight Information Service Alerting Service, Thirteenth Edition, July 2001
External References
[13]
Guidelines for CNS/ATM Systems Software Integrity Assurance, March 2002.
[14]
The Public Inquiry into the Piper Alpha Disaster, Volumes 1 & 2, November 1990,
HMSO Publications Centre ISBN 0-10-113102-X.
[15]
EUROCAE, ED-125, Process for Deriving Risk Classification Scheme and Specifying
Safety Objectives in ATM “in compliance” with ESARR 4, Version 6 (proposed issue).
Appendix A Safety Case Development Manual
Page 52 Released Issue Edition: 2.2
PAGE INTENTIONALLY LEFT BLANK
Safety Case Development Manual Glossary and Abbreviations
Edition: 2.2 Released Issue Page 53
APPENDIX B GLOSSARY AND ABBREVIATIONS
GLOSSARY
Accident An occurrence associated with the operation of an aircraft
which takes place between the time any person boards the
aircraft with the intention of flight until such time as all persons
have disembarked, in which a person is fatally or seriously
injured, the aircraft sustains damage or structural failure, or the
aircraft is missing or is completely inaccessible (ICAO, 1994).
Adequate In the context of the Safety Case Development Manual
adequacy is interpreted to mean necessary and sufficient.
Aircraft Accident An occurrence associated with the operation of an aircraft
which takes place between the time any person boards the
aircraft with the intention of flight until such time as all such
persons have disembarked, in which: a) a person is fatally or
seriously injured as a result of being in the aircraft, or in direct
contact with any part of the aircraft,; or b) the aircraft sustains
damage or structural failure which adversely affect the
structural strength, performance or flight characteristics of the
aircraft, and would normally require major repair or
replacement of the affected component; or c) the aircraft is
missing or is completely inaccessible.
28
Argument A statement asserting a fact that can be shown to be true or
false.
Backing <entity> arguments, strategies or evidence that help support and
validate Direct (qv) evidence of the satisfaction of a goal. For
example, competence, methodology, following a process, etc.
Causes Actions, omissions, events, conditions, or a combination
thereof, which led to the accident or incident. (ICAO).
Direct <entity> Arguments, strategies or evidence that directly support the
satisfaction of the Claim. For example, test results, FHA
results, etc.
Functional Requirements Operational requirements that determine what functions a
system [including person] should perform; they can usually be
expressed by a verb applying to a type of data, (eg display
aircraft position).
Good Practice A practice that is sufficiently recognised by various
people/organisations to allow it to be used as an informal
standard. The concept of Good Practice is derived from our
responsibilities as professional operators, engineers and
managers. We set ourselves a duty of care for all the people
who use, operate, maintain and come into contact with the Air
Traffic Service domain. Our objective is to ensure that we only
28
See ESARR 4 for full definition
Appendix B Safety Case Development Manual
Page 54 Released Issue Edition: 2.2
make claims relating to safety that are supportable by the use
of within current good practice.
Incident An occurrence, other than an accident, associated with the
operation of an aircraft that affects or could affect the safety of
the operation of the aircraft. (ICAO, 1994).
Integrity The assurance that all functions of a system perform within
operational performance limits.
Migration The processes involved in transitioning from the current system
state to the new / modified system state.
Necessary In the context of a Safety Argument, that which must be
included in order to satisfy the Argument – cf sufficient (qv).
Preliminary Safety Case The term used in EATM to describe a Safety Case which
covers of part of the full project lifecycle – typically a
Preliminary Safety Case would demonstrate the safety of a
Concept subject to the subsequent Implementation being
executed completely and correctly.
Product Used herein to denote the output of a process as opposed to
the process itself – the distinction between product and process
is very important in structuring a Safety Argument.
Project In the context of this Manual, “project” is used generically to
denote any temporary endeavour undertaken to introduce a
substantial change to an ATM system or service. It should be
interpreted as including EATM Programmes.
Project Safety Case A Safety Case which addresses the safety of a (proposed)
change to the on-going operation of an ATSU – a Project
Safety Case would normally result in an update of the
corresponding Unit Safety Case (qv).
Reliability The probability of performing a specified function without a
failure under given conditions for a specific period of time.
Risk Analysis A technique used to evaluate risks and to analyse how far
forecasts might go wrong – and at what cost.
Safety Criterion A specification of what is acceptable and/or tolerable in terms
of risk.
Shall, Should 1 – Shall: denotes a mandatory requirement; 2 – Should:
denotes a preferred requirement.
Sufficient In the context of a Safety Argument, (at least) enough to
entirely satisfy the Argument – cf necessary (qv).
System A set of interconnected, interdependent parts, forming an
identifiable, organised complex and dynamic whole. In the
context of this Manual, it includes airspace, equipment, people
and procedures.
Target Level of Safety A level of how far safety is to be achieved in a given context,
assessed with reference to an acceptable or tolerable risk.
Safety Case Development Manual Glossary and Abbreviations
Edition: 2.2 Released Issue Page 55
Unit Safety Case A Safety Case which addresses the safety of the on-going
operation of an ATSU – cf Project Safety Case (qv).
ABBREVIATIONS
ANS Air Navigation Service
ATC Air Traffic Control
ATM Air Traffic Management
ATS Air Traffic Service
ATSU Air Traffic Services Unit
DRACAS Defect Reporting, Analysis and Corrective Action System
EATM European Air Traffic Management [Programme]
ECAC European Civil Aviation Conference
ESARR EUROCONTROL Safety Regulatory Requirements
FHA Functional Hazard Assessment
FTA Fault Tree Analysis
GSN Goal Structuring Notation
ICAO International Civil Aviation Organisation
PSC Preliminary Safety Case
PSSA Preliminary System Safety Assessment
RCS Risk Classification Scheme
RVSM Reduced Vertical Separation Minima
SMS Safety Management System
SRC Safety Regulation Commission
SRU Safety Regulation Unit
SSA System Safety Assessment
TLS Target Level of Safety
USC Unit Safety Case
Appendix B Safety Case Development Manual
Page 56 Released Issue Edition: 2.2
PAGE INTENTIONALLY LEFT BLANK
Safety Case Development Manual Safety Case Checklist
Edition: 2.2 Released Issue Page 57
APPENDIX C SAFETY CASE DEVELOPERS AND REVIEWERS CHECKLIST
E
U
R
O
C
O
N
T
R
O
L
Safety Case Checklist
Ch/S
29
2929
29
Yes
No N/A
Safety Case Presentation: General 2/-
1. Is the aim of the Safety Case explained and clear? 2/3
2. Is the purpose of the Safety Case explained and clear? 2/3
3. Is the scope of the Safety Case explained and clear? 2/3,4
4. Is a justification given as to why the introduction of the
change(s) - ie the subject of the Safety Case - is
necessary?
2/1,2
5. Is the ‘system’ and its environment completely and correctly
described and bounded? 2/3,4
6. Is the operational concept described? 2/3,6
7. Is the regulatory context described? 2/5
8. Is the Safety Case structured along the lines of the
Argument?
9. Is the Argument structure apparent in the layout of each of
the core sections?
Argument Structure 4/3
10. Is the overall Claim a single, clear and unambiguous
statement of what the Safety Case is trying to
demonstrate?
3/2
11. Is the Claim expressed in a positive way – ie does it accept
the “burden of proof”? 2/1
12. Is the context clear?
13. Are the criteria for being ‘acceptably safe’ appropriate and
adequately specified? 4/2
14. Are the initial assumptions explicitly stated?
29
Reference to Chapter/Section(s) in the Safety Case Development Manual for more information
Appendix C Safety Case Development Manual
Page 58 Released Issue Edition: 2.2
Ch/S
29
2929
29
Yes
No N/A
15. Is the decomposition of the Argument structure adequately
explained by “Strategies”?
16. Is the level of decomposition appropriate to the complexity
of the Safety Case and/or Evidence?
17. Is each level of decomposition necessary and sufficient to
show that the parent Argument is true?
18. Is each Argument set out as a simple predicate?
19. Is the Argument structure free of negative and inconclusive
Arguments? [Lack of evidence of risk ≠ Evidence of lack of
risk]
20. Does the Argument structure appear to be immune to
possible counter Arguments which could undermine the
top-level Claim?
21. Is the distinction between product- and process-based
Arguments clear?
22. Are Arguments supposedly related to the observable
properties of the related product (ie Direct Arguments)
actually addressing the outputs of a process?
23. Are Arguments supposedly related to the observable
properties of the related processes which generated that
product (ie Backing Arguments) actually addressing the
process?
24. Are Direct Arguments and Evidence supported by enough
Backing Arguments and Evidence to give sufficient
confidence in the former?
25. Where process-based Arguments are used as Direct
Arguments, is this appropriate?
26. Is each branch of the Safety Argument structure terminated
in Evidence?
Evidence 4/4
27. Is all the presented Evidence necessary to support the
Argument to which it relates?
28. Is all the presented Evidence clear, objective, relevant and
conclusive in showing the related Argument to be true?
29. Is the rigour of the Evidence appropriate to the associated
risk – ie is it to the required level of assurance?
30. Has the Evidence been produced from following an
Safety Case Development Manual Safety Case Checklist
Edition: 2.2 Released Issue Page 59
Ch/S
29
2929
29
Yes
No N/A
accepted and recognised methodology?
31. Is the underlying safety analysis sound?
32. Does the safety analysis address both the desired and
undesired behaviour of the ‘system’?
33. Are the various possible types of Evidence – design, test,
previous usage etc – used appropriately?
34. Where Evidence is contained in appendices or external
documents, is an adequate summary presented in the body
of the Safety Case alongside the related Argument?
35. Where Evidence is based on compliance with standards, is
its usage appropriate and justified?
36. Does the Evidence actually relate to the system /
configuration under consideration?
Caveats 2/3
37. Have all the Assumptions been clearly stated and
validated, or responsibilities for validation been stated?
38. Have all the outstanding Issues been cleared, or
responsibilities for clearing them been stated?
39. Have Limitations on the scope of the analysis been clearly
stated?
40. Have Limitations on the deployment / operation of the
‘system’ been clearly stated?
Conclusions 2/3
41. Is there a clear statement of what the Safety Case
concludes, which relates to the initial, overall Claim?
42. Is it made clear that the conclusions are subject to the
stated Caveats (see above)?
Comments
Appendix C Safety Case Development Manual
Page 60 Released Issue Edition: 2.2
Final Page (Blank)