SMS - Rosellini

2015
Pierre
ROSELLINI
ANSP04 ATM Safety Culture

Safety Management System
Module 1
Why do we need a Safety Management System ?
- berlingen accident
- Reason model

berlingen accident
- This presentation on the berlingen accident is not made
to judge a state, an organization or men, but to understand
what happened.
- We will try to see how a Safety Management System
(SMS) would have prevented this accident.
berlingen accident
- This accident happened over the territory of the Federal

Republic of Germany, July 1, 2002 at 09h35 pm UTC.
- 71 persons were killed.
- On 24 February 2004 the air traffic controller on duty
during the accident was murdered by the parent of a
victim.
berlingen accident
- Most of following informations are issued from the Report
AX001 May 2004 of the BFU German Federal Bureau of
Aircraft Accidents Investigation.
- You can find this report at : http://www.bfu-web.de
- Search with Uberlingen.
berlingen accident
Search results : 1 Report and 2 Annexes.
berlingen accident : factual informations

- This accident happened over the territory of the Federal
Control of the airspace in this area is delegated to the
Swiss Air Navigation Services.
- The 2 flights involved in the collision were controlled by

ACC Zurich.
- The air traffic volume at ACC Zurich is characterized by
different traffic flows : transit flights, climbs from airports
and descents to airports.

- During the night shift the whole
airspace of ACC Zurich had been
switched to workstation RP (128,50
MHz).
- The approach of Friedrichshafen
had been switched to workstation
RE (119,920 MHz).
- On 1 July at 21h the traffic load was low :
Tupolev TU154M and Boeing B757-200 on 128,50 MHz.
Airbus A320 delayed flight to Friedrichshafen on 119,920
MHz.
- The meteorolical conditions were good.

- For the night from 1 to 2 July a modification of the upper
airspace sectorisation had been planned.
The modification work was to start at 9 pm and was to
last about 6 hours.
- Several systems were impacted by the works : Radar
data processing, Flight plan data processing, ATS
ground-ground telecommunication system.
Main consequences :
- No automatic correlation.
- Visual Short Term Conflict Alert (STCA) was off.
- Direct telephone connection with the other centers
(Karlsruhe, Friedrichshafen ) had to be switched off.
- 2 official instructions regarding these changes were

issued. These instructions described the assignment of
the new sectors and the procedures to be followed after
the completion of the sectorisation.
- An additional memoradum included a list of system
impacted by the work. This memoradum wasnt clear and
the information that the ground-ground direct phone
connection had to be switched off, was missing.
- Others centers (Karlsruhe, Friedrichshafen ) were not

informed of planned work.

- 10 technicians were scheduled to carry out the planned
work, about 6 stayed in the control room.
- 1 staff member from the ACC management was there to

act as coordinator between controllers and technicians.
During the whole time he stayed in close vicinity with the
controller.
- The controller had not been informed about the tasks of
the coordinator.

- Tupolev TU154M from Moscow (Russia) to Barcelona
(Spain), 9 crew members and 60 passengers.
- B757-200 from Bergamo (Italia) to Brussels (Belgium),

cargo flight with 2 pilots.
- Both aircrafts are equipped with TCAS (Traffic alert and

Collision Avoidance System).
berlingen accident : chronology the aircrafts

Events in both cockpits.
berlingen accident : chronology Zurich ACC

- Both controllers have reported to duty at 5h50 pm.
- The chief controller was on duty until 09h pm.
In accordance with the procedure SMOP (Single Manned
Operation Procedure) :
- The second controller on duty left the control room at
about 09h15 pm.
- The second assistant left the control room at about
09h25 pm.
They retired to rest at the lounge.
berlingen accident : chronology Zurich ACC
09h10 pm : The technicians entered the control room and

set to work.
09h18 pm : The optical SCTA was not avalaible.
09h23 pm : The direct telephone lines to the others ACC
and airports were no longer avalaible (Unfortunately the
switch to the public network was also out of service).
09h34 30s pm : the direct telephone on RP position is OK.
09h34 37s pm : the direct telephone on RE position is OK.
berlingen accident : chronology Aircrafts-ACC

09h21 21s pm : initial call of Boeing 757
09h30 11s pm : initial call of Tupolev 154
09h?? pm : initial call of Airbus A320, delayed flight,

approach to Friedrichshafen ; this fligth was unexpected.
09h35 32s pm : collision between Boeing 757 and Tupolev

154.
berlingen accident : analysis
Boeing 757 :
When the TCAS issued a RA descend descend the crew
acted in accordance with procedures.

Tupolev 154 :
- The BFU considers the crews
qualification and experience to be
high.The pilot sitting on the right seat
is the chief pilot of the compagny. The
crew has received a TCAS training in
accordance with the national
regulations. The crew has not a
practical experience of TCAS.
- The manuel compagny was ambiguous about the priority
of RA TCAS.
Tupolev 154
At 09h34 56s pm 3 very closed events occurred for the
crew :
- The instruction of the controller to descent to FL350 has
just ended.
- The pilot pushed the control column forward (to descent).
- An RA climb climb was generated by TCAS.
There was a conversation in the cockpit about the RA, but
according to the compagny manual it was not mandatory
to follow the RA.

See and avoid
The apparent object size of an aircraft changes in form of

an exponential function during the approach of two
aircrafts. The aircraft stays little for a long time then it
explodes optically just a few seconds before the collision.

ACC Zurich
- When the controllers reported for duty at 05h50 pm they
were not aware about the scheduled work. They did not
seize the opportunity to read the documents avalaible for
the self briefing.
- The controller was concentrated on the
Airbus approaching Friedrichshafen. He
had to move from position RP to
position RE. He tried several times to
phone to Friedrichshafen but due to
work in progress it was not possible.
Unfortunately the connection to the
public network phone was not avalaible.
ACC Zurich
- Priorities had not been evaluated properly by the
controller.
- Single Manned Operation Procedure (SMOP) was not an
official procedure but was known and tolerated by the
management.
- Visual Short Term Conflict Alert (STCA) was off.
ATC Karlsruhe
They tried several times to phone to Zurich ; 2 calls with no
response.

Regulations
- For TCAS, regulations of the ICAO are in several
documents : Annex 2, Annex 10, Doc 8186 PANS-OPS,
Doc 4444 PANS-ATM, State letter AN 11/19-02/82.
- Analysis of the BFU has shown that TCAS regulations
are not clear enough.
berlingen accident : Reason model

James Reason, born in 1938 in England, is a human factors
expert.

Regulations
Management
Controllers
Pilots
Equipments
Reason's model : an
organization's
defenses against
failure are modeled
as a serie of
barriers,
represented as
plates with holes.
The holes in the
plates represent
weaknesses. The
size and the
position of the
holes in the plate
are varying.

When holes in each plate
are aligned a collision
happens.
Regulations
Management
Controllers
Pilots
Equipments
Collision
berlingen accident : Causes & Reason model

Regulations
Management
Controllers
Pilots
Equipments
We can put each cause in a plate.

The plates are families of causes.
Collision
Immediate causes :
The conflict has not been seen and solved by the ATCO.
The TU154 crew followed the ATC instruction to descend,

and continued after the RA TCAS to climb.

Regulations
Management
Controllers
Pilots
Equipments
Other causes :
Collision
The management of ACC Zurich did not ensure that during

the night all open positions were continuously staffed by
controllers.
The management of ACC Zurich tolerated for years that
during times of low traffic at night only one controller
worked (SMOP).
The regulations concerning TCAS published by ICAO and by
national aviation authorities, were not standardised ; they
were incomplete and partially contradictory.

Regulations
Management
Controllers
Pilots
Equipments
Collision
Due to work in progress :

-Optical STCA was off,
-Direct phone connections with adjacent centres were off.
No Risk assessment and mitigation for the works. No
internal coordination between operationals and technicians.
The written directives concerning the accomplishment of the
work did not included explanations about the effects that
work would have on the availability of technical equipment.

Regulations
Management
Controllers
Pilots
Equipments
Collision
The controllers were obliged to read directives concerning

the accomplishment of work. But on the 1st july they did
not read these directives.
The ATCO had to work on 2 adjacent positions with 2
different frequencies.
The ATCO was not aware that the optical STCA was off.

Regulations
Management
Controllers
Pilots
Equipments
Collision
The bypass phone system had a technical defect, so it

was impossible to contact Friedrichshafen.
The controller did not detect the conflict between TU154M
and B737-200. During the last 5 minutes before the
collision, the controller has focused its attention on the
Airbus A320 on approach with Friedrichshafen.

To avoid collision we have
to delete only 1 hole on 1
plate
Regulations
Management
Controllers
Pilots
Equipments
Collision

Regulations
Management
Controllers
1 hole has disappeared

in management plate.
This plate is certainly
the easiest to correct.
Pilots
Equipments
Collision

Regulations
Management
Controllers
A Safety Management
System in ACC has
actions on almost all the
plates.
Pilots
Equipments
Collision

END
Module 2
SMS Requirements and Implementation
ICAO Annex 19, DOC9859
European Requirements.
Policy, Responsability, Priority, Objectives, Competency.
Documentation, External Services.
Survey, Monitoring, Records.
SMS Requirements and Implementation

For Safety Management System we have :
- requirements ICAO Annex 19
http://www.icao.int/Pages/default.aspx
- requirements European Single Sky

http://www.skybrary.aero/index.php/Portal:Safety_Regulations
https://www.eurocontrol.int/
All these requirements are very close.
Requirements for European Single Sky are built on ESARR

requirements.
They are more explicit and easier to understand than the
requirements of Annex 19.
ICAO Annex 19
- The first edition of Annex 19 (July 2013)

was adopted by the council on 25 february
2013 and becomes applicable on 14
November 2013.
- A lot of requirements concern the
National Supervisory Authority (NSA).
- Requirements for Air National Service
4.1.7 and in
Providers (ANSP) are in
Appendix 2.
- Guidance on the implementation of a
SMS is contained in DOC 9859 Safety
Management Manual.
ICAO Annex 19
1. Safety Policy and Objectives
2. Safety Risk Management

3. Safety Assurance
4. Safety Promotion
ICAO Annex 19
There is a personal work in progress in order to

understand and to precise each item of Annex 19.
In blue you have what has been added.
ICAO Annex 19
1.1 Management commitment and responsability
1.2 Safety accountabilities.
1.3 Appointment of key safety personnel.
1.4 Coordination of emergency response planning.
1.5 SMS documentation.
ICAO Annex 19
1.1. Management commitment and responsability
Commitment at the highest level
1.2 Safety accountabilities.
Responsibility at the highest level
Responsibilities of the managerial staff
1.3 Appointment of key safety personnel.
Responsibilities
1.4 Coordination of emergency response planning.
Contingency plan in ATC
1.5 SMS documentation.
Management of SMS documentation
Management of operationnal documentation
Identification of demonstrative elements (records)
ICAO Annex 19
2.1 Hazard identification.

2.2 Safety risk assessment and mitigation
ICAO Annex 19
Notification, immediate actions, analysis of events
Processing of safety occurrences
Processing of security occurrences
Planning tools and resources
2.2 Safety Risk Assessment and Mitigation
Safety studies (changes)
Programmed method of intervention
Monitoring measures to reduce risk
ICAO Annex 19
3. Safety Assurance
3.1 Safety performance monitoring and measurement.

3.2 The management of change.
3.3 Continuous improvement of SMS.
ICAO Annex 19
3. Safety Assurance
3.1 Safety performance monitoring and measurement.
Monitoring of Indicators
3.2 The management of change.
Management of projects
3.3 Continuous improvement of SMS.
Corrective Actions
Audits
Process review
Management review
ICAO Annex 19
4. Safety Promotion
4.1 Training and education.

4.2 Safety communication.
ICAO Annex 19
4. Safety Promotion
SMI training
Competency (ATCO, ATSE)
Lesson dissemination
European requirements
2002-2004.
The Eurocontrol SAfety Regulatory Requirements (ESARR)
were prepared by Eurocontrol.
The European Commission converted these ESARRs into

Common Requirements that were published in 2004 (and
amended in 2011). It is on the basis of these requirements
that the ANSPs of the UE countries have been certified as
air navigation service provider in the European Single Sky.
Eurocontrol SAfety Regulatory Requirement (ESARR)
ESARR1 is for NSA
ESARR3 is for ANSP
Eurocontrol SAfety Regulatory Requirement (ESARR)
The SMS requirements

are in ESARR3.
ESARR3 is linked to :
- ESARR2 for safety
occurrences,
- ESARR4 for risk
assessment and
mitigation,
- ESARR5 for
competencies,
- ESARR6 for software.
Safety
Occurrences
Risk
Assessment
and
Mitigation
Competences
Software
in ATM
functional
systems
Today :
- 1034 2011 Safety Oversight for NSA.
- 1035 2011 Common Requirements for ANSP.
1034
1035
ICAO Annex 19 vs EU Requirements
ICAO Annex 19
EU Requirements
Safety Policy Level
To Achieve Safety
3. Safety Assurance
To Ensure Safety
4. Safety Promotion
To Promote Safety
SMS requirements
SMS Requirements
SAFETY POLICY LEVEL
SAFETY
MANAGEMENT
SAFETY
RESPONSIBILITY
TO IMPLEMENT A
FORMAL AND
EXPLICIT SAFETY
MANAGEMENT
APPROACH
EVERYBODY HAS AN
INDIVIDUAL SAFETY
RESPONSIBILITY FOR
HIS/HER OWN
ACTION
SAFETY PRIORITY
OVER COMMERCIAL,
OPERATIONAL,
ENVIRONMENTAL OR
SOCIAL PRESSURES
SAFETY
OBJECTIVE
TO MINIMISE THE ATM
CONTRIBUTION TO
THE RISK OF AN
AIRCRAFT ACCIDENT
SMS requirements
SAFETY POLICY LEVEL
SAFETY
MANAGEMENT
SAFETY
RESPONSIBILITY
TO IMPLEMENT A
FORMAL AND
EXPLICIT SAFETY
MANAGEMENT
APPROACH
EVERYBODY HAS AN
INDIVIDUAL SAFETY
RESPONSIBILITY FOR
HIS/HER OWN
ACTION
SAFETY PRIORITY
OVER COMMERCIAL,
OPERATIONAL,
ENVIRONMENTAL OR
SOCIAL PRESSURES
SAFETY
OBJECTIVE
TO MINIMISE THE ATM
CONTRIBUTION TO
THE RISK OF AN
AIRCRAFT ACCIDENT
This requirement means that you have to implement a SMS !
SMS requirements
SAFETY POLICY LEVEL
SAFETY
MANAGEMENT
SAFETY
RESPONSIBILITY
TO IMPLEMENT A
FORMAL AND
EXPLICIT SAFETY
MANAGEMENT
APPROACH
EVERYBODY HAS AN
INDIVIDUAL SAFETY
RESPONSIBILITY FOR
HIS/HER OWN
ACTION
SAFETY PRIORITY
OVER COMMERCIAL,
OPERATIONAL,
ENVIRONMENTAL OR
SOCIAL PRESSURES
SAFETY
OBJECTIVE
TO MINIMISE THE ATM
CONTRIBUTION TO
THE RISK OF AN
AIRCRAFT ACCIDENT
SAFETY
RESPONSIBILITY
Implementation by
EVERYBODY HAS AN
INDIVIDUAL SAFETY
RESPONSIBILITY FOR
HIS/HER OWN
ACTION
Everyone involved in safety and in safety management has

responsibilities clearly defined.
Everyone must known his responsibilities.
SAFETY
RESPONSIBILITY
EVERYBODY HAS AN
INDIVIDUAL SAFETY
RESPONSIBILITY FOR
HIS/HER OWN
ACTION
ATCOs and ATSEPs
Implementation by
SMS requirements
SAFETY POLICY LEVEL
SAFETY
MANAGEMENT
SAFETY
RESPONSIBILITY
TO IMPLEMENT A
FORMAL AND
EXPLICIT SAFETY
MANAGEMENT
APPROACH
EVERYBODY HAS AN
INDIVIDUAL SAFETY
RESPONSIBILITY FOR
HIS/HER OWN
ACTION
SAFETY PRIORITY
OVER COMMERCIAL,
OPERATIONAL,
ENVIRONMENTAL OR
SOCIAL PRESSURES
SAFETY PRIORITY
SAFETY
OBJECTIVE
TO MINIMISE THE ATM
CONTRIBUTION TO
THE RISK OF AN
AIRCRAFT ACCIDENT
Implementation by
OVER COMMERCIAL,
OPERATIONAL,
ENVIRONMENTAL OR
SOCIAL PRESSURES
ANSP
Operational
We can consider
that an ANSP is
surrounded by
barriers.
SAFETY PRIORITY
Implementation by
OVER COMMERCIAL,
OPERATIONAL,
ENVIRONMENTAL OR
SOCIAL PRESSURES
ANSP
If you put more

pressure on one
side
you must put
less pressure on
the others.
Operational
SAFETY PRIORITY
Implementation by
OVER COMMERCIAL,
OPERATIONAL,
ENVIRONMENTAL OR
SOCIAL PRESSURES
Example of
commercial
pressure.
all airlines
want to arrive in
Paris around 08
am.
SAFETY PRIORITY
Implementation by
OVER COMMERCIAL,
OPERATIONAL,
ENVIRONMENTAL OR
SOCIAL PRESSURES
Map of the routes and sectors

around Paris.
Each sector has a maximum
number of aircrafts that can
be handled at same time.
So it is not possible to accept
that too much aircrafts arrive
in Paris airport at same time
for safety reasons.
SAFETY PRIORITY
Implementation by
OVER COMMERCIAL,
OPERATIONAL,
ENVIRONMENTAL OR
SOCIAL PRESSURES
Because safety is the most important item, in order to avoid

to have too many flights in Paris at 8h am :
1. Strategic.
Twice a year allocate slots for an optimal use of airport
resources in respect with the constraints,
Monitor the proper use of slots allocated to airlines.
2. Tactical.
The Network Manager Operations Centre in Brussels can
modify time of departure of flights if the maximum capacity
on an area is reached.
SAFETY PRIORITY
Implementation by
OVER COMMERCIAL,
OPERATIONAL,
ENVIRONMENTAL OR
SOCIAL PRESSURES
ANSP
Operational
- In accordance with
this requirement you
must never accept to
put less pressure on
safety barrier.
- Your policy must
explain this.
- You must apply your
policy.
Extract of policy of the French ANSP.

The policy or strategy of DSNA is defined by the Director of the DSNA
under the authority of the Director General of Civil Aviation (DGCA) and
related services, to achieve the objectives of the LOLF.
It is materialized by a set of strategic directions defined in the 5 years
plan and precised in each annual plan
At this end we give priority to the following strategic axes:
1) Ensure a high level of safety and security of air navigation
2) Controlling the environmental impact of air traffic
3) Improve delays.
4) Improve the economic efficiency of air navigation services
5) Participate in European construction
6) Consider the needs of general aviation in the establishment
procedures and airspace structures.
I rely on the involvement of all staff to address these objectives at all
levels, in order to strengthen the unit and the image of DSNA.
I will ensure its implementation and its effectiveness.s
SMS requirements
SAFETY POLICY LEVEL
SAFETY
MANAGEMENT
SAFETY
RESPONSIBILITY
TO IMPLEMENT A
FORMAL AND
EXPLICIT SAFETY
MANAGEMENT
APPROACH
EVERYBODY HAS AN
INDIVIDUAL SAFETY
RESPONSIBILITY FOR
HIS/HER OWN
ACTION
SAFETY PRIORITY
OVER COMMERCIAL,
OPERATIONAL,
ENVIRONMENTAL OR
SOCIAL PRESSURES
SAFETY
OBJECTIVE
SAFETY
OBJECTIVE
TO MINIMISE THE ATM
CONTRIBUTION TO
THE RISK OF AN
AIRCRAFT ACCIDENT
Implementation by
TO MINIMISE THE ATM

CONTRIBUTION TO
THE RISK OF AN
AIRCRAFT ACCIDENT
That requirement means that you must define quantitative

and/or qualitative objectives.
Very often the quantitative objectives are linked to
indicators.
Objectives can be defined in the policy or in the action
plan.
Extract of policy of the French ANSP.

The policy or strategy of DSNA is defined by the Director of the DSNA
under the authority of the Director General of Civil Aviation (DGCA) and
related services, to achieve the objectives of the LOLF.
It is materialized by a set of strategic directions defined in the 5 years
plan and precised in each annual plan
At this end we give priority to the following strategic axes:
1) Ensure a high level of safety and security of air navigation
2) Controlling the environmental impact of air traffic
3) Improve delays.
4) Improve the economic efficiency of air navigation services
5) Participate in European construction
6) Consider the needs of general aviation in the establishment
procedures and airspace structures.
I rely on the involvement of all staff to address these objectives at all
levels, in order to strengthen the unit and the image of DSNA.
I will ensure its implementation and its effectiveness.
SMS requirements
TO ACHIEVE SAFETY
MEANS FOR ACHIEVING HIGH SAFETY STANDARDS
AN APPROPRIATE ORGANISATION
COMPETENCY
STAFF TRAINED, MOTIVATED AND
COMPETENT
SMS DOCUMENTATION
THE SMS IS A DOCUMENTED SYSTEM
ARISING FROM A SAFETY POLICY
SAFETY MANAGEMENT RESPONSIBILITY
SAFETY MANAGEMENT FUNCTION
WITHIN THE ORGANISATION
EXTERNAL SERVICES
DEALING WITH EXTERNALLY PROVIDED
SERVICES
SYSTEMATIC ACTIONS
QUANTITATIVE SAFETY LEVELS
DERIVING QUANTITATIVE LEVELS
WHEREVER PRACTICABLE
SAFETY OCCURRENCES
ATM OPERATIONAL OR TECHNICAL
OCCURRENCES ARE INVESTIGATED
INTERNALLY
RISK ASSESSMENT AND MITIGATION
THE SAFETY OF NEW SYSTEMS AND
CHANGES IS TO BE DEMONSTRATED
USING A RISK BASED APPROACH.
RISK IS ASSESSED AND MITIGATED.
SMS requirements
TO ACHIEVE SAFETY
COMPETENCY
COMPETENT
SMS DOCUMENTATION
EXTERNAL SERVICES
SERVICES
SYSTEMATIC ACTIONS
SAFETY OCCURRENCES
INTERNALLY
COMPETENCY
COMPETENT
- The overall safety objective is to ensure the competence

of personnel responsible for safety related tasks within
the provision of ATM services.
- Air Traffic Controller (ATCO) and Air Traffic Safety
Engineers Personnel (ATSEP) are mainly concerned by
this requirement.
ATCO
COMPETENCY
COMPETENT
Implementation by
Requirements for ATCO competency.

ICAO
Annex 1 and DOC 9379.
Regulation (EU) 2015/340.
ATCO
COMPETENCY
COMPETENT
Implementation by
To be allowed to work on a position, ATCOs must have a

valid licence issued by the National Supervisory Authority.
To obtain the licence (initial training) :
- Training in ENAC.
- Training in ACC or Airport.
- On job training.
- Medical certificate.
COMPETENCY
COMPETENT
ATCO
Implementation by
To maintain the licence (continuing training) :

- Evaluation and individual training plan.
- Proficiency in English.
- Medical certificate.
- Annual number of hours worked.
A database is used to monitor the competency of ATCOs.

For each ATCO all the trainings done are recorded in this
database.
To manage, monitor and organize all these trainings we
have a dedicated subdivision.
OPS Division : Training Subdivision

OPS
Division
Aera East
12 teams of
18 ATCO
Subdivision
Subdivision
Subdivision
ATCO OPS
Studies
Training
Training
FMP
FIS
Alert
Aera West
12 teams of
18 ATCO
Paris ACC :
- 550 ATCOs
- Among them 100 ATCOs are in training.
Chief
Deputy
ATCO
Engineers
Subdivision
Safety
ATCO
COMPETENCY
COMPETENT
Implementation by
Planning Paris ACC
Units
Continuing
Training 1
Continuing
Training 2
Chief
Controller
Individual
Training
English
Instructors
ATSEP
COMPETENCY
COMPETENT
Implementation by
Requirements for ATSEP competency.

ICAO.
- ICAO Annex 1.
- SARPS published in ICAO Annex 10 and guidance material in ICAO
Doc 7192 - AN/857 Part E2.
European requirements.
- ESARR 5 Section3 - Requirements for Engineering and Technical
Personnel Undertaking Operational Safety Related Tasks.
- Regulation 1035/2011 Annex II section 3.3 (idem ESARR5).
COMPETENCY
COMPETENT
ATSEP
Implementation by
To be allowed to work on a position, ATSEPs must have a

valid licence issued by the National Supervisory Authority.
CNS-ATM
Energy
Communication
Electrical engineering
Navigation
Air conditioning
Surveillance
Data processing
Supervision and
monitoring systems
Technical Division : Training Subdivision

OPS
Division
Aera East
12 teams of
18 ATCO
Subdivision
Subdivision
ATCO OPS
Studies
FMP
FIS
Alert
Aera West
12 teams of
18 ATCO
Paris ACC :
- 80 ATSEPs
- Among them about 8 ATSEPs are in training.
Subdivision
Training
Training
Chief
Deputy
ATSEP
Instructors
Subdivision
Safety
SMS requirements
TO ACHIEVE SAFETY
COMPETENCY
COMPETENT
SYSTEMATIC ACTIONS
SMS DOCUMENTATION
EXTERNAL SERVICES
SERVICES
SAFETY OCCURRENCES
INTERNALLY
SMS DOCUMENTATION
The documentation of
the SMS can be
represented by
a five floors pyramid.
SMS
Manual
Mapping, Process,
Activites
Procedures: Audits, Documentation,

Records, Corrective Actions,
Management review
Operational Documentation
ATCO Manuals
ATSEP Manuals
Technical documentation
Records: Minutes management review, ACAP,
Dashboards, Safety occurrences,
Reports of audits, Strips, Data radar , Flight plan data
Implementation by
SMS DOCUMENTATION
Implementation by
Headquarters
Lille
CDG
& Orly
Brest
W
CESNAC =
Centralised Air
Navigation Systems
Operations Centre
Strasbourg
Lyon
11
Airports
5 ACC
AIS
CESNAC
Bordeaux
SW
SE
Toulouse
Marseille
Nice
Indian
Ocean
West Indies
Guiana
Implementation by
SMS DOCUMENTATION
The Paris ACCs

Manual explains
how the SMS
requirements are
implemented.
SMS DOCUMENTATION
Implementation by
Anything you write in the SMS manual must be done and

demonstrated. It is a new layer of requirements.
So avoid writing too much.
SMS DOCUMENTATION
Implementation by
We can use ISO 9001 (quality) tools in order to explain in a

procedure how we manage the documentation.
We can identify different families of documents. For each
family we define management rules.
Who write, who verifie, who approve ? What is the current
version ? Paper or electronic document ? Where is the
document of reference ?
With such a procedure its very easy to build an electronic

documentation.
SMS DOCUMENTATION
Operational
Division
SMS DOCUMENTATION
Implementation by
Implementation by
The procedure PRO_E_OPR describes the management of

the operational documentation.
The procedure PRO_INST_OPR describes the management
of the training documentation.
All the documentation has been converted in pdf files.
With these pdf files an intranet site has been implemented.
Operational
Division
SMS DOCUMENTATION
Implementation by
ATCOs documentation.
Operational
Division
ATCO Training
SMS DOCUMENTATION
Implementation by
Technical
Division
SMS DOCUMENTATION
Implementation by
The procedure PRO_T_OPR describes the management of

the technical documentation.
This procedure has been elaborated by a working group :
Chief of the Technical Division, Chief of the safety
subdivision + deputy, Chief of radar subdivision, 10
ATSEPs.
A specific tool SIAM has been implemented.
The technical documentation is stored on SIAM.
Technical
Division
SMS DOCUMENTATION
Implementation by
Technical
Division
SMS DOCUMENTATION
Implementation by
Form for operational instruction (subdivision)
Technical
Division
SMS DOCUMENTATION
Form for operational instruction (division)
Implementation by
Technical
Division
Implementation by
SMS DOCUMENTATION
1 MISO to
implement
2 MISO to
verify
8 Events in
progress
3 Feedback
in progress
4 Corrective
Actions in
progress
Technical
Manual
Manual:
7 new
documents
Manual:
5 documents
to verify
Manual:
1 document
to approve
Manual:
83
documents
to update
SMS DOCUMENTATION
Technical
Manual
Manual:
7 new
documents
Manual:
5 documents
to verify
Implementation by
By using this button you can access to a new screen on

which you have all the technical documentation.
By using this button you can access to the new

documents that you have not read.
By using this button you can access to the documents to

verify.
SMS DOCUMENTATION
Implementation by
Manual:
1 document
to approve

approve.
Manual:
83
documents
to update

update.
SMS requirements
TO ACHIEVE SAFETY
COMPETENCY
COMPETENT
SMS DOCUMENTATION
EXTERNAL SERVICES
SERVICES
SYSTEMATIC ACTIONS
SAFETY OCCURRENCES
INTERNALLY

It means that :
- You must have identified a safety management function
with responsibility for development and maintenance of
the safety management system.
- This function must be accountable directly to the highest
organisational level.
- This function must be independant of the operational
management.

Implementation by
A dedicated organization has been identified and created

at the national level.
A team called MSQS (french acronym, it means team in
charge of the Safety, Security) is directly linked the the
Director of the french ANSP.

Implementation by
French ANSP Headquarters

French ANSP
Director
Planning & Strategie Human Resources

Subdirectorate
Subdirectorate
Finance
Subdirectorate
The Management
of Safety, Security,
Quality Mission

The Environment
Mission
Implementation by
A dedicated function has been identified and created in

each entity (ACC and Airports).
This function called RSMS (french acronym it means
responsible of the SMS) is directly linked to the chief of
the entity.
French ANSP : A RSMS can be engineer, ATCO or ATSEP.
Implementation by

ACC or Airport Organization
ACC or Airport
Chief
Deputy
Operations
Division
RSMS
Technical
Division
Administrative
Division
Implementation by

RSMS
Links between
Mission and
RSMS for
mutualization.
CDG
& Orly
Brest
W
Headquarters
MSQS
RSMS
RSMS
AIS
CESNAC
Bordeaux
SW
5 ACC
CESNAC =
Centralised Air
Navigation Systems
Operations Centre
RSMS
RSMS
RSMS
RSMS
11
Airports
Lille
RSMS
RSMS
Lyon
RSMS
RSMS
RSMS
RSMS
SE
RSMS
Toulouse
RSMS
Strasbourg
Marseille
RSMS
RSMS
Nice
Indian
Ocean
West Indies
Guiana
RSMS
SMS requirements
TO ACHIEVE SAFETY
COMPETENCY
COMPETENT
SMS DOCUMENTATION
EXTERNAL SERVICES
SERVICES
SYSTEMATIC ACTIONS
SAFETY OCCURRENCES
INTERNALLY
EXTERNAL SERVICES
SERVICES
This requirement means : you must check, survey the

external services that have a link with safety.
We have to define what are external services.
EXTERNAL SERVICES
SERVICES
Implementation by
Remember when we talked about berlingen accident :

This accident happened over the territory of the Federal
Control of the airspace in this area is delegated to the
Swiss Air Navigation Services.
According to the Letter of Agrement (LOA) we can say

that for the German ANSP, the Swiss ANSP is an external
service provider.
EXTERNAL SERVICES
SERVICES
Implementation by
French ANSP has identified a list of suppliers and external

services that can have an impact on safety.
Key elements of the list of Paris ACC:
- Energy.
- Air conditioning.
- Fire Detection.
- Telecommunications.
- Cleaning the operational room.
- Cleaning technical rooms.
- Training in English.
Implementation by
EXTERNAL SERVICES
SERVICES
External services
Supplier
Contract
Date &
Duration
Responsible
for monitoring
Maintenance of
generator sets (fuel)
SDMO
S5204
14504
01.01.12
5 years
Chief of energy
subdivision
Impact on Safety
Major.
Energy :
1 External (EDF)
2 Generator sets (fuel)
3 Batteries (4h max)
Safety objectives
for supplier (contract)
Others Safety barriers
- 2 preventive
interventions by year.
- Call : intervention
within 4 hours.
- 2 generator sets.
- SDMO supplier can
be helped by local
technicians.
Implementation by
EXTERNAL SERVICES
SERVICES
External services
Supplier
Contract
Date &
Duration
Responsible
for monitoring
Fire detection
SICLI
11/07
10.12.07
5 years
Chief of
administrative
division
Impact on Safety
Major.
- Risk of late detection
of a fire
- False alarms.
Safety objectives
for supplier (contract)
- 2 preventive interventions
by year.
- Call : intervention within 4
hours.
- All the be fire detectors
must changed within 4 years.
Others
Safety barriers
- 2 generator sets.
- SDMO supplier
can be helped by
local technicians.
SMS requirements
TO ACHIEVE SAFETY
COMPETENCY
COMPETENT
SMS DOCUMENTATION
EXTERNAL SERVICES
SERVICES
SYSTEMATIC ACTIONS
SAFETY OCCURRENCES
INTERNALLY

According to ICAO DOC 9859 Safety Management manual,

Whenever quantitative safety performance targets are set,
it must be possible to measure, or estimate, the achieved
level of safety in quantitative terms. Use of quantitative
data helps clarify most decisions and should be used
where available.
Based on quantitative risk assessment EUROCONTROL
has established in ESARR4 an overall safety performance
target for ATM in the ECAC region - the maximum tolerable
probability of ATM directly contributing to an accident of a
commercial air transport aircraft shall not be greater than
1.55 x 10-8 per flight hour.
SMS requirements
TO ACHIEVE SAFETY
COMPETENCY
COMPETENT
SMS DOCUMENTATION
EXTERNAL SERVICES
SERVICES
SYSTEMATIC ACTIONS
SAFETY OCCURRENCES
INTERNALLY
SAFETY OCCURRENCES
INTERNALLY
MODULE 4
Safety Occurrences
Tuesday 26th may, 13h30-15h

Wednesday 27th may, 09h-10h30h and 10h45-12h15.
SMS requirements
TO ACHIEVE SAFETY
COMPETENCY
COMPETENT
SYSTEMATIC ACTIONS
SMS DOCUMENTATION
EXTERNAL SERVICES
SERVICES
SAFETY OCCURRENCES
INTERNALLY

MODULE 6
Risk assessment
and Mitgation
Thursday 28th may 09h-10h30.
SMS requirements
TO ENSURE SAFETY
MEANS FOR PROVIDING ASSURANCE THAT RISKS ARE BEING PROPERLY MANAGED
SYSTEMATIC ACTIONS
CONCERNING THE STEADY STATE
SAFETY SURVEYS
SAFETY HAS TO BE VERIFIED
INTERNALLY AND CONTINUOUSLY
SAFETY MONITORING
CONTINUOUS MONITORING AND
ANALYSIS OF SAFETY INDICATORS
DOCUMENTING SYSTEMATIC
ACTIONS AND CHANGES
SAFETY RECORDS
RECORDS ARE PRODUCED AND
MAINTAINED THROUGHOUT THE SMS
OPERATION
DOCUMENTATION
THE RESULTS OF RISK ASSESSMENT
AND MITIGATION PROCESSES ARE
DOCUMENTED THROUGHOUT THE
SYSTEM LIFECYCLE
SMS requirements
TO ENSURE SAFETY
SYSTEMATIC ACTIONS
SAFETY SURVEYS
SAFETY MONITORING
ACTIONS AND CHANGES
SAFETY RECORDS
OPERATION
DOCUMENTATION
SYSTEM LIFECYCLE
SAFETY SURVEYS
Implementation by
The procedure Internal Audits describes how are realized

the internal audits.
Internal auditors are trained by an approved organization.
Internal auditors must done at least 1 audit per year.

Each year a program of internal audits is planned and
realized.
SAFETY SURVEYS
Implementation by
External Audits, done by DSAC (french NSA), in order to

certify the SMS of DSNA (french ANSP).
Headquarters, ACC and Airports are audited like mentionned
below :
Who
Periodicity
ACC (5)
Main Airports (11)
3 years
2 years
Headquarters
Each year
SAFETY SURVEYS
Implementation by
2006 DSNA obtained the certificate of ANSP issued by the

DSAC. The certificate ended in 2010.
2010 Renewal the certificate, valid until 2016.
Monitoring by DSAC :
- Audits.
- Monitoring of security events.
- Monitoring changes and safety records.
- Monitoring the performance.
DSAC performs regular coordination with DSNA.
SMS requirements
TO ENSURE SAFETY
SYSTEMATIC ACTIONS
SAFETY SURVEYS
SAFETY MONITORING
ACTIONS AND CHANGES
SAFETY RECORDS
OPERATION
DOCUMENTATION
SYSTEM LIFECYCLE
Implementation by
SAFETY MONITORING
In french ACC or Airports safety indicators are built and

controlled by dedicated teams (Safety subdivisions) then
analysed during several periodic meetings.
For each meeting we have a safety dashboard.
Dashboard
Managers need a dashboard for monitoring the main
indicators.
Summary
Topic
Safety
Traffic
Delay
Technical
Results
Trend
Definitions : Losses of separation with 50%, 70%, 80%, 100%

ft
NM
Inside red rectangle we are 50% under the minimum of separation,

inside the orange 70%, inside the yellow 80% and inside the blue
100%.
Dashboard : safety indicator

Losses of separation per 100 000 flights
0,60
0,55
0,50
0,45
0,40
0,35
Losses of separation below 70% of the minimum radar

separation.
French ACC minimum radar separation :
- Vertical 1000 ft.
- Horizontal 5NM.

0,60
1,00
0,90
0,80
0,70
0,60
0,50
0,40
0,30
0,20
0,10
0,00
0,55
0,50
0,45
0,40
0,35
HN70
2007
2008
2009
Janv
1
0
0
Fvr
1
0
0
Mars
1
1
0
Avr
0
1
1
Mai
0
0
1
Juin
2
2
0
Juil
1
0
0
Aot
0
0
1
Sept
0
1
1
Oct
2
1
Nov
0
0
Dc
0
1
Total
8
7
4
Evolution annuelle 12
mois glissants
0,61
A graph is subjective. These 2 graphs are the same but have

different scales.
It is useful to present the data in a table.

RA TCAS per 100 000 flights
1,00
0,90
0,80
0,70
0,60
0,50
0,40
0,30
0,20
0,10
0,00
Resolution Advisory Traffic Alert Collision Avoidance System

(RA TCAS).
Dashboard : Delays indicator

Delays for xxxx ACC
Dlais 07/08
Dlais 08/09
160000
minutes
140000
120000
100000
80000
60000
40000
20000
0
Meteorogical
conditions
ATCO strike
In a dashboard you must explain the peaks or the anomalies.
Dashboard : Technical indicators

Event with severity b :
Frequency 128,140 permanent emission by aircraft from
11h24 to 11h30 am.
This event has been
classified with severity b :
it is a partial inability to
provide safe ATM services.
In this case only the
frequency 128,140 is
concerned.
Events on telecom leased lines.
Implementation by
SAFETY MONITORING
Direction
When
Weekly
OPS Division
When
Monthly
Daily
Who
Chief, Deputy, RSMS,

Chiefs of divisions,
deputies
Technical Division
When
Who
Chief Division OPS,
deputy, chiefs subd
Subdivision
Safety
1 chief
1 Deputy
4 ATCO and assistants
Weekly
Daily
Who
Chief Technical Division,
deputy, chiefs subd
Subdivision
Safety
1 chief
1 Deputy
2 ATSEP
SMS requirements
TO ENSURE SAFETY
SYSTEMATIC ACTIONS
SAFETY SURVEYS
SAFETY MONITORING
ACTIONS AND CHANGES
SAFETY RECORDS
OPERATION
DOCUMENTATION
SYSTEM LIFECYCLE
SAFETY RECORDS
OPERATION
Safety
y records
he result of
are the
an activity
ctivity
(indicators)
cators) or
roof that an
the proof
ty has been
activity
performed
rmed
(minutes
utes of a
meeting).
ing).

DOCUMENTATION
SYSTEM LIFECYCLE
Implementation by
SMS
Manual
Mapping, Process,
Activites
Procedures : Audits, Documentation,

Records, Corrective Actions,
Management review
ATCO Manuals
ATSEP Manuals
SAFETY RECORDS
OPERATION

DOCUMENTATION
SYSTEM LIFECYCLE
Implementation by
Paris ACC is using an ISO tool : a documented procedure

for records. This documented procedure defines several
items : identification, storage, protection, retrieval, and
retention of records.
SAFETY RECORDS
OPERATION
Record
Acces
Minutes of
management
review
Free
Audit reports
LOAs
Safety
occurrences
analysis
Free
Free
Confide
ntial
Implementation by

DOCUMENTATION
SYSTEM LIFECYCLE
Who
RSMS
RSMS
Chief
Subd
OPS
Chief
Subd
Safety
Where
Support
Duration
Archivage
G:\Dir_CRNA\SMQS\revues
Electronic
3 years
5 years
G:\Dir_CRNA\SMQS\audits
Electronic
3 years
5 years
G:\EXPLOITA\Doc_Ops\LOA
Electronic
3 years
5 years
Office Chief Subd Safety
Paper
3 years
5 years
SMS requirements
TO PROMOTE SAFETY
MEANS TO BUILD A SAFETY IMPROVEMENT CULTURE WITHIN THE
ORGANISATION
LESSON DISSEMINATION
DISSEMINATING PAST LESSONS
SAFETY IMPROVEMENT
INVOLVING ALL STAFF AND
IMPLEMENTING THE IMPROVEMENT
OF SAFETY AS A CONTINUOUS
PROCESS
SMS requirements
TO PROMOTE SAFETY
ORGANISATION
SAFETY IMPROVEMENT
PROCESS
MODULE 4
Safety Occurrences
Lesson dissemination is included in module 4.
SMS requirements
TO PROMOTE SAFETY
ORGANISATION
SAFETY IMPROVEMENT
PROCESS
SAFETY IMPROVEMENT
PROCESS
Continuous improvement is a ISO 9001 quality concept but

it applies also to safety.
Deming wheel : Plan, Do, Check, Act PDCA cycle.
SAFETY IMPROVEMENT
PROCESS
Provide ATS
services
Policy
Action plan
Objectives
Resources
SAFETY
OCCURRENCES
- Analyse
- Causes
- Gravity
Corrective
actions to avoid
same causes
SAFETY IMPROVEMENT
PROCESS
Continuous
improvement is
never completed.
You must climb
slowly, step by
step.
AUDITS
REVIEWS
Implementation by
SAFETY IMPROVEMENT
PROCESS
2 Management review per year.
Members of the management review :

- Chief of ACC or Airport (chairman of the revue) and deputy
- RSMS (secretary of the revue)
- Chief of operational division
- Deputy of operational division
- Chief of technical division
- Deputy of technical division
- Chief of administrative division
SAFETY IMPROVEMENT
PROCESS
Safety Indicators
Safety Dashboard
Implementation by
Audit reports
(internal, external)
List of
Planned changes
List of
corrective actions
Actions plan
Project of internal
and external audits
Preparation
Analysis
Synthesis
done
by
RSMS
Management
Review
Minutes of
Management
Review
Actions
New
Corrective
Actions
Action
Plan
(update)
Planning
of
audits
SAFETY IMPROVEMENT
PROCESS
Agenda :
1. Safety indicators
2. Risk assessment and mitigation
3. Implementation of SMS
4. Audit reports
5. Corrective and Preventive Actions
Titre
END
Implementation by
Module 3
ANSP NSA How to work together ?
- French civil Aviation Organization.
- French ANSP Organization.
- French NSA Organisation.
- Audits NSA.
Module 3
- Audits NSA.
French Civil Aviation Organization
French Civil Aviation Organization
General Directorate
for Civil Aviation
Directorate
for Air Transport
(DTA)
Directorate
for Air Navigation
(ANSP)
DTA elaborates
regulations.
Most of the
requirements are
coming from
ICAO and EU.
ANSP applies
the regulations
and provides
services (ATM,
CNS, AIS ).
Directorate
for Civil Aviation
Safety (NSA)
NSA monitors
ANSP through
audits.
The certificate of
provider is
issued by NSA.
Module 3
- Audits NSA.
French ANSP Organization

Directorate
for Air Navigation (ANSP)
Planning and Strategy
Subdirectorate
Human Resources
Subdirectorate
Finance
Subdirectorate
The management of Safety,

Security and Quality Mission
The Environment
Mission
Operations Directorate (ACC,

Airports )
Technical and Innovation

Directorate
Operations Directorate
(ACC, Airports )
Lille
CDG
& Orly
Brest
W
Strasbourg
E
Lyon
11
Airports
AIS
CESNAC
Bordeaux
SW
5 ACC
SE
CESNAC =
Centralised Air
Navigation Systems
Operations Centre
Toulouse
Nice
Indian
Ocean
West Indies
Guiana
Marseille
Deputy
Operations
Division
ATCO
ACC or Airport
Chief
Technical
Division
ATSEP
RSMS
Administrative
Division
A dedicated function has been identified and created in

each entity (ACC, Airports, AIS and CESNAC).
This function called RSMS (french acronym it means
responsible of the SMS) is directly linked to the chief of
the entity.
The RSMS must implement and monitor the local SMS.

OPS
Division
Aera East
12 teams of
18 ATCO
Subdivision
Subdivision
Subdivision
ATCO OPS
Studies
Training
FMP
Subdivision
Safety
FIS
Alert
Aera West
12 teams of
18 ATCO
Paris ACC :
- 550 ATCOs
- Among them 100 ATCOs are in training.

Technical
Division
Subdivision
Subdivision
Subdivision
Subdivision
Subdivision
Subdivision
Flight Plan
Radar
Telecoms
Energy
Training
Safety
Operational maintenance
Supervision 3 ATSEP
Supervision
1 technician
Paris ACC :
- 80 ATSEPs
- Among them about 8 ATSEPs are in training.
French ANSP Organization

Directorate
for Air Navigation (ANSP)
Planning and Strategy
Subdirectorate
Operations Directorate (ACC,
Airports )
Human Resources
Subdirectorate
Finance
Subdirectorate
Technical and Innovation

Directorate

The Environment
Mission
The Management Of safety Security and Quality Mission

Internal Audits and

Certification Division
Insurance of the
Regulatory
Compliance Division
Safety Performance
Insurance Division
Systems Safety
Division
A dedicated organization has been identified and created

at the national level.
A team called MSQS (french acronym, it means team in
charge of the Safety, Security, Quality) is directly linked
the the Director of the french ANSP.
A network of RSMS coordinated by MSQS

The RSMS are
coordinated by
MSQS in order to
mutualize and to
share.
Monthly
meetings are
piloted by MSQS.
RSMS
RSMS
RSMS
RSMS
CDG
& Orly
Brest
W
RSMS
Headquarters
MSQS
RSMS
RSMS
AIS
CESNAC
Bordeaux
SW
11
Airports
5 ACC
Lille
Strasbourg
RSMS
Lyon
RSMS
RSMS
RSMS
RSMS
SE
RSMS
CESNAC =
Centralised Air
Navigation Systems
Operations Centre
RSMS
RSMS
Nice
Toulouse
RSMS
Marseille
RSMS
Module 3
- Audits NSA.
Indian
Ocean
West indies
Guiana
RSMS
French NSA Organization

Directorate
for Civil Aviation Safety
Headquarters
Local Departments
Resource
Management
EASA monitors all

the NSA.
European
Cooperation
Licence, medical
control, training.
Flight Crew
Certification and
monitoring of
airlines and aircratfs.
Airworthiness
and Air
Navigation
Certification and
monitoring of ANSP
and Airports.
Airports and Air

Navigation
Control the
security measures.
Security
The oversight
and monitoring
operations of
NSA are done
with the support
of local
departments.
West
North
East
South
West
Centre
East
South
Indian
Ocean
South
East
Antilles
French
Guiana
North
French NSA Organization

Lille
North
East
North
Brest
CDG
& Orly
Local
NSA
W
West
NSA
headquarters
Lyon
11
Airports
5 ACC
CESNAC =
Centralised Air
Navigation Systems
Operations Centre
Strasbourg
Centre
East
AIS
CESNAC
Bordeaux
SW
Indian
Ocean
SE
South
West
Nice
Toulouse
South
Marseille
South
East
Indian
Ocean
West Indies
Guiana
West Indies
Guiana
Pole : Airports and Air navigation

Airports and Air
Navigation
Airports
Certification of ANSP
Staff Aptitude for Air

Navigation
Air Navigation Systems

and Equipment
National certification of airports.

- Audits of SMS.
- Monitoring Non Conformities.
- Monitoring Correctives Actions.
- Monitoring of safety events, safety records,
safety performance.
- Certification of ANSP.
Monitoring of competences of ATCO and
ATSEP.
Monitoring of changes (Risk assessment and
mitigation).
Module 3
- Audits NSA.
Audits NSA
Program of audits :
- Program over 6 years, 6 to 10 audits per year.
- Defining audit objectives and audit program by adaptation
based on the results of year n-1.
- Annual monitoring plan taking into account the maturity,
the identified risks and regulatory requirements.
- Pool of auditors from Headquarter and Local Departments.
Particuliarities of audits DSNA

- Large referential.
- Multi-site audits.
- Monitoring non-conformities and observations of previous
audits.
- Harmonization at national level.
Audits NSA
Program of audits over 6 years, 6 to 10 audits per year.

Defining audit objectives and audit program by adaptation
based on the results of year n-1.
Annual monitoring plan taking into account the maturity,
the identified risks and regulatory requirements.
Particuliarities of audits DSNA
- Large referential.
- Multi-site audits.
- Monitoring non-conformities and observations of
previous audits.
- Harmonization at national level.
Audits NSA : Periodicity

Lille
Brest
W
CDG
& Orly
Strasbourg
Headquarters
Each year
Lyon
2 years
3
years
AIS
Bordeaux
CESNAC
SW
SE
Nice
Toulouse
Marseille
Indian
Ocean
West Indies
Guiana
Certificate of ANSP provided by NSA.

DSNA (french ANSP) : a national provider with more than
50 sites.
DSNA provides ATS, CNS and AIS.
DSAC (French NSA) performs regular coordination with
DSNA (twice a year).
2006 DSNA obtained the certificate of Air Navigation
Services Provider issued by the DSAC. The certificate
ended in 2010.
2010 Renewal the certificate, valid until 2016.
DSNA has an ISO9001 certification since 2009.
Audits NSA : From Non Compliance to Corrective Actions

Non Compliance
ACC X define Corrective

Actions
MSQS checks with others
Entities
Corrective Actions
accepted by MSQS?
No
Yes
MSQS proposes corrective

actions to NSA
Corrective Actions
accepted by NSA ?
Yes
No
Corrective actions are implemented

by ANSP and monitored by NSA
Audits NSA : From Non Compliance to Corrective Actions

NSA considers that a non compliance found in an entity
concerns the whole ANSP.
MSQS must verify that the corrective actions can be
applied by all the entities.
The corrective actions must be implemented in all the
entities.
MSQS and NSA monitor the implementation of corrective
actions and their effectiveness.
Audits NSA : Monitoring Corrective Actions

MSQS monitors all the corrective actions of the ANSP
(linked to NSA audits).
MSQS and RSMS have a tool called AGATHA in which all
the non compliances and the corrective actions are stored.
Twice a year MSQS has a meeting with NSA in order to
monitor the corrective actions in progress.
Sometimes a corrective action needs several months to be
completed.
Audits NSA : Exemple of Non Compliance

The annual safety report of ACC X shows that all the
safety events are not reported spontaneously by the
ATCOs :
- RA TCAS: 2 of 16 are reported.
- Losses of separation 50: 1 on 3 is reported.
- Losses of separation 70: 7 of 22 are reported.
Non Compliance 1 : All the safety events are not reported
by the ATCOs.
Explanation : When 2 aircrafts are under the minima of separation the
event is automatically stored in a log file. So the ATCOs consider that it
is not useful to report the safety events by filling a dedicated form (ATS
Occurrence Report)..
Audits NSA : Example of Corrective Actions

Action 1.
Note to the ATCOs to ask them to report all events they are
aware (AIRPROX, RA TCAS, Losses of separation).
Every agent must report all the

safety events which he is aware.

Action 2.
A new indicator is implemented in order to monitor the
ratio number of reported events by ATCOs / number of
events.
The note to ATCO
has been done in
August 2008.
An improvement
has been observed
from September
2008 and, of
course, in 2009.

Action 3.
Communication to ATCOs via briefings, safety commission,
feedback
Between May 2008 and December 2009 during each briefing,
each safety commission and each feedback, the mandatory
notification of safety occurrences is reminded.
Module 4
Safety Occurrences
Regulations and Methodology of the French ANSP
Definitions, List of Safety Occurrences
Safety occurrences
Report and Notification
Analysis (Severity, Frequency, Causes)
Corrective Actions, Feedback
Module 4
Safety Occurrences
Safety occurrences
ICAO Annex 19
Requirements in
Annexe 19
Guidance in
DOC 9859
ICAO Annex 19
3. Safety Assurance
4. Safety Promotion
Requirements for
Safety Occurrences.
ICAO Annex 19

2.2 Safety risk assessment and mitigation
ICAO Annex 19
Notification, immediate actions, analysis of events
Processing of safety occurrences
Processing of security occurrences
Planning tools and resources
Safety studies (changes)
Programmed method of intervention
Monitoring measures to reduce risk
ICAO Annex 19
4. Safety Promotion

ICAO Annex 19
4. Safety Promotion
SMI training
Competency (ATCO, ATSE)
Lesson dissemination
Requirements
Guidance : classification
for severity and frequency
ESARR2 Summary
EAM2/GUI1 Summary
Attachment 1 is used for OPS events.
Attachment 2 is used for Technical events.
Satety Occurrences : Methodology of the French ANSP

Regulations :
ICAO Annex 19, DOC 9859,
ESARR2, EAM2/GUI1
French ANSP Methodology
This methodology explains

how to do the assessment
of the safety occurrences :
report, notification,
analysis
Assessment of
safety occurrences
Safety events : How to do

analysis ? How to classify
severity and frequency ?
How to search causes ?
The regulations are not
enough explicit.
Satety Occurrences : Methodology of the French ANSP
Procedure :
Manual :
Findings/
Corrective Actions
Assessment of
Safety Occurrences
Manual for Assessment of safety occurrences
This manual is used by Safety Subdivisions (OPS and

Technical).
Module 4
Safety Occurrences
Safety occurrences
Definition : ATM Safety Occurrences
Occurrences : Accidents, serious incidents and incidents

as well as other defects or malfunctioning of an aircraft, its
equipment and any element of the Air Navigation System
which is used or intended to be used for the purpose or in
connection with the operation of an aircraft or with the
provision of an air traffic management service or
navigational aid to an aircraft.
List of Safety Occurrences

(To be Reported and Analysed)
1. Accidents :
Mid Air collision,
Controlled Flight Into Terrain (CFIT),
Collision on the ground between aircraft,
Collision between an airborne aircraft and vehicle/another
aircraft on the ground,
Collision on the ground between aircraft and vehicle or
person or obstruction(s),
Other accidents of special interest would include losses
of control in flight, due to VORTEX or meteorological
conditions.

2. Incidents :
Near collision
Separation minima infringement,
Inadequate separation,
Near Controlled Flight Into Terrain (Near CFIT),
Runway incursion where avoiding action was necessary.
Potential for collision or near
Runway incursion where no avoiding action is necessary,
Runway excursion by aircraft,
Aircraft deviation from ATC clearance,
Aircraft deviation from applicable ATM regulation:
Horizontal separation
(aircrafts same flight level FL)
5 NM
5 NM
5 NM
En route minimum horizontal separation 5 NM.
Vertical separation
FL 220
1 000 FT
FL 210
En route minimum vertical separation 1 000 FT.
Short Term Conflict Alert STCA
Visual alarm :
aircrafts
involved are in
red on the
radar screen
The Short Term Conflict Alert (STCA) informs the ATCO

when 2 aircrafts are going under the minima of separation.

3. ATM-specific occurrences (technical)

This shall include the following occurrences:
Inability to provide Air Traffic Management Services:
Failure of Communication function,
Failure of Surveillance function,
Failure of Data Processing and Distribution function,
Failure of Navigation function,
ATM system security.
Module 4
Safety Occurrences
Safety occurrences
Safety Occurrences
Runway incursions : Danger

Vehi
grrr unway
Causes
Safety Event
What did he
say ?
We could
go I
believe
Be careful. Be sure that the radio

communications are understood
by your correspondent
Consequences
Bad radio
communications,
Human error
Incursion of a
vehicle on the
runway
Interrupted landing,
collision
Safety Occurrences
Causes
To find the causes, we have to

investigate the safety event.
Safety Event
A safety event must be reported.
Consequences
Unfortunately the only thing we

can do is to try to minimize the
consequences.
Safety Occurrences
Causes
If we delete the causes
Safety Event
To avoid the occurrence of a safety

event we have to delete the causes.
we also delete the consequences.
Consequences
Safety Occurrences
Improvement loop for
safety occurrences.
Provide ATM & CNS services

Install and maintain ATM & CNS
Safety occurrences :
Losses of separation,
Technical events
Policy
Action plan
Objectives
Resources
Safety Occurrences
Assessment
- Analyze
Corrective
actions to avoid
same causes
- Severity
- Causes
Module 4
Safety Occurrences
Safety occurrences
Safety Occurrences : Report and Notification

Report
Safety
Occurrence
ATCOs, ATSEPs, Pilots
List of events
to be notified
to managers
Immediate Actions
if necessary
Real Time
Record event
in database
ECCAIRS
Database
Toward next step

(analysis)
ECCAIRS : European Coordination

Centre for Accident and Incident
Reporting Systems.
Safety Occurrences : Report and Notification

How to Report safety occurrences to safety subdivisions ?
The reports of the safety occurrences are done by using a
dedicated form.
Different forms are available :
- Form for ATCO (AIRPROX, Losses of separation ).
- Form for ATSEP (technical events, failure of systems ).
All the infringements of the norm (for French ANSP : less

than 5 NM horizontal, less than 1000 ft) are automatically
recorded in a log file.
ATCO Occurrence Form 1/2

X
X
FL280
TP
RATCAS
28/10/2014
12:15
AFR
F-ABCD
A320
LFPG LFML
1457
IFR
BAW
G-KLMN
B737
EGLL LIRF
2812
IFR
123,45
YES
NO
AWY
Radar control
2,4
600
ATCO Occurrence Form 2/2
Explanation of the incident by ATCO involved.
ATCO
None
X
Paris/ACC
01:05
04:05
ATSEP Occurrence Form 1/2
X
11/02/2014
Position TT
S03
11/02/2014
ATSEP Occurrence Form 2/2

The backup computer that manages the radar screen was out of service
without any alarm. The backup computer seems to be frozen since
several hours and displays an image of the radar situation at 9h22 pm.
After a reset situation OK.
Supervisor
List of events to notify immediately

Accident
Near collision (situations where one aircraft and
another aircraft/the ground/a vehicle/person or object is
perceived to be too close to each other) :
- Losses of separation (50%) and RATCAS.
- Landing or attempted landing on an occupied or closed runway.
- Takeoff or attempted takeoff on an occupied or closed runway.
Event emergency reported by the pilot to the ATCO.
List of events to notify immediately
Inability to provide ATM or CNS Services.

Failure of Communication function.
Failure of Surveillance function.
Failure of Data Processing and Distribution function.
Notification Process (mail, phone ).
ACC or Airport
END of notification process
N
ATCO or
ATSEP
Operational
Duty
Engineer
Analyze
with experts
Event
must be notify ?
Chief
Chief OPS
Chief Tech
RSMS
Chief
ANSP
BEA
MSQS
NAS
Office
investigation
analysis
Outside ACC or Airport
Notification Process
Who is the operational duty engineer ?
Each week the

operational duty
engineer is chosen
among the chiefs of
subdivisions and their
deputies.
Module 4
Safety Occurrences
Safety occurrences
Analysis
Severity and Frequency
Classification
Debriefing of ATCO
or ATSEP involved by
safety subdivision
The databases
are updated during analysis
N
END
Reporting Systems.
Search
Causes ?
Y
Toward next step
(search causes)
Safety Subdivision or
safety commission
Safety Subdivision
To determine if causes
must be searched
a matrix is used by the
safety Subdivision
Analysis
Y
The databases
Safety
Commission
?
Causes evaluated
by safety
commission

Reporting Systems.
Causes evaluated
by safety
subdivision
Toward next step

(corrective actions)
OPS Division : Severity

Two levels of severity:
- Global severity (ATC + aircraft)
- ATC Severity.
The ATC severity is the most interesting for us, because

we can work to improve it.
If we have a problem with a flight we must inform the
airline.
If we have too many problems with the same airline we
must inform our National Supervisory Authority.

Classification
Signification
A : Serious incident
ICAO Annex 13: An incident involving circumstances

indicating that an accident nearly occurred.
Note: The difference between an accident and a serious
incident lies only in the result.
B : Major incident
An incident associated with the operation of an aircraft, in which

safety of aircraft may have been compromised, having led to a
near collision between aircraft, with ground or obstacles (i.e.,
safety margins not respected which is not the result of an ATC
instruction).
C : Significant incident
An incident involving circumstances indicating that an accident,

a serious or major incident could have occurred, if the risk had
not been managed within safety margins, or if another aircraft
had been in the vicinity.
D : Not determined
An incident which has no safety significance.
E : No safety effect
Insufficient information was available to determine the risk

involved or inconclusive or conflicting evidence precluded such
determination.

Classification
Examples
A : Serious incident
- Critical near collision between aircraft or between aircraft and

obstacle(s).
- Separations lower than half the separation minima.
- Controlled Flight Into Terrain only marginally avoided
- Aborted take-offs/landings on a closed or engaged runway
- Take-offs/landings from a closed or engaged runway
B : Major incident
- Loss of separation (separation higher that half the separation

minima) which is not fully under ATC control.
- Safety margins not respected ( higher than half the applicable
safety margins) which is not fully under ATC control.
C : Significant incident - After visual contact between two aircraft, no avoidance
manoeuvre was seen as necessary or was carried out within

safety margins.
- Aircraft deviation from ATC clearance (such as flight level,
route, heading, runway)
- Unauthorised penetration of airspace.
- Runway incursion with no other traffic in the vicinity (hence,
where no avoiding action was necessary).

EUROCONTROL provides some guidelines to classify severity by using
Reason plates. For each plate you have to answer some questions and
you get points given for each answer. The amount of points helps you
to choose the severity.
Examle of question :
The event has been :
- detected on time (-1)
- detected late. (0)
- detected by somebody else.(2)
- never detected. (3)
- detected and forgotten. (2)
Regulations
Management
Controllers
Equipments
OPS Division : Frequency

5 levels of frequency has been defined.
FREQUENCY
DEFINITION
5 Extremely rare
Has never occurred yet throughout the total lifetime

of the system.
4 Rare
Only very few similar incidents on record when

considering a large traffic volume or no records on a
small traffic volume.
3 Occasional
Several similar occurrences on record - Has

occurred more than once at the same location.
2 Frequent
A significant number of similar occurrences already

on record - Has occurred a significant number of
times at the same location.
1 Very Frequent
A very high number of similar occurrences already

on record- Has occurred a very high number of times
at the same location.
Technical Division : Severity

For technical events we use the same severity than for
the global ATM severity.
We use lower case letters !
OPS Division : Classification matrix

Serious
A1
A2
A3
A4
A5
Major
B1
B2
B3
B4
B5
Significant
C1
C2
C3
C4
C5
Not determined
D1
D2
D3
D4
D5
No safety effect
E1
E2
E3
E4
E5
Very
frequent
Frequent
Occasional
Rare
Extremely
rare
A safety occurrence is characterized by two items :

- Severity
- Frequency
OPS Division : Classification matrix

Serious
A1
A2
A3
A4
A5
Major
B1
B2
B3
B4
B5
Significant
C1
C2
C3
C4
C5
Not determined
D1
D2
D3
D4
D5
No safety effect
E1
E2
E3
E4
E5
Very
frequent
Frequent
Occasional
Rare
Extremely
rare
The causes must be searched for the safety occurrences

in the red area (example).
OPS Division : Safety Commission

Composition of the commission: Head of OPS division.
Head of Subdivisions Studies, Training, Safety.
ATCO involved, others ATCO, experts ...
Brainstorming to identify causes.
Replaying radio
communications
Replaying radar data
Causes
We have to identify the different categories of causes,
specially for the human factors.
The numbers are the references in the database.

A safety occurrence can have several causes (455, 443 ).
It is very important to define corrective actions on the

main causes.
ft
Horizontal and vertical distribution of safety events

Year Y -1
Inside red rectangle we are

50% under the minimum of
separation, inside the
orange 70%, inside the
yellow 80% and inside the
blue 100%.
NM
ft
Year Y
Comparison between year Y-1

and year Y of the horizontal
and vertical distribution of
losses of separation.
A very bad loss of separation
with 1,4 NM (horizontal) and
same level (vertical).
NM
Geographic distribution of safety events by severity

This graph shows us that we
have a lot of safety events in
sector AO.
So we decided to modify the
structure of this area and to
create another sector.
Sometimes we are taking
corrective actions when we
have several safety events with
the same cause.
The causes are :
- too much traffic,
- a bad design of the airspace.
In module 6 we will see the
change we have done to create
a new sector.
OPS division : Safety occurrence 1

Analyze
Load
Sector
66%
RT
Description
2 aircrafts going to Orly. 2nd
one goes faster than 1st.
Bad reaction to STCA.
ATM
sev
ATC
sev
Freq
Ref
A/C 1
A/C 2
Loss
of Sep
497
AFR130
1
AFR55
73
100%
5NM
<5NM
5NM
Speed 1
Speed 2
Speed 1 < Speed 2

Analyze
Load
107
%
Sector
AO
Description
Clearance given too

early.
No reaction to STCA.
No use of emergency
phraseology.
ATM
sev
ATC
sev
Freq
Ref
A/C 1
A/C 2
Loss
of Sep
668
TAR964
AF415
N
100%
Loss
of Sep
D <5 NM

Analyze
Load
Sector
111%
TM
Description
Military traffic in civil

airspace.
ATM
sev
ATC
sev
Freq
Ref
A/C 1
A/C 2
588
LGL809
4
6200
100%
MIL
This safety occurrence is

due to a military aircraft that
leaves the military area and
goes through civil airspace.
On this map the military

areas appear in color (red
most used, green less
used).

Analyze
Load
Sector
83%
UP
Description
Level Bust.
ATM
sev
ATC
sev
Freq
Ref
A/C 1
A/C 2
Loss
of Sep
603
AF814
WL
VPBB
V
70%
Pilote
FL 220
1 000 FT
FL 210
1 000 FT
FL 200
Level bust this aircraft does not stop at FL200 (clearance).
For technical events, we use the same severity grid

than for the global ATM severity.
But we use lower case letters !

SEVERITY
DEFINITION
aa Total inability to
provide safe ATM
service
An occurrence associated with the total inability to

provide any degree of ATM Services in compliance with
applicable Safety Regulatory Requirements, where:
There is a sudden and non managed total loss of
ATM service or situation awareness
There is a totally corrupted ATM service or corrupted
information provided to ATS personnel.
An occurrence associated with almost a total and sudden

a Serious inability
to provide safe ATM inability to provide any degree of ATM Services in
compliance with applicable Safety Regulatory
service
Requirements. It involves circumstances indicating that

the ability to provide ATM services is severely
compromised and has the potential to impact many
aircraft safe operations over a significant period of time.
b Partial inability to
provide safe ATM
service
An occurrence associated with the sudden and partial

inability to provide ATM Services in compliance with
applicable Safety Regulatory Requirements.

SEVERITY
DEFINITION
c Ability to provide
safe but
degraded ATM
service
An occurrence involving circumstances indicating that a

total, serious or partial inability to provide safe and non
degraded ATM Services could have occurred, if the risk
had not been managed/controlled by ATS personnel
within Safety Regulatory Requirements, even if this
implied limitations in the provision of ATM Services.
d Not determined
Insufficient information was available to determine the

risk involved or inconclusive or conflicting evidence
precluded such determination
e No effect on ATM
service
Occurrences which have no effect on the ability to

provide safe and non degraded ATM Services.
Technical Division : Frequency

5 levels of frequency has been defined.
FREQUENCY
DEFINITION
5 Extremely rare
Has never occurred yet throughout the total lifetime of

the ground part of the ATM system.
4 Rare
No similar occurrences on record when considering a

particular location or element of the ground part of the
ATM system.
3 Occasional
Several similar occurrences on record, has occurred

more than once at the same location, or more than
once to similar element of the ground part of the ATM
system.
2 Frequent
A significant number of similar occurrences already on

record - Has occurred a significant number of times at
the same location or involving a particular element of
the ground part of the ATM system.
1 Very Frequent
A very frequent number of similar occurrences already

on record - Has occurred a high number of times at
the same location or involving a particular element of
the ground part of the ATM system
Technical Division : Classification matrix

aa Total inability to provide safe
ATM service
aa1
aa2
aa3
aa4
aa5
a Serious inability to provide

safe ATM service
a1
a2
a3
a4
a5
b Partial inability to provide

safe ATM service
b1
b2
b3
b3
b5
c Ability to provide safe but

degraded ATM service
c1
c2
c3
c4
c5
d Not determined
d1
d2
d3
d3
d5
e No effect on ATM
service
e1
e2
e3
e3
e5
Very
frequent
Frequent
Occasional
Rare
Extremely
rare
Technical Division : Classification matrix

aa Total inability to provide safe
ATM service
aa1
aa2
aa3
aa4
aa5
a Serious inability to provide

safe ATM service
a1
a2
a3
a4
a5
b Partial inability to provide

safe ATM service
b1
b2
b3
b3
b5
c Ability to provide safe but

degraded ATM service
c1
c2
c3
c4
c5
d Not determined
d1
d2
d3
d3
d5
e No effect on ATM
service
e1
e2
e3
e3
e5
Very
frequent
Frequent
Occasional
Rare
Extremely
rare
Technical division : Safety occurrence 1 Analyze

ON
ATCO
position 1
Backup
LAN
ATCO
position 2
ATCO
position 3
ATCO
position 4
ATCO
position n
ACC

ON
ATCO
position 1
Begin
End
11/02/14
04h18
am
Technical and innovation

Department (DTI) can make
investigations on the
systems outages.
Backup
Description
.
The backup computer that manages
11/02/14
the radar screen was out of service
04h24
without any alarm. The backup
am
computer seems to be frozen since
several hours and displays an
image of the radar situation at 9h22
pm.
After a reset situation OK.
sev
Freq
Function
Ref
DTI
S03
(radar)
functio
n).
0095
FFT
11/14
France Telecom
ACC
Begin
05/09/14
02h00
pm
End
Description
Outage of all connections (normal

05/09/14 and backup) with Lille airport for a
duration of 2h37mn.
04h37
pm
Lille Airport
sev
Freq
Function
Ref
DTI
S02
Ground
Ground
821
No
Technical Division : Safety Commission
Composition of the commission: Chief of Tech

Division, Chief of Subdivisions Flight Plan, Radar
Telecom Energy, Training, Safety and Chief of Studies
subdivision (OPS division).
ATSEP involved, others ATSEP, experts ...
Brainstorming to identify causes.
Report, Notification, Analysis in the SMS
Module 4
Safety Occurrences
Safety occurrences
Corrective Actions
Corrective
Actions
Causes
If we delete the causes
Safety Event
To avoid the occurrence of a safety

event we have to delete the causes.
we also delete the consequences.
Consequences
Corrective Actions
The databases

Reporting Systems.
Decide
Corrective Actions
and Feedback
Monitoring commission
Chief of OPS
Implement
Corrective Actions
and Feedback
Responsible of the
Corrective Action.
Responsible of the
Feedback.
Monitoring
Corrective Actions and
Feedback.
Corrective
Action
effective?
Y
END
Corrective actions
Main topics for Corrective Actions :
- Technical improvement of systems (flight plan data,

radar ).
- Airspace improvements.
- Methods.
- Training for ATCOs and ATSEPs.
- Feedback for ATCOs and ATSEPs.
Feedback
Besides Corrective Actions, we must inform the ATCOs

and the ATSEPs (feedback).
Information content :
- Safety occurrences
- Causes
- Corrective Actions
- How to avoid same causes
The feedback can be done by email, paper, during briefings.

The feedback can be sent to others entities.

Corrective Actions and Feedback
Load
Sector
66%
RT
Description
2 aircrafts going to Orly. 2nd
one goes faster than 1st.
Bad reaction to STCA.
ATM
sev
ATC
sev
Freq
Ref
A/C 1
A/C 2
Loss
of Sep
497
AFR130
1
AFR55
73
100%
b3 causes must be searched.

b safety commission.
Corrective action : In next briefing What to do when you have a

STCA alert ?

Corrective Actions and feedback
Load
107%
Secto
r
AO
Description
Clearance given too

early.
No reaction to STCA.
No use of emergency
phraseology.
ATM
sev
ATC
sev
Freq
Ref
A/C 1
A/C 2
Loss
of Sep
668
TAR964
AF415
N
100%
b4 causes must be searched.

b safety commission.
Corrective action 1 : In next briefing What to do when you have a
STCA alert ?
Corrective action 2 : In next briefing Phraseology
Safety occurrences 1 and 2 : Feedback

The briefing is provided
during 12 days because
we have 12 teams on East
area and 12 teams on
West area.
The ATCOs must sign the

attendance sheet.

Load
Sector
111%
TM
Description
Military traffic in civil

airspace.
ATM
sev
ATC
sev
Freq
Ref
A/C 1
A/C 2
588
LGL809
4
6200
Loss
of Sep
100%
MIL
d2 causes must not be searched.

d No safety commission.
Corrective action : Letter to military aviation.

Load
Sector
83%
UP
Description
Level Bust.
ATM
sev
ATC
sev
Freq
Ref
A/C 1
A/C 2
Loss
of Sep
603
AF814
WL
VPBB
V
70%
Pilote
e3 causes must not be searched.

e No safety commission.
Corrective action 1 : Letter to airline involved with copy to NAS.

Corrective action 2 : Feedback to ATCOS to ask them to report all the
level bust.
Safety occurrence 4 : Feedback
Monitoring Corrective Actions

Until 1 January 2007 the visual separations are allowed in en-route
centers.
From 1st January (new regulation) it is no more possible to do such
separations.
By using visual separations it is possible to go under minima if pilots
agree (in 2006 more than 60 visual separations under minima).
Causes and Contributing Factors :
Visual separation
9 cases in 2007 and only 1 in 2008. The actions of awareness and the
trainings carried out by the safety subdivision have been effective.
Monitoring effectiveness of Corrective Actions

Correctives actions and feedback
December
2006 : 2
briefing
sessions
(2x12) about
visual
separation
30 january
2007 Feedback
about visual
separation
20 february
2007 note
07CPG012 to
all ATCOs
1 to 12
march
2007 :
During
briefing
reminder
on visual
separation
02 to 20 april
2007 : During
briefing
reminder on
visual
separation
17 to 28
september 2007 :
During briefing
reminder on
visual separation
t
Visual separation
by ACC forbidden
ON
ATCO
position 1
Safety Events with cause =

visual separation
HN70 HN80 HN100
Technical division : Safety occurrence 1

Backup
a 1 causes must be searched.

a safety commission.
Corrective action 1 : Log and informations send to DTI for investigations.

Corrective action 2 : Note to ATCOs and ATSEP to ask them to check
every hour the backup computer.
Feedback : Information inside the ACC and outside to the others ACC.
Technical division : Safety occurrence 2

b 3 causes must be searched.

b safety commission : Not useful.
Corrective action : Letter to France Telecom to ask why both normal and
backup lines are simultaneous out of service
Corrective actions, Feedback in the SMS
Module 3
Safety Occurrences
Definition, List of Safety Occurrences
Why Reporting and Assessment of Safety Occurrences ?
Report, Notification
Analysis = Severity, Frequency, Causes
Corrective Actions,
Safety Occurrences Documentation
Safety Occurrences Documentation

Safety
y Occurrences
mentation is
Documentation
ywhere in the
everywhere
five floors
oors pyramid.
SMS
Manual
Mapping, Process,
Activites
Audits, Documentation, Records,

Corrective Actions, Management
review
ATCO Manuals
ATSEP Manuals
Safety Occurrences in SMS Manual
In the Safety Management

Manual 2.7 we have links
to mapping, to procedure, to
records.
We also have a presentation
of the organization.
Safety Occurrences in Mapping
Safety Occurrences : Procedure
Safety Occurrences : Records

Safety Occurrences must be
recorded in a database.
Example ECCAIRS database.
ECCAIRS : European Coordination Centre for
Accident and Incident Reporting Systems.
A link must be done between Safety occurrences and

Corrective Actions.
So you can easily explain what has been done.
AGATA
Corrective Actions must be stored
and recorded in a database or in a
file.
Corective Actions database or Table
Titre
END
Module 5
SMS Tools
- SMS Intranet site.
- Technical Division Tool (SIAM).
- Safety Occurrences data base (INCA, ECCAIRS, e-TOKAY).
- Findings/Corrective Actions Tools (Excel Files, AGATHA).
- Risk Assessment and Mitigation Tool (SPIRIT).
- Dashboard
- Action Plan
Module 5
SMS Tools
- Dashboard
- Action Plan
SMS Tools : Intranet Site

Everybody is involved in the SMS.
Everybody must be informed and must receive
informations about the SMS.
How to broadcast all the SMS informations ?

It is very useful to have a dedicated intranet site.
To build easily an intranet site you must have a good

organization of documentation.
SMS Tools : Intranet Site of Paris ACC
Operational documentation site
SMS Tools : ATCO training
ATCO Training
Module 5
SMS Tools
- Dashboard
- Action Plan
Technical Division Tool : SIAM

SIAM french acronym : Systme (System) Intgr (Integrated) dAide
(Support) la Maintenance Oprationnelle (Operational)
SIAM is a professional software dedicated to technical services and in
particular the supervision of a technical macro-system.
First step : SIAM has been developed and implemented in Paris ACC.
Second step : SIAM has been validated by french ANSP and installed in
all ACC and the main Airports.
SIAM is used by Technical division for :
- Operational supervision (alarms from systems).
- Technical documentation.
- Safety Occurrences database.
- Corrective Actions database.
- MISO.
- Scheduled works.
SIAM Main Screen
1 MISO to
implement
2 MISO to
verify
8 Events in
progress
3 Feedback
in progress
4 Corrective
Actions in
progress
Technical
Manual
Manual:
7 new
documents
Manual:
5 documents
to verify
Manual:
1 document
to approve
Manual:
83
documents
to update
SIAM Main Screen
News
Reports of
meetings
Scheduled
Works
Daybook
(alarms,
supervisor
actions).
Corrective
Actions
Search
Technical
documentation
Safety
Events
SIAM Main Screen
Technical
Manual
Manual:
7 new
documents
Manual:
5 documents
to verify
By using this button you can access to a new screen on

which you have all the technical documentation.
By using this button you can access to the new

documents that you have not read.

verify.
SIAM Main Screen
Manual:
1 document
to approve

approve.
Manual:
83
documents
to update

update.
SIAM Supervision Screen
Equipments, systems
selected
Post it in progress,
news
Radar : ON
Telecom : ON
Flight Plan: ON
Energy : OFF
Part 3 : Outages in progress.

For each outage a file is opened and all the
informations (alarms, actions ) are logged in this
file.

Part 4 : Daybook, list of alarms and actions from different
systems.
The supervisor has not read this alarm.
Part 5 : Calendar with scheduled works.
Module 5
SMS Tools
- Safety Occurrences data base (INCA, ECCAIRS, e-TOKAI).
- Dashboard
- Action Plan
Operational Division : Safety Occurrences Tools
What ?
Who ?
Safety
Subdivision
Users ?
All
Subdivisions :
Safety,
Studies,
OPS, Training
Contents ?
Goal
Safety Events
and data
Local database
Traceability of safety
events.
Achivement of
indicators and
statistics.
Database
Division OPS : Different databases
INCA
National database.
used by safety subdivisions
in ACC and airports.
European Union database.

Used by ANSP.
Used by NSA.
New european tool.

Used by German ANSP
and will be used by
French ANSP from 2016.
ECCAIRS : European Coordination Centre for

Accident and Incident Reporting Systems
ECCAIRS Customers
ECCAIRS is used by differents customers : ANSP, NSA,

EASA, Airlines, AIRBUS
ECCAIRS is a very large and complex database.
ECCAIRS Community
ECCAIRS is a free tool provided by European union (free)

used by more than 600 organisations all around the world.
TOKAI : Tool Kit for ATM Occurrence Investigation
TOKAI : Tool Kit for ATM Occurrence Investigation.

Specially designed to provide dedicated software tools for
each of the major steps of the safety events investigation.
Technical Division : Safety Occurrences Tools
What ?
Who ?
Users ?
Contents ?
Safety
Subdivision
All Technical
Subdivisions and
sections
Operational supervision
Scheduled works
Safety events
Documentation,
Corrective actions.
Goal
Daybook
Technical
documentation
Management of
Safety events,
corrective actions.
Module 5
SMS Tools
- Dashboard
- Action Plan
Findings/Corrective Actions
Findings are non compliance, weak points (audits) and
causes of safety events.
Each finding is linked to one or several corrective actions.
Findings and corrective actions must be stored in a file or

a database.
AGATA : Findings and Corrective Actions

CORRECTIVE
ACTIONS
FINDINGS
MSQS and all the

RSMS can access
to AGATA. They
update the
informations about
the implementation
of the corrective
actions.
RSM
S
RSM
S
Bres
t
RSM
S
N
W
RSM
S
RSM
S
CDG
&
Orly
Headquarters
MSQS
AIS
S
W
Toulous
e
RSM
S
RSM
S
Strasbour
g
E
RSM
S
Lyon
RSM
S
CESNA
C
RSM
S
Bordeau
x
RSM
S
Lill
e
RSM
S
RSM
S
RSM
S
S
E
RSM
S
Nice
Marseille
RSM
S
Findings/Correctives Actions in Paris ACC

What ?
Who ?
Users ?
Contents ?
Goal
Safety
subdivision
Head of division
and all the
subdivisions
Safety Events,
Causes.
Audits reports.
Correctives
Actions
Monitoring of the
corrective actions.
Verifying their
effectiveness.
Head of division
and all the
subdivisions
Safety Events,
Causes.
Audits reports.
Correctives
Actions
Monitoring of the
corrective actions.
Verifying their
effectiveness.
OPS Division
Events and
corrective
actions in an
excel file
Technical Division
Events and
corrective
actions in
database
Safety
subdivision
Items of Corrective Actions
Ref.
Origin
& Date
Number/
YY
State of
progress
Finding
Target
Date
Actions planned
and carry out
Name
or better
Function
In progress,
Completed,
Closed.
Safety review
Internal audits,
External audits,
Process reviews
Others
Responsible
List of actions
planned
and carried out
If the target date

has passed, a new
target date should
be set
Findings of audits,
Action decided,
Proposal,
Others
Effectiveness
Criteria
Criteria to check
before closing the
Finding
Table of Corrective Actions

Ref.
Origin
& Date
State of
progress
Finding
Respon
sible
Target
Date
Actions planned and

carry out
Effectiveness
Criteria
03/07
Internal
Audit
January
2007
In
progress
Description of
jobs not
completed
RSMS
mars 08
mars 09
mars10
- Ask a national
coordination.
- Wait for RSMS
meeting in Brest
- ATSEP job
description in
progress.
- ATCO job description
to plan.
All job
description
done and
signed.
12/08
NSA
audit
April
2008
In
progress
Chief
Division
OPS
End
2009
1 Oficial reminder to
ATCO.
Done under ref.
08/2008
2 Monitor the report
rate with an indicator.
3 Briefings to ATCO.
Briefings done in june
2014.
New briefings
scheduled in oct 2008
Report rate =
100% for RA
TCAS and
AIRPROX.
ATCO : bad
reports of
safety events
Module 5
SMS Tools
- Dashboard
- Action Plan
SPIRIT
SPIRIT
SPIRIT is an english acronym Safety studies, Performance

and Internal audit Real time Integrated Tool.
SPIRIT is the database used by french ANSP for Risk
Assessment and Mitigation.
Preliminary studies, safety studies are stored in SPIRIT.
SPIRIT is very useful in order to mutualize and share
informations about risk Assessment and Mitigation.
MSQS validates some preliminary studies and some safety
studies stored in SPIRIT. The validated studies can be
used as template.
SPIRIT
Lille
SPIRIT
SPIRIT
SPIRIT
CDG
SPIRIT
& Orly
Brest
W
SPIRIT is managed
by MSQS.
Each entity can
access to SPIRIT
(RSMS and people
involved in safety
studies).
SPIRIT
SPIRIT
SPIRIT
Strasbourg
E
SPIRIT
SPIRIT
Lyon
SPIRIT
SPIRIT
AIS
CESNAC
Bordeaux
SPIRIT
SW SPIRIT
SPIRIT
SE
Toulouse
SPIRIT
Marseille
SPIRIT
Nice
SPIRIT
SPIRIT
Indian
Ocean
West Indies
Guiana
SPIRIT
SPIRIT
When a change is decided it is

mentioned in SPIRIT and all the
informations about this change are
recorded in SPIRIT :
- Preliminary Study,
- Safety study (if exists),
- Date of implementation.
Some preliminary studies and safety

studies that has been validated by
MSQS can be used for similar changes.
SPIRIT
Module 5
SMS Tools
- Dashboard
- Action Plan
Dashboard
Managers need a dashboard for monitoring the main
indicators.
Summary
Topic
Safety
Traffic
Delay
Technical
Results
Trend

0,60
0,55
0,50
0,45
0,40
0,35
Losses of separation below 70% of the minimum radar

separation.
French ACC minimum radar separation :
- Vertical 1000 ft.
- Horizontal 5NM.

0,60
1,00
0,90
0,80
0,70
0,60
0,50
0,40
0,30
0,20
0,10
0,00
0,55
0,50
0,45
0,40
0,35
HN70
2007
2008
2009
Janv
1
0
0
Fvr
1
0
0
Mars
1
1
0
Avr
0
1
1
Mai
0
0
1
Juin
2
2
0
Juil
1
0
0
Aot
0
0
1
Sept
0
1
1
Oct
2
1
Nov
0
0
Dc
0
1
Total
8
7
4
Evolution annuelle 12
mois glissants
0,61
A graph is subjective. The 2 graphs are built with the same datas but
have different scales.
It is useful to present the data in a table.

RA TCAS per 100 000 flights
1,00
0,90
0,80
0,70
0,60
0,50
0,40
0,30
0,20
0,10
0,00
Resolution Advisory Traffic Alert Collision Avoidance System

(RA TCAS)
Dashboard : delays indicator

Delays for Paris ACC
Dlais 07/08
Dlais 08/09
160000
minutes
140000
120000
100000
80000
60000
40000
20000
0
Meteorogical
conditions
ATCO strike
In a dashboard you must explain the peaks or the anomalies.
Events on telecom leased lines.
Implementation by
SAFETY MONITORING
Direction
When
Weekly
OPS Division
When
Monthly
Daily
Who
Chief, Deputy, RSMS,

Chiefs of divisions,
deputies
Technical Division
When
Who
Chief Division OPS,
deputy, chiefs subd
Weekly
Subdivision
Safety
Daily
1 chief
1 Deputy
4 ATCO and assistants
Who
Chief Technical Division,
deputy, chiefs subd
Subdivision
Safety
1 chief
1 Deputy
2 ATSEP
Module 5
SMS Tools
- Dashboard
- Action Plan
Action Plan
Every year an action plan with the main objectives and the
planned actions.
4 main axes for actions :

- Safety and security
- Environment
- Management and user services
- European construction
Action Plan
A monthly review of the action plan with an update of the
monitoring document.
SMS Tools
Main tools for managers : Action Plan, Corrective Action
Table, Dashboard.
Action Plan
(yearly)
Dashboard
Corrective Actions Table

(corrective actions added each time when need)
Module 6
Risk Assessment and Mitigation
Regulations.
General Principles (FHA, PSSA, SSA ).
French Methodology (ANSP and NSA).
Preliminary Study (EPIS CA, EPIS TECH).
Methodology of intervention (MISO).
Safety Study : new procedure for Marseille Provence
Airport (south east of France).
Module 6
Regulations and General Principles.
French ANSP and NSA Methodology.

Safety Study : change of procedure for Marseille Provence
Regulations : Annex 19 Appendix 2
Regulations : Annex 19 Appendix 2

The service provider shall develop and maintain a
process that ensures analysis, assessment and control of
the safety risks associated with identified hazards.
3.2 The management of change
The service provider shall develop and maintain a process
to identify changes which may affect the level of safety
risk associated with its aviation products or services and
to identify and manage the safety risks that may arise from
those changes.
Regulations : SMM DOC 9859

2.2 Safety Risk Assessment and Mitigation page 5-18
3.2 The management of change
page 5-23
The Safety Management Manual (SMM) is a guidance

documentation.
In the SMM you find help and examples.
Regulations : SMM DOC 9859
Figure 5-4. The safety risk management process
European Regulations
Regulation n
1035/2011
- Obligation for ANSP to make Risk Assessment and

Mitigation for every planned change with an impact on
safety
- Definition of the content of Risk Assessment and
Mitigation for ANSP.
Regulation n
1034/2011
ANSP must notify to ANS every change with an impact on

safety.
European Regulations
The origin of the regulation about Risk Assessment and
Mitigation can be found in ESARR4.
Module 6
Regulations.
What is a Change ?
A change is :
- A new equipment (hardware and/or software),
- A modification of an equipment (hardware and/or software),
- A modification of airspace (airways, design )
- A significant change in working methods.
We can have :
- Technical change,
- Airspace change,
- Both Technical and Airspace.
Technical Change
Instrument Landing
System (ILS)
Radar Station
Radio Station
Flight plan and

Radar data
Network
Airspace Change
New airways to optimize departures on south of Paris.
Airspace change and Technical change

SU
AP
FL345
AP
FL285
AO
FL285
AO
Initially we have 2 layers : sector AO and sector AP. To improve

safety and capacity in this area we have create a third layer
sector : SU.
This change has an impact on airspace.
But it has also a technical impact : new radio frequency, new
ATCO position .
General principles
t
Definition of the system perimeter and environment
Functional Hazard Assessment (FHA) :

System Analysis
Identification of the hazards
Definition of the safety objectives
Preliminary System Safety Assessment (PSSA) :
Identification of the Mitigation Means (MM).
System Safety Assessment (SSA) :
Demonstrate the implementation of Mitigation Means
Analysis of transition phases
Definition of safety assurance means
General principles
FHA
System analysis
Identification of Hazards (severity, frequency )
Definition of the Safety Objectives
NO
PSSA
SSA
Identification
of objectives
the Mitigation
Means
Conversion
of safety
in requirements
Objectives
Achieved ?
YES
Stored
Demonstrate
implementation
of mitigation
means
Quantitativethe
and
qualitative assessment
of safety
Synthesis
General principles
FHA
System analysis
NO
PSSA
SSA
Identification
of objectives
the Mitigation
Means
Conversion
of safety
in requirements
Demonstrate
implementation
of mitigation
means
Quantitativethe
and
of safety
Synthesis
Objectives
Achieved ?
YES
Stored
Description of change
and perimeter of safety analysis.
It must take into account the three following elements :
- Human factors (working methods, Human Machine Interface (HMI)
competencies).
- Procedures.
- Equipements (hardware and software).
The interfaces of the change with the outer environment

should not be forgotten (Letters of Agrement, protocols ).
Example of description of a perimeter

Change = new air traffic control service on a platform
Approach
En route
LOA
Protocol
CTR classe D
SID a
Loc
SID a
Technical
STAR z
Glide
Q F U 10-32
TWR
AIP
Users
Technical room
Exploiting
ploiti
ting
ti
ng
Protocoll
STAR y
General principles
FHA
System analysis
NO
PSSA
SSA
Identification
of objectives
the Mitigation
Means
Conversion
of safety
in requirements
Objectives
Achieved ?
YES
Stored
Demonstrate
implementation
of mitigation
means
Quantitativethe
and
of safety
Synthesis
Identification of Hazards
Hazard = danger affecting the provision of services by
ANSP and that can lead to an accident or incident.
Causes
of hazard
Human Factor
Error
Technical
Dysfunction
Combination
Brainstorming with
experts to identify hazards.
Procedural
Error
Brainstorming
with experts
to identify
causes
Hazard
You can build a list of hazards.
Consequences
Severity
Frequency
Brainstorming
with experts to find
severity and frequency
Example of Hazards
Examples of hazard :
- Loss of one radio frequency in a control center.
- Illicit penetration of an aircraft in a sector.

- Corrupted radiation of an ILS glide.
- Corrupted radar image not detected on an operational
control position.
- Loss of radar coverage.
- Others.
Example of Hazards : hazard 1

SU
FL345
AP
FL285
AO
Radar screen
of AO, AP, SU
positions
This change is done to

increase the safety and the
capacity on this area.
The aircrafts that are in AO,
AP and SU are all visualized
on each position AO, AP and
SU.
The first hazard identified is :
Too many aircrafts on the
screen at the same time,
screen overloaded.
Hazard 1 : Radar screen overloaded.
Example of Hazards : hazard 2
SU
FL345
AP
FL285
ATCO
Hazard 2 : Transfert to wrong sector.

The upstream sector gives the aircraft to the wrong sector (AP
instead SU, SU instead AP).
Consequences of Hazards
For each hazard we have to identify the potential
consequences.
We must determine the severity and the frequency by

imagining the worst possible case.
Hazard
Consequences
Severity
Gravity
Severity of Hazards
5 levels are defined for the severity.
Severity
Consequences Accidents
on operations
Examples of
consequences
(assessment
beforehand)
One or several
catastrophic
accidents;
One or more
air collision;
One or more
ground
collision;
Serious
incidents
Major
incidents
Significant
incidents
No immediate
effect on safety
Important loss
of separation
(eg. < 50% of
minimum
separation)
where aircrew
or ATC cant
fully control the
situation or
arent able to
put it right
Important
loss of
separation
(eg. < 50% of
minimum
separation)
where
aircrew or
ATC fully
control the
situation and
are able to
put it right
Increase in
controllers or
aircrew
workload or
slight
deterioration
of functional
capacity in
ATC system
A situation that
can generate
danger : no direct
or indirect impact
on safety
Example of severity : hazard 1

Hazard 1
Radar screen
overloaded
Brainstorming
with experts
Severity = 3
Major
incident
Radar screen of AO, AP, SU positions

overloaded
Example of severity : hazard 2

Hazard 2
Transfert
to bad sector
The ATCO
makes an error,
he gives to the
FL345 aircraft the
frequency of AP
instead of SU.
FL285
SU
AP
ATCO
Brainstorming
with experts
Severity = 4
Significant
incident
Frequency of Hazards
The frequency can be quantitative but its easier to have
qualitative level.
Frequency
Extremely
rare
Rare
Occasional
Frequent
Very
Frequent
1 per 1000
years
1 per 5-10
years
1, 2 times
per year
Several times
per year
1 time per
month
Example of frequency : hazard 1
Hazard 1
Radar screen of AO, US, SU positions

overloaded
Brainstorming
with experts
Frequency =
Frequent
Example of frequency : hazard 2

SU
Hazard 2
Brainstorming
with experts
Frequency =
Frequent
X
ATCO
AP
The ATCO
makes an error,
he gives to the
FL345 aircraft the
frequency of AP
instead of SU.
FL285
General principles
FHA
System analysis
NO
PSSA
SSA
Identification
of objectives
the Mitigation
Means
Conversion
of safety
in requirements
Objectives
Achieved ?
YES
Stored
Demonstrate
implementation
of mitigation
means
Quantitativethe
and
of safety
Synthesis
Safety Objectives
For each level of severity we must define the maximum
acceptable frequency.
Severity
1
Accident
2
Serious
Incident
3
Major
Incident
4
Significant
Incident
5
No
Effect
Safety
Objective
Extremely
rare
Rare
Occasional
Frequent
1 per 1000
years
1 per 5-10
years
1, 2 times
per year
Several times
per year
Safety Objectives
A matrix is used to see if a hazard (severity + frequency) is
in the acceptable area.
Frequency
Very
Frequent
Frequent
Occasionnal
Rare
Extremely
rare
Severity
1 Accident
2 Serious
Incident
3 Major
Incident
4 Significant
Incident
5 No Effect
Example of check of safety objectives

Hazard 1
Severity = 3
Frequency =
Frequent
Hazard 2
Severity = 4
Frequency =
Frequent
For each hazard we must

check
if
the
couple
severity/frequency is in
the acceptable area of the
matrix.
Frequency
Very
Frequent
Frequent
Severity
1 Accident
2 Serious
Incident
3 Major
Incident
4 Significant
Incident
5 No Effect
Hazard n
1 is in the non acceptable area.
Hazard n
2 is in the acceptable area.
Occasionnal
Rare
Extremely
rare
General principles
FHA
System analysis
NO
PSSA
SSA
Identification
of objectives
the Mitigation
Means
Conversion
of safety
in requirements
Demonstrate
implementation
of mitigation
means
Quantitativethe
and
of safety
Objectives
Achieved ?
YES
Stored

Synthesis
Protective Mitigation Means
Generaly the Protective Mitigation Means are applied to

decrease the severity of a hazard.
They help to mitigate the consequences of a hazard and

they have an effect when the hazard has occurred.
Example of Protective Mitigation Means : hazard 1

SU
FL345
AP
FL285
AO
Radar screen SU position with

all aircrafts (AO, AP, SU)
Radar screen of
SU position
Hazard 1 : too many aircrafts on a position, radar screen

overloaded.
Mitigation mean : the aircrafts that belongs to SU are in
red color, the others (AO and AP) are in black (software
update).
Preventive Mitigation Means
Generaly the Protective Mitigation Means are applied to

decrease the frequency of a hazard.
They are put on the cause of a hazard (before the hazard

occurrence).
Example of Preventive Mitigation Means : hazard 2

SU
FL345
AP
FL285
ATCO
Hazard 2 : Transfert to wrong sector.

The upstream sector gives the aircraft to the wrong sector (AP instead
SU, SU instead AP).
Mitigation means :
- ATCO training.
- ATCO documentation.
- Warning on positions.
New brainstorming after Mitigation Means (MM)

Hazard 1
Radar screen
overloaded
Brainstorming
with experts
after MM
Severity = 4
(3 before MM)
Frequency = Frequent
(same before MM)
Radar screen of AO, AP, SU positions

overloaded
New brainstorming after Mitigation Means (MM)

SU
Hazard 2
Brainstorming
with experts
after MM
AP
The ATCO
makes an error,
he gives to the
FL345 aircraft the
frequency of AP
instead of SU.
FL285
ATCO
Severity = 4
(same before MM)
Frequency = Rare
(Frequent before MM)
Example of check of safety objectives after MM

Hazard 1
Severity = 4
Frequency =
Frequent
Hazard 2
Severity = 4
Frequency =
Rare
After MM, for each hazard

we must check if the
couple severity/frequency
is in the acceptable area
of the matrix.
Frequency
Very
Frequent
Frequent
Occasionnal
Severity
1 Accident
2 Serious
Incident
3 Major
Incident
4 Significant
Incident
5 No Effect
The two hazards are now in the acceptable area.
Rare
Extremely
rare
Safety Objectives hazards 1 and 2

(before and after MM)
Frequency
Very
Frequent
Frequent
Occasionnal
Rare
Extremely
rare
Severity
1 Accident
2 Serious
Incident
3 Major
Incident
Hazard 1
4 Significant
Incident
Hazard 1
Hazard 2
Hazard 2
5 No Effect
Mitigation Means, Causal Chain

Causes
of hazard
Human Factor
Error
Technical
Dysfunction
Procedural
Error
Mitigation
Frequency
Frequency
Decrease
Has
effect on
Consequences
Hazard
Preventive
MMS
Severity
Decrease
Protective
MMS
Has
effect on
General principles
FHA
System analysis
NO
PSSA
SSA
Identification
of objectives
the Mitigation
Means
Conversion
of safety
in requirements
Demonstrate
implementation
of mitigation
means
Quantitativethe
and
of safety
Objectives
Achieved ?
YES
Stored

Synthesis
Demonstrate the implementation of the Mitigation

Means
This phase has to demonstrate that :
- The Safety Objectives allocated to hazards are achieved.
- The Mitigation Means are effectively enforced.
It consists in the provision of :

- Reports of technical tests.
- Updated documentation (Letters of agreement, Protocols, Manuals,
Maintenance procedures).
- Traceability of training (ATCO, ATSEP ).
Example : Demonstrate the implementation of the

Mitigation Means
Hazard 1 : The update of software
to make appear aircrafts with
different colors must be validated
before the implementation of the
change.
Radar screen of
SU position
Hazard 2 :
The traceability of ATCO training must be done and
recorded.
The ATCO manuals have been updated. A new manual
has been created fot the new sector.
General principles
FHA
System analysis
NO
PSSA
SSA
Identification
of objectives
the Mitigation
Means
Conversion
of safety
in requirements
Demonstrate
implementation
of mitigation
means
Quantitativethe
and
of safety
Synthesis
Objectives
Achieved ?
YES
Stored
Analysis of transition phase

When you implement the change, you have a transition
phase. You must also do a safety analysis for the hazards
that can exist during this phase.
Remember berlingen accident causes :
No Risk assessment and mitigation for the works. No internal

coordination between operationals and technicians.
The written directives concerning the accomplishment of the work did
not included explanations about the effects that work would have on
the availability of technical equipment.
The transition phase has been forgotten
Analysis of transition phase

Later we will see the DSNA MISO procedure.
The MISO procedure takes into account the transition

phase.
The MISO procedure takes into account backward steps.
General principles
FHA
System analysis
NO
PSSA
SSA
Identification
of objectives
the Mitigation
Means
Conversion
of safety
in requirements
Demonstrate
implementation
of mitigation
means
Quantitativethe
and
of safety
Objectives
Achieved ?
YES
Stored

Synthesis
Safety Assurance
Safety assurance defines the means to monitor the new
system :
- Verify that an acceptable safety level is maintained on
the long run.
- Verify that the initial hypothesis are always valid.
- Verify if new hazards occur.
They can take different forms :
- Definition of safety indicators.
- Procedure to monitor the indicators.
If necessary the safety analysis is updated.
Example of Safety Assurance

SU
FL345
AP
FL285
AO
Safety is the most important item.

Safety assurance : monitoring of
monthly indicators to check the
safety on AO, AP and SU positions.
1 indicator to check the incidents
due to screen overload.
1 indicator to check incidents due
to wrong sector.
Is the change efficient ?

Project assurance : indicator to check the delays on the
positions AO, AP, SU.
Module 6
Regulations.

Regulations :
ICAO Annex 19, DOC 9859
Safety Analysis
This methodology
explains how to do a
safety analysis :
procedure, guides,
templates
How to do a safety
analysis ? The
regulations and the
general principles are
not enough explicit.
Procedure
Guides explain how

to use templates.
Guides
Templates
Procedure, guides and templates are compliance with regulations and

with general principles.
Guide
Procedure
Template
Airspace
Change
Safety
Analysis Report
MISO
MISO
Technical
Change
Hazards
Preliminary
Analysis
Documentation
Procedure
Technical
EPIS-TIL
template
Airspace
EPIS-CA
template
MISO
template
Structure for
Safety Analysis Report
List of Hazards (built with exprience)

EPIS-TIL
guide
EPIS-CA
guide
MISO
guide
Safety analysis
guide
Brainstorming
Brainstorming
Leader : Safety Coordinator of the change
Experts : ATCOs, ATSEP, engineers
The safety coordinators follow a training (initial and

continuous) on safety analysis (method, cause tree,
requirements ).
The RSMS (Responsible Safety Management System) can
follow the brainstorming.
Brainstorming
Brainstorming
The brainstorming is done :

- to define the hazards,
- to define the severity,
- to define the frequency,
- to define mitigation means
-
Brainstormings are used during EPIS-TIL, EPIS-CA, Safety
Analysis Report, MISO.
French ANSP Methodology : EPIS-TIL

EPIS-TIL Technical change.
Preliminary safety analysis for a technical change. EPISTIL is done for :
- the implementation of a new system,
- an important modification (software or hardware) of the current system.
At the end of EPIS-TIL you have the worst possible case with hazard
severity. If severity is 1 or 2 you must done a safety analysis study.
ILS
Radar
Radio
Flight plan,
Radar data
Network
French ANSP Methodology : EPIS-CA

EPIS-CA Airspace change.
Preliminary safety analysis for an airspace change.
At the end of EPIS-CA you have the worst possible case with hazard
severity. If severity is 1 or 2 you must done a safety analysis study.
SU
AP
FL345
AP
FL285
AO
AO
New airways
FL285
New sector
French ANSP Methodology : MISO

MISO
Safety analysis for each planned technical intervention on an
operational system.
MISO is not applicable in case of system failure.

MISO needs a coordination between technical and
operational division.
Technical Division analyzes the technical risks.
OPS Division analyzes the impact of the intervention on
operational room (ATCOs).

Remember some of the causes of berlingen accident.
No Risk assessment and mitigation for the works. No internal
coordination between operationals and technicians.
The written directives concerning the accomplishment of the work did
not included explanations about the effects that work would have on
the availability of technical equipment.
The ATCO was not aware that the optical STCA was off.
With MISO the ATCO would be informed of the effects of

the work in progress.

Difference between EPIS-TIL, EPIS-CA, Safety Analysis
Report and MISO :
- EPIS-TIL, EPIS-CA, Safety Analysis Report are done for
the risks related to a change (new systems, new
functionalities ).
- MISO is done for the risks related to a technical
operation.
When a change is implemented
several MISO.
we must have 1 or
DSNA Methodology Chronology

Activities linked to Project Management
Safety Assurance
Activities
EPIS-TIL
and/or
EPIS-CA
Beginning of
the change
Severity
1 or 2
No
Yes
Is the safety
analysis pertinent ?
Safety Analysis
Report
MISO
Monitoring indicators
Documentation reviews
Audits
Implementation
decided by DSNA
after approval by
DSAC if necessary
French ANSP Methodology : Safety Plan
DSNA Risk Assessment and Mitigation Tool
SPIRIT
DSNA database
For each change DSNA

puts in SPIRIT database :
- Definition and perimeter.
- Planned date of implementation.
- EPIS CA and/or EPIS TIL.
- Safety Analysis Report (if it
exists).
- Actual date of implementation.
DSNA Risk Assessment and Mitigation Tool

Headquarters, ACC and Airports
can access to SPIRIT.
SPIRIT allows a mutualization
between users.
If a safety analysis has been done
for a change somewhere it can be
useful to look about it if you have a
same change to do.
SPIRIT
ACC
Headquarters
Airports
DSAC procedure
For oversight
DSNA
Notification of planned changes regarding safety

t
DSAC
Followed up
Nomination of a correspondant
Decision
of follow up
by NSA ?
Not followed up
Validation of Safety Plan (if exists)
New hazard during

Analysis with Severity
1 or 2 ?
N
Writing the Coordination Plan
Safety analysis, not

followed up by NSA,
archived by ANSP
Review of Safety Analysis

Safety
Analysis
NSA correspondant sends his report

Change approved ?
Request for
Complementary
information ?
Data archived in NSA
Refusal of change
Implementation
of change
Documentary reviews
Verification : follow up of safety assurance
DSNA

t
DSAC
Followed up
Decision
of follow up
by NSA ?
Not followed up

followed up by NSA,
archived by ANSP

Safety
Analysis

Change approved ?

New hazard during

1 or 2 ?
Request for
Complementary
information ?
N
Refusal of change
Documentary reviews
Implementation
of change
Notification
SPIRIT
National Database
Change
DSNA units :
ACC, Airports, Others.
Every month
Notification to
DSAC
DSAC
DSNA

t
DSAC
Followed up
Decision
of follow up
by NSA ?
Not followed up

followed up by NSA,
archived by ANSP

Safety
Analysis

Change approved ?

New hazard during

1 or 2 ?
Request for
Complementary
information ?
N
Refusal of change
Documentary reviews
Implementation
of change
Decision of follow up by DSAC

The NSA must follow up a change if :
- It has a severity 1 or 2 (preliminary study).
- Its implementation implies the introduction of new
aeronautical norms.
Any other ATM changes of DSNA can be followed up.
Followed up changes are submitted to approval by DSAC

before implementation.
Each safety analysis can be subjected to documentary
review by DSAC after the implementation of change.
DSNA

t
DSAC
Followed up
Decision
of follow up
by NSA ?
Not followed up

followed up by NSA,
archived by ANSP

Safety
Analysis

Change approved ?

New hazard during

1 or 2 ?
Request for
Complementary
information ?
N
Refusal of change
Documentary reviews
Implementation
of change
Nomination of the DSAC correcpondant

A DSAC Correspondant is nominated for every change
followed up by DSAC. He represents the NSA through the
follow up.
The DSAC correspondants have initial and continuous

training on Risk Assessment and Mitigation.
DSNA

t
DSAC
Followed up
Decision
of follow up
by NSA ?
Not followed up

followed up by NSA,
archived by ANSP

Safety
Analysis

Change approved ?

New hazard during

1 or 2 ?
Request for
Complementary
information ?
N
Refusal of change
Documentary reviews
Implementation
of change
Validation of Safety Plan

If the safety analysis is based on a safety analysis report,
DSNA must write a safety plan
The safety plan must be validated by the DSAC

correspondant.
The safety plan can be modified without new formal

validation by the correspondant (the correspondant is
informed).
DSNA

t
DSAC
Followed up
Decision
of follow up
by NSA ?
Not followed up

followed up by NSA,
archived by ANSP

Safety
Analysis

Change approved ?

New hazard during

1 or 2 ?
Request for
Complementary
information ?
N
Refusal of change
Documentary reviews
Implementation
of change
Writing the coordination plan

Coordination plan is written by the DSAC correspondant
and the DSNA point of contact.
The coordination plan is a Contract between the DSAC

correspondant and the DSNA point of contact. It
describes how the follow up is done.
It helps to describe formally the discussions during the
safety analysis.
Writing the coordination plan

The minimal content for the coordination plan :
- Applicable regulations.
- Level of intervention by DSAC.
- If several countries are involved in the change, the role
of each NSA must be define.
- Identitication of NSA and DSNA actors for the safety
analysis
Writing the coordination plan : Level of intervention

Regulation n 1034/2011 sets that the review of a safety
analysis must be done in a way proportionate with the
change level of risk
Chosen level of intervention for the review of the safety analysis
Level A
- Verification of how the ANSP applies the procedures for risk

assessment and mitigation.
- Verification of all results found by DSNA during the safety analysis
Level B
- Verification of how the ANSP applies the procedures for risk

assessment and mitigation
- Verification of some results found by DSNA during the safety
analysis
Level C
Verification of how the ANSP applies the procedures for risk

assessment and mitigation
Writing the coordination plan : Deadline for approval

The deadline for approval must be defined as soon as
possible in the safety analysis process.
The deadline does not correspond to the implementation of

change. The date of the implementation of the change is
chosen by DSNA.
DSNA

t
DSAC
Followed up
Decision
of follow up
by NSA ?
Not followed up
New hazard during

1 or 2 ?
N

followed up by NSA,
archived by ANSP

Safety
Analysis

Change approved ?
Request for
Complementary
information ?
Refusal of change
Implementation
of change
Documentary reviews
Review Safety Analysis

The NSA correspondant can verify :
- The perimeter and the description of the change.
- The defined hypothesis (in particular interfaces with external
systems).
- The identification of risks and hazards.
- The correct handling of the consequences of hazards.

- The consistency of the classification in severity.
- The warranty for the actual implementation of proposed mitigation
means.
- The transition phase is processed.
- The demonstration that the process and methods used meet
the applicable regulatory requirements for safety
DSNA

t
DSAC
Followed up
Decision
of follow up
by NSA ?
Not followed up

followed up by NSA,
archived by ANSP

Safety
Analysis

N
Change approved ?
New hazard during

1 or 2 ?
Request for
Complementary
information ?

Refusal of change
Implementation
of change
Documentary reviews
Changed approval
The correspondant report gives DSAC :
- Essential characteristics of the change.
- Critical review of safety analysis.
- Conclusion of the correspondant regarding the approval
of change related to safety.
DSAC delay for answer : 1 month.
Three possible answers by DSAC :
- Approval of change.
- Request for further information.
- Refusal of change
DSNA

t
DSAC
Decision
of follow up
by NSA ?
Followed up
Not followed up
New hazard during

1 or 2 ?
N

followed up by NSA,
archived by ANSP

Safety
Analysis

Change approved ?
Request for
Complementary
information ?
Refusal of change
Implementation
of change
Documentary reviews
Synthesis
DSAC
Decision
to follow
change
Approval
of
Procedures
Notification
Review of
procedures
Decision
to make
a change
DSNA
Use of documented
procedures
Review
of SA
Make safety analysis
Approval
of change
Decision
of
Implementation
Documented
procedures
Monitoring of
continuous
conformity
Implementation
Module 6
Regulations.
Preliminary Study : EPIS-CA
Module 6

Safety Study : change of procedure for Marseille Provence

AFTN/CIDIN
system called
AERMAC. This
MISO describes
the switchover on
a new system
called MESANGE.
AERMAC
MESANGE
New system
Previous system

SWITCHOVER AERMAC on MESANGE
MISO V3 MIS RSX 10 055
SCOPE of the INTERVENTION
1.1 GENERAL CHARACTERISTICS
BEGIN
END
1.2 CONTEXT OF THE CHANGE
AFTN/CIDIN system called AERMAC.

This MISO describes the switchover on a new system called
MESANGE.
The switchover will be done line by line.

1.3 TECHNICAL MEANS INVOLVED
S1 COM GROUND/AIR
S2 COM GROUND/GROUND
S3 RADAR
S4 FLIGHT PLAN
S5 RECORDS
S6 Particular AirSpace
S7 OPS ROOM management
S7 ATFM
S8 RADIONAV
S10 GROUND mouvements
S11 GENERAL INFOS
S12 Others tools
S13 Transverse services
S14 STCA
S15 External services
2 ENTITIES CONCERNED

SWITCHOVER AERMAC on MESANGE
MISO V3 MIS RSX 10 055
3 AGENDA

4. ANALYZE and MITIGATION MEANS
4.1 CONSEQUENCES
Each line will be cut during 30 minutes.
Alarms.
Wrong routage modification. Some messages are not routes to airports

or ACC.

6. ANALYZE and MITIGATION MEANS (OPS)
6.1 IDENTIFICATION OF IMPACT POINTS
Experience on similar change
Impact on ATCO
Impact on Chief ATCO room
Important traffic load
Impact on flights
Impact time
Impact other entities
Impact on airspace
Other

6.2. SEVERITY and MITIGATION MEANS (OPS)
NO HAZARD IDENTIFIED

9. PREPARATION OF INTERVENTION
9.1 ACTORS
9.2 ACTIONS
Coordination
Experts
Tests
Final check
TO DO
DONE
DONE
TO DO
Protection OPS room
DONE
Methodology
gy of intervention ((MISO).
)
10 CHRONOLOGY OF INTERVENTION
10.1 EXECUTION
Module 6

Safety Study : change of arrival procedure for Marseille
Provence Airport (south east of France).
Where is Marseille ?
Marseille Provence : New Arrivals QFU 13

Description of the change
Implementation of an approach procedure passing by the

vertical of Istres military base at an altitude of 5000 ft
QNH.
Implementation of a procedure "alternative" passing by
the vertical of Salon de Provence military base. This
alternative procedure is used when Istres is not
available.

Goals of the change
Improve the safety in this area.
Take into account the increase of traffic.
Intercept the ILS at 3000ft (environment).

Who is involved ?
Ministry of transports DSNA (Marseille Airport).
Ministry of Defense DIRCAM (Salon and Istres 2 military

bases).
Residents affected by the new arrival trajectories de
Marseille provence. They must be informed.
Marseille Provence New Arrivals QFU 13 : Safety Study
Brainstorming
with experts
EPIS-CA
EPIS-CA
Safety Study
Safety
Plan
Other
Documents
EPIS-CA
Coordination
Plan
with NSA
EPIS-CA
Minutes meeting
Planning
Records
Marseille Provence New Arrivals QFU 13 : Safety Plan
Marseille Provence New Arrivals QFU 13

Coordination Plan
Ministry of transports DSNA.
Ministry of transports NSA.
Ministry of Defense DIRCAM.

Ministry of Defense NSA/D.

Coordination Plan
Actors of the coordination.

Context of the change.
Applicable regulations.
Intervention level by NSA.
Planned meetings

Coordination Plan
Coordination Plan
Title
CHGT-001682 Marseille New Arrival QFU13

A. Actors
Correspondant of military NSA

Correspondant of Military Provider
Correspondant of civil NSA
Correspondant of civil provider

Coordination Plan
Context of the change
Date of notification to civil NSA
Date of designation of civil correspondant
Date of notification to military NSA
Date of designation of military NSA
Planned date of implementation
Dead line for approval
Localization
Scope of the change
Implementation of an approach procedure passing by the vertical of Istres military
base at an altitude of 5000 ft QNH.
Implementation of a procedure "alternative" passing by the vertical of Salon de
Provence military base. This alternative procedure is used when Istres is not
available.

Coordination Plan
C. Regulations
D. Evolutions of the coordination plan.

Coordination Plan
E. Level of intervention by NSA
Verification of procedures.
Verification of some results.

Coordination Plan
G. Explanations for the choice of the deadline
16 weeks before the planned date of implementation.
It is necessary to have 16 weeks to be abble to update the
AIP (Aeronautical Information Publications).
H. Meetings between NSA and operators.
Periodic meetings.
Frequency
Meetings at end of phasis.
When ?

Coordination Plan
I. Planned agenda
Meetings and documents
Scope of the change and follow up.
Safety Plan
EPIS-CA Preliminary study V2.19 03/06/2011
Follow up meeting of safety study
Follow up meeting of safety study
Final meeting

EPIS-CA Preliminary Study : Size of change
Size of the change
Number
Number
Numb
Nu
mber
mb
of entities
of
f entities
enti
titi
involved
ties involved
iinvol
olved
ol
(internal
d (internal)
(int
(i
nternal)
DSNA)
l)
Number of entities involved (external DSNA)
Size of the change
Impact on the working methods of controllers
Impact on the working methods of pilots
Impact on the working methods of technicians
Environnemental impact
Experience on a similar change
Results

EPIS-CA Preliminary Study : characterisation of risk
Characterization of risk
Conception
Integration
Working methods
Technical
Human resources
Aeronautical publication - Communication
Experience on a similar change
Results

EPIS-CA Preliminary Study : Hazards
Wrong interpretation of the operational situation
Severity
Frequency
Description
The worst hazard is :

Severity 3
Frequency Frequent
Causes
Consequences

EPIS-CA Preliminary Study : Mitigation Means MM)
A MM can be put on several Hazards.
Update Flight
gh PLN data processing
p
g
MM1 Up
Radar
separation
pa
12NM
MM2
Extension Istres area
MM3
MM
MM4 Radar surveillance, vectoring
MM5 Briefing to pilots, to airlines
Update LOA
MM6 Up
MM7 ATCOs training, simulations
MM7
MM8 Phraseology
MM9 New
MM9
New AIP
AIP
MM10 Take into account military requirements
Hazards

EPIS-CA Preliminary Study: Mitigation means
MM11
MM12
MM13
MM13
MM14
MM15
MM16
Preventive maintenance
Equipment
Eq
pm
redundancy
cy
Alternative procedure via Salon
IRMA PC
Regular
gu
exhange
ng (civil
(c
and military)
y)
MM17
MM18
Tactical coordination
Backup phone
After brainstorming MM not validated.

EPIS-CA Preliminary Study : Acceptability of risk
Acceptability of risk
Before MM H1 is not in the

acceptable area.
H1
H2,H4,
H5
H3
After MM the 5 hazards are in

the acceptable area.
H1
H2,H3
H4,H5

Mitigation Means Training of ATCOs
Module 7
- Organization of SMS, QMS and IMS.
- Quality Management System QMS
- Mapping
- Management Reviews.
Module 7
- Mapping
SMS Organization
When
Every 2 or 3
years
Who
Structures and Tools

NSA
Audits
Audits
MSQS
NSA Auditors
MSQS Auditors
Every 2 years
SMS
ANSP
Safety Management
review (ANSP level)
Twice
a year
AGATA
According to
the annual
program
SMS ACC or
Airport
Internal
Audits
Safety Management
review
(ACC or Airport level)
Twice
a year
Monthly
OPS
Monitoring
Group
Corrective
Actions
For every
change
Every 2 years
Actions
Audits
MSQS
ISO Auditors
ISO
Audits
Quality Management
review (ANSP level)
MSQS Auditors
QMS
ANSP
Monthly
QMS ACC or
Airport
Processes
reviews
OPS
Monitoring
Group
For every
change
Corrective
Actions
Corrective
Actions
Technical
Monitoring
Group
Corrective
Actions
SPIRIT
INCA
For every
event
Local Auditors
ECCAIRS
Processing
of Quality
Events.
Chief ACC or Airport,

deputy,
RSMS,
Chief OPS Division,
Chief Tech Division,
Chiefs safety
subdivision.
Chief OPS Division,
deputy, chiefs of
subdivisions.

deputy, chiefs of
subdivisions.
Responsibles of safety
studies,RSMS
Safety Studies
OPS division
Processing
of safety
Events
Director ANSP
Deputy
Chiefs ACC &
Airports
MSQS
Pilots, Actors of
processes/
Quality Management
review
Twice
a year

deputy, chiefs of
subdivisions.
Who
Internal
Audits
Chief OPS Division,

deputy, chiefs of
subdivisions.
Report
Notification
Analyse
Safety commission
Corrective Actions
Feedback
AGATA
According to
the annual
program

deputy,
RSMS,
Chief OPS Division,
Chiefs safety
subdivision.
studies,RSMS
QMS Organization
Twice
a year
Local Auditors
Tech Division
Processing
of safety
Events
SPIRIT
Report
INCA
Notification
Analyse
ssion
Safety commission
Corrective Actions
ns
ECCAIRS
Feedback
When
Every Year
Technical
Monitoring
Group
Corrective
Safety Studies
OPS division
Processing
of safety
Events
For every
event
Corrective
Actions
Director ANSP
Deputy
Chiefs ACC &
Airports
MSQS
Tech Division
Processing
of safety
Events
IMS Organization
When
Every Year
Every 2 years
Who

NSA
Audits
Audits
MSQS
ISO
Audits
MSQS Auditors
Management
review (ANSP level)
Twice
a year
IMS
ANSP
AGATA
According to
the annual
program
Internal
Audits
IMS ACC or
Airport
Processes
reviews
OPS
Monitoring
Group
Corrective
Actions
For every
change
Director ANSP
Deputy
Chiefs ACC &
Airports
MSQS
Local Auditors
Pilots, Actors of
processes/
Management
review
Twice
a year
Monthly
ISO Auditors
NSA Auditors
Corrective
Actions
Technical
Monitoring
Group
Corrective
Actions

deputy,
RSMS,
Chief OPS Division,
Chiefs safety
subdivision.
Chief OPS Division,
deputy, chiefs of
subdivisions.

deputy, chiefs of
subdivisions.
studies,RSMS
Safety Studies
SPIRIT
INCA
For every
event
ECCAIRS
OPS division
Processing
of safety
Events
Processing
of Security,
Quality,
Environment
Events.
Tech Division
Processing
of safety
Events
Module 7
- Mapping
QMS : ISO 9001 V2008 Requirements

4 Quality
Management
System
5 Management
Responsibility
6 Resource
Management
7 Product
Realization
8 Measurement
Analysis and
Improvement
4.1 General
Requirements
5.1 Management
Commitment
6.1 Provision of
Resources
7.1 Planning of
Product
Realization
8.1 General
4.2 Documentation
Requirements
5.2 Customer
Focus
6.2 Human
Resources
7.2 Customer
Related Process
8.2 Monitoring and

Measurement
5.3 Quality Policy
6.3 Infrastructure
7.3 Design and

Development
8.3 Control and Non

Conforming Product
5.4 Planning
6.4 Work
Environment
7.4 Purchasing
8.4 Analysis of Data
5.5 Responsibility,
Authority,
Communication
7.5 Production and

Service Provision
8.5 Improvement
5.6 Management
Review
7.6 Control of
Measuring and
Monitoring
Equipment
SMS and QMS
A lot of common
requirements
SMS = Safety
Management System
ICAO Annex 19
QMS = Quality
Management System
ISO 9001
IMS
IMS = Integrated
Management System
Safety
Security
Environment
Quality
Quality is a component of an IMS but

also a tool used to implement the IMS.
Very often Quality is a tool used to
implement a SMS (procedure of
management of documentation,
records, audits, management reviews,
mapping )
The different components of the IMS

must follow the priorities chosen by
the General Director.
2 complementary approaches :
PROCESSUS Management of
the collective performance.
Input : listening to customers
Output : results, performance.
Avoid generating too much

documentation.
STRUCTURE
Management of :
Entities
Functions
Actors
Module 7
- Mapping
Mapping
In the next slide we have a mapping of Paris ACC.
Management
Listening customers
Strategy and management
Evaluation and improvement
of the management system.
Realization
Provide ATM and CNS

Maintain ATM and CNS
Support
Manage financial resources

Manage human resources
and competencies.
Manage infrastructures and
logistics.
Manage information systems
What is a Process ?
Pilot
Audits
Copilot
Reviews
Process
Indicators
Input
data
PROCESS A
Others
Performance
Indicators
Output
data
What is a Process ?
Chief OPS
Pilot
Division
Audits
Chief ATCO
Copilot
Subdivision
Reviews
Others
Ratio ATCO
on duty/
Process
ATCO
available
Indicators
Flight
Plans,
Input
Calls
from
data
Pilots
Provide Air Traffic

Control
Service
PROCESS
A
Process vs Organization
Performance
Safety
indicators
(Losses
of separation)
Indicators
Output
Safety
for
data
Aircrafts,
Safety Events
Process vs Organization
Module 7
- Mapping
Management review
2 Management review per year.
Members of the management review :
- Chief of ACC or Arports (chairman of the revue) and deputy.
- RSMS (secretary of the revue)
- Chief of operational division
- Deputy of operational division
- Chief of technical division
- Deputy of technical division
- Chief of administrative division.
- Chiefs of safety subdivisions
Management review
Safety Indicators
Safety Dashboard
Audit reports
(internal, external)
List of
Planned changes
List of
corrective actions
Actions plan
Project of internal
and external audits
Preparation
Analysis
Synthesis
done
by
RSMS
Management
Review
Minutes of
Management
Review
New
Planned
Corrective
Changes
Actions
Action
Plan
(update)
Planning
of
audits
Safety Management review
Agenda :
1. Safety indicators
2. Risk assessment and mitigation
3. Implementation of SMS
4. Audit reports
5. Corrective and Preventive Actions
Management Review : from SMS to IMS

SMS : Safety Management Review
IMS : Management Review
In Paris ACC, safety is the highest priority.

Safety is the first point of the management
review.
END
Module 8
Global Aviation Safety Plan (GASP)
Global Aviation Safety Plan
ICAO Safety Report (annual report)
Module 8
Global Aviation Safety Plan : Summary
GASP : Policy Principles

Reaffirms that Aviation safety is the highest priority.
Supports the implementation of defined safety objectives
and safety performance areas.
Provides a framework for Regional and State safety
priorities including safety management principles.
Takes into account cost benefit and financial issues.
GASP is reviewed every three years and submitted for
endorsement to each regular ICAO Assembly.
Global Aviation Safety Plan : Framework
Annex 19
Requirements
Between NSA
& ANSP, NSA
& NSA, ANSP
& ANSP.
Sharing of
statistics in
order to
determine the
main safety
problems and to
set plans to
solve these
problems.
NSA
ANSP
SMS implementation DOC 9859

DOC 9859
4 phases for SMS
implementation.
Phase 1 : 12 months.
NSA &
ANSP
Module 8
Regional Aviation Safety Group Regions
The Universal Safety Oversight Audit Program (USOAP)

States having an implementation of safety oversight above the global
average (61%).
The Universal Safety Oversight Audit Program (USOAP)

List of states having an implementation of safety oversight above the
global average (61%).
Average Effective Implementation by Area
Accidents statistics
Accidents statistics
Accidents by phases of flight
Accidents 2009-2013
ICAO Safety Report

SMS - Rosellini

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

SMS - Rosellini

Hochgeladen von

Copyright:

Verfügbare Formate

2015

ANSP04 ATM Safety Culture

Why do we need a Safety Management System ?

- This accident happened over the territory of the Federal

berlingen accident : factual informations

- The 2 flights involved in the collision were controlled by

berlingen accident : factual informations

- The meteorolical conditions were good.

berlingen accident : factual informations

berlingen accident : factual informations

- 2 official instructions regarding these changes were

- Others centers (Karlsruhe, Friedrichshafen ) were not

berlingen accident : factual informations

- 1 staff member from the ACC management was there to

berlingen accident : factual informations

- B757-200 from Bergamo (Italia) to Brussels (Belgium),

- Both aircrafts are equipped with TCAS (Traffic alert and

berlingen accident : factual informations

berlingen accident : chronology the aircrafts

berlingen accident : chronology Zurich ACC

berlingen accident : chronology Zurich ACC

09h10 pm : The technicians entered the control room and

berlingen accident : chronology Aircrafts-ACC

09h30 11s pm : initial call of Tupolev 154

09h?? pm : initial call of Airbus A320, delayed flight,

09h35 32s pm : collision between Boeing 757 and Tupolev

berlingen accident : analysis

berlingen accident : analysis

berlingen accident : analysis

berlingen accident : analysis

The apparent object size of an aircraft changes in form of

berlingen accident : analysis

berlingen accident : analysis

berlingen accident : analysis

berlingen accident : Reason model

berlingen accident : Reason model

berlingen accident : Reason model

berlingen accident : Causes & Reason model

We can put each cause in a plate.

The TU154 crew followed the ATC instruction to descend,

berlingen accident : Causes & Reason model

The management of ACC Zurich did not ensure that during

berlingen accident : Causes & Reason model

Due to work in progress :

berlingen accident : Causes & Reason model

The controllers were obliged to read directives concerning

berlingen accident : Causes & Reason model

The bypass phone system had a technical defect, so it

berlingen accident : Reason model

berlingen accident : Reason model

1 hole has disappeared

berlingen accident : Reason model

Why do we need a Safety Management System ?

SMS Requirements and Implementation

- requirements European Single Sky

All these requirements are very close.

Requirements for European Single Sky are built on ESARR

- The first edition of Annex 19 (July 2013)

2. Safety Risk Management

There is a personal work in progress in order to

2.1 Hazard identification.

3.1 Safety performance monitoring and measurement.

4.1 Training and education.