You are on page 1of 35

FAB CENTRAL EUROPE

FEASIBILITY STUDY

FAB Central Europe

Feasibility Study
Safety Case

Reference No.: FABCE/SAF/6.2/001


Edition Number: 01.00
Edition Date: 07/03/2008
Status: Released Issue
Classification: Restricted
Author: SAF WG

FAB Central Europe Feasibility Study


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Document Identification Sheet


Objective
Author SAF WG
Audience PMO, FAB SG, CCG
Document status Released Issue
Document reference FABCE/SAF/6.2/001
Edition 01.00
Edition date 07/03/2008

Version history
Author of
Version Date of Issue Reason for update
changes
00.16 23/01/2008 Version for PMO review SAF WG
00.17 25/01/2008 FAB CE document format CPMO
Update according to comments received +
00.18 15/02/2008 SAF WG
proposed issue
00.19 18/02/2008 Update according to comments received SAF WG
00.20 26/02/2008 Update according to OPS comments received SAF WG
00.90 26/02/2008 Proposed issue for FAB CE SG approval CPMO
00.92 07/03/2008 Tracked version before release CPMO
01.00 07/03/2008 Released issue CPMO

Distribution List

; FAB CE SG ; FAB CE OPS WGL


; FAB CE PMO ; FAB CE TEC WGL
† ; FAB CE HR WGL
† ; FAB CE SAF WGL
† ; FAB CE LIR WGL
† ; FAB CE FIN WGL

Status, Audience and Accessibility


Status Intended for Accessible via
Working Draft † Restricted ; Intranet †
Draft † Classified † OneSky Teams ;
Proposed Issue † Public †
Released Issue ;

Edition 01.00 Page 2 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

FAB CE FS Safety Case - TABLE OF CONTENTS


EXECUTIVE SUMMARY................................................................................................................. 5

1 INTRODUCTION ..................................................................................................................... 6
1.1 PURPOSE AND SCOPE ........................................................................................................ 6
1.2 LIMITATION ........................................................................................................................ 6
1.3 LIST OF REFERENCES ......................................................................................................... 7

2 SAFETY ARGUMENT............................................................................................................. 8
2.1 BACKGROUND .................................................................................................................... 8
2.2 HIGH LEVEL SAFETY ARGUMENT......................................................................................... 8
2.3 TOP LEVEL CLAIM .............................................................................................................. 9

3 FAB CE FS SAFETY CONSIDERATIONS........................................................................... 11


3.1 METHODOLOGY ............................................................................................................... 11
3.2 SAFETY OBJECTIVE .......................................................................................................... 11
3.3 SAFETY ISSUES INDICATED ............................................................................................... 11
3.4 CHANGES IDENTIFICATION ................................................................................................ 11
3.5 HAZARDS IDENTIFICATION AND PROPOSED MITIGATION...................................................... 12
3.5.1 General .................................................................................................................. 12
3.5.2 Hazards Related to People Element ..................................................................... 12
3.5.3 Hazards Related to Equipment Element ............................................................... 13
3.5.4 Hazards Related to Procedure Element ................................................................ 14
3.5.5 Detail Description of Hazards and Mitigation Measures........................................ 15

4 CONCLUSION....................................................................................................................... 16

APPENDIX 1: QUESTIONNAIRE ................................................................................................. 17

APPENDIX 2: SAFETY ISSUES INDICATED.............................................................................. 20

APPENDIX 3: LIST OF CHANGES IDENTIFIED ......................................................................... 26

APPENDIX 4: HAZARDS IDENTIFICATION AND PROPOSED MITIGATION........................... 30

Edition 01.00 Page 4 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Executive Summary
The FAB CE Feasibility Study Safety Case is the deliverable within WP 6.2.1 (DEL1) as
defined by the Safety Working Group (SAF WG) Work Breakdown Structure (WBS,
document number FAB-WBS-3-00-03).

Information contained in this document is intended to assist other FAB CE working groups
and also the developments of Master Plan and Cost benefit Analysis (CBA).

The FAB CE FS Safety Case reports on the performed safety assessment related activities
and appropriate conclusions. This document also proposes the high-level structure of safety
argument to be built during next stages of the FAB CE project.

Concerning the OPS concept, the dynamicity was considered as more demanding in terms of
time for the safety assessments being performed as well as for the mitigation means to be
applied in the FAB CE operations phase.

Fourteen hazard areas were identified as well as proposed mitigation measures. These
proposed mitigation measures (or their equivalents/alternatives) have to be applied during
the next stages of the FAB CE project.

Due to early stage of the project, the lists of hazard areas and proposed mitigation means
presented in this report are not to be considered as the final ones.

All the information contained in lists mentioned above is consolidated outcome of the
workshop with OPS and TEC experts and reflect the current stage of the FAB CE Feasibility
Study project and deliverables available at the moment of analyses conducted.

The SAF WG concluded the following:

From the safety point of view, there have been no blocking factors identified concerning the
feasibility of FAB CE considering that:

• Fourteen hazard areas were identified as well as feasible mitigation measures.


• These proposed mitigation measures (or their equivalents/alternatives) have to be
applied during the next stages of the FAB CE project.
• Although the hazard list is likely to be complemented at later stages of the project, it is
not foreseen that any possible additional hazard will raise a blocking factor.
The completion of the FAB CE Safety Case will require safety assessments to be done in
every stage of FAB CE project. Therefore, this document must not be considered as a
complete Safety Case of FAB CE project.

Edition 01.00 Page 5 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

1 Introduction
1.1 Purpose and Scope
The FAB CE Feasibility Study Safety Case is the deliverable within WP 6.2.1 (DEL1) as
defined by the Safety Working Group (SAF WG) Work Breakdown Structure [2].

Information contained in this document is intended to assist other FAB CE working groups
and also the developments of Master Plan and Cost benefit Analysis (CBA).

This document will support the FAB CE Feasibility Study project from the safety perspective
in compliance with SES Regulation (EC) No 551/2004 article 5.

Note:

In general, a Safety Case gives the evidence that, in the context of the operational
environment and the known limitations and shortcomings, the system (as defined in a known
build state) meets its Safety Requirements. However, as specified in Eurocontrol guidance
documentation (e.g. Safety Case training documentation and the SCDM [8]), it is necessary
to have a phased approach to the development of the Safety Case commensurate with the
major development milestones of the system, e.g.:

• Feasibility
• Project Definition
• Procurement
• Installation and Commissioning
• Transition
• Etc.

The production of the Safety Case could be supported by splitting the Safety case into a
number of parts or by successive iterations of the Safety Case.

The input for this document has been the draft document Safety Considerations [9] issued by
SAF WG.

The FAB CE Feasibility Study Safety Case provides the report on safety considerations,
based on FAB CE documents that have been available at the FAB CE “feasibility study”
project stage.

Note: SAF WG performed also an analysis on how the FAB CE introduction impacts the
safety management systems (SMSs) within the FAB CE area. This is documented in a
separate document (DEL 2: FAB CE Safety Management Roadmap [10]).

1.2 Limitation
This document is based on the other WGs representatives’ inputs during the 7th SAF-WG
session which includes the content of deliverables and papers. Additionally, experience and
expertise of participating ANSPs were used.

Edition 01.00 Page 6 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

As all the deliverables in the feasibility study stage are of high level, this document can only
highlight hazards related to the FAB CE operations as defined today, and propose possible
related mitigation means. It raises questions that need to be answered in the implementation
phases of the project. For the decision makers, it provides just basic information about
safety-related issues that the FAB CE operations introduce.

1.3 List of references


[1] Safety Group Statement of Work (FABCE/SAF/SOW/001)
[2] Safety Group Work Breakdown Structure
[3] Target High Level Operational Concept Elements (FABCE/OPS/1.2/001)
[4] FAB CE High Level Contingency Principles (FABCE/OPS/1.5/001)
[5] FAB CE Airspace Plan, Volume I, Airspace Design (FABCE/OPS/1.4/001)
[6] Analysis of Technical Environment in the FAB CE Region
(FABCE/TEC/WP2.1/ANL/01)
[7] Technical Solution for the Establishment of the FAB CE
(FABCE/TEC/WP2.3/SOL/01.00)
[8] Safety Case Development Manual (EUROCONTROL, DAP/SAF/091)
[9] Safety Considerations (FABCE/SAF/6.2.1/001)
[10] FAB CE Safety Management Roadmap (FABCE/SAF/6.1/001)

Edition 01.00 Page 7 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

2 Safety Argument
2.1 Background
SAF_WG agreed to use the Goal Structured Notation (GSN, defined by SCDM [8]) to present
high level safety argument. This technique links a top level claim about the safety of FAB CE
operations to a structured set of arguments and supporting evidence. The main arguments
follow the FAB CE lifecycle:

1. Concept

2. Implementation of concept (definition, design, integration, test)

3. Transition to Operational Service

4. Operational Service

This technique will be used further within safety assessment activities during the next stages
of FAB CE project. It includes further development of the tree given in the chapter 2.2 High
Level Safety Argument.

The SAF WG agreed on application of Eurocontrol Safety Assessment Methodology (SAM)


and Safety Case Development Manual (SCDM [8]). The methodology specifies a standard
way how to proceed with safety assessment of any project.

2.2 High Level Safety Argument


The high level safety argument is presented in Figure 1 below.

The structures of Arg1, 2, 3 and 4 shall be provided in the later stages of the project based
on a SCDM guidance.

Safety considerations provided in this document cover partly the substructure of Arg1, as far
as possible at the FS stage.

Note: At the feasibility study stage, one of the means to fulfil the sub-argument Arg1 is the
implementation of all the mitigation measures proposed (or the implementation of equivalent
ones) in safety considerations.

Edition 01.00 Page 8 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Cr001 (Criteria)
Acceptably safe means:
a) Risk no greater (and preferably
lower) than current operations

b) Compliant with SES legislation

c) Risk reduced as far as


reasonably practicable

A001 (Assumption)
Current operations are
acceptably safe

J001 (Justification)
FAB CE is a response to SES
regulations and to operational
A002: FAB CE Concept and business needs of 7 CE
Elements will be gradually ANSPs.
implemented as an evolution of
the current operations avoiding
radical changes of operational Arg0 (Argument)
paradigm.
Operating the FAB CE is
acceptably safe

A003: Any FAB CE operational


C001 (Context)
paradigm shift will be consistent
FABCE Master Plan Document
with the relevant SESAR
concept elements, therefore
having ensured a double level of
validation [general concept and
FAB CE application]

Arg1 Arg2 Arg3 Arg4


FAB CE concept is FAB CE implementation is The transition to operational The acceptable level of
acceptably safe, in principle acceptably safe service of FAB CE is safety of FAB CE will
acceptably safe continue to be demonstrated
in operational service

Figure 1 – High-Level Safety Argument

2.3 Top Level Claim


Top level claim (Arg0) is: “Operating the FAB CE is acceptably safe.”

It shall be achieved by fulfilling all the sub-arguments:

• Arg1 - FAB CE concept is acceptably safe, in principle,

Edition 01.00 Page 9 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

• Arg2 - FAB CE implementation is acceptably safe,


• Arg3 - The transition to operational service of FAB CE is acceptably safe,
• Arg4 - The safety of FAB CE will continue to be demonstrated in operational service.

Edition 01.00 Page 10 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

3 FAB CE FS Safety Considerations


3.1 Methodology
The basic approach used for developing this document was proposed by the
EUROCONTROL support to the SAF WG (represented by Mr. Le Galo, DAP/SSH), which
was adopted by SAF WG.

It is based on the assumption the current ATM system has its own weaknesses and
strengths. FAB CE, when implemented, is expected to support the strengths and decrease
the effects of weaknesses. Additionally, FAB CE will introduce new issues, bringing both new
strengths and new weaknesses. All these have to be analysed.

The process for identification of safety issues can be described in 4 steps:

• Initial safety issue analysis (section 3);


• Changes identification (section 3.4);
• Hazards identification (section 3.5); and
• Proposed mitigation (section 3.5).

3.2 Safety objective


Unless otherwise specified the following safety objective shall be used:

“FAB CE as implemented shall maintain and where possible improve the current level of
safety in the FAB CE airspace”.

3.3 Safety Issues Indicated


The Excel table ”Questionnaire” was proposed by EUROCONTROL and modified by the SAF
WG at the 6th SAF WG meeting in Budapest (18-19 Oct 2007). Basically, the questionnaire
(Appendix 1: Questionnaire) identifies domains of the ATM that are expected to be
influenced by the FAB CE implementation.

Using expert knowledge of the participating ANSPs, the issues related to the FAB CE
implementation were identified and filled in the summarised table.

The results of this analysis are documented in Appendix 2: Safety Issues Indicated.

3.4 Changes Identification


The analysis was conducted at the Zagreb meeting (26-27 Nov 2007) with participants from
OPS, TEC and SAF WGs.

The changes were identified based on the domains listed in the questionnaire used already
for initial safety issues analysis.

Only the changes that the FAB CE target scenarios implementation (the static and dynamic
scenarios) will induce were taken into consideration. There was no comparison to other
scenarios defined within the FAB CE Feasibility Study project.

Edition 01.00 Page 11 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

The list of changes identified is documented in the Appendix 3: List of Changes identified.

3.5 Hazards Identification and Proposed Mitigation

3.5.1 General
At the Zagreb meeting (26-27 Nov 2007), the hazards related to the listed changes were
identified and feasible mitigation means were proposed.

In line with the changes identification (see section 3.4), hazards related to the FAB CE target
OPS scenarios (dynamic and static) were identified. In the process, the dynamicity was
considered as more demanding in terms of time for the safety assessments being performed
as well as for the mitigation means to be applied in the FAB CE operations phase. More
written procedures shall be necessary for preparation of the dynamic scenario.

Note: Hazard areas are used for the identification of unintended consequences of certain
presumed operational arrangements that are required for FAB.CE The causes were
considered and some foreseeable mitigation actions were proposed in order to highlight the
possible tasks for establishing and maintaining the safety of the FAB CE target scenarios.

Note: The hazards identified will NOT cover all the hazard areas to be considered in FAB CE
operation. Also hazards related to transition phases of FAB CE implementation are not
considered.

Note: The hazards which may occur in scenarios without FAB CE implementation are not
listed and shall be covered by the SMS of the individual ANSPs.

The hazards are clustered into 3 groups:

• People;
• Equipment
• Procedure (including airspace design).

Note: The grouping respects the approach considering that the ATM functional system has
its people, procedure and equipment elements.

3.5.2 Hazards Related to People Element


Six hazard areas were identified as related to the “people element” of the ATM system. The
following table summarises them together with proposed mitigation means.

ID Hazard Mitigation Means


H-PE-1 Rarely used configuration MIT-H-PE-1-1
Competency monitoring system

MIT-H-PE-1-2
Regular use of all sector configuration

MIT-H-PE-1-3
Reduce number of configurations

Edition 01.00 Page 12 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

ID Hazard Mitigation Means


H-PE-2 Noise disturbance MIT-H-PE-2-1
Reduced verbal communication in room

MIT-H-PE-2-2
Noise reduction infrastructure
H-PE-3 HF fatigue (over/under load) MIT-H-PE-3-1
Optimise sector utilisation
Note: There will always be over/under
load sector in every configuraton
H-PE-4 Tactical staffing of the sectors MIT-H-PE-4-1
Proper rostering scheme
H-PE-5 LoA confusion of staff with complex MIT-H-PE-5-1
configuration Tools to handle procedures from LoAs

MIT-H-PE-5-2
Translation process from LoA → OPS
Proc create simple process

MIT-H-PE-5-3
Same DFL across the FAB CE area
H-PE- COM (language) problem: MIT-H-PE-6.0-1
6.1 Maintenance English as common language
H-PE- COM (language) problem: MIT-H-PE-6.0-1
6.2 OPS ↔ foreign TEC English as common language
H-PE- COM (language) problem: MIT-H-PE-6.0-1
6.3 MIL or VFR ↔ ATCO NATO/MIL standards
H-PE- COM (language) problem: MIT-H-PE-6.0-1
6.4 MIL/MIL communication, ATCO may NATO/MIL standards
not be aware

3.5.3 Hazards Related to Equipment Element


Six hazard areas were identified as related to the “equipment element” of the ATM system.
The following table summarises them together with proposed mitigation means.

ID Hazard Mitigation Means


H-EQ-1 Equipment may not fulfil OPS needs MIT-H-EQ-1-1
Safety assessment of LoA
(e.g.: interface in dynamic scenario)
H-EQ-2 Loss of network capacity or of MIT-H-EQ-2-1
information Application of PENS (PAN-EUR-NTW-
ST)

Edition 01.00 Page 13 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

ID Hazard Mitigation Means


H-EQ-3 Unavailability of equipment which is MIT-H-EQ-3-1
not under (ANSP’s) managerial SLAs with neighbouring ANSPs/CNS
control providers

MIT-H-EQ-3-2
Common SMC

MIT-H-EQ-3-3 Coordinate maintenance


activities (relating SUR availability with
other units)

MIT-H-EQ-3-4 Degraded mode


operations procedure
H-EQ-4 Loss of FDP data or of correlation MIT-H-EQ-4-1
Well defined transition procedure
(collapse – de-collapse)

MIT-H-EQ-4-2
Shared environment
H-EQ-5 Different safety nets implementation MIT-H-EQ-5-1
Functionality and the behaviour
consistent

MIT-H-EQ-5-2
Define usage of safety NETS
H-EQ-6 Different technology influenced MIT-H-EQ-6-1
services Assess impact on other ANSPs

(e.g. use of ADS-B) (e.g. MIT-H-EQ-6-2


Common ADS-B policy)

3.5.4 Hazards Related to Procedure Element


Two hazard areas were identified as related to the “procedure element” of the ATM system.
The following table summarises them together with proposed mitigation means.

ID Hazard Mitigation Means


H-PE-1 Wrong application of roster (1 ACC) MIT-H-PR-1-1
Coordination of rostering schemes
between ANSPs
H-PR-2 Different application (interpretation) MIT-H-PR-2-1
of the procedure English language training

MIT-H-PR-2-2
Common training sessions

MIT-H-PR-2-3
English as common language

Edition 01.00 Page 14 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

3.5.5 Detail Description of Hazards and Mitigation Measures

See Appendix 4: Hazards Identification and Proposed Mitigation for further details.

Edition 01.00 Page 15 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

4 Conclusion

From the safety point of view, there have been no blocking factors identified
concerning the feasibility of FAB CE considering that:

• Fourteen hazard areas were identified as well as feasible mitigation measures.


• These proposed mitigation measures (or their equivalents/alternatives) have to be
applied during the next stages of the FAB CE project.
• Although the hazard list is likely to be complemented at later stages of the project, it is
not foreseen that any possible additional hazard will raise a blocking factor.
The completion of the FAB CE Safety Case will require safety assessments to be done in
every stage of FAB CE project. Therefore, this document must not be considered as a
complete Safety Case of FAB CE project.

Edition 01.00 Page 16 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Appendix 1: Questionnaire

Component Element Sub-element Description Work Well Area for Improvements Area of concerns

Current scenario Number


Sectors Aver. Size
Airspace
Collapse/De-collapse philosophy
Route network
Staffing level
People Career development/Qualification/Training
Roster
OPS Manuals
Procedures
LoAs (within the ANSP)
Equipment Coverage
Voice A/G
Quality
COM
Data
Voice G/G
NAVAIDS
NAV
RNAV
PSR/SSR
Radar Coverage/multi cov.
SUR External sources
ADS
Other SUR means
WAM
ATM systems Level of automation

Edition 01.00 Page 17 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Component Element Sub-element Description Work Well Area for Improvements Area of concerns
Collapse/de-collapse functions
Own/Ext. Staff
Maintenance
Level of efficiency
IFR/VFR Mix
Schedule/Non schedule
Environment Traffic Main flows
Yearly traffic
Monthly distribution/seasonal peak

Delegation of airspace
Airspace
Adjacent TMAs
People Relationship with staff of adjacent units
Current Interfaces OLDI
Equipment COM data
Others
LoAs (with adjacent units)
Procedures
Working Methods/Practices

Airbases
TSAs
Military Areas CBAs
Airspace
Current Users Others
Requirements Coordination Procedures
Level of military activities
Flight testing
Other users
Others

Inputs to the AFTN

Edition 01.00 Page 18 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Component Element Sub-element Description Work Well Area for Improvements Area of concerns
system Power supply
Other

Adjacent airspace closure


Earthquake
Weather phenomena
External Failures
CFMU
AFTN
Other

Expected information:
Description as concise as possible, give figures and/or address only safety related aspects
Work Well Y or N
Area for Improvements list areas without explanation
Area of Concerns list areas without explanation

Edition 01.00 Page 19 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Appendix 2: Safety Issues Indicated


The table is summarising safety issues as identified by the 6th SAF WG meeting in Budapest (18-19 Oct 2007).

ID Component Element Sub-element Issues identified by the SAF WG


Current The number of sectors/configuration should respect the human
1 Number
scenario capability to cope with the number of sectors endorsement.
The size of sectors is ok today, the bigger (collapsed) sectors, if
2 Aver. Size proposed for the FAB, could be un-manageable even in low traffic
periods.

Sectors Awareness on the current configuration (what the adjacent sectors


are) needs to be ensured.

3 Airspace Collapse/De-collapse philosophy Sectorisation planning manual has to be in place, a tool can help for
decision making.

A graphic tool can help to increase awareness of the configuration.


Free flight concept not mentioned in the current OPS documents.
May come with SESAR.
4 Route network
Optimisation of route network in the FAB (simplifying the network,
according the ops experience, recommendations, hot spots
analysis).

Edition 01.00 Page 20 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

ID Component Element Sub-element Issues identified by the SAF WG

The number of available competent staff may be limiting.

Enough people to be allocated to operational and maintenance


tasks, however training (refresher and emergency trainings) and
5 Staffing level developmental needs have to be taken into account.

Common FAB approach to single man operation.

See also ID1.


Harmonisation of training process necessary.
The career development shall be harmonised (e.g. OJTI after a
People
certain period of time)
6 Career development/Qualification/Training
The level of harmonisation necessary for the FAB shall be analysed
and a plan defined for the FAB CE implementation phase (HR
experts).
Implementation of the rostering system is subject of safety
assessment.

7 Roster Shifts changes should be taken into account within the FAB area
(communicated to adjacent centres, co-ordinated at FAB level).

Guidance material on rostering system available (EUROCONTROL)


OPS manual is assumed to contain all procedures, responsibilities,
use of equipment needed.

Harmonised approach for OPS manual development and its content


should be in place (NATS example - differences from ICAO
8 Procedures OPS Manuals
highlighted, explanatory notes included). Emergency and
contingency should be covered (in or outside the OPS manual) as
well as co-ordination procedures both ATS and technical.

QM should be harmonised in the FAB, this needs to be analysed.

Edition 01.00 Page 21 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

ID Component Element Sub-element Issues identified by the SAF WG


9 LoAs (within the ANSP) See ID 8
Frequency allocation coordinated within FAB to ensure efficiency.

10 Equipment Coverage More critical in lower airspace.

Security issue.
Voice A/G
Monitoring of frequencies could be introduced (not just a quality
issue, also external influences).
11 Quality
RCOM architecture has to be analysed and optimised (quality and
coverage as well), and to be a subject of safety assessment.
COM External services.
12 Data
Interoperability issues (harmonisation, common standards for data
exchange protocols within the FAB).
See ID 12

New coordination partners, need to establish LoAs, technical issues


(phone numbers, dedicated lines). Link to the appropriate SAR and
13 Voice G/G
national authorities.

Language problem with GAT or MIL or other national authorities - the


national centre may never be closed to assist in such situations?
Consider NAVAIDS as a backup to GNSS, common approach within
14 NAVAIDS
NAV the FAB
15 RNAV
Periods of maintenance have to be solved, clear procedures to be in
force to indicate the lower level of radar coverage to ATCOs and
describing the procedures under certain circumstances.
16 SUR Radar PSR/SSR
Requirements for the primary coverage within the FAB CE area?
(security, loss of transponders onboard)

Edition 01.00 Page 22 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

ID Component Element Sub-element Issues identified by the SAF WG


Mode S coverage and different implementation plans to implement it
should be taken into account (problems on boundaries).
Coverage/multi
17
cov.
Co-ordination of maintenance of the radars within the FAB area
would be an advantage.
Subject of safety assessment.
18 External sources
MIL radars integration?
19 Other SUR ADS
20 means WAM
Safety nets available (features) to be harmonised (same standard of
21 Level of automation
safety within the FAB area).
ATM systems
These functions have to be solved to enable cooperation between
22 Collapse/de-collapse functions
adjacent units. Also subject to safety assessment.
Competency.
23 Own/Ext. Staff
Maintenance Harmonisation of approach/liability issues related to external
services.
24 Level of efficiency Should be covered by SLAs.
Harmonisation of airspace classes, including the rules for the specific
classes.
25 IFR/VFR Mix
Use of national language has to be solved.
26 Environment Traffic Schedule/Non schedule
27 Main flows
28 Yearly traffic
29 Monthly distribution/seasonal peak
31 Current Delegation of airspace Legal assessment.
Interfaces Airspace
32 Adjacent TMAs Possible changes in line with safety cases.

Edition 01.00 Page 23 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

ID Component Element Sub-element Issues identified by the SAF WG


Personal contact during common training can increase common
understanding of the same problem, building the trust (within the
33 People Relationship with staff of adjacent units
FAB). E.g. advantage in contingency situations. Common TRM
sessions can also improve the safety.
Same standard need to be applied within FAB. See also ID 12. Also
34 OLDI
Equipment COM data applied to CIV/MIL coordination.
35 Others Should be specified in LoAs.
36 LoAs (with adjacent units) See above.
Need to analyse the working methods/tools against the new
Procedures requirements. Subject of safety assessment.
37 Working Methods/Practices
E.g. need to monitor NOTAMs and weather conditions in other states
where the services could be provided
39 Airbases Airbases shall be taken into account when designing the airspace.
Related to airbases locations.
40 TRAs/TSAs
Differences in legal definitions of these areas in different countries.
Areas Need to harmonise?
41 Military CBAs Should be determined on the LoA level.
Airspace
42 Current Others Prohibited areas? Rules, buffers...
Users
43 Requirements Coordination Procedures Same training, same procedures, same tool - need for harmonisation
Common AMC procedures.
44 Level of military activities
Ad hoc missions need to be taken into account, esp. in cross-border
sectors - harmonised procedures.
45 Flight testing Common policy?
Other users
46 Others GAT (airspace infringements)
48 AFTN
Inputs to the
49 Power supply
system
50 Other

Edition 01.00 Page 24 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

ID Component Element Sub-element Issues identified by the SAF WG


E.g. neighbouring sectors (to FAB) closure/unavailability of data
52 Adjacent airspace closure
exchange to be analysed (contingency situation)
53 Earthquake It should be taken into account in the contingency plan
54 Weather phenomena Dynamic scenario
External Backup systems are available. Procedure should be in place how to
Failures deal with the situation.
55 CFMU
CFMU is also mitigation to certain external events.
56 AFTN Covered by data communication above.
57 Other

Edition 01.00 Page 25 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Appendix 3: List of Changes identified


The table summarising changes as filled in the questionnaire at the Zagreb meeting (26-27 Nov 2007) by OPS, TEC and SAF work groups. See
section 3.4 of this document for detailed explanation.

Component Element Sub-element Change Identification


Extended number of endorsements for sectors.

Dynamic:
Current
Number Increased number of sectors controlled by a specific ACC, the
scenario
total number being the same

Note: More frequencies needed?


Both extensions and reductions of sectors for different ACCs -
changes
Aver. Size
Sectors Note: In FS stage, no final sector design
Airspace Note: ESARR5 applicable
Collapsing/de-collapsing philosophy will not change at sector
level. It will change at ACC level by handing over/accepting
new airspace volume compared with previous period.

Collapse/De-collapse philosophy Change in legal responsibility


New decision making processes

Dynamic scenario: new ops procedures for cooperation of two


adjacent units - not analysed yet
Significant change to the network (AAS 07), plus adaptation for
Route network
the lower airspace

Edition 01.00 Page 26 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Component Element Sub-element Change Identification

Note: ESARR 5 applied

Dynamic: An average workload for an ATCO may be higher as


sectorisation would change dynamically
Staffing level Different levels of workload accepted today in different ACC
People
Action: Discuss with HR WG

Single man ops not part of the concept


Career development/Qualification/Training
Roster
Need for convergence, common principles, harmonisation of
OPS Manuals
working methods, standardisation of procedures expected
Procedures A shift in culture
LoAs (within the ANSP) Possible changes in structure of LoAs, one unit being part of
FAB (a part of ANSP is part of the FAB)
Equipment Coverage Change in coverage, re-allocation of frequencies
Voice A/G
Quality No additional change
Data Change of data com architecture
COM
Change of G/G architecture
Voice G/G
Language issue
Note: State policies - awareness of availability in case of
NAVAIDS cross-border use - not FAB-related; procedures for reporting
NAV should be harmonised
RNAV

Edition 01.00 Page 27 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Component Element Sub-element Change Identification


Increased coordination of the maintenance within the FAB to
ensure the availability of SUR as required
PSR/SSR
Note: different data distribution (see above)
Radar
SUR Note: change in data processing at certain ATSUs
Coverage/multi Harmonisation of definition of double coverage and SUR
cov. performance
External sources Note: all sources must comply with SES legislation
Other SUR ADS N/A
means WAM Accepted in the FAB concept
Customisation and harmonisation of interfaces with
neighbouring systems
Level of automation
ATM systems Harmonisation of general ATC tools (list is available) and
safety nets
Collapse/de-collapse functions as above
Own/Ext. Staff Coordination of maintenance
Maintenance
Level of efficiency Coordination of maintenance
IFR/VFR Mix Note: Language issue - national languages used
Schedule/Non schedule Benefit: better airspace structure, reduced complexity...
Environment Traffic Main flows
Yearly traffic
Monthly distribution/seasonal peak
Current Delegation of airspace
Interfaces Airspace
Adjacent TMAs
People Relationship with staff of adjacent units
OLDI Change of current partners (potentially dynamic)
Equipment COM data
Others
Procedures LoAs (with adjacent units)

Edition 01.00 Page 28 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Component Element Sub-element Change Identification


Working Methods/Practices Ensuring relevant information exchange (NOTAMs...)
GENERAL NOTES
Change of interfaces, data flows...
Airbases Harmonisation of handling with OAT flights

Military Action: Discuss with MIL experts


Airspace TRAs/TSAs Coordination
Current Users
Requirements Areas CBAs
Others
Coordination Procedures
Level of military activities
Flight testing
Other users
Others
AFTN
Inputs to the
Power supply
system
Other
Adjacent airspace closure
Earthquake
External Weather phenomena
Failures CFMU
AFTN
Other

Edition 01.00 Page 29 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Appendix 4: Hazards Identification and Proposed Mitigation

Component Element Sub-element Change Identification Hazard Consequence Mitigation Assumptions Safety Benefits Notes

Sector configuration shall be


used regularly.
Extended number of certifications OJT??
Experience of ATCOs, SUP, Competency monitoring
for sectors. In dynamic scenario some Certain amount of sectors -
and ATSEP maybe not system shall be established.
sector configuration may be routine work. However,
enough for different sectors,
Dynamic rarely used. sometimes they have
because they will not work in
Current scenario Airspace Number Increased number of sectors Note: FAB CE Common additional sectors, not
this configuration regularly
controlled by a specific ACC, the Noisy environment might be Competency Scheme is experienced as the others.
total number being the same experienced due to possible mitigation by defining Number of scenarios is the
Technical solutions for noise
higher number of CWPs. regularity to be applied for one key point.
reduction.
Note: More frequencies needed? ATCO. Its application blocks
increase of sector ratings per
one ATCO
Both extensions and reductions
of sectors for different ACCs -
changes
No larger sectors expected
Aver. Size
then now
Note: In FS stage, no final sector
design
Note: ESARR5 applicable
For the static scenario, the
responsibility of SG is under
responsibility of certain ACC.

For dynamic: it must be


predefined who is in charge of
collapsing/ de-collapsing
Sectors ("owner"), dissemination
process has to be defined,
configuration plan to be
developed/
Collapsing/de-collapsing approved and assessed
philosophy will not change at against the safety.
sector level. It will change at ACC
level by handing over/accepting There should be a means to
new airspace volume compared Tactical staffing of sectors Some sector configurations stick just to configurations
with previous period. Different ratings of ATCOs -> probably cannot be staffed defined in Sector
High sophisticated rostering
Collapse/De-collapse philosophy possible troubles with correctly. Configuration Plan.
scheme
Change in legal responsibility rostering, especially during the Increased number of In case 1 ACC is not able to
New decision making processes break-times. handovers implement the configuration
from Sector Conf Plan, some
Dynamic scenario: new ops mitigation measures have to
procedures for cooperation of two be in place.
adjacent units - not analysed yet
Liability/responsibility has to
be clearly defined and
communicated to ATCOs. It
shall be ensured that ATCOs
properly understand.
. ATCOs have to be aware
who is responsible for certain
piece of airspace.

Decision making process must


be clearly described.

Edition 01.00 Page 30 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Component Element Sub-element Change Identification Hazard Consequence Mitigation Assumptions Safety Benefits Notes
Implementation of new routing
structure should be assessed
against safety.

Technical implementation shall


be assessed (can also be a
business risk)
Significant change to the network
Route network (AAS 07), plus adaptation for the Adaptation and the training
lower airspace needed.

Lower airspace navigation to


be further investigated.

How are the route networks on


which the FAB concepts are
based on, harmonized?
Note: ESARR 5 applied

Dynamic: An average workload


for an ATCO may be higher as
sectorisation would change
dynamically optimised sector utilisation Better utilisation of
Constant higher workload is
Staffing level Different levels of workload Fatigue issue HF taking HF issues into account manpower and better
possible in dynamic scenario.
accepted today in different ACC (e.g. workload) traffic distribution.

Action: Discuss with HR WG


People
Single man ops not part of the
concept
Application of ESARR5
Career development/Qualification/Training
required
The coordination necessary
Wrong application of roster by
between ACCs (taking into
certain ACC may influence the Workload of adjacent centres
Roster Co-ordination of shift-plans account national holidays,
troubles in neighbouring ACCs is increased
summer holidays, available
within the FABCE.
personnel etc).
What is the OPS-Manual (and
Different information or
what is ATM-Manual in project
different interpretation (due to English as standard language
Need for convergence, common Availability/sharing of charter)?
language constraints). E.g. possible different in FAB CE
principles, harmonisation of OPS manual between
OPS Manuals The revision which had not (interpretation) application of (Taking legal aspects into
working methods, standardisation ANSPs can be the States should establish
been done correctly. procedures consideration)
of procedures expected benefit. harmonised legal framework
Common OPS manual may be common training sessions
relating the structure of
too large
Procedures documentation.

Confusion of internal and Lower limit of FAB has to be


A shift in culture Different configurations may
external people to work with defined.
Possible changes in structure of lead that ANSPs may not
complex configuration. Tools to be given to staff; clear Similar troubles possible within
LoAs (within the ANSP) LoAs, one unit being part of FAB follow so large quantity of
and simple configuration. FAB and at the interfaces o
(a part of ANSP is part of the "configurations/applications
Equipment will not fulfil LOA the neighbouring FAB/ANSPs,
FAB) defined in LoAs.
requirements or TMA under the FABCE.

Edition 01.00 Page 31 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Component Element Sub-element Change Identification Hazard Consequence Mitigation Assumptions Safety Benefits Notes

Access to cross border sites


Common monitoring and is assured;
Procedure shall cover all legal
Change in coverage, re- failure of equipment not under technical controlling any sector configuration is
Equipment Coverage Loss of communication issues; the responsibility of
Voice A/G allocation of frequencies managerial control; information; validated;
ATC and SAR are different
SLA; EMG stations are also
available
COM
Quality No additional change
Loss of data;
Unavailability of network loss European standards are
Data Change of data com architecture Severity of consequences is
of capacity applied PENS
higher
Change of G/G architecture
Severity of consequences is
Voice G/G same as above; G/G voice COM shall be VoIP
higher
Language issue
Note: State policies - awareness
of availability in case of cross- Common monitoring and
failure of equipment not under Consistency check of
NAVAIDS border use - not FAB-related; Loss of navigation functions technical controlling system;
NAV managerial control; AIS data
procedures for reporting should SLA;
be harmonised
RNAV
Increased coordination of the
maintenance within the FAB to
Increased coordination of the
ensure the availability of SUR as
maintenance within the FAB to
required
ensure the availability of SUR
Failure of equipment not under
PSR/SSR Loss of SURV as required.
Note: different data distribution managerial control;
(see above)
Degraded modes OPS
Radar procedure.
Note: change in data processing
at certain ATSUs
Harmonisation of definition of Resume the work which was
SUR Coverage/multi
double coverage and SUR completed in the relevant
cov.
performance CEATS WG
External Note: all sources must comply
sources with SES legislation

Assessment of new
General hazard: technology implementation
ADS N/A use of different SURV and impact on other providers
Other SUR means technology by different ANSPs
Common ADS-B policy?

WAM Accepted in the FAB concept


Customisation and harmonisation Safety net functionalities
of interfaces with neighbouring Different safety net systems in (algorithm and usage) and
systems the same airspace; behaviour shall be consistent
Level of automation transfer of sector (in dynamic in the same airspace.
Harmonisation of general ATC scenario) inconsistent conflict
ATM systems tools (list is available) and safety detection Consistent policy, how a
nets safety net is used for.
Shared environment
Loss of correlation in certain
Collapse/de-collapse functions as above Loss of shared FDP data Well prepared transition
airspace
procedures
Communication problems due English as common language
Problems are not identified on LoA shall describe every
Maintenance Own/Ext. Staff Coordination of maintenance to insufficient language in multinational practice (also
correct service level details
knowledge for external staff).

Edition 01.00 Page 32 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Component Element Sub-element Change Identification Hazard Consequence Mitigation Assumptions Safety Benefits Notes
Level of efficiency Coordination of maintenance
Inability to provide ATS fro Controllers might not fully
pilots speaking national understand VFR pilots'
Harmonization of airspace
Note: Language issue - national language; communication. According to WBS FAB covers Not common in current
IFR/VFR Mix classification in dynamic
languages used Airspace classification in Provision of ATS is not the whole controlled airspace. practice in ACCs
scenario.
dynamic scenario might according to airspace
probably not common. classification.

Reducing the airspace


load.
Environment Traffic By having a precise tool for
Benefit: better airspace structure, (Benefit: better
Schedule/Non schedule prediction of sector loads, the
reduced complexity... airspace structure,
forecast will be more accurate.
reduced
complexity...).

extended direct
Main flows
Main flow might be shifted to routing
Sufficient training for ATCOs.
Yearly traffic another sector.
Monthly distribution/seasonal peak
As a prerequisite: OLDI
Delegation of airspace
Airspace standard shall be applied
Adjacent TMAs
People Relationship with staff of adjacent units
Change of current partners
OLDI Final solution not decided.
Equipment COM data (potentially dynamic)
Others
Current Interfaces
LoAs (with adjacent units)
A lot of information:
distribution to different users,
Procedures various TMAs, ACCs, other
Ensuring relevant information Single source of data reduce
Working Methods/Practices users. Good management of
exchange the inconsistencies.
information requirement
(update, availability,
correctness, distribution...)

GENERAL NOTES
Change of interfaces, data
flows...
Airbases Harmonisation of handling with
OAT flights

Action: Discuss with MIL experts


TRAs/TSAs Coordination
Military
Airspace Areas CBAs
Current Users Others
Requirements
Coordination Procedures

Level of military activities

Flight testing
Other users
Others

Inputs to the AFTN

Edition 01.00 Page 33 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Component Element Sub-element Change Identification Hazard Consequence Mitigation Assumptions Safety Benefits Notes
system Power supply
Other

Adjacent airspace closure


Earthquake
Weather phenomena
External Failures
CFMU
AFTN
Other

Edition 01.00 Page 34 of 35


FABCE/SAF/6.2/001 Released Issue FAB CE FS Safety Case

Edition 01.00 Page 35 of 35