SMS & Technical Flashcards

1
Q

Safety Performance Monitoring

A

Service Measurement, Service Reporting and Service Improvement.

As Safety and Assurance, we would identify the service monitoring criteria and assess the assurance requirements of any improvements that were to be made.

2
Q

What is the difference between validation and verification?

How is this split across the layers?

A

Verification takes place to ensure that requirements have been met, through testing, to make sure that we have built it correctly.

Validation is checking that what we have built is correct to be used.

DSESAR validation occurs at the Deployment layer to test whether the already verified platform meets the requirements and expectations of ATC as the end user,

whereas verification occurs at the platform layer and below.

Validation will use techniques such as simulations, whereas verification would include activities such as observations, demonstrations, etc.

3
Q

SAF012/SAF019/SAF020/SAF021/SAF022

(Manage Continual Safety Assurance)

A

SAF12 = Manage Safety Improvement - NATS Safety Steering Group (Safety Improvement Cycles)
SAF19 = Analyse Safety Performance
SAF20 = Safety Lessons Learning
SAF21 = Safety Surveys
SAF22 = Risk-based Oversight

4
Q

What is the SMS? what does it provide?

A

It's part of the NATS BMS.
A legislative and regulatory requirement; it contains a core set of safety policies, principles and processes.
It sets the standard for safety management.
Its objective is to provide NATS’ Managers with the information necessary to apply the Safety Management System within their own areas of activity.

5
Q

How do we manage risk?

A
Risk identification
Risk analysis
Risk treatment
Monitor and review
Close risk or implement risk event

6
Q

How do we measure Safety?

A

We measure safety in a number of ways.
Incidents are assessed and we assign RAT points to each of these, allowing us to quantify our safety performance and, in a qualitative way, the causal factor trends. Further, we set safety monitoring criteria for systems that are going into service and use these alongside the Assurance Cases to identify the current state of the systems, which gives us a baseline against which to measure changes in performance.

7
Q

What are System Integrity Requirement and what do they mean to you?

A

System Integrity Requirements define what the system should do: the functional and non-functional requirements.
Functional requirements explain how the system must work, while non-functional requirements explain how the system should perform.

These will be reported on in AADs, or the FADs for older systems, and will confirm that the requirements of the system have been met.
I would use this document as evidence that the system performs as expected.

8
Q

What are Safety Requirements and what do they mean to you?

A

Safety Requirements are derived from Hazard Identification workshops, from FMEAs, etc. These are fundamental to what we do, as these requirements are in place to mitigate or remove hazards that have been identified, lowering the risk to the operation. These hazards could be functional or non-functional. These workshops and other parts of the analysis will lead to System Integrity Requirements as well.

9
Q

What are CAP670 Requirements and what do they mean to you?

A

These are the Air Traffic Services Safety Requirements that are identified for use through the Publication.

10
Q

What are ED109A Requirements and what do they mean to you?

A

ED109A Requirements identify the assurance level to which the supplier must build assurance. The required assurance level will change depending on the system, and is derived alongside the safety requirements: a more safety-critical system will require a higher Assurance Level. The highest NATS can go to is AL-3.

11
Q

What do you understand by the terms high level and low level requirements?

A

High-level requirements would be those that define the overall behaviour of the system. For example, user requirements or high-level safety requirements might say that there needs to be a tool for post-operational monitoring; the low-level requirements would then define in more detail what this tool should monitor, the type of data to be used, etc.

12
Q

What is the difference between functional and non-functional requirements?

A

Functional requirements say what the system should do, e.g. the system must provide data to a user. The non-functional requirements tell you how it should do that, e.g. it should provide the data within 5 seconds, or it should store the information for 7 days. These are just examples.

13
Q

What is a hazard?

A

A hazard is any condition, circumstance or event that could induce a harmful effect.

14
Q

What 2 categories can hazards be split into

A

Hazardous conditions
Hazardous events
From a NATS perspective we tend to focus on addressing hazardous events.

15
Q

What are hazard causal factors ?

A

Hazards result from failures, malfunctions, external events, errors, or a combination of these (SAE ARP-4761). They are the result of poor or insufficient design, incorrect implementation of a good design, or potential or actual failures that would have to occur in order to result in the condition defined as a hazard.

16
Q

Hazard outcomes?

A

Hazardous outcomes include:
• injury, illness, or death to personnel,
• damage to or loss of a system, equipment, or property,
• damage to the environment (MIL-STD-882D).

17
Q

Risk?

A

Risk is the combination of the likelihood of a hazardous outcome occurring
and the severity of that hazard outcome. It is often expressed using the formula:
Risk = Severity x Likelihood

18
Q

What is likelihood?

A

Likelihood can be broken down into the frequency with which the hazard occurs, called hazard frequency,

and the probability of the hazardous outcome occurring, called the outcome probability.

19
Q

Mitigation?

A

A mitigation is the action taken to reduce the risk presented by a hazard, by modifying the hazard in order to decrease the hazard frequency and/or the outcome probability.
Preventative = reduce hazard frequency
Recovery = reduce hazard outcome probability
Mitigation is generally accomplished through design measures, use of safety devices, warning devices, training, or procedures. It is also referred to as hazard mitigation and risk mitigation.

20
Q

Residual risk

A

Residual risk is the overall risk that remains after safety mitigations have been put in place to minimise the risk of a hazard or failure occurring.

(According to MIL-STD-882D, residual risk is “the remaining mishap risk that exists after all mitigation techniques have been implemented or exhausted, in accordance with the system safety design order of precedence.”)
This is the total risk passed on to the user. When introducing a change into the operation, the units want evidence of low residual risk.

21
Q

Residual Risk Classes?

A

There are four Risk Classes (A, B, C or D).

Risk classification is explained in SAF004 (see Section 5.2.2.1 below).
Who signs them off to say that the risk is tolerable depends on the risk class.

SP408 outlines what to do with residual risks that are class B (see Section 5.2.2.4 below).