Safety Study in Aviation

The objective of this article is to provide a brief look at safety studies, which are a necessary part of every change to a system, or every new system, in aviation. The main focus is on air traffic management, because it affects most aviation stakeholders. The article begins with a description of safety and of the safety assessment of changes to systems. It then discusses analysis of processes, hazard identification and risk assessment. The main part focuses on safety studies and briefly describes the elements of such a study. Finally, possible ways of evaluating a safety study are mentioned.


I. INTRODUCTION
The aviation sector employs about 58 million people worldwide and engages in activities worth approximately 2.4 trillion dollars. 3.3 billion passengers were transported in 2014, and some estimates speak of 16 billion passengers in 2050 [1]. These are huge numbers, and it will be impossible to reach them without focusing on operational safety and on improving it.
The EUROCONTROL Safety Regulatory Requirement ESARR 4 defines safety as "freedom from the risk of unacceptable harm" [2]. Harm means death or serious injury and/or structural damage to an aircraft. In other words, a safe situation exists when the risk of an accident is acceptably low, where an acceptably low risk is a risk no higher than the tolerable level and mitigated as far as reasonably practicable [3]. A different definition of safety comes from systems theory. It says that safety is an emergent property arising from interactions between system elements. Such a property is managed by setting constraints or requirements on the behaviour of the elements and on the interactions between them [4].
Safety is not a one-time event; it is an ongoing, never-ending process of identifying hazards and managing risks in order to show that a system or process is safe. This continuous process is performed by means of a Safety Management System (SMS) [11]. However, it is also required to assess a planned change or a new system before it enters service. The method for such an assessment is a safety study, which focuses on identifying negative events and consequently determining the means of preventing such events.

II. ANALYSIS OF PROCESSES
Analysis of processes consists of dividing the whole process into subparts: actors (hardware, software, human), environmental conditions and others. These subparts are then studied both individually and in their interactions with each other in order to find the various failure modes, the interactions and the effects of failures on other subparts. Such analysis is the basis of safety studies, which rest on the analysis of processes and on their assessment and evaluation as safe or unsafe. A shortcoming of an analysis conducted before entry into service is the fact that it is based on the design of the system. The design takes into account specific characteristics of the elements, but in real service these characteristics differ, and the elements may influence their environment in a different way than expected and assessed in the analysis [4]. Furthermore, some systems require an operator, who needs information about the ongoing process. Already at the beginning of the design of a new system, it has to be decided what information has to reach the operator. However, the designer is not able to foresee exactly everything that is needed, and therefore brings a source of mistakes into the system. A way of reducing the number of these mistakes is to conduct the analysis of processes repeatedly, searching for the mistakes and removing them from the system.
There are many methods that can be used for performing the analysis, although two of them stand out: Fault Tree Analysis (FTA) and Event Tree Analysis (ETA). Both require the identification of a negative event, from which ETA analyses the possible effects and FTA analyses the possible causes. It is important to define three terms: hazard, hazard consequence and risk.
- Hazard: ESARR 4 defines a hazard as "any condition, event, or circumstance which could induce an accident." It is reasonable to make this definition more general: a hazard is anything that can negatively influence safety [6].
- Hazard consequence: this term describes the consequence (effect) of a hazard. For example, if the hazard is an unwanted release of steam, then the consequence is a burnt worker. Obviously, one hazard can have multiple consequences.
- Risk: according to ICAO Doc 9859 [7], risk is the "probability and severity of a consequence of a hazard".
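The two methods named above work in opposite directions from the same negative event: FTA combines possible causes through AND/OR gates, ETA follows the event forward through a sequence of barriers to its end states. The following is an added example written for this article, not code from the paper; the negative event, basic events, barriers and every probability in it are constructed and carry no operational meaning.

```python
"""Fault tree and event tree evaluation for one constructed ATM scenario.

Added illustration of FTA (causes of a negative event) and ETA (effects of it);
it is not code from the paper. The negative event, the basic events, the
barriers and every probability below are constructed for the example.
"""

# ---------------- FTA: what can cause the negative event? ----------------
# A tree node is either a basic event ("basic", probability) or a gate
# ("and" | "or", [child nodes]). Basic events are assumed independent, the
# usual simplification in a first-pass fault tree.

def fta_probability(node):
    """Probability of the event at `node`, evaluated bottom-up."""
    kind = node[0]
    if kind == "basic":
        p = node[1]
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"basic event probability out of range: {p}")
        return p
    children = [fta_probability(child) for child in node[1]]
    if kind == "and":            # all causes must occur together
        p = 1.0
        for c in children:
            p *= c
        return p
    if kind == "or":             # any one cause is enough
        none_occur = 1.0
        for c in children:
            none_occur *= 1.0 - c
        return 1.0 - none_occur
    raise ValueError(f"unknown gate type: {kind!r}")


# Constructed negative event: "a loss of separation goes undetected".
# Either the surveillance picture is lost AND the backup source is unavailable,
# OR the controller misses the conflict AND the short-term conflict alert fails.
CONFLICT_UNDETECTED = ("or", [
    ("and", [("basic", 1e-3),    # primary surveillance feed lost
             ("basic", 1e-2)]),  # backup feed unavailable at that moment
    ("and", [("basic", 1e-2),    # controller does not notice the conflict
             ("basic", 1e-3)]),  # conflict alert does not fire
])

# ---------------- ETA: what happens after the negative event? --------------
# Barriers are tried in order; a successful barrier ends the sequence with a
# recovered outcome, a failed one passes the sequence on to the next barrier.

def eta_outcomes(initiator_frequency, barriers):
    """Map each end state of the event tree to its frequency.

    barriers: ordered list of (name, probability that the barrier succeeds).
    """
    outcomes = {}
    remaining = initiator_frequency
    for name, p_success in barriers:
        if not 0.0 <= p_success <= 1.0:
            raise ValueError(f"barrier success probability out of range: {name}")
        outcomes[f"recovered by {name}"] = remaining * p_success
        remaining *= 1.0 - p_success
    outcomes["all barriers failed"] = remaining
    return outcomes


# Constructed: the undetected conflict is the initiating event of the ETA.
RECOVERY_BARRIERS = [
    ("supervisor cross-check", 0.90),
    ("pilot see-and-avoid", 0.95),
    ("airborne collision avoidance", 0.999),
]

if __name__ == "__main__":
    p_top = fta_probability(CONFLICT_UNDETECTED)
    print(f"FTA: P(conflict undetected) = {p_top:.3e}")
    for state, freq in eta_outcomes(p_top, RECOVERY_BARRIERS).items():
        print(f"ETA: {state:40s} {freq:.3e}")
```

The end-state frequencies of the event tree always sum to the initiating frequency, which is a cheap consistency check on a hand-built tree; the probability the fault tree produces for the negative event is the natural input to the event tree, which is how the two analyses are chained in practice.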

A. Hazard and its consequences
A hazard in itself is not necessarily something negative or destructive. It gains those attributes only in contact with operations, where it can give rise to situations that affect safety. Wind can serve as an example. It does not pose any threat on its own, but its speed, the runway configuration, the pilot's experience and the aircraft's characteristics transform this hazard into something that can affect the safety of a flight.
Problems in the identification of hazards and hazard consequences are caused by mixing up these two terms. It is quite common for an accident to be identified as a hazard. This is logical from a layperson's point of view, but wrong and confusing from an expert's point of view, and it could lead to an insufficient analysis of processes. An accident is a consequence of a hazard and of its interactions with operations.

B. Risk
Risk is the assessed consequence of a hazard in terms of probability and severity. Each of these two attributes can be divided into several categories, such as those given in ICAO Doc 9859 [7]. Once a probability and a severity have been assigned, the risk is compared against the safety risk assessment matrix and then against the safety risk tolerability matrix (ICAO Doc 9859 offers possible forms of these matrices).
The current state of risk assessment has several flaws. The first lies in the risk assessment matrix, which should provide a firm basis for determining the acceptability of risks, their prioritization and the allocation of funding. Unfortunately, most such matrices use scales so subjective, and sometimes so poorly defined, that they are almost unusable. It is certainly hard to assign numerical values to probability and severity, but some level of quantification of these scales is desirable, because values such as "maybe so/maybe not" or "great damage/little damage" hardly constitute the kind of data needed for essential decision making [8]. When the risks are assessed by several experts, each of them may use a slightly different matrix, better suited to their own knowledge and experience, which could lead to differing risk assessments. It might then be tempting to use the outcomes that require the least effort in dealing further with the risks.
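The remedy the section asks for is a matrix whose scales are pinned to numbers and written anchors, so that the cell a consequence lands in does not depend on who is holding the pen. The following is an added example, not the paper's own code and not the ICAO Doc 9859 tables: the band names, the frequency cut-offs, the tolerability regions and the sample hazards are constructed for the example.

```python
"""A risk assessment matrix with quantified scales and a prioritised register.

Added illustration, not the paper's own code and not the ICAO Doc 9859 tables:
the band names, the frequency cut-offs, the tolerability regions and the sample
hazards are constructed for the example. Its point is that once every scale is
tied to a number or a written anchor, two assessors applying the same matrix
to the same hazard get the same answer.
"""
from dataclasses import dataclass

# Probability bands: (name, index, exclusive upper bound in occurrences per
# operational hour). Constructed cut-offs; a real scheme is agreed with the regulator.
PROBABILITY_BANDS = [
    ("extremely improbable", 1, 1e-9),
    ("improbable",           2, 1e-7),
    ("remote",               3, 1e-5),
    ("occasional",           4, 1e-3),
    ("frequent",             5, float("inf")),
]

# Severity classes, A worst to E least, each with a written anchor so that
# "great damage" has one meaning for everyone. Constructed wording.
SEVERITY_CLASSES = {
    "A": "catastrophic: accident, loss of life",
    "B": "hazardous: serious injury or major aircraft damage",
    "C": "major: significant reduction of safety margins",
    "D": "minor: nuisance, operating limitations",
    "E": "negligible: little or no safety consequence",
}

# Tolerability regions of the matrix, as sets of (probability index, severity)
# cells. Cells in neither set are tolerable only with mitigation. Constructed.
INTOLERABLE = {(5, "A"), (5, "B"), (5, "C"), (4, "A"), (4, "B"), (3, "A")}
ACCEPTABLE = {(1, "C"), (1, "D"), (1, "E"), (2, "D"), (2, "E"), (3, "E")}

TOLERABILITY_RANK = {"intolerable": 0, "tolerable with mitigation": 1, "acceptable": 2}


def probability_index(rate_per_hour):
    """Translate an estimated occurrence rate into (band name, index)."""
    if rate_per_hour < 0:
        raise ValueError("occurrence rate cannot be negative")
    for name, index, upper in PROBABILITY_BANDS:
        if rate_per_hour < upper:
            return name, index
    raise AssertionError("unreachable: the last band has no upper bound")


@dataclass(frozen=True)
class RiskAssessment:
    consequence: str
    probability: str
    severity: str
    index: str          # matrix cell, e.g. "4B"
    tolerability: str


def assess(consequence, rate_per_hour, severity):
    """Place one hazard consequence in the matrix and read off its tolerability."""
    if severity not in SEVERITY_CLASSES:
        raise ValueError(f"unknown severity class {severity!r}")
    name, index = probability_index(rate_per_hour)
    cell = (index, severity)
    if cell in INTOLERABLE:
        tolerability = "intolerable"
    elif cell in ACCEPTABLE:
        tolerability = "acceptable"
    else:
        tolerability = "tolerable with mitigation"
    return RiskAssessment(consequence, name, severity, f"{index}{severity}", tolerability)


def prioritise(assessments):
    """Order a register: intolerable first, then higher probability, then worse severity."""
    return sorted(
        assessments,
        key=lambda a: (TOLERABILITY_RANK[a.tolerability], -int(a.index[0]), a.severity),
    )


# Constructed sample register for a changed ATM system.
SAMPLE_REGISTER = [
    assess("controller loses surveillance picture for over 30 s", 2e-4, "B"),
    assess("flight data displayed with a stale cleared level", 5e-6, "D"),
    assess("display refresh delayed by under one second", 1e-8, "E"),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_REGISTER):
        print(f"{a.index:3s} {a.tolerability:26s} {a.consequence}")
```

The register is sorted by tolerability first and only then by cell position, which is the order in which mitigation effort and funding would be allocated; an assessor who wants a different outcome has to change a published cut-off rather than quietly choose a friendlier matrix.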

IV. SAFETY STUDIES
Safety studies are a method of assessing the risks related to implementing a change to the aviation system. The execution of such a study and the resulting report are used by the regulator to decide whether to allow the start of the assessed operations (or the use of the changed or new system), and also by the organization itself as assurance that its current and future actions are, and will remain, safe.
The process of a safety study described in this article is based on the Safety Assessment Methodology (SAM) developed by EUROCONTROL. SAM has three major phases, called Functional Hazard Assessment (FHA), Preliminary System Safety Assessment (PSSA) and System Safety Assessment (SSA). At the beginning of a project, each of them is given a specific timeline in which it will be conducted, but as the project develops and time goes by, the phases begin to blend together, since the last one can influence the first and vice versa. The following picture shows the timeline.

A. FHA
FHA is the first phase of a safety study. Its goal is to determine how safe the proposed system has to be. That means setting Safety Objectives: qualitative or quantitative statements that specify the acceptable frequency or probability of hazard occurrence [6]. Briefly, FHA consists of these five steps:
- Get to know the proposed system design: definition of the system, definition of the environment
- Hazard identification
- Hazard consequence identification
- Assessment of hazard consequence severity: assign a severity to each consequence, set safety targets
- Safety Objectives derivation

B. PSSA
PSSA works with a deeper description and knowledge of the system architecture. The outcome of this phase is a set of Safety Requirements: means of risk mitigation that will enable the given Safety Objective to be achieved. Safety Requirements can take various forms: organizational, operational, procedural, functional, etc. [12]

C. SSA
SSA is the last phase, and it consists of proving that the proposed system will be safe when implemented and in operation. That is achieved by collecting evidence that the Safety Requirements are being fulfilled. Most of SSA is performed during operation, and it is recommended to use the SMS for it [13].
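The three phases hand results to each other: FHA fixes a Safety Objective for each hazard, PSSA proposes Safety Requirements and predicts whether they reach that objective, and SSA checks the prediction against operational evidence. The following is an added example of that bookkeeping for one constructed hazard; it is not EUROCONTROL's SAM material and not the paper's own code, and the severity-to-objective table, the mitigation factors and the operating hours are constructed assumptions.

```python
"""FHA, PSSA and SSA bookkeeping for one constructed hazard.

Added illustration of how the three SAM phases hand results to each other;
it is not EUROCONTROL's SAM material and not the paper's own code. The
severity-to-objective table, the mitigation factors and the operating hours
are constructed assumptions.
"""
from dataclasses import dataclass, field

# FHA output: a Safety Objective, here the maximum acceptable hazard frequency
# per operational hour, chosen by the severity class of the worst consequence
# (1 = most severe). Constructed table.
SAFETY_OBJECTIVE_BY_SEVERITY = {1: 1e-8, 2: 1e-6, 3: 1e-4, 4: 1e-2}


@dataclass
class Hazard:
    name: str
    worst_consequence: str
    severity: int                 # 1..4, from the FHA severity assessment
    unmitigated_rate: float       # per hour, from the process analysis of the design
    # PSSA output: Safety Requirements as (text, factor by which the requirement
    # is claimed to reduce the hazard rate). A factor of 0.1 means a tenfold reduction.
    requirements: list = field(default_factory=list)


def fha_safety_objective(hazard):
    """FHA: how often may this hazard occur at most?"""
    return SAFETY_OBJECTIVE_BY_SEVERITY[hazard.severity]


def pssa_predicted_rate(hazard):
    """PSSA: hazard rate predicted once all Safety Requirements are in place."""
    rate = hazard.unmitigated_rate
    for text, factor in hazard.requirements:
        if not 0.0 < factor <= 1.0:
            raise ValueError(f"requirement {text!r} has an impossible reduction factor {factor}")
        rate *= factor
    return rate


def pssa_meets_objective(hazard):
    """PSSA: does the predicted rate satisfy the FHA Safety Objective?"""
    return pssa_predicted_rate(hazard) <= fha_safety_objective(hazard)


def ssa_rate_upper_bound(occurrences, hours):
    """SSA: conservative rate supported by operational evidence.

    With zero occurrences the point estimate is 0, which proves nothing; the
    "rule of three" (about 3/N at 95% confidence) is used instead. With one or
    more occurrences the plain point estimate is returned (constructed choice).
    """
    if hours <= 0:
        raise ValueError("need positive operating hours")
    if occurrences == 0:
        return 3.0 / hours
    return occurrences / hours


def ssa_evidence_supports_objective(hazard, occurrences, hours):
    """SSA: does the collected evidence show the Safety Objective is met?"""
    return ssa_rate_upper_bound(occurrences, hours) <= fha_safety_objective(hazard)


# Constructed hazard for a new surveillance data processing system.
EXAMPLE_HAZARD = Hazard(
    name="loss of surveillance picture at a controller working position",
    worst_consequence="undetected loss of separation",
    severity=2,
    unmitigated_rate=1e-4,
    requirements=[
        ("independent second surveillance feed with automatic failover", 0.05),
        ("procedure: controller applies procedural separation on picture loss", 0.10),
    ],
)

if __name__ == "__main__":
    h = EXAMPLE_HAZARD
    print("FHA  objective :", fha_safety_objective(h))
    print("PSSA predicted :", pssa_predicted_rate(h), "meets:", pssa_meets_objective(h))
    for hours in (1e6, 5e6):
        print(f"SSA  0 events in {hours:.0e} h -> objective shown:",
              ssa_evidence_supports_objective(h, 0, hours))
```

The SSA check deliberately refuses to accept "no occurrences so far" as proof until enough operating hours have accumulated, which is why most of SSA happens in service: a clean record over one million hours does not yet demonstrate a one-in-a-million objective, a clean record over five million does.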

V. SAFETY STUDY EVALUATION
The goal of safety assessment is to continuously identify hazards and assess risks, however in the case of safety study, a certain line has to be drawn after conducting FHA, PSSA and part of SSA and before implementing system into operation.The reason is that the outcome of this "first" part is used by regulator to either give or not give an approval for implementation and following operation of the assessed system.It is obvious that the purpose of the safety study is to show, that the system is safe, but that does not mean that the safety study should be bent and twisted and conducted with both eyes closed in order to just get the approval.If the safety study has a positive outcome, then there is no need to not approve the implementation and operation.On the other hand, if the study comes with a negative outcome, the authority then has several options:  Change/new system will not get and approval and no further activities will be done  The authority considers the outcomes and grants a limited approval, for example for test trials  There is overall effort to implement the change.Then, the stakeholders work closely with authorities in order to come up with possible solutions, that would allow for a revision of the safety study (e.g.change of regulations).Of course it cannot be something, that could lower the required level of safety.[10] VI.CONCLUSION Correct and thorough execution of a safety study requires large amount of time, knowledge, expert opinions and many inputs.Crucial parts are identification of hazards and their consequences and risk assessment.Without these steps done properly, the following steps would be a simple waste of time.The SAM methodology is one of a few (maybe the only one), that provides a complex list of inputs a steps needed for conducting a proper safety study.