Safety management is essential to meet primary safety requirements under both normal and contingency operations. The need to use fallback facilities or to call on letters of agreement makes it imperative that service providers consider the achieved level of safety during all phases of the contingency lifecycle.
Safety management processes are intended to help ensure contingency provisions do not result in the achieved level of safety falling below the target level of safety for normal operations under service continuity.
Air navigation service providers (ANSPs) must be able to deal with unexpected events. It is the ability to respond to these events in a safe, orderly manner, rather than the legal obligation to do so, that provides the overriding rationale for the development of contingency plans. Safety is, and must remain, the number one priority. These provisions are in line with Article 28 of the Chicago Convention, under which States are responsible for providing air navigation facilities and services in their airspace. This responsibility extends to situations of crisis and to the need to maintain, where possible, the provision of services and a sufficient level of safety.
The following figure shows that Achieved Safety Levels are not easy to measure, especially during a phase as dynamic as the “Degradation Phase”. The dipping red dotted line in the Figure represents the fact that a decision is needed to switch from the “Normal” to the “Interrupted Service” mode of Operations before the “Achieved Safety Level” becomes unacceptable (i.e. before it falls below the Safety Target). The Star labelled “A” represents the moment when the persons in charge of Operations take the decision to go to “Interrupted Service”, considering that it is no longer “safe enough” to keep working in the current mode of operations.
The Star labelled “B” represents the moment when the management/political decision is made to move to a “service continuity” mode of operation. The service continuity mode of operation is fully described by a dedicated operational concept. In some particular circumstances, the minimum conditions to go to “Service Continuity” mode of operations might not be met, thus requiring the ‘failing’ Unit to switch to another mode of operations (e.g. into an emergency mode of operations). The “Recovery” phase could be undertaken in one “go” or through a staged approach. It represents the phase where key faulty elements of the system (e.g. equipment, people or procedures) are put back in place (transfer into operation) in order to facilitate the reversion to the “Normal” mode of operations. It is represented as a stepped phase as this is the most generic approach to it.
Safety Management and Service Types
Safety management processes must not only consider the provision of services within an ANSP but also the interfaces to external organisations. In the context of EUROCONTROL Safety Regulatory Requirement 3 (ESARR 3) “the ATM service-provider shall ensure adequate and satisfactory justification of the safety of the externally provided services, having regard to their safety significance within the provision of the ATM service”. Therefore, in case an ANSP avails itself of services of other ANSPs, it should consider the possible causes of loss/disruption of services related to a failure in the delivery of external services and these suppliers should be consulted, as relevant, when developing the contingency plans. It is important to achieve consistency with recognised safety assessment techniques such as the EUROCONTROL Safety Assessment Methodology (SAM) and the Safety Case Development methodologies that start their assessment process from the operational concept downward to the system design approach. A guiding principle in all of this is that the target level of safety for contingency measures should be the same as for Normal Operation.