The DO’s SSA and its SMS
Duane Kritzinger (BEng, MBA)
Initial Airworthiness and System Safety Specialist (civil & military)
1. Introduction
In a Design Organisation, System Safety Engineers assess the design's foreseeable failure modes and generate System Safety Assessments (SSA), typically as a means of compliance with design codes such as CS25.1309(b).
With the recent (2022) amendment to EASA Part 21, the Design Organisation also needs to perform Safety Risk Management (SRM) as part of the Safety Management Element within the Design Management System [for brevity, let's just refer to it as the Safety Management System (SMS)].
This paper is going to consider three things:
2. The Purpose of the SSA and the SMS
For a new (or modified) system, the System Safety Assessment's objective is to, inter alia, demonstrate that an inverse relationship exists between the probability of an undesired failure condition[1] and the degree of severity inherent in its effect.
In AMC25.1309 this inverse relationship is illustrated in Fig 1 as replicated below, whereby the “unacceptable” region (in terms of Type Certification) could reveal itself pre- or post-certification:
Next, let us consider the Safety Management System (as promulgated via ICAO Annex 19). To understand the purpose of the SMS it might be worth looking at each term in the acronym separately:
ICAO's SMM edition 4 goes on to advise us that it should be designed "to continuously improve safety performance through: the identification of hazards, the collection and analysis of safety data and safety information, and the continuous assessment of safety risks". This has recently been adopted into EASA Part 21.A.239, where a key pillar/component of an SMS is to "establish, implement and maintain a safety risk management process that includes the identification of aviation safety hazards entailed by its activities, their evaluation and the management of the associated risks, including taking actions to mitigate the risks and verify their effectiveness". Whereby:
So, we can see that the purpose of an SMS is to provide organisations working in safety-critical industries with a systematic approach to managing the safety of their activities in the widest sense. By that I mean, for Design Organisations, that it goes beyond just xx.1309: it starts with being compliant with all relevant design codes and regulations (after all, these are all written in blood) and extends to the design organisation's innovative endeavours. By making sure we do not unwittingly get it wrong, we ultimately also improve product/aircraft safety (as previously discussed here).
3. The relationship between the SSA and the SMS's SRM
At first glance, the safety criteria (or taxonomy) used in the SSA and the SMS look the same, but they are not.
The Severity criteria are indeed very similar:
However, the probability criteria are very different:
The following picture from ICAO’s SMM edition 2 could be used to neatly illustrate the difference between the criteria used in the SSA and the SMS:
4. The interface between the SSA Engineer and the SMS Manager
Using the tables above, the SSA engineer can inform the SMS Manager of the potential worst-case Severity of technical failure conditions for the systems being modified/installed on the aircraft.
However, for the purposes of Risk Management within the wider Management System of your "activities", the SSA Engineer cannot determine the Likelihood of the end consequence. For this the SMS Manager needs to use:
Both of these can be visualised in the incomplete, but illustrative, example below:
5. Conclusion
On the face of it, the SSA and the SMS have the same intent and use similar terminology. But, in fact, they are quite different. In a Design Organisation using xx.1309 design targets, the:
Note: For the SSA discussion above, I have used the civil aviation approach as promulgated in design codes such as CS25.1309. In the absence of such a goal/failure-based approach to the SSA, some military organisations are contracted to the risk/accident-based approach in standards such as MIL-STD-882 and Def Stan 00-56. This often complicates matters. Firstly, Design Organisations are then faced with a struggle to select system architectures which will meet yet-to-be-agreed design/FDAL targets when bidding for fixed-price contracts. Secondly, the SMS demanded in these standards has a different intent from the ICAO Annex 19 approach. In these standards the SMS is actually focussed on how the SSA (or Safety Case) is generated and agreed between all impacted stakeholders, and not on the performance of the complete Management System, as discussed by EASA below:
Footnotes
[1] A "Failure Condition" is defined in EASA's CM-SA-002 Iss 1 as "A condition having an effect on the aeroplane and/or its occupants, either direct or consequential, which is caused or contributed to by one or more failures or errors, considering flight phase and relevant adverse operational or environmental conditions, or external events". Note that these "failures or errors" could be due to technical failures or due to human endeavour (such as errors of commission or omission).
[2] Note that this Table 2 from SM-001 is very product/aircraft centric and ignores other organisational consequences, so it should be extended to address organisational performance consequences too. For more information, see ICAO's discussion on Integrated Risk Management in para 1.4 here.
END
Your comments/thoughts/critique/contributions would be appreciated
Director, Verda Consulting. Supporting your business through enhanced safety performance.
(1 year ago) Sorry to say that the guidance we have been given through regs is half the issue. As you point out Duane the matrix is controversial... my views are well known. 10 years into SMS and confusion is very prevalent. Worryingly evidence shows a degradation to safety due to SMS yet this is not being spoken of. Just the other day I asked a regulator what the matrix was for... after he answered, I then pointed out that his view was at odds with the approval privileges and limitations. Further discussion revealed a view that organisations "with limited resources must make decisions on risk acceptability". I pointed out that this was 180 degrees out from SFaiRP obligations and one that legitimises operations outside of regs. The conversation was moved on. Language such as 'SMS into' part 21 or 145 suggests that the understanding of the role compliance makes to safety has been lost. Given 145 has had 90% of the SMS elements since 2006 you have to wonder on the alignment of thinking. To your post, we could all do ourselves a favour by dropping the SMS term. How does a part 21 organisation contribute to aviation safety may help unlock the debates we see. We have new words, new processes, same issues.
RAM Process Lead | NG Technical Fellow
(1 year ago) Duane Kritzinger (BEng, MBA) Thank you for this discussion paper… quite timely and relevant from my perspective working currently in a Defence "in service" environment. I see serious misunderstandings in 21j, Part M and Part 145 organisations regarding "Aviation Safety", "System safety", occurrence reporting and the role/purpose of SMS… definitely a subject area in need of further promotion… In my experience it is essential to firstly clarify and understand the difference between Aviation Safety and System safety… often these are conflated or poorly understood in organisational management areas and particularly decision makers involved in "safety" oversight roles. To the initiated it may seem obvious what the difference is. At the end of the day the SMS is about identifying and maintaining the "quality assurance" for safety critical activities/process/people etc which if not performing/meeting minimum criteria may result in a safety impact on the aircraft… the likelihood and consequence/and need for organisational mitigation actions comes into it after these processes/activities are established… In relation to your paper there are potentially many SMS activities/outputs that could indirectly or potentially threaten the inherent SSA level failure modes assumptions/likelihood etc… (ie in an in service environment)… another problem area/topic in SMS is the seeming pursuit of zero risk in areas that have no aircraft safety mitigation impact… and the converse problem of occurrence reporting for things the OEM has specifically directed to look for! The confusion and misunderstanding of basic concepts is itself an Aviation Safety issue… not being able to see the wood for the trees… (these are my personal opinions and do not represent the views of my employer)
System Safety Engineering and Management of Complex Systems; Risk Management Advisor...Complex System Risks
(1 year ago) "SSA is all about the integrity of the technical system. It examines the robustness of the technical system and whether their failure rates meet acceptable targets. SMS is all about the integrity of the Management System that created the technical system (see the end of this EASA page, which is replicated below). It searches for failures and shortcomings in our intellectual endeavours, puts in place mitigations against them and then goes on to monitor the effectiveness of those mitigations." No need to ramble on... Just go about the identification, elimination or control of risks to acceptable levels...
Deputy Chief of the Office of Airworthiness and CVE at Babcock Design and Completions
(1 year ago) Interesting read, thank you! I wonder if you have considered a similar comparison between a Design Assurance System and SMS? I would argue that these share more similarities than xx.1309/SMS because they both focus on the organisational system.
Advisor Tech Mahindra - EASA independent safety expert - retired @ Airbus - AEPA
(1 year ago) The topic of 1309 as covered in the current requirement has long been considered an SMS item of Part 21 DOA. The similarity shown in the visual proposed by Duane in terms of design definition and design organisation is thus correct. One issue might be the use of the probabilistic terminology not existing in Part 21 SMS, which addresses organisational findings ONLY.