Safety Science, journal homepage: www.elsevier.com/locate/safety
Bayesian inference in Safety Compliance Assessment under conditions of uncertainty for ANS providers
Rosa Arnaldo Valdés a,*, Victor Fernando Gomez Comendador b, Javier Alberto Perez Castan b, Alvaro Rodriguez Sanz b, Luis Perez Sanz b, Francisco Javier Saez Nieto c, Eduardo Sanchez Aira d
a Universidad Politecnica de Madrid, EU SES Performance Review Body, Spain
b Universidad Politecnica de Madrid, Spain
c Cranfield University, UK
d Universidad Politecnica de Madrid, Iberia Lineas Aereas, Spain
ABSTRACT
System Safety Assessment is an integral part of the design and operation of aviation and Air Traffic Management (ATM) systems. The aim of the System Safety Assessment is to identify, quantify and mitigate any and all risks; and to ensure that the system complies with the safety levels established by the regulatory authority.
This paper presents an integrated methodology, based on Bayesian inference, for assessing and evaluating compliance with system safety requirements when there is uncertainty regarding the safety performance of ATM systems.
The study constructs a Bayesian framework that reformulates the Safety Compliance Assessment as decision making under uncertainty. This framework addresses the main limitations of the System Safety Assessment carried out by Air Navigation Service Providers (ANSPs). Specifically, it:
• Solves the issue of compliance for systems that lack the data and operational history of conventional systems.
• Avoids situations under which limited information, lack of operational data and uncertainty may lead to erroneous conclusions and to the potential certification of a system that does not satisfy the minimum safety performance requirements.
• Constitutes a valid alternative to the arbitrary Margins Of Safety (MOS) considered in the worst-case scenarios for safety assessments, thereby reducing the need for conservative assumptions and safety margins.
• Allows for more inclusive handling of the uncertainties intrinsic to all System Safety Assessments. This leads to increased neutrality and a better understanding of decisions and judgements regarding compliance.
The features and advantages of this approach are demonstrated via a case study which assesses whether an Air Navigation Service Provider (ANSP), which has begun to provide services at a new airport with new systems and technology, is compliant with the safety objectives. Specifically, it is necessary to demonstrate compliance with any and all safety requirements applicable to the Air Navigation Systems, in particular VOR, DME and ILS.
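As an added illustration of "compliance as decision making under uncertainty" (this is example code, not the paper's own model or case study), the block below assumes a Gamma-Poisson model for a hazard occurrence rate and computes the posterior probability that the rate meets a constructed safety objective, together with a posterior upper bound that can replace an arbitrary worst-case Margin of Safety. The target rate, prior parameters and exposure figures are all constructed assumptions.

```python
import math

# Assumed model (this example's own, not the paper's): hazard events form a
# Poisson process with unknown rate lam per operational hour; the prior on lam
# is Gamma(shape=k0, rate=b0) with integer k0, so the posterior after `events`
# in `hours` of exposure is Gamma(k0 + events, b0 + hours) (conjugate update).

def gamma_cdf_int_shape(x: float, shape: int, rate: float) -> float:
    """P(lam <= x) for Gamma(shape, rate) with integer shape (Erlang form)."""
    if x <= 0:
        return 0.0
    z = rate * x
    tail = sum(math.exp(-z) * z ** n / math.factorial(n) for n in range(shape))
    return 1.0 - tail

def prob_compliant(target, events, hours, k0=1, b0=1e4):
    """Posterior probability that the true rate is at or below `target`."""
    return gamma_cdf_int_shape(target, k0 + events, b0 + hours)

def upper_bound(conf, events, hours, k0=1, b0=1e4):
    """Posterior `conf`-quantile of lam (found by bisection): a data-driven
    conservative rate instead of an arbitrary worst-case margin of safety."""
    shape, rate = k0 + events, b0 + hours
    lo, hi = 0.0, 1.0
    for _ in range(200):
        mid = (lo + hi) / 2
        if gamma_cdf_int_shape(mid, shape, rate) < conf:
            lo = mid
        else:
            hi = mid
    return hi

def decide(target, events, hours, required_conf=0.95):
    """Accept compliance only if P(lam <= target | data) >= required_conf."""
    p = prob_compliant(target, events, hours)
    return p >= required_conf, p

if __name__ == "__main__":
    TARGET = 1e-5  # constructed safety objective: events per operational hour
    # Constructed data: zero events after little and after much exposure.
    for hrs in (2e4, 5e5):
        ok, p = decide(TARGET, 0, hrs)
        print(f"{hrs:9.0f} h, 0 events: P(compliant)={p:.3f}, "
              f"95% upper rate={upper_bound(0.95, 0, hrs):.2e} -> "
              f"{'accept' if ok else 'insufficient evidence'}")
```

With zero events in only 20,000 hours the posterior probability of meeting the objective is about 0.26, so the evidence is insufficient; after 500,000 event-free hours it exceeds 0.99.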
1. Introduction. Limitations in the System Safety Assessment process applied by ANSPs
In line with the ICAO Safety Management Manual (International Civil Aviation Organization, 2018), safety in ATM (Air Traffic Management) has evolved from the idea of risk-free systems towards the concept of Safety Management, under which ANSPs (Air Navigation Service Providers) shall implement a formal risk management process known as SA, or Safety Assessment (Di Gravio et al., 2016). One of the fundamental levers in this change of paradigm has been the work done by EUROCONTROL in 3 main safety areas: (i) development of standards and safety requirements for carrying out risk analysis (EUROCONTROL, 2001); (ii) review and development of methods (EUROCONTROL, 2004) for carrying out safety studies; and (iii) evaluation of safety performance via the use of safety indicators such as APF (EUROCONTROL, 2009).
The overall aim of the SA is to guarantee that the system design, development and operation attain the safety levels approved by the designated regulatory authority (Di Gravio et al., 2016). The objective of the SA process, which encompasses a number of multifaceted activities, is to minimise the likelihood and severity of the consequences of latent hazards. SA typically comprises 3 main phases that evolve throughout the lifecycle of the system: (i) FHA, Functional Hazard Assessment; (ii) PSSA, Preliminary System Safety Assessment; and (iii) SSA, System Safety Assessment. Fig. 1 shows how these 3 phases relate to the steps in the System Life Cycle.
The hazards are identified and evaluated during the FHA and PSSA phases, which are carried out in parallel with the system definition and design. As such, the quantitative and qualitative safety objectives and requirements are derived at system and subsystem level; and maximum
https://doi.org/10.1016/j.ssci.2019.03.012
Received 20 July 2018; Received in revised form 13 March 2019; Accepted 15 March 2019
* Corresponding author at: School of Aerospace Engineering, Plaza de Cardenal Cisneros, N3, Building B, Room B224, 28040 Madrid, Spain.
E-mail address: rosamaria.arnaldo@upm.es (R. Arnaldo Valdés).
Safety Science 116 (2019) 183–195
0925-7535/ © 2019 Published by Elsevier Ltd.