Study of SESAR implied safety validation needs Jelmer J. Scholte and Henk A.P. Blom Air Transport Safety Institute, National Aerospace Laboratory NLR Amsterdam, the Netherlands scholte@nlr.nl , blom@nlr.nl Alberto Pasquini Deep Blue Rome, Italy alberto.pasquini@dblue.it Abstract—Safety validation of changes to an individual organization’s local ATM system has become common practice in Europe. However, the SESAR program is planning changes in air traffic operations in Europe that go much further than changes to a local ATM system. This paper identifies the issues on which safety validation approaches need extensions, in order to move from safety validation of changes to a local ATM system to safety validation in SESAR. Subsequently, it identifies approaches that address the identified extension needs. This way an integrated view is developed from the fragmented research results in this area. Keywords-Safety validation, ATM, SESAR. I. INTRODUCTION Safety validation of changes to an individual organization’s local Air Traffic Management (ATM) system has become common practice in Europe. As part of this, Air Navigation Service Providers (ANSPs) are required by applicable safety regulations [21],[18] to hand over a positive safety case for regulatory approval prior to introducing a change. However for future changes in ATM, it is highly questionable whether assuring compliance to [21],[18] is effective for SESAR. For example, [21],[18] adopt a conservative approach regarding airborne safety nets: both assume that safety risk reduction by safety nets is taken into account neither in the safety target nor in the safety risk assessment. As a consequence, current regulations may discourage improvements in safety nets [4]. The Single European Sky ATM Research (SESAR) program is planning changes in air traffic operations in Europe that go much further than changes to a local ATM system. SESAR concepts of operations include changes for a multitude of stakeholders including many ANSPs, airlines and airports. The safety of such operations does not only depend on these stakeholders’ individual performance, but also on their interactions. Because SESAR strives for ambitious objectives addressing almost contradictory Key Performance Areas (KPAs) 1 , the changes to be made are fundamental. This increases even more the importance of addressing safety validation from the concept development start. In early design phases changes to concepts are still relatively easy to make, which makes the provision of feedback to designers the focus of safety validation. Only when the concept of operation matures, the focus of safety validation shifts to derivation of safety requirements and finally confirmation that the concept as developed is indeed safe. In this paper issues are identified on which safety validation approaches need extensions, in order to move from safety validation of an ANSP’s change to safety validation in SESAR. Subsequently, it is identified which approaches are available to address these extension needs. Although these kinds of questions are being addressed by several researchers inside and outside SESAR, a drawback is that this research is documented in a very fragmented way, which makes it impossible to grasp a complete picture. The aim of this paper is to review these fragmented sources and to provide an integrated view. The paper is organized as follows. Section II lists relevant studies regarding safety validation needs. Section III discusses safety validation needs identified from SESAR sources. These needs concern two categories: needs regarding organizing safety validation and needs regarding safety assessment. In Sections IV and V approaches are identified that aim to address these two categories of needs. Section VI provides concluding remarks. II. STUDIES ON SAFETY VALIDATION NEEDS The methodology widely in use by Air Navigation Service Providers over Europe for safety assessment of changes to their local ATM system is the Air Navigation System Safety Assessment Methodology (SAM) [15]. The current section introduces two series of studies addressing additional validation needs. One series of studies has developed the European Operational Concept Validation Methodology (E- OCVM) [16],[17]. The second series of studies [39]-[48] has been conducted during the SESAR definition phase. E-OCVM [17] has been developed in order to organize validation from the early concept life-cycle on. E-OCVM provides a common structure to an iterative and incremental approach to operational concept validation, and consists of three elements: • A Concept Lifecycle Model that reflects the maturity of the concept under investigation (see Fig. 1); • A Structured Planning Framework that guides planning validation activities; and • A Case-Based Approach used for providing key stakeholders focused information in an easily understood format. The main part of this research has been conducted within the European Commission sponsored CAATS II project, and is documented in [35] and [39]. 1 The KPAs for ATM are [29]: access & equity, capacity, cost-effectiveness, efficiency, environment, flexibility, global interoperability, participation by the ATM community, predictability, safety and security.