A Safety Case is the documented assurance, including argument and supporting evidence, of the achievement and maintenance of safety.
The development of a Safety Case is not an alternative to carrying out a Safety Assessment. It is a means of structuring and documenting a summary of the results of a Safety Assessment, and other activities (e.g. simulations, surveys etc.), in a way that a reader can readily follow the logical reasoning as to why a change (or ongoing service) can be considered safe.
“Primarily the Safety Case is a matter of ensuring that every company produces a formal safety assessment to assure itself that its operations are safe. Only secondarily is it a matter of demonstrating this to a regulatory body. That said, such a demonstration both meets a legitimate expectation of the workforce and the public and provides a sound basis for regulatory control” (Lord Cullen, in the investigation of the Piper Alpha accident)
ICAO Annex 11 places an obligation on the providers of Air Traffic Management services to ensure the safety of air traffic, in respect of those parts of the ATM System and supporting services within their managerial control. Implicit to this obligation is the requirement on those with managerial control to demonstrate positively that the relevant Safety Regulations are satisfied. In essence there is a “burden of proof” on Air Navigation Service Providers to show that acceptable levels of safety are and continue to be achieved.
Safety Case Types
Safety Cases may come in many forms, but most can be thought of as falling into one of two categories, as follows:
- Those that are used to demonstrate the safety of an on-going service - Unit Safety Cases;
- Those that are used to demonstrate the safety of a substantial change to that service - Project Safety Cases.
Unit Safety Case: an Air Traffic Services Unit (or other major, safety-related service/facility) may decide to produce and maintain a Unit Safety Case (USC) in order to show that the on-going, day-to-day operations are safe and that they will remain so indefinitely. A USC would typically include an a priori safety assessment, together with the results of safety audits, surveys and operational monitoring.
Project Safety Case: an Air Traffic Services Unit (or other responsible organisation) may also decide to produce a Project Safety Case (PSC) when a particular substantial change to an existing safety-related service/system is to be undertaken. A PSC would normally consider only those risks created or modified by the change and rely on an assumption (or on evidence from the corresponding USC) that the pre-change situation is at least tolerably safe.
Defining the Scope and Boundaries for the Safety Case
Defining the scope and boundaries of the Safety Case is an essential first step in the development of the Safety Case. It should explain what the Safety Case covers (and does not cover), the boundaries of responsibility with respect to managerial control and other stakeholders, applicability of and compliance with safety regulations and standards, and any assumptions made in defining the scope, boundaries or safety criteria.
A Safety Case may be temporarily restricted to the safety of a new concept, and therefore be conditional on the subsequent complete and correct implementation of that concept by the responsible organisation. Such a Safety Case is classified as a Preliminary Safety Case. It should be supported by guidance material for the subsequent implementation of the Safety Requirements and for the development of a full Safety Case.
Safety Case Contents
A good Safety Case should include, at least:
- What the Safety Case is trying to demonstrate - this should be directly related to the Claim that the subject of the Safety Case is acceptably safe;
- Why the Safety Case is being written and for whom;
- A description of the system/change and its operational/physical environment, sufficient only to explain what the Safety Case addresses and for the reader to understand the remainder of the Safety Case;
- For PSC, the justification for introducing the change (and therefore potentially for incurring some risk);
- A reasoned and well-structured Safety Argument, showing how the Aim is satisfied;
- Supporting safety evidence to substantiate the Safety Argument;
- All assumptions, outstanding safety issues, and any limitations or restrictions on the operation of the system;
- A simple statement to the effect that the Aim has been satisfied, subject to the stated caveats.