AIR COMMODITIES TEAM GENERIC SAFETY ASSESSMENT …
16
AIR COMMODITIES TEAM GENERIC SAFETY ASSESSMENT REPORT FOR AIR COMMODITIES EQUIPMENT ACT/GSAR/1 Version: 1 5 Oct 12 Dated: Endorsed by: Name Signature Rank/Grade Lieutenant Commander Post C Safety (Air) Date 0 c_. - r I a Authorised by: Name Signature Rank/Grade roue ptain Post Air Commodities Team Leader Date 5 CDci 1 2_ Version 1 05/10/12
Transcript of AIR COMMODITIES TEAM GENERIC SAFETY ASSESSMENT …
AIR COMMODITIES TEAM
GENERIC SAFETY ASSESSMENT REPORT FOR AIR COMMODITIES EQUIPMENT
ACT/GSAR/1
Version: 1 5 Oct 12 Dated:
Endorsed by:
Name
Signature
Rank/Grade Lieutenant Commander
Post C Safety (Air)
Date 0 c_.-r I a
Authorised by:
Name
Signature
Rank/Grade roue ptain
Post Air Commodities Team Leader
Date 5 CDci 1 2_
Version 1 05/10/12
CONTENTS Page
FRONT COVER i CONTENTS ii REVIEW RECORD iii SPONSOR BRANCH iii ABBREVIATIONS iv PART 1 GENERAL INFORMATION 1 Introduction 1 Document Application 1 Aim 1 Scope 2 Exclusions 2 Audit and Review 3 Quality Management 3 PART 2 EQUIPMENT SAFETY ASSESSMENT 4 Safety Requirements 4 Safety Evidence Requirements 4 Managing Safety Through Life 6 Safety Assumptions 7 Safety Criteria 7 PART 3 CONSUMABLES SAFETY ASSESSMENT 9 Safety Requirements 9 Procurement Process 9 ANNEX A DERIVATION OF SAFETY CRITERIA 10 Severity Category 10 Frequency Category 10 Risk Classification Matrix 11
Version 1 05/10/12
REVIEW RECORD
Date (a)
Review Comments (b)
Amendment (c)
Signature (d)
05/10/12 Initial Issue
SPONSOR BRANCH
The ACT Safety Manager is responsible for the maintenance of this document:
AC Safety (Air) ACT Walnut 3b #1329 MOD Abbey Wood Bristol BS34 8JH
Version 1 05/10/12
iii
ABBREVIATIONS
AC Air Commodities ALARP As Low As Reasonably Practicable AP Air Publication COSHH Control of Substances Hazardous to Health DO Design Organisation DO PM Design Organisation Project Manager Def Stan Defence Standard EA Engineering Authority GSAR Generic Safety Assessment Report GSE Ground Support Equipment IHRB Issue and Hazard Review Board ISA Independent Safety Auditor JAP Joint Air Publication JSP Joint Service Publication MOD Ministry of Defence OEM Original Equipment Manufacturer PE Project Engineer PM Project Manager POEMS Project-Oriented Environmental Management System POSMS Project-Oriented Safety Management System PSP Project Safety Panel RACI Responsible, Accountable, Consulted, Informed SA Support Authority SAR Safety Assessment Report SEMP Safety & Environmental Management Plan SEWG Safety & Environmental Working Group SME Subject Matter Experts TAA Type Airworthiness Authority
Version 1 05/10/12
iv
PART 1 GENERAL INFORMATION
Introduction
1. The Air Commodities Team (ACT) delivers a wide range of mechanical and avionic equipments and services to the front-line, with all aircraft currently on operations critically dependant on ACT outputs. The ACT also procures and supports a diverse range of general purpose Ground Support Equipment (GSE), Airfield Vehicles, Armament GSE (AGSE) and ancillary ground support equipment and facilities, used across and essential to all front line units.
2. It is incumbent on the MOD and ACT to ensure that the systems provided are safe, hazards eliminated or their risks reduced to a level that is tolerable and As Low As Reasonably Practicable (ALARP), so the level of safety and environmental risks can be supported through life. The ACT actively manages safety but some legacy equipments lack the rigorous hazard analysis and configuration data required by current standards. Therefore a two-tier review and reporting programme for all ACT main equipment types has been implemented.
3. This Generic Safety Assessment Report (GSAR) is a 'Tier 1' document to bind the generic elements for the majority of ACT equipment safety assessments. It describes the approach taken to develop the Tier 2 documents, the individual equipment Safety Assessment Reports (SARs), and combines all common elements of a traditional Safety Case Report that would otherwise be repeated across each and every safety assessment.
Document Application
4. For aircraft equipment, ACT recognises the primacy of the Platform Safety Cases and will seek to provide data and support to platform Project Teams (PTs), who have overall airworthiness responsibility for the safety of their aircraft. Whilst ACT SARs will focus on establishing and communicating equipment safety risks to platform PTs, endeavouring to highlight any perceived airworthiness risks, ACT cannot quantify integration risks for equipment or its suitability for the platform. The ACT can only assess the safety of the equipment it manages, identifying generic equipment hazards, but does not assess the full airworthiness implications in the context of aircraft architecture, or equipment criticality. It is for the platform PTs to undertake this role as part of their management of the aircraft safety case.
5. The ACT Tier 1 GSAR avoids the nugatory repetition of generic elements across the large number of individual ACT equipment SARs required. These individual Tier 2 SARs are tailored to report only pertinent safety information on that equipment for the intended recipient. The Tier 1 GSAR should be read in conjunction with Tier 2 SARs to provide the overall safety justification.
6. The first iterations of the Tier 2 SARs may have gaps in the data provided. However as live documents these will be frequently updated. TAAs are invited to assess whether these gaps present any particular risks to their platforms and highlight any concerns to the ACT Safety Team.
7. Platforms will be asked to acknowledge acceptance of the GSAR and each SAR.
Aim
8. A Safety Case is defined in Defence Standard (Def Stan) 00-56 as:
A structured argument, supported by a body of evidence that provides a compelling, comprehensible and valid case that a system is safe for a given application in a given environment.'
Version 1 05/10/12
As an assessment report (Air OC S&E Handbook, Ch 8), the aim of the GSAR is to support overall aircraft safety cases. It sets out the methodology used for managing equipment safety within the ACT, justifying the equipment as suitable for safe use in service.
Scope
9. Tier 2 SARs are intended to address all credible hazards in scope of the equipment, that could be perceived to harm personnel. Physical hazards include those resulting from the physical composition, construction, operation, maintenance, transport, storage and disposal of the equipment. Generic functional hazards are those resulting from functional failures (such as navigation errors) which can act as potential initiating events to accident sequences in other systems.
10. ACT, as a supplier of equipment to other MOD Project Teams, is not involved in the integration of the equipment onto platforms or the subsequent operation of that equipment. Hazards arising out of the integration onto aircraft platforms and their consequent functionality on that platform are beyond the capability of ACT to assess and are considered out of scope. However, ACT (although not Subject Matter Experts (SMEs)) will consider integration and functional hazards and any that are identified will be recorded in the Tier 2 SAR and transferred to the appropriate Platform PTs for consideration, assessment and management.
11. In recognition that many of the equipment items are fitted onto aircraft and therefore have to meet rigorous airworthiness standards, evidence has been sought to ensure this requirement has been met, however it is for the Platform PT to determine the suitably of the evidence and to confirm it is sufficient for their needs. For Ground Support Equipment, although the standards are not as rigorous, the same level of evidence will be sought for completeness.
12. MAA Regulatory Publications (MRP) Regulatory Article 1210 identifies that Aviation Duty Holders are legally accountable for the safe operation of equipment and management of the associated Risk to Life within their Area of Responsibility (AoR). Therefore it is for the Aviation Duty Holder to assess the impact of this equipment on their platforms. As such the operation of the equipment onboard an aircraft is considered out of the scope of ACT.
13. Any consequential hazards resulting from the operational loss or a failure of the system or an element of it to deliver its designed capability will not be considered within the scope of the Tier 2 SARs unless it is considered to have direct safety consequences, in which case any identified operational hazards will be recorded and transferred to the appropriate Platform PTs and Aviation Duty Holders for consideration, assessment and management.
Exclusions
14. The Tier 2 SARs only cover the equipment listed and do not cover any other part of the platform or its systems. Also hazards and risks associated with the use of general oils, lubricants and solvents used in the maintenance and cleaning of the equipment have not been considered. These items are covered by safety data sheets, available through the supply system, which should be read at the time of issue.
15. In the context of the SARs, safety is only taken to include harm to personnel (both service and general public) and excludes equipment damage and environmental impacts.
16. ACT has no influence on local Safety and Emergency Procedures (fire evacuation, first aid etc.) and as such these arrangements are considered out of scope. All emergency arrangements are the responsibility of local commands.
Version 1 05/10/12
2
17. Environmental impacts are considered out of scope at this time and are therefore not considered further in this GSAR.
Audit and Review
18. The Tier 1 GSAR will be periodically reviewed and updated.
19. The Tier 2 SARs are live documents and shall be reviewed biannually as a minimum, but will always be reviewed after a significant change, for example in equipment usage or the operating environment.
20. The ACT has appointed an Independent Safety Auditor (ISA) to oversee ACT activities. Part of the ISA remit will be to conduct annual audits on a selected 10% of the Tier 2 SARs. The selection of these SARs will be representative of the variety of equipment types provided by ACT, with prioritisation being given to higher risk items.
Quality Management
21. The ACT quality strategy and plan is being developed and will be in place by Apr 2013, with a structure for both internal and supplier audits thereafter. A risk-based approach to contractor audits will be necessary, with limited but targeted content, given the limited resources available to conduct audits and the problem of managing over 200 contractors.
Version 1 05/10/12
3
Appropriate Configuration
Management in Place.)
Designed by Competent Persons
Hazard Materials Identified
Tested for 'Air' Environment
• Adequate Technical Information Provided
Good Safety Record
Maintainers are SQEP
Operators are SQEP
Hazards Managed in Hazard Log
Risk Reduction / — ALARP Justification
Conducted
Formal Endorsement by Safety Panel
Formal Acceptance by Platform
PART 2 EQUIPMENT SAFETY ASSESSMENT
Safety Requirements
22. With the majority of Air Commodities equipment having entered service some years ago, most of the equipment has not been designed, developed or procured under modern safety legislative requirements. Consequently, in most cases, no safety requirements exist in User Requirement Documents (URD) or System Requirement Documents (SRD).
23. For legacy systems, good practice is to conduct a high-level risk assessment of potential hazards in order to establish a safety baseline. As such, the ACT has adopted the following generic safety requirement:
Air Commodity equipment is to remain tolerably safe in the following conditions: a. When operated and maintained in its intended environment (aircraft, airfield or ship where applicable); b. When transported, stored and disposed of.
24. The SAR makes the safety claim shown below and presents the argument and process based evidence in support of that claim:
Air Commodities Team managed equipment is acceptably safe when operated in accordance with defined procedures and maintained in accordance with appropriate maintenance publications'.
25. For the argument to be complete, there is a requirement for equipment specific evidence to be presented.
Safety Evidence Requirements
26. For each ACT equipment, the safety assessment follows a Claims-Argument-Evidence process to demonstrate that the equipment has been correctly designed, evaluated, maintained and operated as illustrated in Figure 1. This identifies the evidence categories to substantiate the top level goal.
• ACT Equipment is
Safe
Equipment is Safe as Designed
Equipment is Safe to Operate / Maintain
Equipment Hazards Have Been Identified
And Managed y
Figure 1: Safety Argument
Version 1 05/10/12
4
27. Assurance that adequate evidence exists to substantiate the safety assessment will be carried out by the appropriate Engineering Authority Desk Officer responsible for the equipment and recorded in an 'Assurance Matrix' within the Tier 2 SAR. Table 1 provides guidance on the type of evidence sought and what defines an acceptable means of compliance.
Evidence Category
Description Acceptable Means of Compliance
Equipment is Safe as Designed Designed by Competent Organisation
Evidence that the equipment has been designed by a competent Design Organisation or equivalent, following appropriate design procedures for the purpose that it is intended for. Relevant aircraft design standards, such as Def Std 00-970 have been complied with. •
DAOS accreditation Appropriate Certification: CoD, CoC, DDP
Hazardous Materials Identified
Evidence that hazardous materials have been identified, with arrangements in place to mitigate any associated risk.
Hazardous Material Data Sheets
Tested for Intended Environment
Evidence that the equipment has undergone the necessary testing for the environment it is intended to be used in.
Limits identified in CoD Test reports
Change Management
Evidence that changes to the equipment are undertaken by a competent organisation and approved by the relevant stakeholders.
DAOS accreditation Change Procedures
Configuration Management
Evidence that the equipment is under strict configuration management control including the management of lifed components and recording of usage data.
Asset tracking database
Maintainers are SQEP
Evidence that the maintainer competence is SQEP to maintain acceptable levels of safety.
Training Course / Material MAOS accreditation
Operators are SQEP
Evidence that the operator competence is SQEP to maintain acceptable levels of safety.
Training Course / Material
Adequate Technical Information Provided
Evidence that adequate approved technical information is provided to maintain acceptable levels of safety.
Technical Publications
Manufacturer's handbook
Historical Safety Record
Evidence that the equipment has a good safety record in-service, i.e. there are few to none incident reports generated throughout its service life.
Evidence of effective feedback, reporting and corrective action.
Incident and Accident Reports
Trend Analysis
Corrective action records
Equipment Hazards have been Identified and Managed
Hazards Managed in Hazard Log
Evidence of all hazards being identified in Hazard Log and managed appropriately.
Hazard Log
HAZID records
Risk reduction / ALARP Justification Conducted
Evidence that a comprehensive Hazard Analysis has been carried out on the equipment and the associated risks have been reduced to a level no higher than Tolerable and ALARP (where applicable).
Identification of mitigation in Hazard Log
ALARP statements
Formal Endorsement by Safety Panel
Evidence that the risks have been reviewed and endorsed by a Safety Panel of appropriate SQEP representation.
Safety Panel Minutes, SQEP forms
Formal Acceptance by Platform / Commands
Evidence that the ACT and the Platform/ commands have agreed the boundaries of their respective responsibilities. Integration acceptance of the equipment by the platform.
Platform Acceptance E-mail
Table 1: Safety Evidence Requirements
28. The AC Safety Team shall then assess the maturity and suitability of the evidence in its
Version 1 05/10/12
5
entirety to provide a holistic judgement on the extent of substantiation that can be claimed. This assurance activity shall then be used in tandem with a Hazard Identification Review to endorse a Hazard Log which will demonstrate the equipment as being suitably safe for continued use in service.
29. To review the Tier 2 SAR, a Safety Assessment and Hazard Review Board shall be held and the report reissued to reflect any additional assurance information obtained and new points raised.
Managing Safety Through Life
30. Maintenance and Operating Procedures. The Tier 1 and Tier 2 SARs combined cover the off-aircraft maintenance and the operating procedures of the equipment, providing all procedures are carried out in accordance with the relevant publications identified in the Tier 2 SAR. It is the responsibility of the Aviation Duty Holder to ensure these procedures are complied with.
31. As the ACT is not involved in the integration of equipment onto aircraft, they cannot be held accountable for ensuring the safety of maintaining or operating the equipment once integrated.
32. Transportation. The SARs have limited cover for road transportation of the equipment by carrier, i.e. air, road or rail. Cover will only be applicable when the regulations specified in this GSAR are applied and adhered to:
JSP 327 - Joint Service Manual of Movements JSP 335 - Dangerous Air Cargo Regulations JSP 886 - The Defence Logistics Support Chain Manual JSP 375 - MOD Health and Safety Handbook JSP 445 - Transport of Dangerous Goods by Road, Rail and Sea JSP 515 - MOD Hazardous Stores Information System Def-Stan 81-41 - Packaging of Defence Materiel
33. Support. The SARs cover the storage of the equipment, providing all procedures are carried out in accordance with the relevant Technical Publications as listed in the Tier 2 SAR for each equipment, and the following regulations are applied and adhered to:
JSP 886 - The Defence Logistics Support Chain Manual JAP 100E-10 - Military Aviation Ground Support Equipment Management and Policy AP 119F-0001-5F - Aircraft Ground Support Equipment General Information Maintenance Schedule
34. Disposal. Contentious materials contained in the equipment are identified as part of the disposal process. These are listed in a Green Passport which forms part of each Tier 2 SAR and which is maintained throughout the life of the equipment. Regulations to be followed when submitting redundant equipment for disposal can be found in the following publications:
JSP 886 - The Defence Logistics Support Chain Manual JSP 515 - MOD Hazardous Stores Information System MAP-01 - Manual of Maintenance and Airworthiness Processes JAP (D) 100E-10 - Military Aviation Ground Support Equipment Management and Policy. CAA regulations on the disposal of items, which, for airworthiness reasons, must not be refitted to an aircraft.
Safety Assumptions
Version 1 05/10/12
6
35. The generic safety assumptions that underpin each SAR are listed below: a. There is no deliberate misuse of the equipment outside the operating instructions supplied. b. The equipment is operated within its declared environmental range. c. The approved operating and maintenance instructions are followed. d. The operators and maintainers will be appropriately trained. e. The equipment is transported and stored in accordance with the regulations identified in this Tier 1 GSAR; f. The severity of any integration or functional hazard will be determined by the platform team.
36. Any additional equipment specific safety assumption will be listed in the equipment's Tier 2 SAR.
Safety Criteria
37. Risks of accidents are classified according to their severity and frequency. ANNEX A defines the rationale behind the hazard and risk classification system to be used within the ACT, which is based on domains to which the equipment is supplied for ease of hazard transfer and safety management. This is based on guidance given by the Military Aviation Authority (MAA) in Regulatory Article (RA) 1210 and by the Land Systems Safety Office (LSSO) in JSP 454, Part 2, Leaflet C2.
38. Accident frequency in the context of ACT equipment is defined in Table 2.
Accident Frequency
Frequency of occurrence of accident per equipment/system and generic guidance words
Frequent >1x10-2 / yr Likely to be continually experienced (more than once a year per equipment fleet)
Probable 1x10-3 to 1x10-2 / yr Likely to occur up to once in 100 years (up to once a year per equipment fleet)
Occasional 1x10 to 1x10-3 / yr Likely to occur once in 1000 years (up to once per 10 years per equipment fleet)
Remote 1x10-5 to 1x10 / yr Likely to occur once during the life of the system (up to once per 100 years per equipment fleet)
Improbable 1x10-6 to 1x10-5 / yr Unlikely, but may exceptionally occur (no reported accidents within MOD but single incident reported which may have led to an accident under different circumstances)
Incredible <10-b / yr Extremely unlikely that the event will occur at all, given the assumptions recorded about the domain and the system.
Definitions in italics are to demonstrate a fleet-wide equivalent based on a fleet of 100 pieces of equipment.
Table 2: Frequency Definitions
Version 1 05/10/12
7
39. Accident severity is defined in Table 3.
Category ACT Definitions 3rd Parties (Public) 1st Party
Catastrophic Single death or multiple severe injuries or severe occupational illnesses*.
Three or more fatalities
Critical A single major injury or occupational illness*, or multiple minor injuries or multiple minor occupational illnesses**.
One or two fatalities or a large number of major injuries or severe occupational illnesses*.
Major At most a single minor injury or a single minor occupational illness**.
A single major injury or severe occupational illness*, or multiple minor injuries or multiple minor occupational illnesses**.
Minor Any injury or occupational illness, however minor.
At most a single minor injury or a single minor occupational illness**.
* A major injuries or severe occupational illness is one that can be considered a RIDDOR and results in hospitalisation and / or inability to perform normal duties for over 5 days. "* A minor injury or a minor occupational illness is one that can be considered a non-RIDDOR and requires medical assistance but would not result in more than 5 days inability to perform normal duties.
Table 3: Severity Definitions
40. The Risk Classification Matrix and Tolerability Criteria shown Table 4 and Table 5 have been used by ACT as a guide for the categorisation of accidents:
ACCIDENT SEVERITY CATEGORIES
CATASTROPHIC CRITICAL
B
MAJOR MINOR
B
›-
IL LL
w
(7)
0 0 w H
FREQUENT
PROBABLE C
OCCASIONAL C C
REMOTE B C C
IMPROBABLE C
C
C
INCREDIBLE
Table 4: Risk Classification Matrix
RISK DEFINITION — (BASED ON DEF STAN 00-56)
INTOLERABLE RISK — Requires urgent action, including reporting in accordance with SEMIs.
B
UNDESIRABLE RISK — Requires management action and shall only be accepted when risk reduction is impracticable.
C
TOLERABLE RISK — With the endorsement of the project safety working group.
BROADLY ACCEPTABLE — With the endorsement of the normal project reviews.
Table 5: Tolerability Criteria
Version 1 05/10/12
8
PART 3 CONSUMABLES SAFETY ASSESSMENT
Safety Requirements
41. In addition to the supply of equipment, ACT also provides consumable items to multiple Project Teams. Although ACT supply many items of equipment, the number of consumable items is significantly greater. As such, the Safety Assessment Report approach undertaken on an equipment basis is inappropriate for effective safety management of the consumable items.
42. Consumable items tend to be components of larger systems and so the safety risks associated with them are covered by the equipment safety assessment. As the Design Organisation underwrites the safety of the equipment they provide (including all components used within), replacement of components with like-for-like parts (with matching form, fit and function) meeting the technical specifications declared by the Design Organisation, will not compromise the original safety assessment.
43. ACT have therefore taken an assurance approach to managing the large number of consumable items, with demonstration of adequate processes being in place and followed, providing the assurance that consumable items meet the technical specifications and safety standards declared by the Design Organisation.
Procurement Process
44. For new items the ACT follows standard JSP 886 procurement processes. Where original items are not available, the ACT uses the JSP 886 alternative items procurement process which mandates the use of Form 181 or equivalent. This is signed off by a Letter of Delegation (LoD) holder and is retained for the life of the system/equipment procured.
45. ACT follow an approved MOD process and MOD system in the procurement of equipment, as well as applying additional checks to both internal ACT processes and to suppliers of equipment by Certificates of Conformity, thereby ensuring compliance with the technical specification. Should a non-conforming part make it through the system, an established fault reporting process with dedicated focal points of contact is in place to not only capture these items, but to also communicate it back through the ISIS system to prevent the non-conforming part from being available to others. Overall, this approach to procurement and fault reporting should provide sufficient assurance to recipients of consumables that only parts which meet the technical specification are fitted, thereby maintaining the safety integrity of the host equipment under its existing SAR.
Version 1 05/10/12
9
ANNEX A DERIVATION OF SAFETY CRITERIA
Severity Category
46. The Severity Categories used for ACT equipment have been derived from that recommended by the Military Aviation Authority (MAA) and the Land Systems Safety Office (LSSO), these being the primary domains in which the ACT equipment will be operated. The source material has been recreated in Table 6 for comparison purposes. The MAA definitions are those as defined in the Military Regulatory Publications (MRPs) Regulatory Article (RA) 1210. The LSSO definitions are those recommended in JSP 454 Issue 5 — Part 2 — Leaflet C2 — Risk Management.
Category MAA Definitions JSP 454 Definitions 3rd Parties (Public) 1st Party
Catastrophic Three or more fatalities of MOD employees engaged in the activity in question or a single fatality of a member of the public.
A single death and/or multiple severe injuries or equivalent occupational illness.
Multiple deaths
Critical One or two fatalities of MOD employees engaged in the activity in question. A large number of major injuries must also be included in this category.
A single severe injury or occupational illness and/or multiple minor injuries or minor occupational illness.
A single death and /or multiple major injuries or equivalent occupational illness, as defined in RIDDOR 95 Schedule 1.
Major (MAA) / Marginal (JSP 454)
Major injuries to any person. A large number of reportable injuries must also be included in this category.
At most a single minor injury or minor occupational illness.
A single major injury or occupational illness and/or multiple minor injuries, as defined in RIDDOR 95 Schedule 1.
Minor (MAA) / Negligible (JSP 454)
Reportable injuries of any person. (3 or more day's absence from work)
Any injury or occupational illness, however minor.
At most a single minor injury or minor occupational illness. (A non-sporting injury requiring professional medical attention).
Table 6: MAA and JSP 454 Severity Categorisation
47. The Severity Categories used for ACT equipment is an amalgamation of these two source materials as presented in Part 2, Table 3.
Frequency Category
48. The Frequency Categories used for ACT equipment were more difficult to derive as the MAA categorisation is based on aircraft fleet per year where as the JSP 454 guidance is per system over its lifetime. These categorisations have been recreated in Table 7 for comparison purposes.
Accident Frequency
MAA likelihood of a single accident resulting in harm for a particular fleet
JSP 454 Likelihood Category Definitions
Frequent Likely to occur at least several times a year
Likely to be continually experienced during the life of the system
Probable Likely to occur often during the life of the system
Occasional Likely to occur one or more times per year
Likely to occur several times during the life of the system
Remote Likely to occur one or more times in 10 years
Likely to occur some time during the life of the system
Improbable Unlikely to occur in 10 years Unlikely, but may exceptionally occur during the life of the system
Incredible Extremely unlikely that the event will occur during the life of the system
Table 7: MAA and JSP 454 Probability Categorisation
Version 1 05/10/12
10
49. These categorisations are mutually incompatible without knowledge of expected fleet numbers and service life which is different for each system/platform. Therefore, the ACT categorisation has been derived from first principles based on the HSE top level requirement of:
a. Basic Safety Level (BSL) of the risk; a fatality per year being no greater than 1 in 1,000 (1x10-3) for an involved person (1st Party — operator and maintainers). This defines the boundary between an Intolerable and Tolerable Risk (A/B Risk boundary).
b. Additionally, it is possible to discriminate between risk to involved persons and that to the General Public (3rd Parties). Due to their non-involvement, the HSE set a lower tolerability boundary for members of the general public. This risk target is set at 1 in 10,000 (1x10-4) per year and defines the B/C Risk boundary.
c. Basic Safety Objective (BSO) of the risk; a fatality per year being no greater than 1 in 1,000,000 (1x10-6) for any person (1st and 3rd Parties). This defines the boundary between a Tolerable and Broadly Acceptable Risk (C/D Risk boundary).
50. These requirements are accepted by the MAA in RA 1210 and are widely recognised in the ALARP triangle. This is presented in Table 8 and has been colour coded to reflect the HSE requirements for risk of fatality per year.
Accident Fre • uenc
Frequency of occurrence of accident per equipment/system and associated tolerabili based on a sin • le fatalit
Frequent Intolerable - A Probable Intolerable - A Occasional 1x10 ' to 1x10- / yr Tolerable, Undesirable - Remote 1x10-5 to 1x104 / yr Tolerable - C Imerobable 1x10-b to 1x10-5 / r Tolerable - C Incredible Broadly Acceptable -
Table 8: MAA Frequency Categorisation
51. However, these figures are difficult to interpret in relation to what is experienced in-service by operators and maintainers, therefore, qualitative definitions have been derived as an aid to categorising the frequency of individual accidents. These have also been normalised to demonstrate a fleet-wide equivalent in italics (based on a fleet of 100 equipment) as these can be more clearly understood for some of the categories. Note that is an aid only and will need to be tailored based on actual equipment fleet numbers. See Part 2, Table 2.
Risk Classification Matrix
52. From the defined severity and frequency categorisations, it is possible to construct a matrix to define the risk of accidents other than single fatalities. This is typically achieved by assigning the above risk distribution to the 'Critical' column (which represents single fatality), and then stepping the distribution of risk up and down for each neighbouring severity column, as shown in Part 2, Table 4.
Version 1 05/10/12
11
