The term Safety Case has, over time, been applied liberally, inconsistently and with a variety of prefixes: potentially leading to confused, incoherent and ineffective safety management. It is also apparent that the practical management of Safety Cases can often remain an equipment-centric activity, led by the Defence Equipment & Support Delivery Team. Recent Military Aviation Authority (MAA) audits have highlighted that the development and utility of a robust Air System Safety Case (ASSC) is poorly defined and understood, especially during acquisition of new capabilities. The MAA recognised an important opportunity to enhance both the activity associated with the in-service ownership and management of ASSCs, and the effective influence of Air Safety requirements on capability design/selection. Subsequently Niteworks was contracted to investigate the links between the MOD’s capability development process and the establishment of effective ASSCs. The resulting study led to a revision of Regulatory Article (RA) 1205 and the introduction of a new Manual of Air System Safety Cases - both documents to be published in a Notice of Proposed Amendment in January 2019.
Why do we require Safety Cases?
Where a Defence activity presents a credible and reasonably foreseeable Risk to Life (RtL), MOD policy requires specified individuals to be designated as Duty Holders - responsible for the management of the risk, whilst ensuring it remains both As Low As Reasonably Practicable (ALARP) and tolerable. Within the Defence Air Environment, the nominated Duty Holders responsible for managing RtL will either be Aviation Duty Holders or Accountable Managers of Military Flying. The MOD policy further directs that if Defence activity takes place on or involves a complex system (aircraft, ship or other complex platform), a simple risk assessment will not be sufficient to assess the potential impact on the health and safety of the workforce or public, or the impact on the environment. Therefore, the use of a Safety Case enables nominated Duty Holders to understand the cumulative and interrelated risks associated with use of the system.
What is a Safety Case?
The MOD defines a Safety Case as a structured argument, supported by a body of evidence that provides a compelling, comprehensible and valid case that a system is safe for a given application in a given environment. By extension, an ASSC is simply the application of Safety Case theory to a Military Registered Air System, noting that it applies throughout the life cycle of the system, across all Defence Lines of Development (DLoD), and addresses a combination of the physical components, procedures and human resources organised to deliver the capability. The final part of the definition - for a given application in a given environment - is determined by establishing the operating context. Thus, a consolidated ASSC should include a clearly-defined operating context, a structured argument and a body of supporting evidence.
Defining the Operating Context
A safety argument is impossible to make without considering the specific context of use. Before any work is undertaken to develop an explicit argument, the intended or anticipated operating context of the system must be defined. This enables the anticipated hazards associated with operating the system to be identified and affords the opportunity to mitigate these through system design or selection. It is essential that the end-user operators and maintainers have sufficient influence over determining the operating context and the development of the subsequent safety argument.
The Safety Argument takes primacy
The role of the safety argument is often neglected, and too much emphasis placed on the body of evidence, with the link between the two left unexplained and meaningless. Investment in developing and capturing a robust safety argument early in the development of the capability will pay dividends throughout its lifecycle; this serves many purposes, including:
Generation and assessment of Integrated Test Evaluation and Assessment (ITEA) criteria.
Retrospective inspection during periodic reviews, driving the work of Air System Safety Working Groups and underpinning the safety statements of Operating Duty Holders/Accountable Managers (Military Flying) (ODH) / (AM(MF)).
Identification and assessment of the full impact of weaknesses and/or shortfalls in the evidence, informing potential mitigating actions.
A validity assessment of the ASSC when the Air System is required to undertake a new type of operation or operate within a new environment.
Assessment of the potential impact caused by changes to the pan-DLoD supporting structures of the ASSC.
Active management of the safety of operations, providing it is easily accessible to those responsible for maintaining, operating, and managing the capability.
What constitutes a body of evidence?
A body of evidence that is sufficiently comprehensive and supports the safety argument remains a vital element in the overall ASSC. The supporting evidence comprises the results of observing, analysing, testing and simulating the properties of a system and provides the fundamental information upon which the safety argument can be reasoned. However, evidence without argument is meaningless, regardless of the quality or quantity of the evidence.
What are the benefits of a Safety Case Regime?
A robust Safety Case regime, especially if implemented early in a product’s life cycle, ensures that:
Safety arguments are considered early in capability design/selection, enabling safety issues to be eliminated or mitigated through early design modification; this will avoid difficult and costly re-design or additional safety modifications being required once in-service.
Design and test activities (i.e. Integrated Test Evaluation and Assessment) are focused on generating evidence applicable to the identified operating context and its anticipated hazards.
The ASSC can be used to inform and influence the daily management of the system, enabling those responsible for operating the capability to make informed decisions.
Those who are responsible for operating and maintaining the system - and know how it really works - understand how their actions support the overall safety argument and are able to highlight weaknesses in the safety argument and/or supporting evidence.
The ASSC must be applicable across all Defence Lines of Development
Historically the Equipment DLoD has been subject to disproportionate emphasis in relation to other DLoDs. The separation of single (equipment) risks from unified risk in many ASSCs reinforces the inappropriate prioritisation of the Equipment-DLoD. This makes it difficult to connect an Equipment Safety Assessment to an explicit pan-DLoD safety argument and masks the thread that leads to a risk being judged as both ALARP and Tolerable. To develop and maintain a coherent, robust and effective ASSC that enables the operational capability to be employed safely, the ASSC must retain pan-DLoD applicability.
The need for Through-Life Safety Cases
RtL will evolve during both development and in-service operation of the Air System. The ASSC will require regular review throughout the life of the system. Importantly, ASSCs that are initiated after the system design has been finalised, miss the opportunity to influence the design and subsequent operation of the system. This often results in the ‘apologetic Safety Case’; one which is based on the best argument that can be created from the evidence available, rather than being one which can prove the top-level claim of safety. As such, one of the biggest changes within RA 1205 is the formal requirement to apply ASSCs throughout the life of the Air System. Starting in the Concept phase of the acquisition cycle, the ASSC needs to demonstrate that a system is capable of being safe, and subsequently can be used as a mechanism to support the judgement that a system is actually safe. The ASSC should influence design/selection and shape the ITEA programme, which in turn will generate the supporting evidence to the safety argument. Therefore, for MOD acquisition programmes, the most appropriate owner for the development of the ASSC is the Senior Responsible Owner (SRO). Through-life applicability of the ASSC has resulted in revised regulation that requires a four-staged approach to its development and management: an ASSC Strategy, applied prior to a programme’s Initial Gate; an ASSC Acquisition Basis, applied prior to a programme’s Main Gate; a Live ASSC, applied during Test and Evaluation flying; and a Live ASSC, applied once the Air System is in-service. Figure 1 represents the through-life progression of the ASSC, importantly identifying the phases of ASSC ownership during the Air System’s life cycle.
The Defence ASSC Model.
Developed as the core principles for effective management of an ASSC, the Defence ASSC Model, at Figure 2, recognises:
The duality of the central hubs argument being both ‘safe to operate’ and ‘operated safely’.
That the operating context is critical to Hazard Management.
That the overall safety argument is dependent on three areas: Hazard/Risk Management; compliance with safety rules and regulation; and confidence in the safety processes and governance which deliver the evidence to support the safety argument. Within these three domains of risk, rules and confidence, five key facets were identified.
The five key facets are subordinate to the central hub’s claim that an Air System is ‘safe to operate’ and ‘operated safely’. They are recognised as:
Context Defined. The ability to make any effective argument depends on the existence and understanding of context.
Hazards Managed. The criticality of hazard identification, analysis and mitigation in the context of intended use, as emphasised so strongly by Charles Haddon-Cave QC in the Nimrod Review.
Regulatory Compliant. Compliance with regulations is a critical step in making a safety argument.
Confidence in the ASSC. Internal and external oversight and assurance of the ASSC, providing the justification that the safety argument and supporting evidence can be relied upon, and requiring appropriate Suitably Qualified Experienced Personnel (SQEP) to be responsible for the evidence gathering.
Effective Air Safety Management System (ASMS). An ASMS is symbiotic to the ASSC; the tangible output of an effective ASMS is the evidence which supports the ASSC, whilst the intangible output is a safe Air System.