Pre-assessment · ATS.OR.205(a)
Change details
Identifying information for this change — forms the header of the safety case document.
ATS.OR.205(a) — IR
For any change notified under ATM/ANS.OR.A.045(a)(1), the ATS provider shall ensure a safety assessment is carried out and provide assurance, with sufficient confidence, via a complete, documented and valid argument that the safety criteria are valid, will be satisfied and will remain satisfied.
0.1
Service provider *
0.2
NOC reference *
0.3
Change type
0.4
Change description *
0.5
Planned date
0.6
Assessment lead
0.7
Assessment date
Section 01 · ATS.OR.205(a)(1)
Scope of change
Define the full scope — changed elements, interfaces, operational context, life cycle, and degraded modes.
ATS.OR.205(a)(1) — IR
The scope shall cover: (i) equipment, procedural and human elements being changed; (ii) interfaces between changed elements and the remainder of the functional system; (iii) interfaces between changed elements and the operational context; (iv) the life cycle from definition to operations including transition; (v) planned degraded modes of operation.
AMC guidance — GM2 ATS.OR.205(a)(1)
- Scope = changed + directly affected + indirectly affected (iterative, until no new components found)
- Include transitional stages (installation) as separate phases
- Training that changes operator behaviour before the change is operational must be treated as a transitional stage
1.1
Elements being changed *
Equipment, procedural and human elements — nature, functionality, location, performance, maintenance, training, responsibilities.
1.2
Interfaces — internal functional system *
Between changed elements and the remainder of the functional system (communication means, protocols, format, timing).
1.3
Interfaces — operational context
Between changed elements and the context in which the service is delivered, including the airborne domain and third-party services.
1.4
Transition / life cycle phases
1.5
Planned degraded modes
1.6 Scope coverage — confirm all five ATS.OR.205(a)(1) elements are addressed
1.6a
Equipment, procedural and human elements being changed are identified
1.6b
Internal functional system interfaces and interactions are described
1.6c
Operational context interfaces (including airborne domain) are described
1.6d
Full life cycle from definition to entry into service is addressed
1.6e
Planned degraded modes of operation are addressed
Section 02 · ATS.OR.205(b)(1)
Hazard identification
Identify all credible hazards introduced by or affected by the change — from failure modes, normal operations, and existing hazards.
ATS.OR.205(b)(1) — IR
The safety assessment shall comprise the identification of hazards.
AMC1 & AMC2 ATS.OR.205(b)(1)
- Target complete coverage of any condition, event or circumstance that could induce a harmful effect
- Performed by personnel trained and competent for this task
- Credible hazards only — credible = material effect on risk assessment
- New hazards from failure of the functional system
- New hazards from normal operation of the functional system
- Existing hazards affected by the change (functional system and aviation hazards)
2.1
Identification methods used
2.1a
Functional analysis
2.1b
HAZOP / What-if
2.1c
Expert judgement / brainstorming
2.1d
Incident / accident database query
2.1e
Literature / safety study review
2.2
Hazard identification performed by personnel trained and competent for this task (AMC1 ATS.OR.205(b)(1)(b))
2.3
Hazard register *
Type column maps to AMC2 categories. Credible hazards only.
| Ref | Hazard description | Type (AMC2) | Severity |
|---|
Section 03 · ATS.OR.205(b)(2)
Safety criteria
Determine and justify the safety criteria applicable to this change in accordance with ATS.OR.210.
ATS.OR.205(b)(2) — IR
The safety assessment shall comprise the determination and justification of the safety criteria applicable to the change in accordance with ATS.OR.210.
AMC1 ATS.OR.205(b)(2) & AMC2 ATS.OR.205(b)(3)
- Criteria support risk analysis that is relative or absolute, and objective
- Criteria are measurable to an adequate degree of certainty
- Set of criteria covers the full scope of the change
- Criteria consistent with SMS safety objectives and KPIs
- Where a proxy cannot be compared with acceptable certainty, risk shall be constrained
- Severity scheme: independent of cause, unique assignment, scalar quantities, assignment rules
3.1
Risk analysis approach
3.2
Safety criteria statement *
State the specific criteria. Reference TLS, ERCs, or proxy measures as applicable.
3.3
Justification for criteria selection
Explain why these criteria are appropriate. Link to SMS objectives and safety KPIs.
3.4
Severity classification scheme
Per AMC2 ATS.OR.205(b)(3) — independent of cause, unique assignment, scalar quantities, supported by assignment rules.
3.5 Criteria coverage
3.5a
Criteria are objective and measurable (numerically or otherwise)
3.5b
Criteria cover the full scope of the change
3.5c
Criteria are consistent with SMS safety objectives and KPIs
3.5d
Severity classification scheme satisfies all six AMC2 ATS.OR.205(b)(3) criteria (a)–(f)
Section 04 · ATS.OR.205(b)(3) & (b)(4)
Risk analysis and evaluation
Analyse risk for each hazard, evaluate against safety criteria, and determine whether mitigation is required.
ATS.OR.205(b)(3) & (b)(4) — IR
(3) The risk analysis of the effects related to the change. (4) The risk evaluation and, if required, risk mitigation such that the change can meet the applicable safety criteria.
AMC1 ATS.OR.205(b)(3) & AMC1–2 ATS.OR.205(b)(4)
- Performed by personnel trained and competent for this task
- Complete list of harmful effects for all hazards — including implementation-phase hazards
- Risk contributions of all hazards and proxies evaluated
- Results expressed in terms of risk, proxies, or combination — comparable against safety criteria
- Evaluation: compare results against criteria accounting for uncertainty
- If criteria unsatisfied: abandon the change OR identify and apply additional mitigation
4.1
Risk analysis performed by personnel trained and competent for this task (AMC1 ATS.OR.205(b)(3))
4.2
Risk analysis narrative *
For each hazard: frequency/probability, accident trajectories, contributing factors, harmful effects, severity, overall risk. Reference hazard register. Include implementation-phase hazards.
4.3
Risk evaluation outcome
4.3 — Mitigation required — per AMC2 ATS.OR.205(b)(4): identify all functional system elements to be reconsidered and those parts of the safety assessment (steps (1)–(6)) that must be repeated.
4.4
Uncertainty statement
Per GM2 ATS.OR.205(b)(5) — where sequences or contributing factors are excluded, justify this and state resulting uncertainty.
4.5 Analysis coverage
4.5a
Harmful effects identified for all hazards, including implementation-phase hazards
4.5b
Risk contributions of all hazards and proxies have been evaluated
4.5c
Severity assigned to each harmful effect using the defined scheme
4.5d
Results compared against safety criteria, accounting for uncertainty
4.5e
Multi-actor coordination of severity schemes completed where applicable
Section 05 · ATS.OR.205(b)(5)
Verification
Verify the assessment corresponds to the full scope and that the change meets its safety criteria.
ATS.OR.205(b)(5) — IR
Verification that: (i) the assessment corresponds to the scope as defined in ATS.OR.205(a)(1); (ii) the change meets the safety criteria.
5.1 AMC1 ATS.OR.205(b)(5) — nine verification activities
5.1a
Full scope of change addressed throughout the entire assessment process — all changed and dependent elements identified
5.1b
Service behaviour complies with and does not contradict applicable requirements and certificate conditions
5.1c
Specification of service behaviour is complete and correct
5.1d
Specification of the operational context is complete and correct
5.1e
Risk analysis is complete per AMC1 ATS.OR.205(b)(3)
5.1f
Safety requirements are correct and commensurate with the risk analysis
5.1g
Design is complete and correct with reference to the specification and correctly addresses safety requirements
5.1h
Design that was analysed is the design that was implemented
5.1i
Implementation corresponds to that design and behaves only as specified in the given operational context
5.2 Safety case completeness — AMC2 ATS.OR.205(a)(2)
5.2a
The safety assessment has produced a sufficient set of non-contradictory valid safety criteria
5.2b
Safety requirements placed on elements changed and those affected by the change
5.2c
Safety requirements as implemented meet the safety criteria
5.2d
All safety requirements traced from criteria to the architecture level at which they are satisfied
5.2e
Each component satisfies its safety requirements
5.2f
Each component operates as intended, without adversely affecting safety
5.2g
Evidence derived from known versions of components, architecture, and known sets of products, data and descriptions
5.3
Verification notes
Section 06 · ATS.OR.205(b)(6)
Monitoring criteria
Specify monitoring criteria to demonstrate the safety case remains valid during operation. Applicable from entry into service only.
ATS.OR.205(b)(6) — IR
The safety assessment shall comprise the specification of the monitoring criteria necessary to demonstrate that the service delivered by the changed functional system will continue to meet the safety criteria.
AMC1 ATS.OR.205(b)(6)
- Monitoring criteria identified and documented within the safety assessment process
- Criteria are specific to the change
- (a) Assumptions made in the argument remain valid
- (b) Critical proxies remain as predicted and are no more uncertain
- (c) Other properties affected by the change remain within predicted bounds
- Monitoring is only applicable following entry into service
6.1
Monitoring register *
Parameters should be internal system indicators. Not applicable before entry into service.
| Ref | Parameter / indicator | Threshold | Frequency | Responsible | Addresses |
|---|
6.2
Monitoring approach notes
6.3 Monitoring coverage
6.3a
Monitoring criteria demonstrate assumptions made in the safety case argument remain valid
6.3b
Critical proxies included with measurable thresholds — remain as predicted and no more uncertain
6.3c
Other properties affected by the change bounded within limits predicted by the safety case
6.3d
Monitoring criteria are specific to the change and documented within the safety assessment
Safety case · ATS.OR.205(a)(2) & AMC1
Safety case summary
Complete assessment record — constitutes the safety case document per AMC1 ATS.OR.205(a)(2).
Inspector review · Pre-assessment
Change identification review
Verify the change is correctly identified and the notification triggers the safety assessment obligation under ATM/ANS.OR.A.045(a)(1).
I.0.1 Change identification 0/3
I.0.1a
The change has been notified in accordance with ATM/ANS.OR.A.045(a)(1) — the safety assessment obligation is triggered
I.0.1b
Service provider, NOC reference, change type, and change description are clearly identified
I.0.1c
Assessment lead and date are recorded — responsibility for the assessment is attributable
INSPECTOR FINDING — CHANGE IDENTIFICATION
Inspector review · ATS.OR.205(a)(1)
Scope of change review
Verify the scope covers all five mandatory elements and the iterative identification process has been applied.
I.1.1 Scope elements — ATS.OR.205(a)(1)(i)–(v) 0/6
I.1.1a
Equipment, procedural and human elements described — includes nature, functionality, location, performance, maintenance, training and responsibilities
I.1.1b
Interfaces between changed elements and the remainder of the functional system described — communication means, protocols, timing
I.1.1c
Interfaces between changed elements and the operational context described — including the airborne domain
I.1.1d
Life cycle from definition to entry into service addressed — installation, testing, trial, transition phases identified
I.1.1e
Planned degraded modes of operation are addressed
I.1.1f
Scope identification applied iteratively — directly and indirectly affected components identified until no new components found (GM2 ATS.OR.205(a)(1))
INSPECTOR FINDING — SCOPE
Inspector review · ATS.OR.205(b)(1)
Hazard identification review
Verify completeness — all four AMC2 categories addressed, credibility rationale applied, competent personnel used.
I.2.1 Completeness and process — AMC1 & AMC2 ATS.OR.205(b)(1) 0/7
I.2.1a
Identification targets complete coverage — any condition, event or circumstance that could individually or in combination induce a harmful effect
I.2.1b
Identification performed by personnel trained and competent for this task — confirmed in the assessment
I.2.1c
New hazards from failure of the functional system are addressed (AMC2(a)(1))
I.2.1d
New hazards from normal operation of the functional system are addressed (AMC2(a)(2))
I.2.1e
Existing hazards in the functional system affected by the change are addressed (AMC2(b)(1))
I.2.1f
Existing aviation hazards affected by the change are addressed (AMC2(b)(2))
I.2.1g
Credibility rationale applied — only hazards with a material effect on the risk assessment are included; exclusions are justified
INSPECTOR FINDING — HAZARD IDENTIFICATION
Inspector review · ATS.OR.205(b)(2)
Safety criteria review
Verify safety criteria are determined and justified in accordance with ATS.OR.210, are measurable, cover the scope, and are consistent with the SMS.
I.3.1 Criteria determination — AMC1 ATS.OR.205(b)(2) 0/6
I.3.1a
Risk analysis approach is stated — relative, absolute, proxy, or mixed — and is objective (numerically or otherwise)
I.3.1b
Safety criteria are measurable to an adequate degree of certainty
I.3.1c
The set of criteria covers the full scope of the change
I.3.1d
Criteria are consistent with the SP’s SMS safety objectives and KPIs
I.3.1e
Severity classification scheme satisfies AMC2 ATS.OR.205(b)(3)(a)–(f) — independent of cause, unique assignment, scalar, appropriate granularity, assignment rules, societal views
I.3.1f
Where proxies cannot be compared with acceptable certainty, risk is constrained and long-term actions are documented
INSPECTOR FINDING — SAFETY CRITERIA
Inspector review · ATS.OR.205(b)(3) & (b)(4)
Risk analysis and evaluation review
Verify the risk analysis is complete, conducted by competent personnel, covers all hazards including implementation phase, and the evaluation outcome is documented.
I.4.1 Risk analysis completeness — AMC1 ATS.OR.205(b)(3) 0/9
I.4.1a
Risk analysis carried out by personnel trained and competent to perform this task
I.4.1b
Complete list of harmful effects produced for all identified hazards (in terms of risk or proxies as applicable)
I.4.1c
Hazards introduced due to implementation are included and assessed
I.4.1d
Risk contributions of all hazards and proxies are evaluated
I.4.1e
Results expressed in terms of risk, proxies, or combination — comparable against the safety criteria
I.4.1f
Risk evaluation: results compared against safety criteria accounting for uncertainty (AMC1 ATS.OR.205(b)(4)(b))
I.4.1g
Uncertainty in the risk analysis is documented — assumptions, exclusions, and basis for estimates stated
I.4.1h
Risk evaluation outcome clearly stated — criteria satisfied, mitigation required, or change abandoned
I.4.1i
Where mitigation is proposed: affected functional system elements identified and assessment steps to be repeated specified (AMC2 ATS.OR.205(b)(4))
I.4.2 SWAL assessment — software involvement
Does this change involve new software, modified software, or COTS/NDI software? If yes, AMC3 and AMC4 ATS.OR.205(a)(2) apply and a separate software assurance review is required outside this tool.
Confirm whether software assurance obligations are triggered by this change:
INSPECTOR FINDING — RISK ANALYSIS & SWAL
Inspector review · ATS.OR.205(b)(5)
Verification review
Verify all nine AMC1 ATS.OR.205(b)(5) verification activities have been carried out and the safety case argument is complete per AMC2.
I.5.1 Nine verification activities — AMC1 ATS.OR.205(b)(5) 0/9
I.5.1a
(a) Full scope of change addressed throughout the whole assessment process
I.5.1b
(b) Service behaviour complies with applicable requirements and does not contradict certificate conditions
I.5.1c
(c) Specification of service behaviour is complete and correct
I.5.1d
(d) Specification of operational context is complete and correct
I.5.1e
(e) Risk analysis is complete per AMC1 ATS.OR.205(b)(3)
I.5.1f
(f) Safety requirements are correct and commensurate with the risk analysis
I.5.1g
(g) Design is complete, correct and correctly addresses safety requirements
I.5.1h
(h) Design that was analysed is the design that was implemented
I.5.1i
(i) Implementation corresponds to that design and behaves only as specified in the operational context
I.5.2 Safety case completeness — AMC2 ATS.OR.205(a)(2)
I.5.2a
Sufficient set of non-contradictory valid safety criteria produced
I.5.2b
Safety requirements placed on changed and affected elements
I.5.2c
Safety requirements as implemented meet the safety criteria
I.5.2d
All safety requirements traced from criteria to the architecture level at which satisfied
I.5.2e
Each component satisfies its safety requirements and operates without adversely affecting safety
I.5.2f
Evidence derived from known versions of components, architecture, and known sets of products and descriptions
INSPECTOR FINDING — VERIFICATION
Inspector review · ATS.OR.205(b)(6)
Monitoring criteria review
Verify monitoring criteria are specified, specific to the change, address all three AMC1 requirements, and are documented within the safety assessment.
I.6.1 Monitoring criteria — AMC1 ATS.OR.205(b)(6) 0/6
I.6.1a
Monitoring criteria are identified and documented within the safety assessment process
I.6.1b
Criteria are specific to this change — not generic monitoring already in place
I.6.1c
(a) Criteria indicate that assumptions made in the safety case argument remain valid
I.6.1d
(b) Critical proxies monitored with measurable thresholds — remain as predicted and no more uncertain
I.6.1e
(c) Other properties affected by the change bounded within limits predicted by the safety case
I.6.1f
Monitoring is only specified for post-entry-into-service — not applied to pre-operational phases
INSPECTOR FINDING — MONITORING CRITERIA
Inspector review · Overall
Overall assessment outcome
Summarise inspector findings across all sections and record the overall review outcome.
I.7.1 Overall review outcome
I.7.2 Inspector name / reference
I.7.3 Review date
I.7.4 Overall finding and rationale
I.7.5 Conditions / required actions