Safety regulation

commission

Annual Safety Report

2008
SAFETY REGULATION COMMISSION
COMMISSION DE REGLEMENTATION DE LA SECURITE

Annual Safety Report 2008

Corrigendum

Page 33

Replace;

“Accordingly, SRC has established a Task Force (TF) to evaluate the possible
options and their feasibility, incorporating the principles that:
° The oversight of ATFM shall be carried out as a requirement provided in
Commission Regulation (EC) N° 1315/2007 and ESARR 1;
° The oversight of FMP’s at national level will not exclude the oversight of
CFMU, and vice-versa;
° Once EASA is entrusted with ANS/ATM competencies, this will fall under its
responsibilities;
° For the time being the safety oversight required for CFMU in accordance with
Commission Regulation (EC) N° 1315/2007 and ESARR 1 has not been
entrusted to somebody. As such this gap, if no further action is taken, will
extend until the time when EASA is entrusted with ANS/ATM competencies
and is in position to exercise them;
° The Provisional Council is the ultimate body to take decisions on the safety
regulatory aspects of ATFM function.”

With;

“Accordingly, SRC has established a Task Force (TF) to evaluate the possible
options and their feasibility, incorporating the principles that:
° The oversight of ATFM shall be carried out as a requirement provided in
Commission Regulation (EC) N° 1315/2007 and ESARR 1;
° The oversight of FMP’s at national level will not exclude the oversight of
CFMU, and vice-versa;
° For the time being the safety oversight required for CFMU in accordance with
Commission Regulation (EC) N° 1315/2007 and ESARR 1 has not been
entrusted to somebody. As such this gap, if no further action is taken, will
extend until new arrangements are established;
° The Provisional Council is the ultimate body to take decisions on the safety
regulatory aspects of ATFM function.”

(***)
Chapter 1 - Introduction

by Jos Wilbrink,
Chairman
EUROCONTROL Safety Regulation Commission

In the field of ATM safety regulation, Europe is now facing a period of profound debate leading to institutional change. The
earlier proposals of the European Commission’s High-Level Group are now being translated into reality, and proposals for
the extension of the European Aviation Safety Agency (EASA) into ATM and ANS have now been launched.

At the same time, ATM safety regulation has been shown (and measured) to be subject to a number of factors which limit
the achievement of full and successful implementation. Principal amongst these is lack of adequate levels of manpower
and expertise across Europe as a whole, where ATM safety regulation is a new field into which sufficient numbers of trained
personnel have yet to be developed.

The expansion of EASA into ATM/ANS will significantly transform EUROCONTROL’s formal role in key areas of safety regulation.
EASA will be expected to gain a legal remit in these areas applying to those States, and those aspects of national operations,
subject to EC law. Nevertheless, for other EUROCONTROL and ECAC Member States, and for the Military in all States,
EUROCONTROL rules and activities will remain the only basis for cooperation/harmonisation at European level.

Institutional development is necessary, but will only be successful if safety is protected throughout the change process. In
addition, future developments in ATM, including SESAR, are introducing demands for significantly increased safety levels to
which safety regulation must make a significant contribution.

The role of EUROCONTROL’s Safety Regulation Commission (SRC) includes the assessment of overall safety performance
of the ATM system, provision of feedback of experience to the EUROCONTROL Organisation as a whole in order to promote
safety improvement, and raising issues of sufficient safety importance to require the attention of the EUROCONTROL
Organisation’s governing bodies - the Permanent Commission and Provisional Council (PC).

Throughout this period of evolutionary change, the SRC is committed to keeping a determined focus on continued and
improving safety. The further advances in safety measurement detailed in this Report, together with the analysis of key
safety issues, as well as the assessment of new ATM developments, demonstrate the direction in which safety work must
proceed if safety regulation is to be established on a robust and credible basis. The assurance of adequate safety is the key
to all other ATM developments.

Safety regulation commission Annual Safety Report 2008 1

2
Chapter 2 - Development of ATM Safety Regulation

This Chapter deals with the development of ATM safety
regulation across the ECAC area. Principal activities have
centred on the measurement of safety regulation implemen-
tation, through the ESARR Implementation Monitoring
and Support (ESIMS) Audit Programme and the ATM
Safety Framework Maturity Survey methodology.
Being a formal audit programme, ESIMS provides a detailed
analysis of the level of compliance with all safety oversight
mandatory provisions applicable in the Member States. It
also enables the development of Corrective Action Plans
to address the deficiencies identified. ESIMS is operated in
coordination with the ICAO USOAP.
The ATM Safety Framework Maturity Survey complements
that picture with information resulting from a self-assess-
ment conduced against a benchmark of best practices
beyond the strict application of mandatory provisions.
Results from ESIMS Audits
ESIMS Programme
Since 2005 the renewed ESIMS Programme has focused
on auditing the State’s ATM safety oversight capabilities.
The programme has ceased to be primarily ESARR-based
and now focuses on all applicable safety oversight regula-
tions.
The audits cover the relevant legislative and institutional ar-
rangements, the ATM safety regulations in place, the safety
regulatory arrangements and their capacity (policy and
principles, procedures for rulemaking, safety oversight and
personnel licensing, and resources and staff competency).
On-site audits are followed by the development of a State’s
Corrective Action Plan, which is incorporated into the Final
Audit Report.

On 1st October 2008, twenty one-site audits had been completed as follows:

State On-site Audit Final Audit Report

DENMARK November 2005 Released April 2006
HUNGARY December 2005 Released April 2006
MALTA March 2006 Released September 2006
SPAIN April 2006 Released November 2006
THE NETHERLANDS April 2006 Released December 2006
PORTUGAL June 2006 Released November 2006
SLOVAKIA October 2006 Released May 2007
SLOVENIA November 2006 Released May 2007
FRANCE February 2007 Released September 2007
FINLAND March 2007 Released September 2007
ICELAND June 2007 Released January 2008
UK July 2007 Released January 2008
AUSTRIA September 2007 Released March 2008
ROMANIA October 2007 Released May 2008
SWEDEN November 2007 Released June 2008
SWITZERLAND December 2007 Released September 2008
LITHUANIA February 2008 Under development
IRELAND March 2008 Released September 2008
LATVIA April 2008 Under development
THE FORMER YUGOSLAV
July 2008 Under development
REPUBLIC OF MACEDONIA
NOTE: Three additional audits will take place by the end of 2008 (Bulgaria, Serbia and Croatia). Seven have been scheduled for 2009 (Cyprus, Estonia,
Czech Republic, Bosnia & Herzegovina, Norway, Poland, Monaco). In addition two follow up audits have also been scheduled for 2009 (Malta, Hungary) to
check the implementation of corrective actions.

Safety regulation commission Annual Safety Report 2008 3

 CE
-2 Primary
Aviation

CE

-
St s O n

3
at tem ve s
Legislation

Sy ty ctio
gu rat fic

e
Sa F
lat ing

Av an sigh
Re pe eci

fe un
ns

iat d t
O p

io
S

io
n
r

Technical Guidance,
Tools & provision
ESTABLISH

Personnel
Technical

of Safety
Qualified

Training

Critical
CE-4

CE-5
and

Info
IMPLEMENT
The Memorandum of Cooperation signed in 2005 between to avoid overlaps and take advantage of the synergies

Li rtifi risa rov s

Ce tho pp tion
ce ca ti al
ICAO and EUROCONTROL regarding safety oversight au- between programmes. In addition, ICAO SOA has been

io e
Au d A liga

ns tio on

at c
ig lan
in n,
an b
diting ensures that coordination takes place between ICAO/ given full access to the ESIMS audit reports, while ESIMS

ns
g,

bl veil
SOA and SRU at working and programme management Ohas full access to IUSOAP audit reports;

r
Su
Resolution of
level1. ESIMS and IUSOAP audit schedules are coordinated

O
Safety
-6
CE
CE

-7
Concerns

ICAO Model – Eight Critical Elements of a State’s Safety Oversight System

CE-8

CE-1
ICAO Model
The Eight Critical Elements of a State's Safety Oversight System
CE
-2 Primary
Aviation
CE

-
St s O n

3
at tem ve s
Legislation Sy ty ctio
gu rat fic

e
Sa F
lat ing

Av an sigh
Re pe eci

fe un
ns

iat d t
O p

io
S

io
n
r

Technical Guidance,
Tools & provision
ESTABLISH
Personnel
Technical

of Safety
Qualified

Training

Critical
CE-4

CE-5
and

Info

IMPLEMENT
Li rtifi risa rov s
Ce tho pp tion
ce ca ti al

io e
Au d A liga

ns tio on

at c
ig lan
in n,
an b

ns
g,

bl veil
O

r
Su

Resolution of
O

Safety
-6
CE
CE

-7

Concerns

CE-8

ICAO Model
The Eight Critical Elements of a State's Safety Oversight System

There is a correspondence between the areas reviewed
in an ESIMS audit and the Eight Critical Elements (CEs)
of a State’s Safety Oversight System as defined in ICAO
Doc 9734-Part A, ‘The Establishment and Management of
a State’s Safety Oversight System’. The eight critical ele-
ments provide ICAO with the model used by IUSOAP to
ESTABLISH
audit the safety oversight capabilities of a State. ESIMS au-
dits use a series of protocol questions covering the whole
scope of the audit. Findings are raised against one or more
protocol questions and each protocol question is associated
with ICAO’s Critical Element.

IMPLEMENT

1- Five SRU auditors are currently qualified as IUSOAP auditors. Since 2005, they have been seconded to ICAO to take part in 13 IUSOAP audits, included those conducted in Austria, Poland, Ukraine,
Russian Federation and Denmark in 2008. In 2009, SRU auditors will be seconded to ICAO to take part in the IUSOAP audits to Lithuania, Portugal, Albania and FYROM.

4
 CE 2 - Specific Operating Regulations

CE 3 - State Civil Aviation System and Safety Oversight Fuctions

CE 4 - Technical Personnel, Qualifications and Training

CE 5 - Technical Guidance, Tools and Provision of Safety Critical Information

CE 6 - Licensing, Certification, Authorisation and/or Approval Obligations

CE 7 - Surveillance Obligations

When considering the sample of 15 ESIMS audits for which

CE 8 - Resolution of Safety Concerns
the Final Audit Reports had been released in August 2008,
the aggregated scores obtained against the ICAO model
are as follows:

Percentage of audit protocol questions declared compliant

ICAO Critical Elements 0 10 20 30 40 50 60 70 80 90 100

CE 1 - Primary Aviation Legislation

CE 2 - Specific Operating Regulations

CE 3 - State Civil Aviation System and Safety Oversight Fuctions

CE 4 - Technical Personnel, Qualifications and Training

CE 5 - Technical Guidance, Tools and Provision of Safety Critical Information

CE 6 - Licensing, Certification, Authorisation and/or Approval Obligations

CE 7 - Surveillance Obligations

CE 8 - Resolution of Safety Concerns

Level of compliance with Requirements

Compliance with mandatory provisions established at national
or international level which relate to an ICAO Critical Element
(arithmetic mean for 15 audited Member States)

These scores are significantly similar to those included in
the SRC Annual Safety Report in 2007 for a sample of 10
audits, although they show slight progress in Critical Ele-
ment 2 (specific operating regulations) and Critical Element
5 (Technical Guidance and Tools)
Nevertheless, it is worth noting that Critical Element 2
(specific operating regulations) still obtains the lowest
score. The problems raised by the transposition of ESARRs
into EC law and the associated “Double Regulation” were
already identified in the analysis of the relevant non-com-
pliances presented in the 2007 Report as the primary
reason for that scoring.
The areas of primary aviation legislation and technical
personnel qualification and training remain with the high-
est level of compliance with the regulatory requirements
(compliance at levels exceeding 90%).
It should also be noted that the percentages reflect the
compliance with the relevant mandatory provisions in
force at the time of the audit, not the maturity of the safety
oversight system. Findings raised in the form of obser-
vations indicating areas for improvement do not count in
these percentages.

Safety regulation commission Annual Safety Report 2008 5

Implementation of ESARR 1 and Commission
Regulation (EC) N° 1315/2007
ESARR 1 and its equivalent EC rule, Commission Regu-
lation (EC) N° 1315/2007, set the pan-European require-
ments applicable to the safety oversight function exercised
by NSAs as from November 2007. These requirements pro-
vide many of the audit protocol questions reviewed during
an ESIMS audit and only a measurement against ESARR 1
can give a comprehensive view of the level of maturity of the
safety oversight system.
However, out of the sample of 15 audit reports released,
The diagram above shows a measurable gap between the
situation evaluated before the entry into force of ESARR
1 and Member States’ obligations effective from No-
vember 2007. The difference identified by the CE analysis
shows the importance of safety oversight improvement by
National Supervisory Authorities, and supports the need for
continued and enhanced action in this area. In particular,
the analysis shows the gap is significant with regard to
the ICAO Critical Elements related to the effective imple-
mentation of safety oversight processes by NSAs (critical
elements
10 5, 6, 7 and 8).
9
8

only three relate to audits conducted at a time at which ES- Progress

7 of Corrective Action Plans
ARR 1 was mandatory. Consequently the above aggregat- 6

ed scores do not reflect the overall level of implementation A key

5 feature of the ESIMS process is the development and
4 Audited States
of ESARR 1 except wherever mandatory provisions existed implementation of Corrective Action Plans (CAPs) by States.
Audited States’ Average if ESARR 1
3
previously at national level to implement aspects related to The CAPshadaddress the
been applicable deficiencies
at the
15 audits were conducted
time all revealed in the audit pro-
2
ESARR 1. Nevertheless, it should be noted that although cess. They are incorporated into the final audit report, which
1
findings raised against ESARR 1 were classified as non- also includes an evaluation of their effectiveness by SRU.
0
conformities in those three audits, this has not significantly CE CE CE CE CE CE CE CE
modified the overall 2007 scores. The following graph is based on the reports received from
10 States previously audited by ESIMS, and shows the
As explained in the 2007 Report, an analysis of the findings progress made in the implementation of corrective actions.
revealed in the form of observations related to the ESARR
1 shows that if all the ESIMS audits had taken place with 100

ESARR 1 being fully applicable at the time of the audit, the 90

result would have been significantly different. In that hypo- 80

thetical scenario, the number of non-compliances revealed 70

60
would have increased as shown in the following diagram:
50 Level of compliance with mandatory
provisions in force at the time of the
40 audit

30 Progress of implementation of corrective

10 actions reported by States in September
20 2008
9
10
8
0
7 CE-1 CE-2 CE-3 CE-4 CE-5 CE-6 CE-7 CE-8
6
5
2008 Progress in implementation of Corrective Actions
4 Audited States
as reported by States
Audited States’ Average if ESARR 1
3
had been applicable at the time all
2 15 audits were conducted

1
The reports forwarded by States are based on their self-
0
assessment of the progress made. The ESIMS process
CE CE CE CE CE CE CE CE foresees the possibility of arranging follow up audits to
double-check this aspect. Nevertheless, due to resource
Level of Compliance per ICAO Critical Element considerations, the ESIMS Programme will confine itself to
scheduling a limited number of follow-up audits by select-
ing a sample of two or three States per year. The first two
100 follow-up audits will take place in 2009.
90
80
70
60
50 Level of compliance with mandatory
provisions in force at the time of the
40 audit
6 30 Progress of implementation of corrective
actions reported by States in September
20 2008

10
0
CE-1 CE-2 CE-3 CE-4 CE-5 CE-6 CE-7 CE-8
Top Non-Compliances Revealed by ESIMS
Audits
In this sample of 15 audits, a number of audit protocol
questions were declared non-satisfactory in most cases
due to a lack of compliance with mandatory provisions in
force at the time of the audit. From the analysis of these
“top non-compliances” it can be concluded that at the time
of being audited:
❍❍ 11 out of 15 audited States had not issued appropriate
safety rules for engineering and technical person-
nel undertaking safety-related tasks as required in
ESARR 5, Section 5.3.2.1 and the equivalent Article
8 of Commission Regulation (EC) N° 2096/2005.
❍❍ Nearly 70% of States audited had no rule in place to
fully transpose ESARR 4 into their applicable regu-
latory framework or had not verified in an effective
manner its implementation by ANSPs.
❍❍ The same number of States did not take sufficient
actions in order to establish and verify a safety base-
line defining acceptable levels of safety as required
in ICAO Annex 11, section 2.27.
❍❍ 60% of States did not fully implement ESARR 2 re-
quirements.
A more detailed analysis of the audit findings related to each
ICAO Critical Element leads to the following summary:
■■ CE1 (Primary Aviation Legislation) - The level
of implementation remains very high. the most
problematic area is the determination of sanctions
for infringements of SES requirements, required in
Regulation (EC) N° 549/2004.
■■ CE2 (Specific Operating Regulations) – In this
area the situation has progressively improved in
parallel with the transposition of ESARRs into EC
law. It is worth noting that more than 30% of all the
deficiencies found related to the States’ progress
in the publication and implementation of regulations
compliant with ESARR 2. In addition, the majority of
the audited States did not issue appropriate safety
rules for engineering and technical personnel who
undertake operational safety tasks.
Safety regulation commission Annual Safety Report 2008
■■ CE3 (State Aviation System and Safety Over-
sight Functions) - The results show that more than
50% of all the non-compliances discovered in CE-3
concerned the institutional arrangements for safety
oversight. A number of Member States audited had
problems with identifying and establishing appro-
priate arrangements as regards the responsibili-
ties, interfaces and coordination necessary for the
implementation of ESARRs, being ESARR 2 and
the ESARR 5 provisions for engineering/technical
personnel the most problematic ones.
■■ CE4 (Qualified Technical Personnel and
Training) - More than 70% of all non-compliances
related to a lack of sufficient personnel or deficien-
cies with regard to training or required qualifications.
Nevertheless, the resulting level of implementation
of CE-4 requirements was very high in the audited
States.
■■ CE5 (Technical Guidance, Tools and Provision
of Safety Critical Information) - The highest
number of issues was raised as regards the lack of
formal requirements for initial ATC training courses
to satisfy as a minimum the ECAC guidelines for
Common Core Content training. More than 30% of
the States were not able to assist their ANSPs in
identifying safety related tasks.
■■ CE6 (Licensing, Certification, Authorisation and
Approval Obligations) - More than 40% of non-
compliances were related to the NSAs’ processes
to verify the implementation by ANSPs of the on-
going ATCOs competency assessment. 33% of the
States audited did not implement proper procedures
to ensure such verification and did not alternatively
require ATC units to have procedures approved by
the Authority to ensure the ongoing competence of
ATCOs. Significant problems exist as well as regards
the approval of ATC unit training plans.
■■ CE7 (Surveillance Obligations) - More than 25%
of the non-compliances related to a lack of on-go-
ing verification of the implementation of ESARRs, or
their corresponding EC rules wherever applicable,
by ANSPs. In addition the ongoing safety oversight
of aspects related to engineering and technical staff
was not satisfactory in 11 out of 15 audited States.
7
 Top percentage of the deficiencies found for each Critical Element
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

CE 2 - Progress in publication and implementation of regulations

compliant with ESARR2

CE 3 - Institutional arrangements

CE 4 - Safety oversight Capabilities - general principles and resources

+ personnel competency

CE 5 - Required conditions for granting licences/certificates

■■ CE8 (Resolution of Safety Concerns) - 40% of
all the non-compliances were related to the lack,
CE 6 - On-going ATCO competency
or inappropriate use, of the analysis of ATM safety
occurrences for safety regulatory to improve regu-
CE 7 - Verification of the implementation of ESARR2, ESARR3, ESARR4
latory& decision-making
ESARR5 ESARR6 and other safety regulatory
processes. 11 out of 15 audited States did not de-
CE 8 - Use fo reporting and analysis of ATM safety occurences for
velop properly safety recommendations, interven-
safety regulatory matters
tions and corrective actions, nor did they monitor
effectively their implementation.

Top percentage of the deficiencies found for each Critical Element

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

CE 2 - Progress in publication and implementation of regulations

compliant with ESARR2

CE 3 - Institutional arrangements

CE 4 - Safety oversight Capabilities - general principles and resources

+ personnel competency

CE 5 - Required conditions for granting licences/certificates

CE 6 - On-going ATCO competency

CE 7 - Verification of the implementation of ESARR2, ESARR3, ESARR4

ESARR5 & ESARR6

CE 8 - Use fo reporting and analysis of ATM safety occurences for

safety regulatory matters

Sub section of each Crtical Element

with the highest number of non-conformities found

8
Pan-European Problems Detected
The following ‘Generic Findings’ stemming from the ESIMS
audits appear to indicate the existence of some pan-Euro-
pean issues requiring action at European level:
❍❍ Lack of arrangements for the safety oversight of
ATFM and ASM by NSAs, notably in the case of
the ATFM elements operated centrally by CFMU.
As already explained in the 2007 Report, this issue
was raised at SRC by the Members States audited in
ESIMS and various actions were taken to define an
approach to this matter at European level. However,
at this moment no solution has been implemented
yet. This aspect becomes more relevant after the
entry into force of ESARR 1 and Commission Regu-
lation (EC) N° 1315/2007 requiring the NSAs to ex-
ercise their safety oversight function also with regard
to ATFM and ASM organisations.
❍❍ Problems related to the implementation of some
ESARR provisions, where specific aspects
complicated the transposition of ESARR into
EC law (e.g. ESARR 4 Risk Classification Scheme
and ESARR 6). Nevertheless significant improvement
may follow in these areas as a result of the publi-
cation of Commission Regulation (EC) N° 482/2008
transposing ESARR 6 into EC law and the current
activities undertaken by the EC regarding the Risk
Classification Scheme Mandate given to EURO-
CONTROL.
❍❍ Lack of formalisation of safety oversight arran-
gements as regards cross border situations,
which appears to be a constant issue across
Europe;
❍❍ Poor implementation by NSAs of safety over-
sight of changes. This area appears to require
particular attention and support to facilitate the new
NSAs obligations as regards the acceptance of new
systems and changes to existing systems.
❍❍ Lack of specification of enforcement measures
for infringements to SES by certified providers as
required in the relevant SES regulations.
Safety regulation commission Annual Safety Report 2008
Military Aspects of ESIMS Audits
The ESIMS Programme was adopted on the basis of
Article 6.1 of the EUROCONTROL Amended Convention.
As its object is the auditing of the States’ safety oversight
capabilities, the scope of ESIMS audits also comprises the
military ATM safety regulatory arrangements. Hence, all
through the ESIMS Programme the (voluntary) co-operation
of military authorities is sought to implement this principle.
Due to varying levels of involvement of the Military in the pro-
vision of services to GAT, the depth of the audit activities
differs, ranging from instances were no audit activities take
place due to the Military not being involved in GAT, to cases
– e.g. UK and France – where the Military actively co-operate
in a comprehensive survey of their safety oversight arrange-
ments as part of the ESIMS audit of the State.
In late 2007 the Air Component of the Belgian Armed
Forces (COMOPSAIR) requested EUROCONTROL to
audit the Military ATM System in Belgium, in preparation
of its projected certification request to the Belgian Na-
tional Supervisory Authority for ANS (BSA-ANS). Indeed,
an increasing number of military authorities recognise
the requirement for adherence to internationally accepted
standards and the related conditions for certification, the
verification of the applicability (or otherwise) of SES Legisla-
tion and ESARRs and/or their enforcement within the military
ATM organisation.
Hence, COMOPSAIR was subject to an inclusive ESIMS
Audit in July 2008, the primary objective being to assess
the effectiveness of the implementation of its safety over-
sight system. The audit did not cover any aspects of the
service provision to OAT; nevertheless, operational over-
sight and supervision were found to be ensured via a com-
prehensive scheme of local, national and NATO exercises,
inspections and evaluations.
Whereas the audit of COMOPSAIR represents a resolute
step forward in the co-operation with States’ military
authorities, this audit was not part of the regular audit
schedule. Also, the final audit report, currently under de-
velopment, will only be forwarded to the Belgian Military
and its further distribution left to the discretion of the Air
Component Commander.
9
2008 ATM Safety Framework
Maturity Survey 100 Maturity score

90

80

The independent ATM Safety Framework Maturity Study, The

70 2008 ATM Safety Framework Maturity Survey is the
first commissioned in 2002 and repeated in 2004, 2006 fifth
60 survey of its type conducted. The results of the 2008

and 2007 was again conducted in 2008 within the scope survey
50 establish the extent of the progress made by the
of the European Safety Programme for ATM (ESP). The ANSP
40 and Regulator in each ECAC State withANSP respect
2002
to
ANSP 2007
participation from States in this year’s survey was very high, the
30 implementation of ATM safety requirements and ob-
ANSP 2008

with all 42 ECAC ANSPs and 39 out of 42 Regulators re- ligations.

20
The results for the 2008 survey again show an
turning questionnaires. encouraging
10
increase in overall implementation of require-
ments,
0
0
as shown
0.2
on the 0.4
graphs below
0.6
. 0.8 1
Normalised State count

100 Maturity score 100 Maturity score

90 90

80 80

70 70

60 60

50 50

40 ANSP 2002 40 Reg 2002

ANSP 2007 Reg 2007
30 30
ANSP 2008 Reg 2008
20 20

10 10

0 0
0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1
Normalised State count Normalised State count

ANSPs average maturity for all study area Regulators average maturity for all study area
100 Maturity score

90

80
The ANSP average has risen from a baseline 55% in 2002, 76% in 2007 to 81% in 2008. For the Regulators these figures
70
are 52%, 70% and 75% respectively. There has again been strong growth in the mid-range (50%-80%). The year on year
60
increases are shown in the table below2.
50

40 Reg 2002
Reg 2007
30
Reg 2008
Overall average maturity (%)
20

10 ANSPs Change Regulators Change

0

2002
0
SSAP0.2Survey 0.4 0.6 0.8
55 1
53
Normalised State count

2004 SSAP Survey 62 +7 62 +9

2006 SSAP Survey 70 +8 65 +3
2007 Survey 76 +6 71 +6
2008 Survey 81 +5 75 +4
Total change 2002 - 2008 - +26 - +22

The reasons attributed to the increases include improved familiarity with the requirements and activities that were previously
described as ‘developing’ are now classified as maturing.

2- 2004 & 2006 data omitted to improve clarity.

10
Less positively, some States still report major concerns with
double ATM regulation and many States say that there is a
glut of regulations from European institutions that has cre-
ated difficulties for States trying to follow them. At State
level there is often a lack of legislative resource, within the
Regulator or the Ministry responsible for aviation, capable
of understanding and implementing new regulations.

As in previous years, Regulators continue to recognise that

they are finding it difficult to attract and retain competent
resources and this is associated with lack of adequate lev-
els of funding. In some organisations the lack of funding
also effects the provision of training to existing staff, which
undermines the Regulator’s ability to fulfil, efficiently and ef-
fectively, its obligations.

The key difficulties for ANSPs this year can be categorised

as cultural and technical. On cultural issues problems are
reported in overcoming concerns with no-blame reporting
systems and in accepting that the public has a right to
safety performance data. On technical issues there is
lack of understanding of safety targets and how to develop
appropriate performance indicators.

Changing attitudes towards a ‘Just Culture’ is a continu-

ing issue and is proving to be a slow process, particularly
where States have a different attitude to how people who
make errors should be treated. States that are having dif-
ficulties in this area may continue to do so for some time,
particularly where organisational culture differs (or tries to
differ) significantly from National norms.

States continue to have difficulties in establishing target

levels of safety and also struggle to explain the concept and
data to the public. At the moment many organisations seem
reluctant to publish anything on target levels of safety.

The maturity surveys will be repeated in 2009 by when all

participants will be expected to have achieved at least the
70% maturity level. From 2010 a new methodology and
process is being developed with stakeholders that will con-
centrate on assessing Safety Key Performance Indicators,
Single European Sky requirements and the ICAO 8 Critical
Elements.

Safety regulation commission Annual Safety Report 2008 11

12
Chapter 3 – ATM Safety Performance

This Chapter deals with the measurement of safety performance for the ECAC area, and presents the aggregated results
of safety reporting by States.

SAFER
The Safety Analysis Function EUROCONTROL and associated Repository – SAFER - system is EUROCONTROL’s principal
tool in its safety data analysis work, and consists of a European ATM Safety Data Repository, fed by a system of regulatory
and voluntary data flows. Integrated analysis forms the basis for safety improvement measures and initiatives.

SAFER is designed to provide the ATM component of the EC’s aviation-wide reporting system, based on ECCAIRS. The
output of these activities play a key role in safety improvement (both in safety regulation and safety management).

Mandatory Data Flow Safety

Regulation SAFER “SAFER” Outputs
(Member States) including
Commission

Common ■ Safety Peformance Indicators

ATM - Safety Analysis ■ Safety Statistics
Repository Function ■ Key Risk Area Identification
■ EATM Programmes
Implementation Monitoring
Voluntary Data Flow EUROCONTROL
(Airspace users/ ANSP’s) Agency

In partnership with the EUROCONTROL Agency, SRC is Implementation of ESARR 2

constantly seeking to improve both the quality and report-
ing frequency of ATM safety data with the ultimate objective
of a swift and potentially on-line dataflow, thus enhancing
the ECAC safety performance measurement through:
■■ a more timely analysis process, permitting increased
safety analysis resulting in up-to-date safety reports
that include safety trends and key risk area infor-
mation, as well as development of Safety Key Per-
formance Indicators (KPIs) to report to the aviation
community on European ATM Safety performance.
Further progress in implementing the requirements
of ESARR 2 is indicated by the reports submitted to
EUROCONTROL by States in 2008 (covering the period
to end 2007). In a number of Member States the achieved
progress is a result of combined efforts related to the de-
velopment, introduction and implementation of national
regulations related to ESARR 2 and EC Directive 2003/42.
However ESIMS audits have indicated that there are still a
number of issues requiring States’ attention to achieve full
compliance with ESARR 2, including:

■■ meaningful inputs to safety improvement initiatives
for the ATM system in an increasingly sound and
reliable manner.
At present, these aims are being met to a limited extent.
While the quality of data being made available by stake-
holders continues to improve, the amounts of data within
the indicated flows continues to be restricted and a signifi-
cant number of States still fail to report.
❍❍ In a number of ECAC States, although some prog-
ress was noted, there is a remaining lack of a “Just
Culture” environment with regard to reporting of oc-
currences and although this most important issue is
being dealt with at all relevant levels, progress is still
disappointingly slow.
❍❍ The continued lack of resources and qualified staff
at national level, dedicated to safety data collection
and analysis

Safety regulation commission Annual Safety Report 2008 13

In the reporting session of March 2008, 27 Member States
reported AST data covering reporting year 2007. Three
States which have reported in 2007 have failed to do it in 2008
due to change in the AST Focal-Point (AST-FP) function.
To date, AST-FP’s have been nominated in 34 cases (33
States and one multi-national service provider). In the re-
porting period, there were two new Focal Points nominat-
ed in States where this function was not assigned before.
However, in 11 cases, this did not result in an AST report
being submitted to EUROCONTROL covering 2007. These
States are Armenia, Bosnia-Herzegovina, Bulgaria, Cyprus,
Croatia, Greece, Luxembourg, Monaco, Slovenia, Turkey,
Ukraine. Ten ECAC States have still to nominate AST Focal
Points, five of which are EUROCONTROL Member States
(Bosnia-Herzegovina, Bulgaria, Croatia, Montenegro and
Ukraine).
20 States per category
Level of Reporting Less than half of the baseline
More than half of the baseline
15 Above Baseline
Analysis shows a higher number of occurrences reported
and investigated, indicating a better and more mature re-
10
porting system. For each State, the level of reporting is
measured by normalising the total number of incidents
against
5 the number of flight hours in the State.
The level of incident reporting varies between States. Tak-
ing the 2003 ECAC level as a baseline3, an improvement of
the level of reporting is measurable since that time.
In 2007 a number of States reported an increased number
of ATM related incidents, some even at twice the level of
2006. It is interesting to note that the increase happened
also in States with a mature reporting system. This is evident
in the graph above, where the number of States reporting
now at a level above the baseline has increased from 13
to 15 (after another significant increase last year). For the
first time the number of States reporting above baseline is
higher than those reporting under the baseline.
The increased level of reporting is arguably supported by
introduction of new regulations by which a just culture en-
vironment is established in those States. Furthermore the
implementation of these new provisions by the ANSPs
drives the level of reporting up, thus significantly improving
the visibility of safety issues in those States.
For these reasons, it is crucial that States and EURO-
CONTROL maintain the focus on the implementation of
ESARR 2 and related EC Directives and the establishment
of a just culture environment.

The numbers of ATM related incidents used in the analysis Overall, the figures show a progressive improvement in
0
are derived
2001 directly
2002 from
2003 the 2004
AST report
2005 sent2006
by the2007
State reporting maturity. It also shows that the number of States
to EUROCONTROL SRC. The numbers in the graph show reporting has reached a plateau level beyond which
those States which have submitted AST reports and for EUROCONTROL may find it difficult to move.
which exposure data is available.
To improve the national and European reporting levels,
States who do not currently report to EUROCONTROL
20 States per category should implement full reporting in accordance with the
Less than half of the baseline ESARR 2 arrangements and related EC Directives, in-
More than half of the baseline cluding the establishment of a just culture environment.
15 Above Baseline
A recommendation to this effect will be made to the
EUROCONTROL Permanent Commission.
10

0
2001 2002 2003 2004 2005 2006 2007

Level of reporting ATM related incidents

Baseline 2003

3- Total number of ATM related incidents normalised against total flight hours for the States which submitted AST.

14
Under-Reporting to be included in a successful intermediate SRC Safety Re-
port presented at PC29 in May 2008.
3000
Average best 3 reporters To provide a more timely ECAC-wide measurement of ATM
(2001-2007)
2500 safety performance, the system now needs to be extended
Average ECAC rate
to all States, and a decision of PC29 was for States to in-

improvement
2000
troduce twice-yearly reporting with effect from September
2008 onwards.
Area of
1500

1000
Integration of Provision of Altitude Deviation
500 Data in the AST
0
2001 2002 2003 2004 2005 2006 2007 The ESARR 2 AST data currently provide considerable
information on the causes of altitude deviation incidents.
These are included in safety occurrence categories such
Current reporting levels and possible reporting levels as Level Busts, but are not sufficient to estimate the level
Number of incidents per million flight hours of risk specifically with respect to occurrences in RVSM
airspace. Further steps are therefore required in order to
As seen in the graph, the level of reporting varies widely provide a robust, mandatory and ongoing basis for altitude
3000
between States and with time. If we take the three States deviation reporting in support of RVSM operations.
Average best 3 reporters
which
2500 have the highest reporting rate and average them
(2001-2007)

between Average ECAC rate

the years 2001-2007, we find that they are at a A proposal to expand the AST to capture minimum informa-
reporting level 3.45 times the ECAC average. This is an in- tion to be used for RVSM monitoring purposes is currently
improvement

2000

crease from the average of 2001-2006, showing that the being progressed. See Chapter 4 below for further details
Area of

1500
best reporters are moving to an even higher reporting rate. regarding RVSM Safety Monitoring and the rationale for the
Applying
1000 this rate to all ECAC States we can calculate a possi- integration of Altitude Deviation Data in the AST.
ble
500
number of incidents that could have been reported. In this
way the number of incidents we receive in the AST each year
is in0 the region of 30% of the possible number of incidents,
2001 2002 2003 2004 2005 2006 2007
had all the States reported at the level of the “best” reporters.

Increased Reporting Frequency

In February 2007, it was agreed to trial an enhancement

to the AST reporting system by the inclusion of a second
reporting cycle (i.e. a second AST reporting session) in
September of each year. Each September AST reporting
session would therefore produce two reports per State:

■■ one AST to update the data for the year before (as
required),

■■ one AST containing the initial data covering the first

half of the respective year.

This allows intermediate reporting to PC in May of each

year in addition to the analysis presented in the SRC’s An-
nual Reports each November. The first trial took place in
September 2007 with 15 States reporting where the initial
sample of States participating in the trial was encouraging
and sufficiently statistically significant to enable the analysis

Safety regulation commission Annual Safety Report 2008 15

 Total 2005 = 88 (fatal 19)
Total 2006 = 99 (fatal 15)
6
Provisionnally 2007
10 Total = 77 (fatal 9)
4
Total Fatal
8 Total
2
Total ATM Contribution

6
0
Mid-Air CFIT GND Collision
4 collision acft -ground
acft-acft object

ECAC ATM CFIT

Mid-Air
SafetyGND
Performance
collision
Airborne-
Ground
GND
acft-other
10

Indicators for 2007acft-acft

8
Total Fatal
Total
Total ATM Contribution

Accidents 6

4
Accidents - Overall Numbers
2
10

2005 2006 2007 0

8 Mid-Air CFIT GND Airborne- GND
Total 2005 = 88 (fatal 19) collision Ground acft-other
Total 2006 = 99 (fatal 15) acft-acft
6
Provisionnally 2007 7
Total = 77 (fatal 9)
4 6 Number
Total of
Fatalaccident per category

2007Total
figures
5
2
4
0
Taken overall, in recent past years Collisions on the Ground
3
Mid-Air CFIT GND Collision (either between aircraft or between aircraft and vehicle/
collision acft -ground obstacle)
2 constitute the majority of accidents indicated as
acft-acft object
having an ATM contribution, and represented the totality
Number of accident per category 1
of those in 2007. For this reason, this category will be kept
aircraft with MTOW above 2250 kg 0
under 2003
close scrutiny
2004 in the future.
2005 2006 2007
10
Based on the AST reports (all 2007) and the data avail- For the category of CFIT, 2007 has shown a decrease over
able fromTotal
ICAOFatal
(covering all 2007) one accident was indi- 2006 (from 7 to 4). Three of the four CFIT accidents were
8 Total
cated as Total
having a Direct ATM Contribution. This concerned
ATM Contribution fatal but none of them had either a direct or indirect ATM
a 6non-fatal collision on the ground between aircraft and a contribution. CFIT remains the second most-significant cat-
vehicle which took place in December. egory (after Collisions on the Ground).
4
Three accidents were shown to have an Indirect ATM con-
7
tribution
2 - one reported as being a collision on the ground
Total Fatal
between aircraft and two reported as collisions on the 6
Total
0
ground between aircraft and vehicle/person/obstruction(s). 5
Mid-Air CFIT GND Airborne- GND
In 2006 an increase in overall numbers
collision of accidents
Ground was
acft-other
4
observed, but for 2007 a acft-acft
decrease is indicated together
with a decrease in fatal accidents. 3

2
Accident Categories
1

0
Notably, for aircraft with a MTOW (Maximum Take-Off
2003 2004 2005 2006 2007
Weight) of greater than 2250Kg, no Mid-Air collisions were
reported for 2007 whereas four CFIT accidents were re-
ported, of which three were fatal. Number of accident per category
2007 figures
For 2007, the updated data again show that the most sig-
nificant accident category is collision between aircraft and
vehicle/person/obstruction(s). The analysis also confirmed
that the actual and potential ATM involvement in accidents
is highest in this category.

16
900

800

700
900
600
800
500
700
400
600
300
500
200
400 120
100
300
0 100
200
2002 2003 2004 2005 2006 2007
100 80
Incidents
0 The reported data for 2007 demonstrate an increase of the
60
2002 2003 2004 2005 2006 2007 total of ATM related incidents of 8.4% which, compared
The classification of with40 the previous
AA - Total year,
inabilityisto above theATM
provide safe level of traffic growth
service
ATM-related
60 incidents A - Serious Incident (in the ECAC A -area
Seriousininability
2007;toincrease
provide safeapprox. 7% in terms of
ATM service
20 B - Partial inabilityinto provide
is based on the severity B - Major Incident flight duration and 5.3% termssafe ATM serviceof flights).
of number
50
of their effect on the safe C - Significant Incident C - Ability to provide safe but degrated ATM service
0
60
operations
40 of aircraft and E - No significant safety effect risk Ebearing
For the1999 - No effect on ATM service
2000 2001 incident
2002categories,
2003 2004compared with2007
2005 2006 the
D - Not determined D - Not determined
occupants
50 as shown in previous year, the results indicate that the percentages in
30 Not classified Not classified
this table (refer also to total numbers of the serious incidents (severity A) and the
40
EAM
20 2 / GUI 1 and EAM major incidents (severity B) have both decreased.
2 30
/ GUI 5 for more details).
60
10
As in 2006 for certain operational Risk Areas (Runway
20
As0 opposed to accidents, there is no MTOW limit for the Incursions,
50 Unauthorised Penetration of Airspace, Level
ATM
10 related
2002 incidents
2003 reported
2004 through
2005 the
2006AST, 2007
i.e. all Bust), there were marked increases in the total number of
40
the incidents are reported, regardless of the MTOW of the reported incidents, whereas the number of high risk bear-
aircraft
0 involved. ing30incidents decreased or had been maintained. One Op-
2002 2003 2004 2005 2006 2007
erational Area (Separation Minima Infringements) showed a
20
To ease interpretation, incident-related performance indi- stabilisation in the total numbers and a small decrease of se-
cators (the trends up to 2007) are normalised based on rious
10 incidents (Severity A) and major incidents (Severity B).

millions of flight hours, except for runway incursions which

0
are normalised based on millions of aircraft movements. It needs to be noted that the emerging trend with regard to
1999 2000 2001 2002 2003 2004 2005 2006 2007
900 the growing number of incidents NOT being severity clas-
General
800 Trends sified, as indicated in the intermediate SRC safety report,
700 seems to be confirmed and will be further analysed and val-
900
600 idated through the September 2008 AST reporting cycle.
800
500
700
400 Separation Minima Infringements
600
300
500
200 120
400
100
300 100
0
200 2002 2003 2004 2005 2006 2007
80
100
0 60
2002 2003 2004 2005 2006 2007
40
60
20

50
0
60
40
1999 2000 2001 2002 2003 2004 2005 2006 2007

50
30
Separation Minima Infringements
40
20
Occurrence per million flight hours and severity
60
30
10

20
0
For
50 the previous year the updated data showed an in-

2002 2003 2004 2005 2006 2007 crease of 8.7% (in absolute numbers) and 3.5% (in norma-
10 40
lised figures) compared with 2005. The final data for 2007
0 Total ATM Related Incidents demonstrate
30 a stabilization of overall numbers and a slight
2002
Occurrence per2003 2004hours and
million flight 2005severity
2006 2007 decrease in the numbers of risk bearing (severity A and B)
20

10

0
1999 2000 2001 2002 2003 2004 2005 2006 2007
Safety regulation commission Annual Safety Report 2008 17
100

80

60

40
60
20
50
0
1999 2000 2001 2002 2003 2004 2005 2006 2007 40

30

20
at the level of 2004 and 2005. With respect to the risk bear-
60 10
ing incidents (A+B) this year indicates one severity A oc-
50 currence
0 less but five more severity B’s. Furthermore the
significant
2001 severity
2002 category
2003 (C) incidents
2004 2005 show
2006 an 2007
equal
40
increase to that in B.
30
This is a Key Risk Area - see Chapter 4 for follow-up action
20

10 Runway Incursions

0
60
1999 2000 2001 2002 2003 2004 2005 2006 2007
50

Separation Minima Infringements

40
Occurrence per million flight hours and severity
30

occurrences. It also shows an increase in the number of 20

occurrences ‘not classified’ in this occurrence category,

10
which is almost back at the level of 2004.
3.0
0
For
2.5
the full reporting year 2007, the proportion in total num- 2001 2002 2003 2004 2005 2006 2007
ber of serious incidents (Severity A) decreased by almost
1%2.0 from last year whereas the number of major incidents
Runway Incursions
(Severity
1.5
B) decreased by 1.6%. Occurrence per million aircraft movements and severity
4.5 100%
Investigation
1.0 with States is ongoing in respect to some fluc- 95%
4.0
tuations in reporting for this category. Compared to the data for 2006 (reported in the 2007 Annual 90%
0.5 3.5
Safety Report), the data for the full year of 2007 indicate 85%
3.0
Near
0.0 Controlled Flight into Terrain (Near CFIT) a remarkable increase (31%) in total numbers of Runway 80%
2001 2002 2003 2004 2005 2006 2007 2.5
Incursions. This increase needs to be read in conjunction 75%
2.0
As indicated in the intermediate safety report 2008, the with the change of the ICAO definition of Runway Incursion, 70%
1.5
initial significant drop in numbers (compared to 2006) re- which effectively enlarged the scope of incidents falling 65%
1.0
quired further validation with the reporting States. In the under the new definition. 60%
0.5
overall data for 2007, the total numbers are generally back 55%
0.0 50%
At the same
2003
time,2004
the number
2005
of risk bearing
2006
runway
2007
in-
3.0
cursions decreased. Nevertheless, with the total numbers
of RI’s reported increasing, it still indicates that there are
2.5 almost two runway incursions per day in the ECAC area.
2.0
This, combined with a greater number of RI’s not severity-
1.5 classified in 2007 (around 20% of the total - an increas-
ing
4.5
trend compared to 2006) points to the need for further 100%
1.0
safety
4.0
improvement in this key risk area. 95%
0.5 90%
3.5
This
3.0
is a Key Risk Area - see Chapter 4 for follow-up action. 85%
0.0
2001 2002 2003 2004 2005 2006 2007 80%
2.5
75%
2.0
70%
Near Controlled Flight Into Terrain 1.5
65%
Occurrence per million flights hours and severity 1.0 60%
0.5 55%
50% 0.0 50%
45% Proportion Severity A 2003 2004 2005 2006 2007
40% Proportion Severity B
Proportion Severities A&B
18
35%
30%
25%
20%
15%
 8
100
80 8
7
80
60 7
6
60 6
40 5
5
20
40 4
4
20
0 3
2001 2002 2003 2004 2005 2006 2007 3
0 2
2001 2002 2003 2004 2005 2006 2007 2
1
1
0
0
2000 2001 2002 2003 2004 2005 2006 2007
2000 2001 2002 2003 2004 2005 2006 2007
7

7
6

56
Unauthorised Penetration of Airspace Aircraft Deviation from ATC Clearance
5 160
4
140
The4 2006 data in this occurrence category showed no 160
3
significant changes to the previous year (an overall increase 120
140
3
of 25.2 %) However the data submitted for 2007 show a 100
120
significant
2
1 increase in the total number of incidents reported 80
100
-17%
1
0
more than 2006 It is too early to conduct any mean- 60
ingful
0
analysis
2001 related 2003
2002 to the possible
2004 impact2006
2005 of the devel-
2007
80
40
opment of
2001 the Safety
2002 Improvement
2003 2004 Initiative
2005 2006 “Airspace
on 2007 60
20
Infringement” and the resulting European Action Plan for 40
0
Airspace Infringement Risk Reduction. 20
2000 2001 2002 2003 2004 2005 2006 2007
160 0
160
140 2000 2001 2002 2003 2004 2005 2006 2007

140
120

120
100
9
100
80 8
9
80
60 7
8
60
40 6
7
20 5
40
6
20
0 4
5
0
2001 2002 2003 2004 2005 2006 2007 3
4
2001 2002 2003 2004 2005 2006 2007 2
3
1
2
0
1 2000 2001 2002 2003 2004 2005 2006 2007
7
0
7
6 2000 2001 2002 2003 2004 2005 2006 2007

6
Aircraft Deviation from ATC Clearance
5
Occurrence per million flight hours and severity
5
4

4
3
The safety data for 2006 in this category showed an in-
3
2 crease of 9% (in absolute numbers) and 4% (in normalised
2
1
figures) compared with 2005. The reported data for the
1
full year 2007 indicate another increase of 12% compared to
0
2001 2002 2003 2004 2005 2006 2007 2006. It is noted that, as for other occurrence categories, there
0
2001 2002 2003 2004 2005 2006 2007 is an increase in the numbers not being severity classified.
Unauthorised penetration of Airspace
Occurrence per million flight hours and severity A marginal increase was observed in the high risk bearing
incidents in 2006 compared to the previous year but they
remained at low levels.
For this incident category a considerable increase of high
risk bearing incidents was observed in 2005 compared to The submitted data for the full year of 2007 however show
previous years. In 2006 however, this number decreased. a decrease of these types in this incident category. The
Although the total numbers reported increased again in number of high risk bearing incidents decreased both in
2007, the decrease in high risk occurrences continued in severities A and B.
some extent (4 less severity A) However they do remain
above the level of 2004.

This is a Key Risk Area - see Chapter 4 for follow-up action.

Safety regulation commission Annual Safety Report 2008 19

 160
140
120
100
80
60
40
600
20
0
500
2000 2001 2002 2003 2004 2005 2006 2007
400

300

Level
200 Busts 200
180
100
With respect to Level Busts, the analysis on submitted data 160
for0the full year of 2007 indicates a marked increase of 15% 140
2005 2006 2007
in the total numbers compared with last year. However the 120

analysis also shows the same total number for risk bearing 100
80
incidents compared to 2006, including one more severity A
60
and one less B.
40
20
600
0
2000 2001 2002 2003 2004 2005 2006 2007
500

400
Aircraft Deviation from Applicable ATM Regulation
300 Occurrence per million aircraft movements and severity

200
On the basis of the submitted data for the full year of 2007
100
no significant changes in this occurrence category were
0 noted.
2005 2006 2007

The overall numbers have shown a small increase only

30 100%
Level Busts compared to 2006 (2463 increased from 2425 total) how-
90%
Number of occurrence per severity ever the conclusion of last year in this category can still be
24 80%
maintained
70%
4
. The numbers of risk bearing incidents have
It 18is not yet fully clear if the increase is based on better decreased
60%
significantly (21 A and B’s versus 55 A and B’s
classification in the overall category of ”Deviation from ATC in 2006)
50% after the increase of these severity types which
Clearance”,
12 better reporting and/or an actual increase in was observed
40% in 2006.
incidents. 30%
6 ATM20%
Specific Occurrences
For risk bearing occurrences, the analysis also demonstrates 10%
0 0%
that, over the years 2005-2007, all Level Busts having a
2005 2006 2007 AA 2005
- Total inability to provide2006
safe ATM service 2007
severity classification have resulted in a separation minima
A - Serious inability to provide safe ATM service
infringement, as might be expected. AAn - Serious Incident trend of
increasing
B - Partial inability to provide safe ATM service
severity B occurrences resulting in aB -loss
Major Incident
of separation is
C - Significant Incident C - Ability to provide safe but degrated ATM service
being observed.
E - No significant safety effect E - No effect on ATM service
D - Not determined D - Not determined
This
30 is a Key Risk Area - see Chapter 4 for follow-up action.
Not classified
100%
Not classified
90%
24 80%
Aircraft Deviation from Applicable ATM Regulation
70%
Indicators in this category have been tracked since 2002,
18 60%
This category is a “basket” category, where different types when reporting of ATM Specific Occurrences became man-
50%
of12incidents (such as un-authorised penetrations of airspace datory.
40%
In 2007 25 States reported ATM specific occur-
and certain level busts) are counted. rences30%
in their AST report compared to 24 the year before.
6 This is
20%less than the total number of States reporting under
(It should be noted that certain Aircraft Deviations from ESARR2/AST
10% arrangements. This shows that in this cat-
Applicable
0 ATM Regulation are also registered in other egory 0%there is ample space for improvement. Severity clas-
categories 2005 2006
where the circumstances 2007
of the occurrence 2005
sification of the results is according2006 2007
to the table shown.
are applicable).

4- The increase in numbers reflects:

• the increases in some categories within the «basket»,
• a more consistent categorisation where incidents are categorised under multiple headings, and thus
• an overall increase in maturity of reporting systems.

20
 2002 2003 2004 2005 2006 2007
1600

1400

1200
30
1000

800
25
600
20
400
15
200
0
10
2002 2003 2004 2005 2006 2007
5 200
Total ATM Specific Occurrences For 2007, the numbers of risk bearing occurrences in-
2004 2005 2006 2007
0 creased in comparison with 2005, but are less than 2004,
2002
The total number2003 2004
of occurrences 2005
reported 2006
and 2007
the quality of and
150 thus no trend can be identified yet.

the
30 data varies between States, but overall numbers have

shown
25
a reduction from 2005 and 2006. There are also The
100 level of reporting varies greatly between States. In 2007
big variations in the number of occurrences reported in a four States reported more than 400 ATM specific occur-
20
number of States from one year to another. rences while 6 States reported less than 10 ATM specific
50
15 occurrences. Therefore, a small change in the number of
1600 States reporting on the fully-required basis could result in
0
10
1400
a significant or even dramatic change to the total figure for
Communication Surveillance Data Processing Navigation Information
5
ECAC reported ATM specific occurrences.
1200

1000
0 Moreover the results that arrive are not always categorised
2002 2003 2004 2005 2006 2007
800 into
10 the different type of occurrences required (e.g. failure of
600 communication, navigation, surveillance
2004 2005functions
2006 etc.).
2007
400 8

200
Occurrences Related to the ATM Support functions
6
0
2002 2003 2004 2005 2006 2007 As for 2006, the area of the Communication function had
1600 the4 highest number of occurrences reported in 2007, fol-
1400 lowed by the Data Processing and Surveillance functions.
Total ATM Specific Occurrences 2
1200 Per million flight hours & severity
The
0
overall numbers of occurrences related to ATM sup-
30
1000
port Communication
functions shows an Data
Surveillance increase over
Processing 2006 in Information
Navigation the case
800
Where
25 AST Focal Points have access to ANSP safety data, of communication and data processing functions and a
combined
600
20
with a good reporting system, the numbers decrease for the other functions measured.
of400ATM specific occurrences reported are high (11,836
in200
152007, 15,604 occurrences in 2006, 17,816 in 2005). 200

However,
0 it should be noted that these numbers include a 2004 2005 2006 2007
10
large proportion
2002 of minor2004
2003 technical events 2006
2005 which have
2007 no 150
safety
5 impact due to the existence of automatic mitigations,
such as back-up systems etc
0 100
2002 2003 2004 2005 2006 2007
30
50
25

20 0
Communication Surveillance Data Processing Navigation Information
15

10 Occurrences related to the ATM Support Functions

Occurrences per million flight hours
10
5
2004 2005 2006 2007
The number of risk-bearing occurrences decreased in all
0 8
2002 2003 2004 2005 2006 2007 categories except the data processing function.
6
In 2007, the Communication and Data Processing func-
Total ATM Specific Occurrences
tions
4 contained the occurrences with the highest severity
High risk occurences per million flight hours & severity
(AA+A+B).
2

0
Communication Surveillance Data Processing Navigation Information

Safety regulation commission Annual Safety Report 2008 21

 2004 2005 2006 2007

150

100

50

0
Communication Surveillance Data Processing Navigation Information

There is no clear trend regarding the risk bearing occur- 10

rences in the period 2004-2007. 2004 2005 2006 2007

8

The occurrences with the highest severity (AA – Total inability

to provide ATM Service) were indicated in the Communication 6

function (3) Surveillance and Support Information functions

4
(one each).

0
Communication Surveillance Data Processing Navigation Information

Occurrences related to the ATM Support Functions

Risk bearing occurences - Severity AA+A+B per million flight
hours

Achieved Level of ATM Safety in ECAC

The ECAC Strategy for ATM 2000+ set a high-level safety The number of accidents varies year to year, as may be
objective:- expected, but the overall trend is not increasing against
a background of increasing traffic levels. Thus, the ECAC
“ …. to improve safety levels by ensuring that the safety objective is being met as far as accidents are con-
number of ATM induced accidents and serious, cerned. However, the development of safety data reporting
or risk bearing, incidents do not increase and, by States has not so far allowed a similar comparison to be
where possible, decrease.” undertaken for serious incidents.

The graph below depicts the number of accidents involving It must be stressed that the above calculations are based
Commercial Aircraft with Direct ATM Contribution, as on a number of critical assumptions, including the rates of
reported through the AST. forecast traffic growth and the percentage contribution of
ATM within the overall number of accidents.

5 Number of accidents Flight Hours 25,000,000

These assumptions are being further validated and
ECAC traffic levels (1999-2007)
improved, supported by increased levels of safety
4 ECAC predicted traffic levels, 20,000,000
5% growth after 2007 data reporting by states, and by the work being un-
3 15,000,000
dertaken as part of the development of a Risk Clas-
sification Scheme for the Design of ATM.
Accidents with direct contribution
2 10,000,000
Trendline number of accidents
Meeting the ECAC objective will demand increas-
1 5,000,000 ingly stringent safety performance over time with
enhanced commitment by States, not only to pro-
0 0 vide comprehensive data but also to adopt with
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015

urgency the outstanding action plans published by

EUROCONTROL.
Accidents in ECAC with direct ATM contribution
& traffic growth
Real traffic growth till 2007, forecast 2008-2015

22
4.0 95%
60
3.5 90%

50 85%
3.0
80%
2.5
40 75%
2.0
70%
1.5 30

Chapter 4 – Key Safety Issues

65%
1.0 20 60%
0.5 55%
0.0 10
50%
2003 2004 2005 2006 2007 2003 2004 2005 2006 2007
0
2001 2002 2003 2004 2005 2006 2007

4.5 This Chapter includes safety issues judged by SRC to be 100%

4.0 of sufficient safety significance to justify the attention of 95%

90%
3.5 the EUROCONTROL Organisations governing bodies -
85%
3.0 the Permanent Commission and Provisional Council.
80%
2.5
75%
2.0 The identification of these issues is both the result of the
70%
1.5 safety analysis in preceding Chapters, and also through
65%
1.0 other safety activities encountered by SRC in its safety 160
60% 100%
4.5
0.5 work over the reporting period. 140 95%
55%
4.0
0.0 50%
3.5 120 90%
2003 2004 2005 2006 2007 2003 2004 2005 2006 2007
85%
Runway
3.0

2.5
Incursions 100
80%
80
Percentage
75% of Runway Incursions severity classified
2.0
Since 2003 the overall trend in the highest severity (cat- 60 70%
1.5
egory A - serious) incursions is decreasing; only a marginal Therefore
40 65% it needs to be reemphasized that this issue cer-
1.0
increase was observed in the 2006 and the numbers stabi- tainly
20 60%reveals the possibility that further risk bearing Run-
0.5
lised in the data reported for 2007 and overall numbers still way
0 Incursions could be “hidden” in the total number (i.e.
55%
0.0 50%
remain 2003
at a low level.
2004 2005 2006 2007
Runway 2001Incursions
2002 reported
2003
2003
2004
but
2004not classified).
2005
2005
2006This 2007
2006
forms
2007
part of the rationale for continued focus on the Runway
Safety Programme. States therefore need to further im-
4.5 100%
prove95%
national performance in the reporting and analysis of
4.0
occurrences,
7 90% notably the complete and consistent severity
3.5
assessment,
85% to give full visibility to the real levels of risk.
3.0 6
A recommendation
80% to this effect will be made to the EURO-
2.5 5
CONTROL
75% Permanent Commission.
2.0
4 70%
1.5
65%
1.0
Unauthorised
3
60% Penetration of Airspace
0.5 2 55%
0.0 50%
2003 2004 2005 2006 2007
Unauthorised
1 Penetration
2003 2004
of Airspace
2005
remains a safety key
2006 2007
risk
0
area. The overall number in this category increased
somewhat
2001 in 2006
2002 (5%)
2003but shows
2004 a 2005
considerable
2006 increase
2007
Runway Incursions
Occurrence per million aircraft movements and severity of 17% in 2007. The relationship with the Safety Improve-
ment Initiative on “Airspace Infringements” may well have

However with regard to the severity category B incursions 160

reported for the full year of 2007 a decrease is indicated (51 140
for 2006 and 42 for 2007)
120

100
Analysis of past years shows that category B increased in
2005, levelled in 2006 and decreased in 2007. The increase 80

in 2005 resulted from the application of a more extensive 60

severity classification scheme (82% of runway incursions 40

were classified in 2005 and 2006) and category B numbers 20
levelled in 2006. In 2007 the runway incursion data reported 0
show that the numbers of severity B still proportionately fol- 2001 2002 2003 2004 2005 2006 2007
low the rate of the severity classified incursions (80%) How-
ever the overall number of Runway Incursions not severity Unauthorised Penetration of Airspace
classified has increased by 47% compared to 2006. Occurrence per million flight hours and severity
7

Safety regulation commission Annual Safety Report 2008 4 23

3

2
 300

200

100

0
2005 2006 2007

600

500

400

had an effect on the increasing reporting rates. More spe- incorporated

300 and with wide support for its European im-
cifically the awareness in the ATM community, as well as in plementation. After final endorsement, including by SRC,
200
the aviation industry at large, of the impact on safety has the Action plan will be rolled out and set into action by the
risen substantially through the associated activities in the aviation
100
community at large.
development of the European Action Plan for Airspace In-
0
fringement Risk Reduction. The SRC views the Action Plan as an essential measure to
2005 2006 2007
reduce risk in this area, and urges its effective implemen-
Over the reporting period, severity A and B classified in- tation by States. A recommendation to this effect will be
cidents decreased slightly compared to 2006, but remain made to the EUROCONTROL Permanent Commission.
above the level of 2004. Overall reporting of this category of
incidents increased considerably with less occurrences not
30
Level Busts
100%
classified compared to the previous year. There is contin- 90%
ued demand though for a range of States to enhance their 24 80%
reporting and/or to continue their efforts in cross-border The separate tracking of this important type of incident, in- 70%
coordination with respect to general aviation (GA) move- troduced
18 for reporting in 2005, enables specific analysis in 60%
ments, specifically with respect to seasonal effects. addition to the more general category of Aircraft Deviations 50%
from
12 ATC Clearance. In 2007 the total reported data for 40%

The EUROCONTROL “Airspace Infringements” Safety Im- Level Busts show an increase of just over 15% compared 30%
20%
provement Initiative, supported by SRC, started to develop to 62006. For the risk bearing incidents (severity A and B) the
10%
the European Action Plan for Airspace Infringement Risk total numbers are equal to the previous year.
0 0%
Reduction in 2007. The main goal of developing and imple- 2005 2006 2007
menting this Europe-wide action plan is to reduce the risk
to aircraft operations caused by airspace infringements.
30 100%
90%
The initiative received wide support by aviation safety stake- 24 80%
holders and a number of data collection and risk analysis 70%
projects were carried out, including SRC participation and 18 60%
inputs. With the support of the Member State authorities, 50%
civil and military ANSPs and airspace user organisations, 12 40%
this has led to the establishment of a range of potential 30%
20%
safety improvement measures, defined at different levels 6
10%
and allocated to broad domains such as – AIM, AGC,
0 0%
AOM, ATS (FIS), NAV, Safety awareness & culture, and Pi- 2005 2006 2007
lot skills and airmanship.

The draft Action Plan indicated the assignment of safety
measures in two major categories – recommended and
proposed actions, depending on the degree of received
support and their perceived risk reduction potential. The
safety improvement actions are addressed to the differ-
ent stakeholder groups involved as action owners; AIS and
MET services providers, Air navigation service (including
FIS) providers, Military organisations (service providers and
regulators), Training organisations (whether for controllers
or pilots), Regulatory authorities (national and supranation-
al) and Airspace users.
Stakeholder consultation on the Action Plan was started
in December 2007 to ensure the establishment of a final
draft with all potential and perceived risk reduction actions
Level Busts
Number of occurrences per severity
With the submitted and updated data included, the analysis
shows:
❍❍ that all severity A occurrences, for the period 2005-
2007, have resulted in a loss of separation and
❍❍ an increasing percentage of severity B incidents
which result in a loss of separation over the same
reporting period.
Further analysis with the reporting States is needed to
detect the causes for this emerging trend. The better

24
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
2005 2006 2007

100% Repeating last year’s comparison with other incident cat-

90% egories demonstrates that the proportion of risk bearing in-
80% cidents in separation minima infringement was 23% in 2006
70%
3.0 and around 20% in 2007 and for runway incursions it was
60% 10% in 2006 and 6% for 2007.
2.5
50%
40%
2.0 The AST Focal Point group analysis of this type of incidents
30%
for the reporting year 2006 showed that the main sub-cat-
20%
1.5
egories reported are: flying under Minimum Safe Altitude,
10%
1.0
0%
wrong operation of SID/STAR (turn to early, high speed),
2005 2006 2007 ILS undershoot, flying under bad weather conditions in
0.5
mountainous areas, GPWS alerts. States that reported the
0.0 majority of NCFIT have already taken remedial actions (e.g.
Level Busts resulting in Loss of Separation
2001 2002 2003 2004 2005
Percentage for severity categories A & B
2006 2007 change in the operation of SID/STAR, actions taken within
the context of Unstabilised Approach Initiative of Member
States etc). The analysis also shows that, while in 2006
categorisation of the Level Busts in other sub-categories there was little ATM involvement in this type of incidents,
like separation minima infringement is a likely explanation. the data for 2007 show an increased ATM involvement.
Nevertheless, Level Bust remains one of the major Key This will be further investigated.
Risk Areas and SRC will continue to expand its safety
analysis capabilities in order to maintain awareness and
safety enhancement in this significant area. Resourcing of ATM Safety Oversight
Different pan-European programmes (e.g. ESIMS, Safety
Near CFIT Maturity Study etc.) have identified the need to support
to Member States in developing sufficient safety oversight
The overall numbers of incidents in this category remain capabilities.
low, with the total for 2007 returning to the levels of 2004
and 2005. The proportion of risk bearing incidents (severity Commission Regulation (EC) N° 1315/2007 and ESARR 1
A and B) within the total number of Near CFITs was indi- establish that States shall ensure that NSAs have the nec-
cated to be very high in the last SRC annual report (45% in essary capability to ensure the safety oversight of all or-
2006 compared with 32% in 2005) and remains at an equal ganisations operating under their supervision, including suf-
level in 2007. (44%) ficient resources to carry out the actions identified in these
regulations. These actions are well specified in both texts
in the form of processes defined with a clear sequence of
50%
steps and outputs. Therefore, the achievement of that ob-
45% Proportion Severity A
ligation is measurable if a detailed analysis is conducted as
40% Proportion Severity B

35%
Proportion Severities A&B regards the whole set of actions required and their practical
30%
application in the context of the NSA and the State under
25% consideration.
20%
15% In 2008 SRC took action to determine the resources avail-
10% able at the NSAs to implement their safety oversight respon-
5%
sibilities. A template, known as the Safety Oversight Over-
0%
view Document (SOOD) was introduced in June 2008 to
2003 2004 2005 2006 2007
replace various previous data collection templates related to
ESIMS. The SOOD places a focus on Resourcing aspects
Near Controlled Flight Into Terrain with a view to collecting information for a centralised analysis
Proportion of high risk incidents in total number of the safety oversight resources available across Europe.

Safety regulation commission Annual Safety Report 2008 25

In this context, a number of States have provided updated
information about their levels of resources. At this point in
time there is still insufficient data for reaching conclusions
about the situation or determining a European benchmark
for the resources needed. Furthermore, additional work
may be necessary as regards a number of indicators relat-
ed to resourcing of NSAs and their data-gathering through
the SOOD or other means.
Personnel with Safety Auditor Qualification
Nevertheless, a simple and key indicator on which some in-
formation has already been gathered is the number of quali-
fied safety auditors available at the NSAs and Recognised
Organisations to conduct the audits required in Commis-
sion Regulation (EC) N° 1315/2007 and ESARR 1.
Nineteen Member States forwarded their SOOD to SRU be-
tween June and October 2008 and reported that there are,
in those countries, an aggregated total of 152 persons who
are qualified to act as safety auditors in accordance with
the requirements of Article 11(3) c, of Commission Regula-
tion (EC) N° 1315/2007. A significant proportion of these
are reported by a very small number of the larger States
(two States having 25 or more), with very low numbers in
many smaller States (as low as 1). In addition, those States
who have not yet reported are known to be at the lower
end of the scale.
Importantly, it should be noted that not all these qualified
resources are involved in the conduct of safety regulatory
audits, either fully or even part-time.
In order to evaluate whether this indicates the existence of
a sufficient level of resources, further information would be
required to measure the effectiveness and level of harmo-
nization of their qualification, and the amount of audit re-
sources required, in terms of number of audit-man neces-
sary in a State. SRC is currently considering the possibility
of launching a wider study on these aspects.
The level of information available does not allow further con-
clusions to be drawn. However it may be advisable to iden-
tify guidance for the NSAs on the amount of auditor time
to be employed in safety oversight activities. Consideration
could also be given to the experience of other safety-critical
industries. This would allow for further determination of the
NSAs’ specific needs with respect to human resources.
26
RVSM Safety Monitoring
SRC was informed at SRC31 of the main results of the
2007 RVSM Safety Monitoring Report. The total risk es-
timate (technical and operational combined) in the report
was slightly above the Target Level of Safety (TLS) set for
the EUR region, but the quality of the result for the Opera-
tional Risk estimate was very low due to the lack of credible
operational error data available.
Since then, the EUR Regional Monitoring Agency (RMA)
and SRU have liaised to seek the SRC’s advice on different
lines of action which include:
❍❍ The need to revisit the RVSM Post-Implementation
Safety Case (POSC);
❍❍ The possibility to integrate the provision of altitude
deviation data in the Annual Summary Templates
(AST) and the possible inclusion of RVSM monitor-
ing in safety oversight audits (at national, ICAO and
EUROCONTROL level).
Revision of the RVSM POSC
At the request of the European Air Navigation Planning
Group (EANPG) of ICAO, the EUROCONTROL Agency,
acting as the EUR Regional Monitoring Agency (RMA), car-
ries out an annual calculation of the vertical collision risk in
EUR RVSM airspace to ensure that the continued operation
of RVSM in European airspace meets the defined safety
criteria.
To ensure that EUR RVSM continues to meet the require-
ments of the EUROCONTROL EUR RVSM Safety Policy,
and is in accordance with the safety objectives contained in
ICAO Doc 9574, the following must be demonstrated:
Objective N° 1 That the vertical collision risk in EUR
RVSM airspace due solely to technical
height-keeping performance meets the
ICAO Target Level of Safety (TLS) of 2.5
x 10 9 fatal accidents per flight hour;
Objective N° 2 That the vertical collision risk in EUR
RVSM airspace meets the ICAO overall
TLS of 5 x 10 9 fatal accidents per flight
hour;
Objective N° 3 That the continuous operation of EUR
RVSM has not adversely affected the
overall risk of en-route mid-air collision;
Objective N° 4 That all the issues raised in the 2006
EUR RVSM Safety Monitoring Report
have been satisfactorily addressed.
An internal revision of the RVSM POSC drew attention to
the need to re-examine the applied assumptions vs. the
risks and hazards identified in 7 years of RVSM operational
experience, as well as to reconsider Safety Objective N° 3
(above). The effects of additional factors affecting risk cal-
culation, such as P-RNAV and changes to the operational
environment, also need to be assessed.
The RMA has arranged an independent review of the
POSC. This review also addresses the possible changes
to the annual EUR RVSM Safety Monitoring Report. Re-
sults are expected by the end of 2008 and changes to the
annual Report (if required) will be applied as from the next
reporting year.
In this context the assumptions and safety requirements
of the RVSM POSC are being revisited to determine their
relevance for a mature system monitoring regime, and any
new issues such as P-RNAV and evolving operational prac-
tice, which may affect the vertical estimate, can be dealt
with. Without prejudice to the development of the require-
ments, provisions can also be developed for systematic
re-evaluation at a suitable interval such as every three to
five years, to ensure that the safety requirements remain
relevant and valid.
This step should give rise to a draft set of proposed Safety
Requirements for Airspace Monitoring. It is now being pro-
posed by DAP/APN that the establishment of a set of Air-
space Monitoring Safety Requirements would also include
the closing of the POSC, which remains in place until the
completion of the new airspace monitoring regime.
The detailed timescales for these activities are still to be
determined but it is planned to have a draft set of Airspace
Monitoring Safety Requirements available in June 2009.
In the view of SRC, consideration should be given to the
further development of implementing rules by the SES
5- “(…) arrangements shall be put in place, through interregional agreement (…)”.
6- EUROCONTROL has already made a request as per Annex II of the Regulation. The SRU will be the Focal Point as to the consultation of the data.
7- Note 5 of Annex I to Directive 2003/42/EC mentions that specific operational approvals, e.g. RVSM, ETOPS, RNAV, or a design or maintenance programme, may have specific reporting
requirements for failures or malfunctions associated with that approval or programme. However, this does not cover the operational errors, which led to Safety Objectives N°2 and 3 from the
EUR RVSM Safety Policy not having been met.
Safety regulation commission Annual Safety Report 2008
rulemaking framework taking the draft set of requirements
resulting from that review as a major input. To that end it
appears essential to ensure the coordination with the EC
who could perfectly give a Mandate to EUROCONTROL to
develop such implementing rule based on the work already
initiated. In that context the EUROCONTROL framework
may also play a role to ensure the extension of the resulting
set of rules to the EUROCONTROL Member States where
EC law is not directly applicable.
Improving Altitude Deviation Reporting
There is as yet no adequate mechanism to enable and en-
force the reporting of altitude deviations in the context of
RVSM as per ICAO Annex 11, Section 3.3.5.25. Whereas
ICAO Doc 9574 in its Section 6.4 clearly explains the meth-
odology to be used to progress the evaluation of system
performance, this remains at the level of guidance material,
which cannot be deemed mandatory unless e.g. via trans-
position in the national legal order.
Nevertheless, in this respect, it is important to bear in mind
Directive 2003/42/EC and, in particular, the new require-
ments of Regulation (EC) N° 1330/2007, which lays down
implementing rules for the dissemination to interested
parties6 of information on civil aviation occurrences ((incl.
significant deviations [more than 300 ft] from intended alti-
tude regardless of cause) referred to in Art. 7(2) of Directive
2003/42/EC7. Commission Regulation (EC) N° 1330/2007
is binding in its entirety and directly applicable in all EU
Member States; it entered into force on 15 November
2007. In order to enable the Commission to prepare the
appropriate measures for exchange of information between
Member States and the Commission (as required by Art.
6.4 of Directive 2003/42/EC), the Regulation became ap-
plicable on 15 May 2008.
States are legally bound to ensure that relevant information
on safety is reported, collected, stored, protected and dis-
seminated. Still, there is a need to define the minimum re-
quired information re RVSM (given the generic nature of the
Regulation) and ensure that the information will be made
available to the RMA.
While Commission Regulation (EC) N° 1330/2007 can
provide an adequate mechanism for reporting altitude de-
viations, and its application for RVSM monitoring can be
27
subject to safety oversight audits, it only applies to those
States where EC law is applicable. Thus, EUROCONTROL
cannot undertake auditing activities on this aspect in other
ECAC States or RVSM-participating States. The only overall
solution remains to work on interregional arrangements in
concert with the ICAO Regional Planning Group (EANPG).

Integrating Altitude Deviation Data

in the ESARR 2 AST

Considerable benefit could be brought by the integration

of altitude deviation data provision into the ESARR 2 AST.
Such integration is fully in accordance with the Safety Re-
porting Task Force (SAFREP) recommendation 7, agreed
by Provisional Council, to rationalise European safety data
flows and furthermore avoids the proliferation of data bas-
es. In addition, the required periodicity of RVSM reporting
(six-monthly) is now supported by the AST process, which
is being applied on a similar periodicity.

The ESARR 2 AST data currently provide considerable

information on the causes of altitude deviation incidents.
These are included in safety occurrence categories such
as Level Busts, but are not sufficient to estimate the level
of risk specifically with respect to occurrences in RVSM
airspace. Further steps are therefore required in order to
provide a robust, mandatory and ongoing basis for altitude
deviation reporting in support of RVSM operations.

In order to modify the AST accordingly, a specific data-set

for RVSM Monitoring has yet to be defined by the RMA
and presented to SRC for agreement. It will be based on
the provisions of the ICAO Manual on RVSM Operations
(ICAO Doc 9574 - Manual on Implementation of a 300 m
(1000 ft) Vertical Separation Minimum Between FL 290 and
FL 410 Inclusive). Once these actions are completed it is
the intention of the SRC to submit to the PC at the earliest
opportunity an appropriate proposal for the modification of
the ESARR 2 AST.

SRC agreed to the principle of including RVSM monitor-

ing in safety oversight audits to confront the inconsistency
and contradictions of the current reporting mechanism. A
similar approach needs to be taken to altitude deviation re-
porting, and an appropriate update to ESARR 2/AST is pro-
posed as the optimum way forward. A recommendation to
this effect will be made to the EUROCONTROL Permanent
Commission.

28
Chapter 5 – Current and Future Developments
This Chapter focuses on:
❍❍ Significant issues and developments in the field of
ATM safety regulation, and
❍❍ Safety regulatory aspects of major ATM devel-
opments, where these aspects are essential to the
success of overall implementation.
Double Regulation
The arrival of the Single European Sky (SES) regulations
and the transposition of ESARRs into EC legislation pre-
sented the States with the issue of “Double Regulation”.
SRC set up the Double Regulation Ad-Hoc Group (DRAHG)
to address this issue. A report, including a number of rec-
ommendations was produced by the Group and submitted
by SRC to the Provisional Council for its consideration.
The recommendations of DRAHG were discussed and
agreed at Provisional Council meeting in November 2007
and the Single Sky Committee (SSC) in January 2008. The
Provisional Council also invited the SRC to further develop
those recommendations that concern ESARRs and return
to the Permanent Commission for approval at an appropri-
ate time.
In the case of ESARR 1, SRC has submitted to the Provi-
sional Council an amendment to apply the DRAHG Rec-
ommendations and achieve a full alignment with the text of
Commission Regulation (EC) N° 1315/2007 which trans-
poses ESARR 1 into EC law. Such an amendment was
identified by DRAHG as feasible due to the high level of
correspondence achieved between ESARR 1 and Com-
mission Regulation (EC) N° 1315/2007 in the transposition
process. The amendment is exclusively intended to adopt
the text of the rules transposing the relevant safety require-
ments into Community law while maintaining the existing
ESARR 1 related obligations on the EUROCONTROL Con-
tracting Parties and the scope of those obligations.
It also brings the benefit of removing potential double-
regulation issues with regard to safety oversight in
EUROCONTROL Member States where EC regulations
are directly applicable. The proposed amendment provides
a platform to take advantage of the synergies between the
EC and EUROCONTROL frameworks and support the im-
plementation of SES across the ECAC region. In particular,
ESARR 1 provides the means to ensure the implementation
Safety regulation commission Annual Safety Report 2008
of an appropriate ATM safety oversight function in EURO-
CONTROL Member States who are not members of the
EU.
The publication of Commission Regulation (EC) N° 482/2008
transposing ESARR 6 into EC law has opened the door to
the implementation of a similar course of action to apply the
recommendations of DRAHG to ESARR 6.
Additionally, actions are also foreseen as regards ESARRs
2, 3, 4 and 5. In this case, in accordance with the DRAHG
recommendations, the process to achieve a single text for
ESARRs 2, 3, 4 and 5 with their corresponding EC rules is
to be initiated by means of the introduction of measures by
the EC to address the DRAHG recommendations related
to those rules. The associated proposals for amendment of
ESARR will be submitted to the PC on due course.
SES Peer Review System
In 2008 SRC agreed a number of proposals with regard to
the articulation, relating to ESIMS, of the respective roles
of the Peer Review process and the audits of the safety
oversight system.
In the safety oversight context, the Peer Review system
offers the benefits of reviewing safety regulatory perfor-
mance, as well as identifying and sharing best practice to
achieve safety improvement. Such safety benefits can only
be realised if the judgments involved (including on what
constitutes best practice) are consistent and harmonised
- “a level playing field”. This requires (as a pre-requisite) an
assessment of safety oversight performance based on
a common safety baseline, ensuring a standardised ap-
proach. ESIMS and IUSOAP already provide a platform
for that assessment.
As foreseen in Recital 10 of Commission Regulation (EC)
N° 2096/2005, they need to be co-ordinated and articulat-
ed to complement each other. The two activities therefore
cover different, but interrelated aspects of the harmonisa-
tion of NSAs. SRC is of the view that the Peer Reviews
and ESIMS should be articulated in two layers of comple-
mentary activities; “Improvement Review” and “Asessment-
Standardisation” supporting the effective implementation of
NSA supervisory functions in SES. In that context, the Peer
Reviews could operate, to a certain extent, as a ‘manage-
ment review’ similar to the one foreseen in an ISO manage-
ment system
29
SRC also agreed that SRU would initiate the necessary co-
ordination with NSAs, Regional Groups of NSAs and the
EC to implement the actions proposed.
A way forward for the implementation of the Peer Review
Process was identified in coordination with RICBAN, a re-
gional group of NSAs from nine States. A joint proposal
was subsequently submitted by some NSAs for discussion
at the SSC meeting held on 21 May 2008. The initiative was
welcomed by the EC. It proposed an initial set of actions
to be launched in the second half of 2008. In that context,
RICBAN, SRC/SRU and the EC are working together to:
❍❍ Conduct two experimental Peer Reviews in the sec-
ond half of 2008.
❍❍ Share the outcome of those two trials with other
NSAs in a workshop to be hosted by the Spanish
NSA by the end of the year.
The final objective of these actions is to refine the Peer Re-
view concept with a view to making proposals to the EC for
the implementation of a Peer Review Procedure in 2009.
In this context RICBAN and SRC are ready to support the
EC in the drafting of a mandate to EUROCONTROL, or an
equivalent instrument, along the lines of this joint proposal.
NSA Training Initiative
The availability of appropriate expertise continues to be
a major controlling factor in the development of national
safety regulatory capabilities. EUROCONTROL supports
States in addressing this issue through the Safety Regula-
tion Training (SeRT) Programme, and is committed to en-
suring that the Programme continues to fulfil the current
regulatory needs.
Over the reporting period, SeRT has been fundamentally
reviewed, and a revised Programme – the NSA Training Ini-
tiative – designed to take account of the latest European
developments, with particular focus on the role and specific
needs of National Supervisory Authorities (NSA) in the con-
text of the Single European Sky (SES). The new, two-yearly
Programme and any additional, subsequent modules will be
offered to NSAs as a tool that will allow them to meet their
obligations under SES Legislation. It will comprise manda-
tory and optional modules, to which extra modules of either
type can be added as required. It will also support wider
EUROCONTROL objectives and changes to the European
30
regulatory framework resulting from the Second SES Pack-
age, and the extension of EASA’s competences to ATM.
The NSA Training Initiative will enable staff of NSAs and
Recognised Organisations at a European level to:
❍❍ Develop their professional knowledge and capability
in order to improve their performance in the supervi-
sion of ATM provision;
❍❍ Apply uniform standards and be aware of best prac-
tices;
❍❍ Share experiences in a European forum and develop
a professional network;
❍❍ Supply evidence that they have achieved sufficient
level of training to perform Safety Oversight func-
tions.
The new training syllabi preserve key components of cur-
rent training, such as auditing techniques, but will embrace
wider SES concepts in order to match current ATM de-
velopments. The modular structure will also allow regu-
latory personnel to follow a full training portfolio, from ab
initio to fully-trained regulator. This will assist stakeholders
in resource planning while at the same time providing the
flexibility to complement local knowledge in order to train
participants in particular regulatory activities. Start of deliv-
ery of the NSA Training Initiative will be in the first semester
2009.
Unmanned Aerial Systems
The development of widespread civil / commercial UAS
applications requires common operational, technical and
safety concepts, to ensure a seamless integration of UAS
in the existing airspace structures.
The basic flight safety regulatory principles demand that:
❍❍ Aircraft can only fly if they are designed, manufac-
tured, operated and maintained consistent with rel-
evant regulations;
❍❍ Aircraft operating crew are qualified in accordance
with applicable regulations; and
❍❍ Safety regulations exist for the air transport infra-
structure and air navigation services (ANS).
Hence, aviation safety and its associated regulations must
be developed, co-ordinated and implemented in a collective
effort involving national authorities, ANS providers (ANSP),
civil and military airspace users, aerodromes, industry, pro-
fessional organisations and relevant regional institutions.
As UAS are considered as aircraft within the meaning of
Art. 8 of the Chicago Convention, international rules, or in-
struments of international law pertaining to the safety and
operation of aircraft apply to UAS. Thus, where UAS are to
integrate with other airspace users, they should fit in with
them and with current procedures, as well as carry simi-
lar equipment (or different equipment resulting in compa-
rable performance) for flight, navigation and communica-
tion, rather than the existing ATM System being required
to adjust to accommodate UAS. Specifically, the existing
safety regulatory framework developed for and applicable
to the current air transport infrastructure and ANS provision
should be demonstrated to be valid in an equal manner.
Regulatory aspects have the capability to shape the way
in which ATM will affect, and be affected by, the growth in
UAS use. Where it is identified that civil UAS applications
can already be accommodated within existing regulatory
arrangements, it is expected that operators will identify and
exploit UAS technologies. In those cases where existing
regulations cannot accommodate civil UAS, the regulatory
framework needs to be developed to determine what tech-
nologies or procedures are essential, while the safe intro-
duction of civil UAS applications must be demonstrated at
the earliest possible stage.
The evolving development of UAS for both civil and mili-
tary applications is the main driver for EUROCONTROL
taking a prominent role for ensuring that UAS integration
into the pan-European ATM network does not result in a
negative impact of network safety, security and efficiency.
EUROCONTROL is actively engaged, in co-ordination with
ICAO, the EU, EASA, EUROCAE and NATO in determin-
ing the applicable European UAS regulatory provisions. In
direct support thereof, EUROCONTROL is also engaged in
the development of UAS certification standards and ATM
integration assessments (including the salient aspects of
safety, security and airspace efficiencies), from both civil
and military perspectives.
Under the umbrella of the FAA-EUROCONTROL Memo-
randum of Cooperation, Annex 4, Action Plan 24 (MoC
AP 24 [UAS]), EUROCONTROL and the FAA agreed on
the requirement for a dedicated UAS Action Plan, one of
Safety regulation commission Annual Safety Report 2008
its principal objectives being to derive quantified safety
requirements for UAS operations both within and outside
segregated airspace. Such agreed levels of safety will be
the basis for UAS international interoperability.
The integration of UAS into the pan-European network will
be undertaken with a view to global interoperability. The
ICAO processes will be aimed at both short-term develop-
ment of global UAS guidance material / best practices and
medium to long-term development of comprehensive UAS
SARPs / PANS. This activity will undertake to ensure that
the ICAO UAS Study Group (UAS.SG) provide the global
ICAO UAS regulatory and guidance material necessary to
sustain the European UAS integration strategies, with par-
ticular regard to safety, legal, institutional issues and global
UAS interoperability. The UAS.SG is expected to:
❍❍ Serve as the focal point and co-ordinator of all ICAO
UAS-related work, with the aim of ensuring global
interoperability and harmonisation;
❍❍ Develop a UAS regulatory concept and associated
guidance material to support and guide the regula-
tory process;
❍❍ Review ICAO SARPs, propose amendments and
co-ordinate the development of UAS SARPs with
other ICAO bodies;
❍❍ Contribute to the development of technical specifi-
cations by other bodies (e.g. terms, concepts), as
requested;
❍❍ Identify bandwidth and frequency spectrum require-
ments for UAS command and control (C²) and make
recommendations to the ICAO Aeronautical Com-
munications Panel (ACP) in support of a common
position for International Telecommunications Union
(ITU) World Radio Conference (WRC) negotiations.
31
SESAR
The implementation programme for SES – SESAR – com-
pleted its definition phase in April 2008 and the develop-
ment phase has now begun. This will involve the elabora-
tion of operational improvements in accordance with the
ATM Master Plan and the SESAR Work Programme.
Within the Definition Phase, a necessary function was iden-
tified to co-ordinate the ‘Authorities’ views on the regulatory
acceptability of SESAR safety deliverables and to ensure
the continuing adequacy of applicable safety regulatory
rules and related material. During the development phase,
this function involves a systematic and structured interac-
tion between the SESAR Joint Undertaking (JU) and the
safety regulatory framework. Such an interface will be es-
tablished and start operating by the end of 2008.
This function will play a role very similar to the one already
implemented by EUROCONTROL SRC in relation to previ-
ous pan-European projects. A similar approach is there-
fore being adopted in the case of SESAR, notably in the
transition towards new arrangements, due to its inherent
expertise and experience, its independent position and its
ability to integrate views from the Military and from Member
States outside the EU. Discussions have taken place be-
tween EUROCONTROL and the SESAR JU on the practical
operation of this function.
Safety Regulatory Review of ATM
Developments
The regulatory coordination role required in the context
of SESAR context is not new. Since its establishment the
SRC has provided advice on the development of harmon-
ised safety regulatory objectives and requirements for the
ATM System which will be implemented and enforced by
the Member States.
The imminent changes to the ATM system and the emerg-
ing role of EASA will present new challenges to States and
National Supervisory Authorities to fulfil their regulatory ob-
ligations in this transitory time. The SRC believes that it is
both fitting and essential to take the opportunity to merge
elements common to two areas of work; specifically, the
development of a Safety Regulatory Review process, and
the definition of the potential role for SESAR JU Coordina-
tion Function. Both initiatives share collective objectives to
convey the formal SRC position on safety issues, to deliver
32
a consolidated opinion for inclusion in the safety documen-
tation associated with new developments, and establish
a visible and committed role for the SRC in this period of
regulatory transition.
The SRC has launched an initiative to test the proposed
safety review method on a pilot study. The focus of the
pilot study is a safety regulatory review of the ADS-B NRA
Preliminary Safety Case prepared by the EUROCONTROL
CASCADE programme.
The SRU has completed the preliminary stages of the re-
view process. A review of the Preliminary Safety Case will
be undertaken by a working group of experts comprising
members of the SRC. The results of the review and the
formal SRC opinion will be delivered to the CASCADE Pro-
gramme manager in December 2008.
It should be noted that while the output and opinion of
any SRC safety regulatory review cannot be considered
as regulatory approval of the programme developments, it
is a valuable support to the implementation roadmap. The
output of the review should help developers anticipate and
identify safety regulatory aspects for the further stages of
a programme development, prompt early involvement of
States/NSA’s in their role as stakeholder/regulator, high-
light areas where existing regulation may be insufficient and
new regulation may be required,
The review process and method will be the framework on
which to build agreed working methods and best practices
to be applied by NSA’s to fulfil their shared oversight re-
sponsibilities, to provide a working interface between NSA’s
and other aviation entities and provide a forum for States/
NSA’s to share knowledge and experience.
Safety Oversight of ATFM
Commission Regulation (EC) N° 1315/2007 transposing
ESARR 1 into EC law and ESARR 1 itself require NSA’s
to ensure the safety oversight of organisations providing
ATFM. It should be noted that these provisions do not re-
quire certification of those organisations but do require a
commensurate set of actions to ensure the safety oversight
of ATFM.
The implementation of these requirements in ATFM has al-
ready been discussed by SRC. It had been recognised that,
while States can (and do) exercise oversight over ATFM el-
ements at national level (e.g. Flow Management Positions
(FMP’s)), no practical means exist for oversight by States
of ATFM elements outside national boundaries – principally
the Central Flow Management Unit (CFMU). A way of in-
tegrating oversight of all aspects of ATFM is therefore
required.

At SRC32 it was agreed that a solution to the issue of

the safety regulatory oversight of EUROCONTROL-based
ATFM needed to be urgently found. Lack of a means of
effective safety oversight by States in this area represents
a significant safety issue requiring fast resolution – a
factor repeatedly confirmed by ESIMS audits

Accordingly, SRC has established a Task Force (TF) to

evaluate the possible options and their feasibility, incorpo-
rating the principles that:

❍❍ The oversight of ATFM shall be carried out as a re-

quirement provided in Commission Regulation (EC)
N° 1315/2007 and ESARR 1;

❍❍ The oversight of FMP’s at national level will not ex-

clude the oversight of CFMU, and vice-versa;

❍❍ Once EASA is entrusted with ANS/ATM competen-

cies, this will fall under its responsibilities;

❍❍ For the time being the safety oversight required for

CFMU in accordance with Commission Regulation
(EC) N° 1315/2007 and ESARR 1 has not been en-
trusted to somebody. As such this gap, if no further
action is taken, will extend until the time when EASA
is entrusted with ANS/ATM competencies and is in
position to exercise them;

❍❍ The Provisional Council is the ultimate body to take

decisions on the safety regulatory aspects of ATFM
function.

SRC will report further to the Provisional Council following

evaluation of the options, including their political and institu-
tional aspects, before bringing forward a conclusive recom-
mendation. However, the urgency of the issue stresses the
need for action to meet the relevant requirements applica-
ble to the safety oversight of ATFM and an interim recom-
mendation to PC will be made, stressing the importance of
the matter and the short-term action being taken by SRC.

Safety regulation commission Annual Safety Report 2008 33

34
Chapter 6 – Conclusions

The SRC’s 2008 Annual Safety Report contains a comprehensive analysis of the safety performance of the ATM system, as
well as a detailed review of those ATM developments which are significant from a safety regulatory viewpoint. It’s principal
conclusions may be summarised as:

a) The multi-dimensional measurement of ATM safety
performance, first reported in 2007, continues to
develop and mature. Increased analysis is now pos-
sible which enables the identification of systemic
safety issues in both the operational and institutional
areas.
g) The lack of a means for oversight by States of central
ATFM functions is a significant safety issue requir-
ing fast resolution. The SRC is urgently progressing
the evaluation of options to address this situation,
in order to come forward to the Provisional Council
with proposals

b) There has been a marginal increase in levels of
reporting of safety occurrences. However, overall
progress towards full reporting by all States is too
slow.
c) Safety analysis of the achieved level of safety shows
that the ECAC safety objective continues to be met
for accidents with ATM contribution. Insufficient
data exists at this stage to support a conclusion for
serious incidents.
h) A review of future developments indicates pro-
grammes and initiatives with the potential to have
a significant effect on ATM safety. It highlights the
need for yet further safety improvement to ensure
the robust resilience to cope with these develop-
ments while preserving the safety of the ATM sys-
tem.

d) Analysis of data for incident types has revealed

continuing trends which, in some cases, lead to the
identified need for additional attention and safety
action. These are identified in the Report as Key
Risk Areas, and are the subject of separate safety
analysis and recommendations to the EUROCON-
TROL Permanent Commission.

e) In the field of Safety Regulation, measurement of

Safety Maturity has shown considerable further im-
provement. This is directly the result of continued
improvement efforts by all parties. Nevertheless, the
measurement analysis has also shown the continu-
ing difficulties faced by States, and where further
support work may be directed.

f) The data available from the ESIMS audits conducted

since November 2005 has increased significantly,
and permitted much more comprehensive analy-
sis of national safety oversight issues. This analy-
sis shows the need for further work and support as
regards the implementation by NSAs of effective
safety oversight processes and, collaboratively with
States, identifies a number of issues requiring action
at European level.

Safety regulation commission Annual Safety Report 2008 35

NOTES

36
© E uropean Organisation for the Safety of Air Navigation
EUROCONTROL January 2009

This document is published by EUROCONTROL in the interests of exchange of information. It may

be copied in whole or in part, providing that EUROCONTROL is acknowledged as a source. The
information contained in this document may not be modified without prior written permission
from EUROCONTROL.

SRC Document 44
Edition 1.0