Common SES-Certification 4-States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: 2 February 2006

Transcription

1 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 States AMC matrix ATS AIS CNS.xls 1 of 19

2 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 ANNEX 1 GENERAL REQUIREMENTS FOR THE PROVISION OF AIR NAVIGATION SERVICES 1. TECHNICAL AND OPERATIONAL COMPETENCE AND CAPABILITY 7 An air navigation service provider shall be able to provide services in a safe, efficient, continuous and sustainable manner consistent with any reasonable level of overall demand for a given airspace. To this end, it shall maintain adequate technical and operational capacity and expertise.. ORGANISATIONAL STRUCTURE AND MANAGEMENT.1. Organisational structure 3 An air navigation service provider shall set up and manage its organisation 3 according to a structure that supports the safe, efficient and continuous provision of services. The organisational structure shall define: 7 This general requirement is covered with the more detailed other requirements. They require on the one hand initial and tactical calculation and engagement of technical and operational capacity and expertise, on the other hand the keeping up of day-to-day safe, efficient, continuous and sustainable service provision. AMC for "safe,efficient,continuous and sustainable": The ANSP positively fulfills articles 3.1, 3., 8. and 9 of Annex 1 Common Requirements. AMC for "adequate technical and operational capacity and expertise": The ANSP positively fulfills articles. and 5 of Annex 1 Common Requirements. (a) the authority, duties and responsibilities of the nominated post holders, in particular of the management personnel in charge of safety, quality, security, finance and human resources related functions; 3 AMC for define : 1. The ANSP works according to: a. a documented organisational chart, showing the hierarchy of the different functions within an organisation, b. a description of the nominated postholders and the different management functions, c. a description of the departments within the organisation, and d. a description of the authority, duties and responsibilities of management functions. (b) the relationship and reporting lines between different parts and processes of the organisation. 3. The descriptions under 1. do not need to be in separate or dedicated chapters or paragraphs, but can be incorporated throughout the documents provided they are appropriately referenced.. Organisational management.. Organisational management 1 An air navigation service provider shall produce a business plan covering a minimum period of five years. The business plan shall: Analyses for 'covering a minimum period of 5 years': Provision of an annually updated five-year plan on strategic level. See below (a) set out the overall aims and goals of the provider and its strategy towards achieving them in consistency with any overall longer term plan of the provider and with relevant Community requirements relevant for the development of infrastructure or other technology; (b) contain appropriate performance objectives in terms of quality and level of service, safety and cost-effectiveness. See below See below States AMC matrix ATS AIS CNS.xls of 19

3 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 An air navigation service provider shall produce an annual plan covering the forthcoming year which shall specify further the features of the business plan and describe any changes to it. The annual plan shall cover the following provisions on the level and quality of service such as the expected level of capacity, safety and delays to flights incurred as well as on financial arrangements: (a) information on the implementation of new infrastructure or other developments and a statement how they will contribute to improving the level and quality of services; (b) indicators of performance against which the level and quality of service may be reasonably assessed; (c) the service provider s expected short-term financial position as well as any changes to or impacts on the business plan. AMC for business plan and longer term plan if appropriate : The business plan of the ANSP: a. contains a statement at least to the framework of SES-regulations and their aims and goals, giving a clear explanation of the business activities to realise these, b. is consistent with Pan-European commitments, c. covers at least a 5 years horizon, d. contains the aims and goals of the ANSP through quantitative / qualitative statements incl. rationale. If targets are used they adhere at least to international standards, if available. Starting from latest actual values, evidence will be given how to achieve the targets set (roadmap). These include quality and level of service such as planned changes to airspace structure and airports (if ANSP is affected) and other relevant developments such as expected level of capacity, safety and delays to flights incurred; and cost-effectiveness, e. displays the financial basis and sustainability, f. presents operational staff planning, and g. provides evidence on the consistency with the relevant community requirements for the development of infrastructure or other technology including the interoperability of the European Air Traffic Management network. See below See below See below See below See below AMC for annual plan : The annual plan of the ANSP details the features of the business plan for the forthcoming year in terms of cash flow plan, implementation of new infrastructure and other developments by: a. justifying / explaining changes to or impact on the business plan, b. providing indicators of performance against which the level and quality of service, may be reasonably assessed. Any indicator adheres at least to international standards, if available, for ATS providers also indicators such as level of capacity, safety and delays to flights, etc will be used, c. describing financial arrangements to cover the implementation of the annual plan, including the short term financial position, d. including a report of the execution of major projects, including a statement how they will contribute to improving the level and quality of services, and e. reporting on items such as reorganisation, relocation, changes to airspace structure and changes to airports effecting the ANSP; including an impact assessment. 3. SAFETY AND QUALITY MANAGEMENT 3.1. Safety management States AMC matrix ATS AIS CNS.xls 3 of 19

4 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 An air navigation service provider shall manage the safety of all its services. In doing so, it shall establish formal interfaces with all stakeholders which may influence directly the safety of its services. Analysis for services : Definitions can be found in the CR and art. framework regulation. Analysis for stakeholders which may influence directly the safety of its services : All third parties that if they are working in compliance with the existing rules and procedures, still need further arrangements with the ANSP to ensure the safety of the services of the ANSP. For example, airspace users are not stakeholders in this context, but airports are. AMC for establish formal interfaces : The ANSP establishes a contract, (for example a service level agreement, letter of agreement or equivalent traceable arrangements), agreed by both parties, establishing as a minimum the mutual responsibilities and operational arrangements for all safety related items between the parties, and to be documented as an integral part of the management system. 3.. Quality management system An air navigation service provider shall have in place at the latest [ years after entry into force of this regulation] a quality management system which covers all air navigation services it provides according to the following principles. It shall: (a) define the quality policy in the perspective to meet the needs by the different users as closely as possible; (b) set up a quality assurance programme that contains procedures designed to verify that all operations are being conducted in accordance with applicable requirements, standards and procedures; (c) provide evidence of the functioning of the quality system by means of manuals and monitoring documents; (d) appoint management representatives to monitor compliance with, and adequacy of, procedures to ensure safe and efficient operational practices; (e) perform reviews of the quality system in place and take remedial actions, as appropriate. An EN ISO 9001 certificate, issued by an appropriately accredited organisation, Disclosure of documentation to provide evidence on the scope only. covering the air navigation services of the provider shall be considered as a sufficient means of compliance. The air navigation service provider shall accept the disclosure of the documentation related to the certification to the national supervisory authority upon the latter s request Operations manuals 7 An air navigation service provider shall provide and keep up-to-date operations 7 manuals relating to the provision of its services for the use and guidance of operations personnel. It shall ensure that: (a) operations manuals contain instructions and information required by the 7 operations personnel to perform their duties; Analysis for "operations personnel": Operations manuals for operational staff undertaking safety relevant tasks (for ATS including technical and engineering personnel) as addressed in ESARR5 are relevant. The operational staff is located in the provision of ATS, CNS and AIS Services, each deserves an operations manual. AMC for "operations manuals (...) duties": An ANSP provides Operations Manuals to each service provided - ATS, AIS, CNS. The ATS/CNS-manuals provide as a minimum information and guidelines on the working methods and procedures to support the services, the duty and responsibility of the staff, provisions in unusal situations and emergency cases, occurance reporting. For the ATS service operational as well as technical processes are relevant. The AIS manual provides as a minimum information in accordance with the "table of contents" given in ICAO Doc 816. The ATS operations manual provides as a minimum information in accordance with attachment 1 to this document. The Technical manual provides as a minimum information in accordance with attachment to this document. Alternatively references to other documentation detailing the subjects are admitted. States AMC matrix ATS AIS CNS.xls of 19

5 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 (b) relevant parts of the operations manuals are accessible to the personnel concerned; 7 Analysis for "relevant": "Relevant" information is that content of the manual specific to the service. Analysis for "accessible": "Accessible" means that these documents are immediately available on demand within the operations room or working office of the operations personnel as defined in 3.3.a). AMC for relevant parts ( ) are accessible : 1. The ANSP works according to a described method or process of distribution, accessibility and updating of Operations Manuals, which shows clearly: a. how the distribution system works, b. which documents are accessible to certain persons, c. where these persons can find them, and d. the format in which they are accessible (hard copy, digital etc.).. The described method or process of distribution, accessibility and updating of Operations Manuals under 1: a. is in accordance with Annex 1, article 3. Common Requirements (exist in the frame of a certified QMS), and b. may be contained in the Operations Manuals documents themselves. (c) the operations personnel are expeditiously informed of the amendments to 7 the operations manual applying to their duties as well as of their entry into force. AMC for expeditiously informed : 1. The ANSP works according to a described method or process of distribution, accessibility and updating of Operations Manuals as described in Annex 1, article 3.3, part a, Common Requirements.. SECURITY 5 Recommondation from Germany: The States (BE;NE;LUX;DE) should encourage stakeholders to develop joint definitions for security over time. An air navigation service provider shall establish a security management system to ensure: 5.. Within the description by the ANSP of the method or process as specified under Annex 1, article 3.3, part b, Common Requirements, it is also clear how: a. changes and amendments of the manuals are being made, and b. their enforcement dates are communicated without undue delay to the personnel concerned. 1. The ANSP s security management system ensures the protection of all assets, personnel and data required to provide the services that are being certified against acts of unlawful interference.. The ANSP s Security Management System includes a system to ensure the protection of data from unauthorised interference. This defines: a. what data need to be protected, b. how data need to be protected, and c. whom is authorised to release data. (a) the security of its facilities and personnel so as to prevent unlawful interference with the provision of services; 5 (b) the security of operational data it receives or produces or otherwise employs, so that access to it is restricted only to those authorised. The security management system shall define: 5 5 Remark: If applicable, special attention has to be given to the access to and protection of classified data with mostly military origin in order to meet the appropriate governmental regulations... (a) the procedures relating to security risk assessment and mitigation, security monitoring and improvement, security reviews and lesson dissemination; (b) the means designed to detect security breaches and to alert personnel with appropriate security warnings; 5 5 States AMC matrix ATS AIS CNS.xls 5 of 19

6 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 (c) the means of containing the effects of security breaches and to identify recovery action and mitigation procedures to prevent re-occurrence. 5 An air navigation service provider shall ensure the security clearance of its personnel, if appropriate, and coordinate with the relevant civil and military authorities to ensure the security of its facilities, personnel and data. 5. AMC for ensure, provided that the National Civil Aviation Security Programme of the State where the site of the ANSP is physically located is applicable: 1. Where the National Civil Aviation Security Programme of the State where the centre of the ANSP is physically located is applicable, the security clearance will be: a. based on background checks carried out in compliance with this Programme, and b. delivered in compliance with this programme. 5. HUMAN RESOURCES 6 An air navigation service provider shall employ appropriately skilled personnel 6 to ensure the provision of its services in a safe, efficient, continuous and sustainable manner. In this context, it shall establish policies for the recruitment and training of personnel. 6 Personnel means: all personnel which is directly involved in the provision of ATC, FIS, AIS, Meteorological service and to all technical/engineering personnel who operate, monitor and maintain ATM equipment." Sufficient means: in general there are no unsafe, inefficient, discontinuous or unsustainable services related to a lack of personnel.. Where the need for the handling of classified (civil and/or military) material is applicable, additional security certification in accordance with national security law beyond the National Aviation Security Programme shall be considered. This applies especially to personnel involved in controlling of military air traffic and support of military operations. This includes operational personnel as well as AMC for 'continuous and sustainable manner : The ANSP: a. has sufficient personnel for its current duties, b. ensures that sufficient personnel will be available in accordance with its businessplan, c. may hire external staff to cover temporary changes in personnel, and d. has a personnel planning which shows the operational personnel needed and available, related to its current and/or future designation. AMC for employ appropriately skilled personnel': 1. The ANSP: a. has determined the basic and additional training needs of all its functions, b. has personnel which complies with the education and training needs, c. has a training program to ensure that personnel will apply to the education needs within a reasonable time, d. has determined the recurrency training needs for its operational staff, e. can show the compliance or lack off recurrency training of its operational staff, f. trainings are evaluated for adequacy, g. ensures that externally hired staff complies with the ANSP s own education and training demands, h. has a procedure and has identified authorised persons who will determine if any deviation of its operational education or training demands is acceptable to the ANSP, i. has documented the decisions of the operational deviation under h), and j. ensures the security clearance for personnel which has a safety critical function or access to safety critical areas.. One way of complying with 1b) is to hold a register containing all relevant information regarding of the staff concerned. Showing a valid license in accordance with the national law is another way of complying with 1b). States AMC matrix ATS AIS CNS.xls 6 of 19

7 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February The recruitment policy contains the following elements: a. education, b. examination, c. languages, d. medical certificate, e. age, and f. reliability (no dependency on psycho-active substances, no criminal record, security check). 6 The training policy contains the following elements: a. basic training and Additional training + examinations, b. simulation, c. pre-ojt training, d. operational competency: OJT training + Continuation training, e. additional requirements: medical certificate + language (ICAO level ), and f. granting of license and ratings. 6. FINANCIAL STRENGTH 6.1. Economic and financial capacity An air navigation service provider shall be able to meet its financial obligations, such as fixed and variable costs of operation or capital investment costs. It shall use an appropriate cost accounting system. It shall demonstrate its ability through the annual plan as referred to in part.. of this annex as well as through balance sheets and accounts as practicable under its legal statute. Use of separate cost accounting per service (ATS, CNS, MET, AIS) AMC for appropriate cost accounting system: 1. The ANSP s cost accounting system describes the applicable (short term) financial obligations in the profit and loss account, and longer term obligations in the balance sheet.. The profit and loss account and balance sheet (see under 1) provide all appropriate allocated fixed and variable costs of operations or capital investment costs and in accordance with EU- and applicable national requirements. The annual plan explains short term obligations. 6.. Financial audit In accordance with article 1() of regulation (EC) No 550/00, an air navigation service provider shall demonstrate that it is undergoing an independent audit on a regular basis. 7. LIABILITY AND INSURANCE COVER 3 An air navigation service provider shall have in place arrangements to cover its 3 liabilities arising from applicable law. Analysis for regular: Regular meaning at least on an annual basis. However, the financial year may differ from the fiscal year. AMC for shall demonstrate : The ANSP provides at least the latest record of executed independent financial audits and applicable financial audit reports in accordance with article 1() of Regulation (EC) No 550/00. Special consideration will be given to non established ANSP's (new entries). AMC for article as a whole: 1. The ANSP makes sure that the risks from all the sorts of air navigation services that are being provided are covered. The ANSP documents the way how it obtained the liability cover.. Within the framework of 1., the following risks are covered in any case: - Basic aviation risks, and - Third party liability. 3. The amount of coverage is an amount that is reasonably and commercially available on the market. States AMC matrix ATS AIS CNS.xls 7 of 19

8 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 The method employed to provide the cover shall be appropriate to the potential loss and damage in question, taking into account the legal status of the service provider and the level of commercial insurance cover available. 3 An air navigation service provider which avails itself of services of another air 3 navigation service provider shall ensure that the agreements cover the allocation of liability between them. AMC for 'ensure': In the framework of complying with the first two parts of this article, the ANSP has a list of contracted ANSPs, indicating the scope of the services rendered and the accompanying liability agreements. 8. QUALITY OF SERVICES 8.1. Open and transparent provision of services An air navigation service provider shall provide its services in an open and transparent manner. It shall publish the conditions of access to its services and establish a formal consultation process with the users of its services on a regular basis, either individually or collectively, and at least once a year. AMC for open and transparent provision of services : The ANSP ensures that: a. the conditions of access to its services are published in the Aeronautical Information Publication (AIP) or in an adequate legal, publicly accesible document, such as contracts, conventions, etc., b. a description of the formal consultation process incl. components like complaints handling, customer surveys, consultation meetings is available, c. consultation is done, orally or in writing, at least once a year with the most relevant topics from service provision with operational and technical issues including military issues and financial aspects for the service provision with stakeholders concerned, and d. documentation, agreed amongst the meeting participants, on the specific consultation(s) is available. An air navigation service provider shall not discriminate on grounds of nationality or identity of the user or the class of users in accordance with applicable Community law. AMC for not discriminate : The ANSP documents its awareness and guarantees its respective obligations for adherence by formal statements in official company policy documents. 8.. Contingency plans 7 At the latest one year after certification, an air navigation service provider shall 7 have in place contingency plans for all the services it is providing in the case of events which result in significant degradation or interruption of its services. Analysis for contingency plan : Contingency plans cover each of the services or a bundle of services the ANSP owns a certificate for. The contingency plan describes -in case of disruption of a service- whether, when (period of disruption before measures are taken) and to what degree after measure taking the continuity of service will be given. Measures can be staggered according to criteria such as the severity of the disruption, traffic density, existence and readiness of aiding unit which continues the service. The contingency plan should also provide information on a periodic contingency/emergency training to show that the plan works. For ANSPs who start their service for the first time after the certificate has been issued the contingency plan may be delivered at the latest one year after the certification date. AMC for shall have in place : An ANSP has a Contingency Plan to the services provided indicating the service level aimed at during the contingency period at the latest one year after certification. Analysis for "significant degradation or interruption of a service": Technical failures which are recovered by redundancy of components, a first-aid workaround solution or a two-way-connection are explicitly not subject to contingency. The loss of a technical system may lead to the discontinuation of the service, here the contingency plan and measures start. 9. REPORTING REQUIREMENTS States AMC matrix ATS AIS CNS.xls 8 of 19

9 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 An air navigation service provider shall be able to provide an annual report of its activities to the relevant national supervisory authority. This report shall cover its financial results without prejudice to article 1 of the service provision regulation, as well as its operational performance and any other significant activities and developments in particular in the area of safety. AMC for the whole part: 1. The ANSP keeps trough the ongoing year relevant information related to its financial, operational activities and to other significant activities and developments, in particular those in the area of safety.. The ANSP uses those data kept through the past year as core piece of information to be contained in the annual report to the relevant national supervisory authority. 3.The Annual Report includes in particular: - balance sheet, - profit and loss account, and - cash flow. The annual report shall include as a minimum: an assessment of the level and quality of service generated and of the level of safety provided; AMC for an assessment of : The ANSP reports on: a. the level and quality of services generated using among others the Key Performance Indicators (KPI's) established in the annual plan, b. customer satisfaction and the complaints registered through the past year, c. the level of the safety provided using among others the KPI's established in the annual plan, in paticular if no target level of safety exists, and d. reporting on the the underlying causes where discrepancies between the actual performance and the performance established in the annual plan have been found. the performance of the service provider compared to the performance objectives established in the business plan, reconciling actual performance against the annual plan by using the indicators of performance established in the annual plan; developments in operations and infrastructure; AMC for the whole part: The ANSP provides information in its annual report related to the relevant investments in operations, infrastructure and engineering that were made through the past year. the financial results, as long as they are not separately published in accordance with article 1(1) of the service provision regulation; information about the formal consultation process with the users of its services; AMC for information : The ANSP s annual report briefly reflects on the number, dates and general sentiment of formal user consultation held including a list of parties invited/having attended. If not done elsewhere the Annual Reports briefly describes the consultation process. States AMC matrix ATS AIS CNS.xls 9 of 19

10 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 information about the human resources policy. The ANSP reports on human recourses policy related items for the past year. AMC for 'Human resources policy': The ANSP provides statistical information on: a. recruitment & training, b. staff numbers of individual services, c. entries/leaves, and d. (...). The air navigation service provider shall make the content of the annual report available to the public under conditions set by the national supervisory authority in accordance with national law. Analysis for conditions set by the NSA: a. publication date, b. contents as far as this is required in Annex I, article 9, Common Requirements, and c. non-public parts of the annual report. Only after a consultation with the ANSP, the NSA should set conditions, where additional costs are forced to the ANSP for the publication of the annual report, such as (number, layout, media, price...). ANNEX SPECIFIC REQUIREMENTS FOR THE PROVISION OF AIR TRAFFIC SERVICES 1. OWNERSHIP 3 This Paragraph is related to ownership. The ownership shall not affect the provision of ANS services in respect of impartiality and objectivity. A provider of air traffic services shall make explicit to the national supervisory authority referred to in Art. 7() of Regulation (EC) No 550/00: its legal status, its ownership structure and any arrangements having a significant impact on the control over its assets. any links with organisations not involved in the provision of air navigation services, including commercial activities in which it is engaged either directly or through related undertakings, which account for more than 1 % of its expected revenue. Furthermore, it shall notify any change of any single shareholding which represents 10 % or more of its total shareholding Analysis for 'make explicit' 'make explicit' means that the ANSP informs the NSA without undue delay on its firm intentions regarding to the requirements in this article. Analysis for 'link' Link means a more permanent or cooperative commercial activity with other organisations (eg. joint venture, joint companies) AMC for make explicit legal status : An abstract of the chamber of commerce will be evidence for 'the ANSP's legal status. A provider of air traffic services shall take all necessary measures to prevent any situation of conflict of interests that could compromise the impartial and objective provision of its services. 3 Analysis for the article as a whole ANS provisions needs to be non-discriminatory in respect of nationality, ownership or commercial strength of the user or provider of the service or in respect of any other criterium other than the priority rules defined by law or state regulations. AMC for 'necessary measures': The ANSP works with and in accordance with a policy and instructions to staff involved in the ANS provision concerning the non-discriminatory provision of services. Annex II,. OPEN AND TRANSPARENT PROVISION OF SERVICES 1 States AMC matrix ATS AIS CNS.xls 10 of 19

11 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 In addition to the provision of Annex I, part 8.1 and where a Member State decides to organise the provision of specific ATS services in a competitive environment, a Member State may take all appropriate measures to ensure that providers of these specific air traffic services shall neither engage in conduct that would have as its object or effect the prevention, restriction or distortion of competition, nor shall they engage in conduct that amounts to an abuse of a dominant position in accordance with applicable national and Community law. 1 Analysis for article as a whole: Appears to be subject to member states (CAA) rather than ANSP's. Not applicable 3. SAFETY OF SERVICES 3.1. Safety management system General safety requirements A provider of air traffic services shall, as an integral part of the management of its services, have in place a safety management system ( SMS ) which: Analysis for article as a whole: This requirement identifies a set of minimum elements to be considered by ATM service-providers when defining the basic principles of their SMS. AMC for ensures (applicable for all parts of this article): 1. The ATSP works with appropriate policy statements to an agreed (by the NSA) qualitative or quantitative level that: a. cover the four requirements (safety management, safety responsibility, safety priority and safety objective), and b. establish a clear commitment to them.. These basic principles are not only addressed at policy level but also developed consistently throughout the SMS. 3. The points under 1. and. include a written statement of the safety policy, that: - is set by the top management of the ANSP, and - includes as a minimum the items mentioned in this article.. The ATSP is able to demonstrate to the NSA that all the parts of this article have been implemented based on the SMS- and are effective. ensures a formalised, explicit and pro-active approach to systematic safety management in meeting its safety responsibilities within the provision of its services; operates in respect of all its services and the supporting arrangements under its managerial control; and includes, as its foundation, a statement of safety policy defining the organisation s fundamental approach to managing safety (safety management); ensures that everyone involved in the safety aspects of the provision of air traffic services has an individual safety responsibility for their own actions, that managers are responsible for the safety performance of their respective departments or divisions and that the top management of the provider carries an overall safety responsibility (safety responsibility); ensures that the achievement of satisfactory safety in air traffic services shall be afforded the highest priority (safety priority); Analysis for under its managerial control : The expression means not just those services that are performed by the ATS organization itself. It also covers the products of those services supplied to it, or provided by other providers on its behalf as regards its safety performance. Analysis for top management of the provider : The most senior level of management of the provider organization that takes the legal responsibility and accountability for all acts of the organisation. in conjunction with the above in conjunction with the above AMC for 'ensures': The ANSP gives safety the highest priority up to the agreed level. After the agreed level safety will be taken into account, but is balanced between other criteria like environment and/or capacity. ensures that while providing air traffic services, the principal safety objective is to minimise its contribution to the risk of an aircraft accident as far as reasonably practicable (safety objective) Requirements for safety achievement Within the operation of the SMS, a provider of air traffic services shall: Analysis for reasonable practicable : Risks must be balanced against time, trouble, costs and difficulty of taking measures to avoid them. The greater the risk to safety, the more likely it is that it is reasonable to go to substantial effort to reduce it. (EAM3 GUI1, 3.5.). The safety management system of the ANSP shall also contain statements concerning the requirements listed in in conjunction with the above. States AMC matrix ATS AIS CNS.xls 11 of 19

12 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 ensure that personnel are adequately trained and competent for the job they are required to do, in addition to being properly licensed if so required and satisfying applicable medical fitness requirements (competency); Analysis for personnel : See the analysis for Annex 1, article 5, Common Requirements. The ATS-provider: a. addresses the competency for safety related personnel explicitly, b. defines job descriptions for safety related functions, to specify the minimum level of education for the job, the amount, type and diversity of required experience, c. sets up personnel selection criteria derived from those job descriptions, d. implements appropriate training programmes to ensure and improve the competency of those involved in safety related functions, e. includes training on safety management in those programmes, and f. monitors medical fitness of its personnel. ensure that a safety management function is identified with organisational responsibility for development and maintenance of the safety management system; ensure that this point of responsibility is independent of line management, and accountable directly to the highest organisational level. However, in the case of small organisations where combination of responsibilities may prevent sufficient independence in this regard, the arrangements for safety assurance shall be supplemented by additional independent means; and ensure that the top management of the service provider organisation is actively involved in ensuring safety management (safety management responsibility); Analysis for 'safety management function': A safety management function is either an individual or an organizational entity within the ANSP, either centralised or decentralised. In the case of an entity, responsibilities and accountabilities are attributed to individuals of that entity. Analysis for 'highest organisational level': The term highest organisational level is considered to be synonymous to the terms top management or the most senior level of management of the provider organisation that takes the legal responsibility and accountability for all acts of the organization.. ensure that, wherever practicable, quantitative safety levels are derived and are maintained for all functional systems (quantitative safety levels); Analysis for 'actively involved': It is being ensured that safety management is an integral part of the top management decision making process. Analysis for 'small organisations': Fixed criteria to define small organisations is not defined, but a pragmatic approach can be taken. The small ANSP demonstrates how they have ensured the principally required independence. It is left to the NSA to determine whether they are satisfied with the measures taken where this independence is not made through independence from line management responsibilities. Analysis for wherever practicable : All effort to get good data has been made, and the resulting data are of sufficient quality or The ANSP: quantity to do a proper analysis. When this would not be the case, however, the situation can be a. Specifies levels of safety for all functional systems, using a quantitative regarded to be 'not practical'. Examples for 'not practical' are: approach wherever practicable, a. the parameter cannot be quantified, for example subjective factors such as human experience b. Plans all management and technical activities, which are necessary to achieve or level of coordination between stakeholders, and maintain the specified level of safety, and b. there is no sufficient numerical data available due to lack of incidents, c. Periodically reviews if the levels of safety are still appropriate. c. the parameter is difficult to quantify and the amount of effort/research to establish quantitative safety level is not in balance with to the safety criticality of the system, and/or d. poor quality of data, unreliable data and many assumptions must be made. ensure that the SMS is systematically documented in a manner, which provides a clear linkage to the organisation s safety policy (SMS documentation); The ANSP makes sure that: a. the documents constituting and supporting the SMS are properly identified, referenced, stored and traceable, b. documentation control procedures and methods to manage SMS documents and other safety-related documents have been established, and c. the SMS documentation control system is linked to the safety management function within the organisation. States AMC matrix ATS AIS CNS.xls 1 of 19

13 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 ensure adequate justification of the safety of the externally provided services and supplies, having regard to their safety significance within the provision of its services (external services and supplies); The ANSP: a. assesses on safety aspects services and/or products rendered by third parties, b. sets safety levels and/or requirements for each external service and supply, c. evaluates periodically whether these levels and/or requirements are being met, d. makes records of the evaluations, and e. sees to it that if the level set and/or requirements are not being met, this situation is being repaired. ensure that risk assessment and mitigation is conducted to an appropriate level to ensure that due consideration is given to all aspects of the provision of ATM (risk assessment and mitigation). As far as changes to the ATM functional system are concerned, the provisions of part 3. of this Annex shall apply. Analysis for risk assessment and mitigation : Risk assessment and mitigation is the core of a SMS. It has to be performed at an appropriate level, that is to say, in proportion to the risks at stake or the safety criticality of the activity under consideration. Hence the depth of the risk assessment may vary and is determined by the ANSP. Risks can for example be identified and assessed by examining trends in safety data, by review of processes and actions, through safety surveys and/or monitoring, or through brainstorming sessions/expert judgement. It is possible that when a risk assessment has been performed, this may give rise to a more in-depth analysis. The ANSP s SMS caters for: a. the performance of systematic assessments of risks to the organisation s operation in the engineering and operational areas of the ANSP, which are as a minimum based on the results from safety monitoring, incident data, results from safety surveys or accident data, b. the identification and implementation of relevant mitigation actions, where appropriate, c. the documentation of these assessments and related mitigation actions, and d. the monitoring and periodical review of the validity of the assessments and the related mitigation actions. ensure that ATM operational or technical occurrences which are considered to have significant safety implications are investigated immediately, and any necessary corrective action is taken (safety occurrences). It shall also demonstrate that it has implemented the requirements on the reporting and assessment of safety occurrences in accordance with applicable national and Community law. Analysis for requirements ( ) in accordance with applicable national and Community law : This requirement covers reporting requirements of accidents, serious incidents and ATM occurrences as required by national regulations implementing the relevant EU Directives (EU Directive 9/56/EC (for accidents and serious incidents) and 003//EC (for occurrences), and any other national regulations on this subject (which could include national regulations implementing ESARR ). Analysis for 'immediately': Immediately means without undue delay and subject to appraisal by the NSA. 1. The ANSP reports on and investigates all ATM safety significant operational and technical occurrences without undue delay.. The ANSP has implemented an ATM occurrence Reporting and investigation scheme by covering the process for: a. identifying the cause of the occurrence, b. its reporting of the occurence to the entity responsible for its investigation, c. the investigation process, d. the identification of recommendations and corrective actions and their implementation, e. give feedback to the personnel originally reporting the occurence, and f. reporting the occurence to the State Requirements for safety assurance Within the operation of the SMS, a provider of air traffic services shall ensure that: - safety surveys are carried out as a matter of routine, to recommend improvements where needed, to provide assurance to managers of the safety of activities within their areas and to confirm compliance with the relevant parts of the SMS (safety surveys); This requirement requires the ANSP to systematically address safety in its management of its organisation falling under its SMS. The ANSP has documented: a. its safety survey procedure, b. its systematic program for safety survey, c. reports associated with corrective action plans, d. its survey schedule, e. qualification of survey staff, f. independence of the survey staff from the subject, and g. Implementation of corrective actions process. States AMC matrix ATS AIS CNS.xls 13 of 19

14 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February methods are in place to detect changes in functional systems or operations which may suggest any element is approaching a point at which acceptable standards of safety can no longer be met, and that corrective action is taken (safety monitoring); Analysis for 'functional system' Functional system shall mean a combination of systems, procedures and human resources organised to perform a function within the context of ATM. The ANSP: a.identifies and initiates corrective actions where deterioration is detected, ensuring follow-up of actions, b. retains formal records on performance of functional systems, and c. identifies deviation detection processes and practices. - safety records are maintained throughout the SMS operation as a basis for providing safety assurance to all associated with, responsible for or dependent upon the services provided, and to the national supervisory authority (safety records). AMC for 'ensure': The ANSP: a. specifies, in each case, the form in which safety records are to be made and who is responsible for ensuring that this is done, b. identifies the safety records to be maintained in relation with all SMS processes to provide data and traceability and facilitate the identification and solution of safety problems, c. ensures appropriate safety records and documentation for internal safety assurance processes, such as Safety Surveys and Safety Monitoring, and d. maintains safety records required by international and national safety regulatory requirements and standards Requirements for safety promotion Within the operation of the SMS, a provider of air traffic services shall ensure that: - all personnel are aware of the potential safety hazards connected with their duties (safety awareness); Analysis for potential safety hazard : No relation to occupational health. AMC for 'ensure': The ANSP creates safety awareness by e.g. internal staff training, information material (safety bulletins) and has also responsibility for appropriate awareness of contractors and external services and supply. - the lessons arising from safety occurrence investigations and other safety activities are disseminated within the organisation at management and operational levels (lesson dissemination); 1. The ANSP works according to processes to collect lessons from safety recommendations resulting from safety occurrence investigations, safety surveys and other SMS processes and sources of information.. The process under 1. ensures that information is passed to all concerned staff in the directly involved units and other units with an interest in the issues. 3. Whenever possible, the ANSP makes use of various dissemination methods to support lesson dissemination processes, such as presentations, reports, audiovisual tools.. The ANSP ensures that the information is used to improve training -if applicable. States AMC matrix ATS AIS CNS.xls 1 of 19

15 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February all personnel are actively encouraged to propose solutions to identified hazards, and changes are made to improve safety where they appear needed (safety improvement). 1. The ANSP: a. encourages personnel to propose solutions to identified hazards as well as safety improvements; dealing with proposals systematically and ensuring feedback to the originator, b. identifies areas in which safety improvements can be made and plan safety improvement actions, involving the organisation as a whole, c. establishes a SMS management review mechanism to involve the organisation s management team as a whole in the continuous improvement of safety; making use of this mechanism to review the working of the SMS and consider problems and proposals identified through it, d. uses SMS management review mechanisms to agree and authorise changes in the SMS (in accordance with amendment procedures that ensure the continuous acceptability of the SMS to the ATM Safety Regulator), and e. has a systematic process to deal with those proposals, including giving feed back to the staff on this.. This requirement means that the ANSP shall pro-actively seek the involvement of all personnel in safety issues. 3.. Safety Requirements for Risk Assessment and Mitigation with regard to changes All relevant guidance material can be found in the ESSAR explanatory material. The working group has no additional AMC's which are not already in the ESSAR documentation Section 1 Within the operation of the SMS, a provider of air traffic services shall ensure that hazard identification as well as risk assessment and mitigation are systematically conducted for any changes to those parts of the ATM functional system and supporting arrangements within his managerial control, in a manner which addresses: (a) the complete life-cycle of the constituent part of the ATM functional system under consideration, from initial planning and definition to post-implementation operations, maintenance and de-commissioning; (b) the airborne, ground and, if appropriate, spatial components of the ATM functional system, through co-operation with responsible parties; and (c) the equipment, procedures and human resources of the ATM functional system, the interactions between these elements and the interactions between the constituent part under consideration and the remainder of the ATM functional System Section The hazard identification, risk assessment and mitigation processes shall include: (a) A determination of the scope, boundaries and interfaces of the constituent part being considered, as well as the identification of the functions that the constituent part is to perform and the environment of operations in which it is intended to operate; (b) A determination of the safety objectives to be placed on the constituent part, incorporating: States AMC matrix ATS AIS CNS.xls 15 of 19

16 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 (i) An identification of ATM-related credible hazards and failure conditions, together with their combined effects, (ii) An assessment of the effects they may have on the safety of aircraft, as well as an assessment of the severity of those effects, using the severity classification scheme provided in Section ; (iii) A determination of their tolerability, in terms of the hazard s maximum probability of occurrence, derived from the severity and the maximum probability of the hazard s effects, in a manner consistent with Section ; (c) The derivation, as appropriate, of a risk mitigation strategy which: (i) Specifies the defences to be implemented to protect against the riskbearing hazards, (ii) Includes, as necessary, the development of safety requirements potentially bearing on the constituent part under consideration, or other parts of the ATM functional system, or environment of operations, and (iii) Presents an assurance of its feasibility and effectiveness; (d) Verification that all identified safety objectives and safety requirements have been met (i) Prior to its implementation of the change, (ii) During any transition phase into operational service, (iii) During its operational life, and (iv) During any transition phase till decommissioning Section 3 The results, associated rationales and evidence of the risk assessment and mitigation processes, including hazard identification, shall be collated and documented in a manner which ensures that: complete arguments are established to demonstrate that the constituent part under consideration, as well as the overall ATM functional system are, and will remain tolerably safe by meeting allocated safety objectives and requirements. This shall include, as appropriate, specifications of any predictive, monitoring or survey techniques being used; all safety requirements related to the implementation of a change are traceable to the intended operations/functions Section Hazard identification and severity assessment A systematic identification of the hazards shall be conducted. The severity of the effects of hazards in a given environment of operations shall be determined using the classification scheme shown in the following table, while the severity classification shall rely on a specific argument demonstrating the most probable effect of hazards, under the worst case scenario. [intentionally left blank - "chart severity class"] In order to deduce the effect of a hazard on operations and to determine its severity, the systematic approach/process shall include the effects of hazards on the various elements of the ATM functional system, such as the air crew, the air traffic controllers, the aircraft functional capabilities, the functional capabilities of the ground part of the ATM functional system, and the ability to provide safe air traffic services. Risk classification scheme Safety objectives based on risk shall be established in terms of the hazards maximum probability of occurrence, derived both from the severity of its effect, and from the maximum probability of the hazard s effect. States AMC matrix ATS AIS CNS.xls 16 of 19

17 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 As a necessary complement to the demonstration that established quantitative objectives are met, additional safety management considerations shall be applied so that more safety is added to the ATM system whenever reasonable. 3.3 Safety requirements for engineering and technical personnel undertaking operational safety related tasks All relevant guidance material can be found in the ESSAR 5 explanatory material. The working group has no additional AMC's which are not already in the ESSAR 5 documentation. A provider of air traffic services shall ensure that technical and engineering personnel including personnel of subcontracted operating organisations who operate and maintain ATM equipment approved for its operational use have and maintain sufficient knowledge and understanding of the services they are supporting, of the actual and potential effects of their work on the safety of those services, and of the appropriate working limits to be applied. by using ESSAR 5 guidance material by using ESSAR 5 guidance material With regard to the personnel involved in safety related tasks including personnel of subcontracted operating organisations, the provider of air traffic services shall document the adequacy of the competence of the personnel; the rostering arrangements in place to ensure sufficient capacity and continuity of service; the personnel qualification schemes and policy, the personnel training policy, training plans and records as well as arrangements for the supervision of nonqualified personnel. It shall have procedures in place for cases where the physical or mental condition of the personnel is in doubt. by using ESSAR 5 guidance material by using ESSAR 5 guidance material A provider of air traffic services shall maintain a register of information on the numbers, status and deployment of the personnel involved in safety related tasks. The register shall: (a) identify the accountable managers for safety related functions; by using ESSAR 5 guidance material by using ESSAR 5 guidance material by using ESSAR 5 guidance material by using ESSAR 5 guidance material (b) record the relevant qualifications of technical and operational personnel, against required skills and competence requirements; by using ESSAR 5 guidance material by using ESSAR 5 guidance material (c) specify the locations and duties to which technical and operational personnel are assigned, including any rostering methodology. by using ESSAR 5 guidance material by using ESSAR 5 guidance material. WORKING METHODS AND OPERATING PROCEDURES 7 A provider of air traffic services shall be able to demonstrate that its working 7 methods and operating procedures are compliant with the standards in the following annexes to the Convention on International Civil Aviation as far as they are relevant for the provision of air traffic services in the airspace concerned: Analysis for relevant : In order to be identified as relevant, the standard: a. is to apply for the services that are being provided by the ANSP, and b. is not to be filled in directly by the State concerned, but by the ANSP. AMC for article as a whole: 1. The ANSP s working methods and operating procedures are compliant with the standards that have been identified, with the USOAP-list of ICAO as a base, as relevant by the NSA. States AMC matrix ATS AIS CNS.xls 17 of 19

18 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 Annex on rules of the air (9th edition, July 1990 including all amendments up 7 to no 37); Annex 10 on aeronautical telecommunications, Volume on communication 7 procedures (6th edition, October 001 including all amendments up to no 79) ; Annex 11 on air traffic services (13th edition, July 001 including all 7 amendments up to no ). ANNEX IV 7 SPECIFIC REQUIREMENTS FOR THE PROVISION OF AERONAUTICAL 7 INFORMATION SERVICE 1. TECHNICAL AND OPERATIONAL COMPETENCE AND CAPABILITY 7 A provider of aeronautical information service shall ensure that information and 7 data is available for operations in a form suitable for: flight operating personnel, including flight crew, as well as flight planning, flight management systems and flight simulators, and providers of air traffic services which are responsible for flight information services, aerodrome flight information services and the provision of pre-flight information. A provider of aeronautical information services shall ensure the integrity of data and confirm the level of accuracy of the information distributed for operations, including the source of such information, before such information is distributed Analysis for this part as a whole: Operational competence and capability is the knowledge and expertise in providing the service which shall be demonstrated to the NSA. The ICAO USOAP lists ask for the yes/no fulfilment of Annex 15 (in point of Annex IV), but the listed AMC shall contain information and give evidence on how Annex 15 is being fulfilled in these relevant points.. Where a difference has been filed by the State concerned to ICAO on a standard that has been identified as relevant, the ANSP s working methods and operating procedures are compliant with the differing text as supplied by the State concerned to ICAO. AMC for 'ensure': The AIS-provider has: a. implemented the relevant processes, and b. aeronautical information available in accordance with the provisions of ICAO Annex 15 and ICAO Doc. 816 relevant to information and data availability. The AIS-provider has implemented the relevant processes which show the methods to ensure data quality and itegrity as outlined in the World Geodetic System (S-8) Manual (Doc 967).. WORKING METHODS AND OPERATING PROCEDURES 7 A provider of aeronautical information services shall be able to demonstrate that 7 its working methods and operating procedures are compliant with the standards in the following annexes to the Convention on International Civil Aviation as far as they are relevant for the provision of aeronautical information services in the airspace concerned: Annex 3 on meteorological service for international air navigation (15th edition, 7 July 00); Annex on aeronautical charts (10th edition, July 001 including all 7 amendments up to no 53); Annex 15 on aeronautical information services (1th edition, July 00). 7 ANNEX V 7 SPECIFIC REQUIREMENTS FOR THE PROVISION OF COMMUNICATION, 7 NAVIGATION OR SURVEILLANCE SERVICES 1. TECHNICAL AND OPERATIONAL COMPETENCE AND CAPABILITY 7 A provider of communication, navigation or surveillance services shall ensure 7 the availability, continuity, accuracy and integrity of its services. Analysis for relevant : In order to be identified as relevant, the standard: a. is to apply for the services that are being provided by the ANSP, and b. is not to be filled in directly by the State concerned, but by the ANSP. Analysis for availability, continuity, accuracy and integrity : The level of availability, continuity ( ) is not prescribed. The ANSP is free to set the level. The QMS provides for the processes and their quality figures with respect to the ICAO standards relevant to the service and their related supporting systems. AMC for article as a whole: 1. The ANSP s working methods and operating procedures are compliant with the standards that have been identified, with the USOAP-list of ICAO as a base, as relevant by the NSA.. Where a difference has been filed by the State concerned to ICAO on a standard that has been identified as relevant, the ANSP s working methods and operating procedures are compliant with the differing text as supplied by the State concerned to ICAO. The ANSP ensures compliant competence and capability by: a. working according to the relevant processes which rely on ICAO SARPS and guidance material and that are described in the QMS, and b. providing an annual report of the actually reached level of quality, which shows the fulfilment or eventual deviations to the process figures. A provider of communication, navigation or surveillance services shall confirm the quality level of the services it is providing and shall demonstrate that its equipment is regularly maintained and where required calibrated. ANNEX V,. SAFETY OF SERVICES 7 Analysis for this part as a whole: The QMS additionally delivers evidence that the ANSP s processes cover the quality of service, maintenance and calibration issues. Additionally for each particular system documentation must be availale which shows the specific maintenance and calibration provisions. AMC for confirm : 1. The ANSP works according to documented descriptions of the relevant processes in the QMS.. The documentation for each individual system contains information about its maintenance and calibration provisions. 3. During on-site inspection the NSA checks the maintenance documentation for the compliance to the required intervals according to the documented maintenance and calibration provisions. States AMC matrix ATS AIS CNS.xls 18 of 19

19 Common SES-Certification -States/Eurocontrol ANSPs Common Requirements AMCs and analyses working sheet Status: February 006 A provider of communication, navigation or surveillance services shall comply with the requirements of Annex II, part 3 on the safety of services. 3. WORKING METHODS AND OPERATING PROCEDURES 7 A provider of communication, navigation or surveillance services shall be able to 7 demonstrate that its working methods and operating procedures are compliant with the standards of Annex 10 on aeronautical telecommunications to the Convention on International Civil Aviation (Volume I: 5th edition, July 1996; Volume II: 6th edition, October 001; Volume III: 1st edition, July 1995; Volume IV: 3rd edition, July 00; Volume V: nd edition, July 001; including all amendments up to no 79) as far as they are relevant for the provision of communication, navigation or surveillance services in the airspace concerned. by using ESSAR 5 guidance material Analysis for relevant : In order to be identified as relevant, the standard: a. is to apply for the services that are being provided by the ANSP, and b. is not to be filled in directly by the State concerned, but by the ANSP. by using ESSAR 5 guidance material AMC for article as a whole: 1. The ANSP s working methods and operating procedures are compliant with the standards that have been identified, with the USOAP-list of ICAO as a base, as relevant by the NSA.. Where a difference has been filed by the State concerned to ICAO on a standard that has been identified as relevant, the ANSP s working methods and operating procedures are compliant with the differing text as supplied by the State concerned to ICAO. States AMC matrix ATS AIS CNS.xls 19 of 19