5.7.1 - Risk Classification - Ver1.0 - Released


5.7.1 Risk Classification
Version 1.0
Contents
1 INTRODUCTION
2 CLASSIFICATION SCHEMES
3 COMPETENCY REQUIREMENTS
4 APPLICABILITY
5 REFERENCES
Approvals
CHANGE RECORD

1 INTRODUCTION
This document provides the standard definitions of safety levels for hazard severity,
frequency, probability, and risk for use by the associated M-NAV procedures. These
definitions are applied without variation to the Centre and all its systems, projects,
changes, and safety issues.

2 CLASSIFICATION SCHEMES
Classifications of severity, frequency, probability, and risk are the collective means of
defining what is meant by 'safe' throughout M-NAV.
Safety is expressed in terms of risk, which is a combination of the probability (or
frequency) of a hazardous event, and the seriousness (severity) of its consequences.
Therefore, it is possible to equate each combination of these two attributes to a level
of risk.
There are many possible risk levels which arise from these combinations, but each is
assigned to one of only two risk classes. Any risks which are Unacceptable are
considered unsafe, whatever the circumstances. Any risks which are Acceptable are
considered safe, but even so may not represent the lowest practicably achievable
risk.
When calculating risk, the associated probability (or frequency) can be expressed
qualitatively or quantitatively.
The safety of potential and actual hazards at M-NAV is therefore determined by their
risk class, rather than their severity or likelihood alone. However, in order to arrive at
a risk class, both the severity and probability of the hazard must also be classified
since risk is a combination of the two.
A Risk Classification Scheme/Matrix specifies the maximum acceptable and
tolerable frequencies of occurrence of a (hazard) effect of a certain severity class per
reference unit. A Safety Objective Classification Scheme (SOCS) specifies the
maximum acceptable frequency of occurrence of a hazard per reference unit taking
into account the severity of the worst credible hazard effect (amongst all hazard
effects).
In the absence of national safety targets set by the regulator and of a Unit FHA, the
ED 125 document [1] and ESARR 4 [2] have been used as a basis to define the M-NAV
Risk Classification Scheme and Safety Objective Classification Scheme.
When developing the schemes, the following assumptions and considerations were
taken into account:
• An ambition factor of 5 has been applied, except for severity 1 effects, where ambition factor 1,55 is applied
• As recommended by ED 125 a volume of traffic equal to 50 000 fh/year has been used to derive the RCS and SOCS which ensures an additional ambition factor in the order of 2
• As recommended by ED 125 the total number of hazards at the ATM service provision level is set to 125
• The complexity of Macedonian airspace is assumed to be of C4 type
• The M-NAV RCS will remain valid until 2015, i.e. the concept of operation will not change dramatically
• The National Regulator will adopt an ambition factor that is no higher than that described in ED 125.
If the assumptions described above are no longer valid, the RCS and SOCS
will be reviewed, and revised as necessary.
The classification schemes are presented in the following Tables:
• Table 1 Severity Classification Scheme
• Table 2 Definition of Qualitative Categories
• Table 3 Risk Classification Scheme
• Table 4 Safety Objectives Classification Scheme

3 COMPETENCY REQUIREMENTS
Users of those M-NAV procedures that make use of the classification schemes herein
shall have demonstrable knowledge of the use of this document.

4 APPLICABILITY
The SOC's shall be applicable to all changes developed following the date of
publication of this updated scheme. This scheme is not to be applied retroactively to
changes under development preceding the publication of this revised scheme. The
precise use of each classification scheme is determined by the M-NAV procedures
which refer to this document. Consequently, there are no outputs arising directly from
standalone use of this document; rather, the schemes are used as part of the execution
of the external procedure.

5 REFERENCES
[1] EUROCAE ED-125, Process specification for performing risk assessment and
mitigation in ATM “in compliance” with ESARR 4
[2] Eurocontrol ESARR 4 - Risk assessment and mitigation in ATM

| Severity Class | 1 [Most Severe] | 2 | 3 | 4 | 5 [Least Severe] |
|---|---|---|---|---|---|
| Effects on Operations | Accidents | Serious Incidents | Major Incidents | Significant Incidents | No Immediate Effect on Safety |
| SEVERITY INDICATORS SET 1: EFFECTS ON AIR NAVIGATION SERVICE | | | | | |
| Effect on Air Navigation Service within the area of responsibility | Total inability to provide or maintain safe service | Serious inability to provide or maintain safe service | Partial inability to provide or maintain safe service | Ability to provide or maintain safe but degraded service | No safety effect on service |
| ATCO and/or Flight Crew Working Conditions | Workload, stress or working conditions are such that they cannot perform their tasks at all | Workload, stress or working conditions are such that they are unable to perform their tasks effectively | Workload, stress or working conditions such that their ability is significantly impaired | Workload, stress or working conditions are such that their abilities are slightly impaired | No effect |
| Effect on ground ATM System and/or Aircraft Functional Capabilities | Total loss of functional capabilities | Large reduction of functional capabilities | Significant reduction of functional capabilities | Slight reduction of functional capabilities | No effect |
| ATCO and/or Flight Crew Ability to Cope with Adverse Operational and Environmental Conditions * | Unable to cope with adverse operational and environmental conditions | Large reduction of the ability to cope with adverse operational and environmental conditions | Significant reduction of the ability to cope with adverse operational and environmental conditions | Slight reduction of the ability to cope with adverse operational and environmental conditions | No effect |
| Effect on Barrier model (See FHA Chapter 3 – GM I) | Inability for any “prevention”, “resolution” nor “recovery” of conflict situation. | Inability for “prevention” and/or “resolution” of conflict situation, however “recovery” possible. | Inability for “prevention” of conflict situation, “resolution” partially impaired. | “Prevention” of conflict situation impaired. | No effect |
| SEVERITY INDICATORS SET 2: EXPOSURE | | | | | |
| Exposure time | The presence of the hazard is almost permanent. Reduction of safety margins persists even after recovering from the immediate problem. | Hazard may persist for a substantial period of time | Hazard may persist for a moderate period of time. | Hazard may persist for a short period of time such that no significant consequences are expected. | Too brief to have any safety-related effect |
| Number of aircraft exposed / area of responsibility | All aircraft in the area of responsibility | All aircraft in several ATC Sectors | Aircraft within a small geographic area or an area of low traffic density | Single aircraft | No aircraft affected |
| SEVERITY INDICATORS SET 3: RECOVERY | | | | | |
| Annunciation, Detection and Diagnosis * | Undetected misleading indication. | Ambiguous indication. Not easily detected. Incorrect diagnosis likely | May require some interpretation. Detectable. Incorrect diagnosis possible | Clear annunciation. Easily detected, reliable diagnosis | Clear annunciation. Easily detected and very reliable diagnosis |
| Contingency measures (other systems or procedures) available | No existing contingency measures available. Operators unprepared. Limited ability to intervene. | Limited contingency measures, providing only partial replacement functionality. Operators not familiar with procedures or may need to devise a new procedure at the time. | Contingency measures available, providing most of required functionality. Fall back equipment usually reliable. Operator intervention required, but a practiced procedure within the scope of normal training | Reliable, automatic, comprehensive contingency measures | Highly reliable, automatic, comprehensive contingency measures |
| Rate of development of the hazardous condition, compared to the time necessary for annunciation, detection, diagnosis and application of contingency measures | Sudden. It does not allow recovery | Fast | Moderate | Slow | Plenty of time available. |

Table 1 Severity Classification Scheme

| Category | Definition |
|---|---|
| Numerous | This effect will certainly happen often throughout the system lifetime |
| Likely | This effect will certainly happen several times throughout the system lifetime |
| Occasional | This effect may happen sometimes throughout the system lifetime |
| Rare | It is not expected to have such an effect more than exceptionally and in some specific circumstances throughout the system lifetime. |
| Extremely Rare | Such an effect is not expected to happen throughout the system lifetime |

Table 2 Definition of Qualitative Categories

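Probability versus severity of effects (severity classes 1 to 5):

| Qualitative Probability Definition | Quantitative Probability Definition (see Notes 2, 3) | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| Numerous | >10^-2 | Unacceptable | U | U | U | A |
| Likely | 10^-2 | U | U | U | A | A |
| Occasional | 10^-4 | U | U | A | A | A |
| Rare | 10^-5 | U | A | A | A | A |
| Extremely Rare | <10^-8 | A | A | A | A | Acceptable |

Table 3 - Risk Classifications Scheme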

Probability versus severity of the worst credible hazard effects on ATM Service Provision (severity classes 1 to 5):

| Qualitative Probability Definition | Quantitative Probability Definition (see Notes 2, 3) | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| Numerous | >10^-2 | Unacceptable | U | U | U | A |
| Likely | 3 x 10^-3 | U | U | U | A | A |
| Occasional | 3 x 10^-4 | U | U | A | A | A |
| Rare | 10^-4 | U | A | A | A | A |
| Extremely Rare | <10^-7 | A | A | A | A | Acceptable |

Table 4 - Safety Objectives Classifications Scheme


Note 2: Probability of event per operational hour
Note 3: These quantitative probabilities shall not be used to determine software integrity levels (SILs). To determine which SIL is required
the SWAL procedure has to be completed.

Approvals

| | Position / Name | Signature | Date |
|---|---|---|---|
| Prepared: | DPS Expert, Aleksandar Palchevski | | |
| Accepted: | Executive Director - Operations, Toni Prgomet | | |
| Accepted: | Executive Director – Systems, Živko Poposki | | |
| Endorsed: | Safety Manager, Fahrudin Hamidi | | |
| Authorized: | Chairman of Management Board, Živko Poposki | | |

CHANGE RECORD

| Edition – Revision | Revision date | Pages/Sections affected | Remarks |
|---|---|---|---|
| Version 1.0 | 15/12/2009 | | |
