Description

SAFMAPs (safety function maps) are barrier models based on a structured documentation of the available defences against particular unwanted accident outcomes (e.g. midair collision). These barriers are either part of the ATM system (ground and/or airborne component) or can impact the safety performance of ATM or aircraft navigation. Each discrete barrier is considered as a safety function. The functions used are rather generic, for example the function “Pilot/driver detection that entry onto the runway protected area will be incorrect” does not specify the actual means to implement this function such as stop-bars, runway guard lights or runway status lights.

So far, three (3) barrier models have been developed and are maintained by EUROCONTROL:

• Mid-air collision en-route model - defining functions that may prevent mid-air collisions and separation minima infringement in controlled airspace class A, B and C during the en-route phase of fight.
• Mid-air collision in TMA model - defining functions that may prevent mid-air collisions and separation minima infringement in TMA/CTR airspace class B and C during the en-route, approach or initial climb phases of flight.
• Runway collision model - defining functions which may prevent runway collisions and incursions.

SAFMAPs are hierarchical structures in which each higher-level structure (function) can be decomposed into several lower-level structures (functions). The highest levels are called basic safety functions. Each of these basic functions is then decomposed into more detailed Level 1 safety functions and, in the same manner, each of the Level 1 safety functions is further decomposed into several Level 2 safety functions and so on. At present, Level 5 is the most detailed specification and not all safety function levels are necessarily decomposed to the same extent. A function is decomposed only if there is a need as demonstrated by the occurrence of several incidents that have illustrated different ways in which a particular function can be implemented and/or challenged.  

A principle applied to the construction of SAFMAPs is to include all barriers which are available and operationally deployed by the industry. This means that SAFMAPs also serve as a repository of best practices that are not necessarily required by regulations. Examples of these are the use of short-term conflict probes and A-SMGCS level 2 functions.

The following example illustrates the basic safety functions of the Mid-air collision SAFMAP, as well as the consequences of them failing - the accident precursors.

CopyrightSKYbrary

The arrows show the development of a safety event. If the first basic function ("Tactical conflict prevention") fails, the event moves to the phase "Airborne tactical conflict". It is now up to the barriers within "Tactical separation assurance" to prevent further development. If those fail as well, the event becomes "Separation infringement" and further development is to be stopped by "ATC collision avoidance".

The arrangement of functions within the same level affects the way in which they can fail. When a function is decomposed into more than one lower level barriers, their arrangement determines the conditions for failure. See the picture below for examples.

CopyrightSKYbrary

In Scenario 1, failure of any of the lower level barriers would lead to failure of the upper level barrier. In Scenario 2, all three lower level barriers need to fail in order for the event to move further. In Scenario 3, Barrier 3 and one of the the others (1 or 2) need to fail for the event to propagate further.

Because SAFMAP’s vertical and lateral structures are defined through formal logical rules, the models maintain internal rigour and can be reliably processed, analysed, and compared using mathematical methods.

Use of the SAFMAP barrier models

The SAFMAP model configurations are updated periodically in line with the findings of the analysis of the occurrence data collected within the scope of the European Network Manager collaborative process aimed at identifying operational hazards at network level and to assess the overall network safety risk. 

Besides the network risk assessment, the SAFMAP barrier models can be and have been used in support of the:

• Safety risk assessment of changes to the functional systems of ANSPs: SAFMAP enables structured identification of the impact of a change on the safety functions deployed by a service provider in ATS provision and assessment of the difference in barriers’ performance at barrier and model level. It supports building a qualitative or quantitative, absolute or relative safety argument about risk acceptability.  
• Safety risk management: SAFMAP provides a reference barrier model that enables consistent analysis of safety events and precursors. It draws on an accumulated and rich knowledge base of scenarios, contributing factors, and system behaviours, helping organisations understand how and why safety barriers succeed or fail.
• Safety Performance Measurement and Safety Intelligence: SAFMAP offers a structured and explicit risk and resilience architecture that underpins meaningful safety performance indicators, monitoring, and predictive intelligence. It allows organisations to track barrier effectiveness over time and to detect emerging vulnerabilities and resilience shifts.
• For further information and inquiries about model practical application contact Tzvetomir.BLAJEV@eurocontrol.int 

Further Reading

SAFMAP Models 2026, Levels 1 and 2, EUROCONTROL, 24 Nov 2025