Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
MAXIMISING THE ATM POSITIVE
CONTRIBUTION TO SAFETY - A BROADER
APPROACH TO SAFETY ASSESSMENT
Eric PERRIN (speaker)
Derek FOWLER
Ron PIERCE
EUROCONTROL Safety R&D Seminar
München, Germany 21-22 October 2009
even if it were 100% so, wouldthat answer…
ADS-B end-to-end systemneeds to be reliable
Separation down to “radar” levelsi.e. 5 nm or 3 nm
ADSADS--B IN NONB IN NON--RADAR AREAS RADAR AREAS –– HOW TO APPROACH SAFETY?HOW TO APPROACH SAFETY?
Radar-like services in NRA using ADS-B
whether ADS-B would be safe enough tosupport 3-5 nm separation…?
No! Risk of implementing a perfectly reliablebut unsafe ADS-B system
Operational Environment
Radar System Separation
Provision
Service
HazardsHazards
HazardsHazards
What we WANT
system to do –
Functions and
Performance
What we DON’T
want system to do -
Integrity
Pre-
existing
System-
Generated
ADSADS--B IN NONB IN NON--RADAR AREAS RADAR AREAS –– HOW TO APPROACH SAFETY?HOW TO APPROACH SAFETY?
“radar” separation minima: accuracy, resolution, refresh rate
etc of the surveillance information presented to the ATCO.
ADS-B in NRA
Good basis for a case:
ADS-B can provide the same functionality (i.e. data presented
to the Controller / support tools) and performance (data
accuracy, resolution, latency, refresh rate, coverage etc)
CANNOT CONTINUE TO
FOCUS MAINLY ON
FAILURE…!!
• Success approach:
– to show that an ATM system will be acceptably safe in the absence
of failure
– addresses the ATM contribution to aviation safety
– defined by Functional Safety Requirements
• Failure approach:
– to show that an ATM system will still be acceptably safe, takingaccount of the possibility of (infrequent) failure
– addresses the ATM contribution to aviation risk
– defined by Safety Integrity Requirements
A BROADER APPROACH TO RISK ASSESSMENT AND MITIGATIONA BROADER APPROACH TO RISK ASSESSMENT AND MITIGATION
Str
ate
gic
Co
nfl
ict
Mg
tS
tra
teg
ic C
on
flic
t M
gt
Pre-existing
Hazards
PrePre--existing existing
HazardsHazards AccidentAccident
Co
llis
ion
Av
oid
an
ceC
oll
isio
n A
vo
ida
nce
Se
pa
rati
on
Pro
vis
ion
Se
pa
rati
on
Pro
vis
ion
Pro
vid
en
ceP
rov
ide
nce
Safety
Nets
Main ATM
Functions
People, Equipment, and
procedures
System -
Generated
Hazards
System System --
Generated Generated
HazardsHazards
ICAO GLOBAL ATM OPERATIONAL CONCEPT 2005ICAO GLOBAL ATM OPERATIONAL CONCEPT 2005
Risk R
Pre-existing Risk
RU’
Acceptable Risk
RA
0
Separation Provision
Collision Avoidance
Strategic Conflict Mgt
RU’ ‘
RU
Providence
ICAO GLOBAL ATM OPERATIONAL CONCEPT ICAO GLOBAL ATM OPERATIONAL CONCEPT –– RISK GRAPHRISK GRAPH
Strategic Conflict MgtStrategic Conflict Mgt
Pre-existing Hazards
Pre-existing Hazards
AccidentAccident
Collision AvoidanceCollision Avoidance
Separation ProvisionSeparation Provision
ProvidenceProvidence
OR
&
OR
&
OR
&
&
1-PS1
1-PS2
1-PS3
1-PS4
RA
FF2
FF1
System -generated Hazards
System -generated Hazards
FF3
Fu
FAULT TREE VIEWFAULT TREE VIEW
Enables us to specify success (Pnn) as well as failure (Fnn) attributes
• Safety requirements are specified for ATM to:
– maximize its contribution to aviation safety and
– minimize its contribution to the risk of an accident
• Safety Requirements cover, respectively:
– functionality & performance
– integrity (plus some additional f&p)
Broader approach = success plus failure cases
SAFETY REQUIREMENTSSAFETY REQUIREMENTS
Arg 0<<Claim that something is safe>>
Arg 1<<Argument that <A> is true>>
Arg 4<<Argument that <D> is true>>
Arg 2<<Argument that <B> is true>>
Arg 3<<Argument that <C> is true>>
C001Applies to <<Operational Environment>>
A0001<<Assumptions to be declared and validated in the Safety Case>>
J0001<<Justification for the subject of the Claim>>
[tbd] [tbd] [tbd]
<<Strategy to explain the rationale for decomposing Arg 0>>
[tbd]
Cr001<<Safe is defined by Safety Targets>>
GENERIC ARGUMENT STRUCTUREGENERIC ARGUMENT STRUCTURE
• How much?
• How obtained?
• How good?
Simple answer is Safety Assurance
EVIDENCEEVIDENCE
Objectives Objectives
ActivitiesActivities
Evidence Evidence
To produce
To achieveTo give confidenceAssurance Level (AL)
SAFETY ASSURANCE SAFETY ASSURANCE -- GENERALGENERAL
Safety Argument Safety Argument
Safety ActivitiesSafety Activities
To satisfy
Evidence Evidence
To produce
To give confidence
Assurance Level (AL)
ARGUMENT-DRIVEN SAFETY ASSURANCE
To achieve
But how do we develop a satisfactory Safety Argument?
Application Domain System i/f
User Reqts R
Design D
Specification S
Domain Properties P
P, S R
Implementation I
Real World
D S
I D
WE USE A REQUIREMENTSWE USE A REQUIREMENTS--ENGINEERING MODEL!ENGINEERING MODEL!
ATM System
i/f
Design D
P, S T
Implementation I
Aviation World
D S
I D
Safety Targets TATM Service-level
Specification S
ATM User Domain
Properties P
ATM User Domain
This leads initially to ………….
AN ATM SAFETY VERSIONAN ATM SAFETY VERSION
Arg 0SESAR En-route Operations will be acceptably safe.
Cr001Acceptably safe is defined by the Safety Targets – see Arg 1.1
Arg 1 SESAR En-route ATM system has been specified to be acceptably safe
Arg 5SESAR En-route ATM system will be shown to operate acceptably safely throughout its service life
Arg 3SESAR En-route ATM system Design has been implementedcompletely & correctly
Arg 4Transition from current state to full SESAR En-route ATM system will be acceptably safe
C001Applies to the Operational Environment described in Section 2 of the En-route Safety Design Document
A001Assumptions as per section 8.1 of the PSC
J001Justification as per Section 2.2 of the PSC
[tbd] [tbd] [tbd]
Figure 20
Argue on basis of a safe Specification and Logical Design, full Implementation of that design, safe Transition into service and Safety Monitoring for whole operational service life
Arg 2 SESAR En-route ATM system has been designed to be acceptably safe
Figure 21
……TOP LEVEL ARGUMENTTOP LEVEL ARGUMENT
LIFECYCLE VIEW LIFECYCLE VIEW -- OVERALLOVERALL
Definition
Transfer into
Operation
Operation &
Maintenance
Low
er-
lev
el
Sa
fety
Arg
um
en
ts
Evid
en
ce
System Safety
Assurance Activities
Arg
0
Arg
0Design & Validation
(High-level)
Arg
1A
rg 2
Arg
4A
rg 3
Arg
5
Arg
1A
rg 2
Arg
4A
rg 3
Arg
5
Implementation &
Integration
V1
V2
V3
V4
V5
V6
V7
V0
Application Domain System i/f
User Reqts R
Design D
Specification S
Domain Properties P
P, S R
Implementation I
‘Real World'
D S
I D
Application Domain System i/f
User Reqts R
Design D
Specification S
Domain Properties P
P, S RP, S RP, S R
Implementation I
‘Real World'
D SD SD S
I DI DI D
RE Model
Definition
Transfer into Operation
Operation & Maintenance
Low
er-le
vel S
afet
y A
rgum
ents
Evidence
System Safety Assurance Activities
Arg
0
Arg 0
Design & Validation(High-level)
Arg
1A
rg 2
Arg
4A
rg 3
Arg
5
Arg 1
Arg 2
Arg 4
Arg 3
Arg 5
Implementation & Integration
Definition
Transfer into Operation
Operation & Maintenance
Low
er-le
vel S
afet
y A
rgum
ents
Evidence
System Safety Assurance Activities
Arg
0
Arg 0
Design & Validation(High-level)
Arg
1A
rg 2
Arg
4A
rg 3
Arg
5A
rg 1
Arg
2A
rg 4
Arg
3A
rg 5
Arg 1
Arg 2
Arg 4
Arg 3
Arg 5
Arg 1
Arg 2
Arg 4
Arg 3
Arg 5
Implementation & Integration
Assurance ProcessSafety Case
Arg 0SESAR En-route Operations will be acceptably safe.
Cr001Acceptably safe is defined by the Safety Targets – see Arg 1.1
Arg 1 SESAR En-route ATM system has been specified to be acceptably safe
Arg 5SESAR En-route ATM system will be shown to operate acceptably safely throughout its service life
Arg 3SESAR En-route ATM system Design has been implementedcompletely & correctly
Arg 4Transition from current state to full SESAR En-route ATM system will be acceptably safe
C001Applies to the Operational Environment described in Section 2 of the En-route Safety Design Document
A001Assumptions as per section 8.1 of the PSC
J001Justification as per Section 2.2 of the PSC
[tbd] [tbd] [tbd]
Figure 20
Argue on basis of a safe Specification and Logical Design, full Implementation of that design, safe Transition into service and Safety Monitoring for whole operational service life
Arg 2 SESAR En-route ATM system has been designed to be acceptably safe
Figure 21
Arg 0SESAR En-route Operations will be acceptably safe.
Cr001Acceptably safe is defined by the Safety Targets – see Arg 1.1
Arg 1 SESAR En-route ATM system has been specified to be acceptably safe
Arg 5SESAR En-route ATM system will be shown to operate acceptably safely throughout its service life
Arg 3SESAR En-route ATM system Design has been implementedcompletely & correctly
Arg 4Transition from current state to full SESAR En-route ATM system will be acceptably safe
C001Applies to the Operational Environment described in Section 2 of the En-route Safety Design Document
A001Assumptions as per section 8.1 of the PSC
J001Justification as per Section 2.2 of the PSC
[tbd][tbd] [tbd][tbd] [tbd][tbd]
Figure 20Figure 20
Argue on basis of a safe Specification and Logical Design, full Implementation of that design, safe Transition into service and Safety Monitoring for whole operational service life
Arg 2 SESAR En-route ATM system has been designed to be acceptably safe
Figure 21Figure 21
PROCESS SUMMARYPROCESS SUMMARY
SCD TCD
TCRSCR
FPM
SURV(G)RBTs
Airspace
ACA
PD(V)Nav Data
SURV(A)
Aircraft
COTR
Adjacent Airspace
. . . ..
TOLI/TCICL
.ADS data
OtherAircraft
Handover
CLR
. .
Net Mgt
ASA
RBT Revision
ACAS RA data
.
.
.
.
Weather, NOTAMs, etc.
RBT Revisions & Updates
TCICL
Nav
AOC
S&S
GCA
1
1
Flt Ctl
PD(H)
FMSFMS AP/FDAP/FD
A/FA/F
FCRW
NAVAIDSNAVAIDS
PLNR
FDPFDP
SDP(G)SDP(G)
ADSECT ALTSYSALTSYS
MTCDMTCD
MONAMONA EXEC
SRNMCSDP(A)SDP(A)
ACASACAS
TCTTCT
ASASASAS
SNETSSNETS
TA
RA
AC2
Independent Surveillance
ADS-B
AD
S-B
Mode A
/C or S
Non-standard C
OT
R
RBT Rev & Update
RBT Rev & Update RBT Rev
& Update
Conflicts
RA
Dow
nlink
RBT Rev & Update
Requests, CLR, & Transfer
Airspace Data
Manual Inputs
TAWSTAWS
Prop RBT Rev
TC-SA
1
1
A&D-MANA&D-MAN
2
2
1
CT
O / A
APT data
• The AMAN sub-function shall compute a Controlled Time of Overfly (CTO) for waypoints extending out well into En-route Airspace (typically as far as 200 nm) and down to a CTA at the Final Approach Fix or at a final merge point
• The AMAN sub-function shall generate speed advisories for Aircraft without an RTA capability
• The EXEC shall resolve any conflicts, as follows:
– where the situation is time-critical, issue an “openloop” clearance to one or both Aircraft involved, or
– where possible, and the situation is less time-critical, issue a trajectory change to resolve the conflict but return the Aircraft to its original route, or
– where proposed by the PLNR and judged appropriate, for crossing / passing traffic, delegate separation responsibility to the FCRW according to the agreed and authorized RBT
A FEW FUNCTIONAL SAFETY REQUIREMENTS A FEW FUNCTIONAL SAFETY REQUIREMENTS
●
EXECFCRW FMS FDP SDP(G)
Conflict free
MTCD
17
13
18
3
4
Conflict
56
78910
Aircraft
climbs
Aircraft wan
ts
to clim
b
11126
141516
1 2
22232425
20
19
Aircraft
climbs
Repeat
from 1
621
FCRW
rejects
FCRW
accepts