MAXIMISING THE ATM POSITIVE CONTRIBUTION TO …...MAXIMISING THE ATM POSITIVE CONTRIBUTION TO SAFETY -A BROADER APPROACH TO SAFETY ASSESSMENT Eric PERRIN (speaker) Derek FOWLER

MAXIMISING THE ATM POSITIVE

CONTRIBUTION TO SAFETY - A BROADER

APPROACH TO SAFETY ASSESSMENT

Eric PERRIN (speaker)

Derek FOWLER

Ron PIERCE

EUROCONTROL Safety R&D Seminar

München, Germany 21-22 October 2009

even if it were 100% so, wouldthat answer…

ADS-B end-to-end systemneeds to be reliable

Separation down to “radar” levelsi.e. 5 nm or 3 nm

ADSADS--B IN NONB IN NON--RADAR AREAS RADAR AREAS –– HOW TO APPROACH SAFETY?HOW TO APPROACH SAFETY?

Radar-like services in NRA using ADS-B

whether ADS-B would be safe enough tosupport 3-5 nm separation…?

No! Risk of implementing a perfectly reliablebut unsafe ADS-B system

Operational Environment

Radar System Separation

Provision

Service

HazardsHazards

HazardsHazards

What we WANT

system to do –

Functions and

Performance

What we DON’T

want system to do -

Integrity

Pre-

existing

System-

Generated

ADSADS--B IN NONB IN NON--RADAR AREAS RADAR AREAS –– HOW TO APPROACH SAFETY?HOW TO APPROACH SAFETY?

“radar” separation minima: accuracy, resolution, refresh rate

etc of the surveillance information presented to the ATCO.

ADS-B in NRA

Good basis for a case:

ADS-B can provide the same functionality (i.e. data presented

to the Controller / support tools) and performance (data

accuracy, resolution, latency, refresh rate, coverage etc)

CANNOT CONTINUE TO

FOCUS MAINLY ON

FAILURE…!!

• Success approach:

– to show that an ATM system will be acceptably safe in the absence

of failure

– addresses the ATM contribution to aviation safety

– defined by Functional Safety Requirements

• Failure approach:

– to show that an ATM system will still be acceptably safe, takingaccount of the possibility of (infrequent) failure

– addresses the ATM contribution to aviation risk

– defined by Safety Integrity Requirements

A BROADER APPROACH TO RISK ASSESSMENT AND MITIGATIONA BROADER APPROACH TO RISK ASSESSMENT AND MITIGATION

Str

ate

gic

Co

nfl

ict

Mg

tS

tra

teg

ic C

on

flic

t M

gt

Pre-existing

Hazards

PrePre--existing existing

HazardsHazards AccidentAccident

Co

llis

ion

Av

oid

an

ceC

oll

isio

n A

vo

ida

nce

Se

pa

rati

on

Pro

vis

ion

Se

pa

rati

on

Pro

vis

ion

Pro

vid

en

ceP

rov

ide

nce

Safety

Nets

Main ATM

Functions

People, Equipment, and

procedures

System -

Generated

Hazards

System System --

Generated Generated

HazardsHazards

ICAO GLOBAL ATM OPERATIONAL CONCEPT 2005ICAO GLOBAL ATM OPERATIONAL CONCEPT 2005

Risk R

Pre-existing Risk

RU’

Acceptable Risk

RA

0

Separation Provision

Collision Avoidance

Strategic Conflict Mgt

RU’ ‘

RU

Providence

ICAO GLOBAL ATM OPERATIONAL CONCEPT ICAO GLOBAL ATM OPERATIONAL CONCEPT –– RISK GRAPHRISK GRAPH

Strategic Conflict MgtStrategic Conflict Mgt

Pre-existing Hazards

Pre-existing Hazards

AccidentAccident

Collision AvoidanceCollision Avoidance

Separation ProvisionSeparation Provision

ProvidenceProvidence

OR

&

OR

&

OR

&

&

1-PS1

1-PS2

1-PS3

1-PS4

RA

FF2

FF1

System -generated Hazards

System -generated Hazards

FF3

Fu

FAULT TREE VIEWFAULT TREE VIEW

Enables us to specify success (Pnn) as well as failure (Fnn) attributes

• Safety requirements are specified for ATM to:

– maximize its contribution to aviation safety and

– minimize its contribution to the risk of an accident

• Safety Requirements cover, respectively:

– functionality & performance

– integrity (plus some additional f&p)

Broader approach = success plus failure cases

SAFETY REQUIREMENTSSAFETY REQUIREMENTS

Arg 0<<Claim that something is safe>>

Arg 1<<Argument that <A> is true>>

Arg 4<<Argument that <D> is true>>

Arg 2<<Argument that <B> is true>>

Arg 3<<Argument that <C> is true>>

C001Applies to <<Operational Environment>>

A0001<<Assumptions to be declared and validated in the Safety Case>>

J0001<<Justification for the subject of the Claim>>

[tbd] [tbd] [tbd]

<<Strategy to explain the rationale for decomposing Arg 0>>

[tbd]

Cr001<<Safe is defined by Safety Targets>>

GENERIC ARGUMENT STRUCTUREGENERIC ARGUMENT STRUCTURE

• How much?

• How obtained?

• How good?

Simple answer is Safety Assurance

EVIDENCEEVIDENCE

Objectives Objectives

ActivitiesActivities

Evidence Evidence

To produce

To achieveTo give confidenceAssurance Level (AL)

SAFETY ASSURANCE SAFETY ASSURANCE -- GENERALGENERAL

Safety Argument Safety Argument

Safety ActivitiesSafety Activities

To satisfy

Evidence Evidence

To produce

To give confidence

Assurance Level (AL)

ARGUMENT-DRIVEN SAFETY ASSURANCE

To achieve

But how do we develop a satisfactory Safety Argument?

Application Domain System i/f

User Reqts R

Design D

Specification S

Domain Properties P

P, S R

Implementation I

Real World

D S

I D

WE USE A REQUIREMENTSWE USE A REQUIREMENTS--ENGINEERING MODEL!ENGINEERING MODEL!

ATM System

i/f

Design D

P, S T

Implementation I

Aviation World

D S

I D

Safety Targets TATM Service-level

Specification S

ATM User Domain

Properties P

ATM User Domain

This leads initially to ………….

AN ATM SAFETY VERSIONAN ATM SAFETY VERSION

Arg 0SESAR En-route Operations will be acceptably safe.

Cr001Acceptably safe is defined by the Safety Targets – see Arg 1.1

Arg 1 SESAR En-route ATM system has been specified to be acceptably safe

Arg 5SESAR En-route ATM system will be shown to operate acceptably safely throughout its service life

Arg 3SESAR En-route ATM system Design has been implementedcompletely & correctly

Arg 4Transition from current state to full SESAR En-route ATM system will be acceptably safe

C001Applies to the Operational Environment described in Section 2 of the En-route Safety Design Document

A001Assumptions as per section 8.1 of the PSC

J001Justification as per Section 2.2 of the PSC

[tbd] [tbd] [tbd]

Figure 20

Argue on basis of a safe Specification and Logical Design, full Implementation of that design, safe Transition into service and Safety Monitoring for whole operational service life

Arg 2 SESAR En-route ATM system has been designed to be acceptably safe

Figure 21

……TOP LEVEL ARGUMENTTOP LEVEL ARGUMENT

LIFECYCLE VIEW LIFECYCLE VIEW -- OVERALLOVERALL

Definition

Transfer into

Operation

Operation &

Maintenance

Low

er-

lev

el

Sa

fety

Arg

um

en

ts

Evid

en

ce

System Safety

Assurance Activities

Arg

0

Arg

0Design & Validation

(High-level)

Arg

1A

rg 2

Arg

4A

rg 3

Arg

5

Arg

1A

rg 2

Arg

4A

rg 3

Arg

5

Implementation &

Integration

V1

V2

V3

V4

V5

V6

V7

V0


User Reqts R

Design D

Specification S

Domain Properties P

P, S R

Implementation I

‘Real World'

D S

I D


User Reqts R

Design D

Specification S

Domain Properties P

P, S RP, S RP, S R

Implementation I

‘Real World'

D SD SD S

I DI DI D

RE Model

Definition

Transfer into Operation

Operation & Maintenance

Low

er-le

vel S

afet

y A

rgum

ents

Evidence

System Safety Assurance Activities

Arg

0

Arg 0

Design & Validation(High-level)

Arg

1A

rg 2

Arg

4A

rg 3

Arg

5

Arg 1

Arg 2

Arg 4

Arg 3

Arg 5

Implementation & Integration

Definition

Transfer into Operation

Operation & Maintenance

Low

er-le

vel S

afet

y A

rgum

ents

Evidence

System Safety Assurance Activities

Arg

0

Arg 0

Design & Validation(High-level)

Arg

1A

rg 2

Arg

4A

rg 3

Arg

5A

rg 1

Arg

2A

rg 4

Arg

3A

rg 5

Arg 1

Arg 2

Arg 4

Arg 3

Arg 5

Arg 1

Arg 2

Arg 4

Arg 3

Arg 5

Implementation & Integration

Assurance ProcessSafety Case










[tbd] [tbd] [tbd]

Figure 20



Figure 21










[tbd][tbd] [tbd][tbd] [tbd][tbd]

Figure 20Figure 20



Figure 21Figure 21

PROCESS SUMMARYPROCESS SUMMARY

SCD TCD

TCRSCR

FPM

SURV(G)RBTs

Airspace

ACA

PD(V)Nav Data

SURV(A)

Aircraft

COTR

Adjacent Airspace

. . . ..

TOLI/TCICL

.ADS data

OtherAircraft

Handover

CLR

. .

Net Mgt

ASA

RBT Revision

ACAS RA data

.

.

.

.

Weather, NOTAMs, etc.

RBT Revisions & Updates

TCICL

Nav

AOC

S&S

GCA

1

1

Flt Ctl

PD(H)

FMSFMS AP/FDAP/FD

A/FA/F

FCRW

NAVAIDSNAVAIDS

PLNR

FDPFDP

SDP(G)SDP(G)

ADSECT ALTSYSALTSYS

MTCDMTCD

MONAMONA EXEC

SRNMCSDP(A)SDP(A)

ACASACAS

TCTTCT

ASASASAS

SNETSSNETS

TA

RA

AC2

Independent Surveillance

ADS-B

AD

S-B

Mode A

/C or S

Non-standard C

OT

R

RBT Rev & Update

RBT Rev & Update RBT Rev

& Update

Conflicts

RA

Dow

nlink

RBT Rev & Update

Requests, CLR, & Transfer

Airspace Data

Manual Inputs

TAWSTAWS

Prop RBT Rev

TC-SA

1

1

A&D-MANA&D-MAN

2

2

1

CT

O / A

APT data

• The AMAN sub-function shall compute a Controlled Time of Overfly (CTO) for waypoints extending out well into En-route Airspace (typically as far as 200 nm) and down to a CTA at the Final Approach Fix or at a final merge point

• The AMAN sub-function shall generate speed advisories for Aircraft without an RTA capability

• The EXEC shall resolve any conflicts, as follows:

– where the situation is time-critical, issue an “openloop” clearance to one or both Aircraft involved, or

– where possible, and the situation is less time-critical, issue a trajectory change to resolve the conflict but return the Aircraft to its original route, or

– where proposed by the PLNR and judged appropriate, for crossing / passing traffic, delegate separation responsibility to the FCRW according to the agreed and authorized RBT

A FEW FUNCTIONAL SAFETY REQUIREMENTS A FEW FUNCTIONAL SAFETY REQUIREMENTS

●

EXECFCRW FMS FDP SDP(G)

Conflict free

MTCD

17

13

18

3

4

Conflict

56

78910

Aircraft

climbs

Aircraft wan

ts

to clim

b

11126

141516

1 2

22232425

20

19

Aircraft

climbs

Repeat

from 1

621

FCRW

rejects

FCRW

accepts

Documents

MAXIMISING THE ATM POSITIVE CONTRIBUTION TO …...MAXIMISING THE ATM POSITIVE CONTRIBUTION TO SAFETY -A BROADER APPROACH TO SAFETY ASSESSMENT Eric PERRIN (speaker) Derek FOWLER