1
PRELIMINARY RESULTS FROM A EUROPEAN SAFETY R&D PROGRAM
Barry Kirwan
Eurocontrol Experimental Centre
Bretigny/Orge, [email protected]
2
Overview
Safety Needs
7 Safety R&D ‘threads’
Interim Results
Interim Conclusions
3
Safety Needs
Recent accidents involving ATM
Increasing traffic (capacity)
Advanced systems (2012; 2017; 2025)
Keep ATM safe
Anticipate & Resolve Problems
Learn before accidents occur
4
1. Safety Learning & Early Warning
Interpretation of incident causes in context of new concept
Example – CORA – Conflict advisor
36 relevant incidents; 6 ‘lessons’:
Detrimental quality of Information
Misjudgement by controller
Over-reliance on technology
Sector boundaries
Sequence of conflicts
Military conflicts
Added benefits of CORA-D/L
CORA Concept adapted to make it more robust
5
2. Safety Methods (Toolbox) [Enabler]
Toolbox of 30+ methods (FAA + Eurocontrol + ANSPs):
  Hazard and human error identification
  Representation in fault and event trees
  Quantification of events & human errors; evidence from incidents/simulations
  Analysis of dependence and common mode failures
  Evaluation of uncertainty, sensitivity, and risk impact
  Determination of safety requirements
  Documentation for re-usability
[Figure: hierarchical task analysis of task 1.6, Issue delegation instruction]
1.6 Issue delegation instruction
  Plan: Do 1. Then do as appropriate.
  1.6.1 Decide on appropriate instruction
  1.6.2 Instruct pilot to 'Remain behind'
    Plan: Do 1. Then do 2 if required. Then do 3 to 5 in order.
    1.6.2.1 Ensure applicability conditions are met/maintained
    1.6.2.2 Issue instruction(s) to ensure applicability conditions are met
    1.6.2.3 Issue 'remain behind' instruction
    1.6.2.4 Receive pilot readback
    1.6.2.5 Click mouse button A over delegated a/c
  1.6.3 Instruct pilot 'Heading then remain behind'
    Plan: Do 1 throughout. Then do 2 if required. Then do 3 to 6 in order.
    1.6.3.1 Ensure applicability conditions are met/maintained
    1.6.3.2 Issue instruction(s) to ensure applicability conditions are met
    1.6.3.3 Issue 'heading then remain behind' instruction
    1.6.3.4 Receive pilot readback
    1.6.3.5 Click mouse button A over delegated a/c
    1.6.3.6 Receive 'pilot resuming' report
  1.6.4 Instruct pilot to 'Merge behind'
    Plan: Do 1 throughout. Then do 2 if required. Then do 3 to 5 in order.
    1.6.4.1 Ensure applicability conditions are met/maintained
    1.6.4.2 Issue instruction(s) to ensure applicability conditions are met
    1.6.4.3 Issue 'merge behind' instruction
    1.6.4.4 Receive pilot readback
    1.6.4.5 Click mouse button A over delegated a/c
  1.6.5 Instruct pilot 'Heading then merge behind'
    Plan: Do 1 throughout. Then do 2 if required. Then do 3 to 6 in order.
    1.6.5.1 Ensure applicability conditions are met/maintained
    1.6.5.2 Issue instruction(s) to ensure applicability conditions are met
    1.6.5.3 Issue 'heading then merge behind' instruction
    1.6.5.4 Receive pilot readback
    1.6.5.5 Click mouse button A over delegated a/c
    1.6.5.6 Receive pilot's merging distance report
[Figure: human factors 'What if?' analysis process]
Select HF Issue (e.g. “Recovery from Failure”)
Brainstorm What Ifs
Analyse Likely Impact & Safeguards for each What if
Analyse all other columns for each What if
Select next HF Issue (e.g. “Staffing and Organisation”)
Table columns: What if? | Likely Impact | Safeguards | Action
6
3. Safety in Design
50% of accidents have their roots in the design phase
EEC has a safety policy, and safety plans for sector tools, traffic flow, and airport research areas
Safety activities are ongoing for each project in these areas
Integrative project for 2012
7
4. Key Risk Areas
Level busts
[Figure: level bust example, numbered R/T exchange involving aircraft "Green one" and "Red one" at FL 140 and FL 150]
1. Green one, climb FL 140
2. Climbing FL 140 Green one
3. Red one, descend FL 150
4. Descending FL 150 Red one
5. Red one traffic at eight miles, level 140
6. At eight miles FL 140 Red one
8
SMART: modelling the Level Bust ‘Safety Architecture’: Hard & Soft Barriers
[Figure: barrier model running from generic initiator through prevention and recovery to accident]
Stages: Generic Initiator; Prevention; Deviation from the assigned flight path; Recovery; Accident
Barriers:
  Separation assurance by airspace design
  Separation assurance by tactical control
  Deviations recovered by ATC
  Short term Conflict, detected and solved by ATC
  Emergency avoidance of imminent collision
9
10
Impact of SMART analysis
Shows where safety is and is not working
Helps identify new barriers
Resource intensive
Being applied to level busts & interactions between safety nets
Safety nets work: SMART analysis is helping understand the pros and cons of downlinking to the controller the fact that a TCAS resolution advisory (RA) has occurred in the cockpit
11
5. Integrated Risk Picture & the Safety Roadmap
[Figure: ATM planning layers and flight phases along a time axis]
Planning layers: Strategic airspace, flow and capacity management; Pre-tactical demand and capacity balancing; Tactical flow and capacity management
Flight phases: Pre-departure phase; Departure Taxiing; Departure; En-route; Arrival; Arrival Taxiing; Post flight phase
Time: A year; A week; A day; Day of Operation
Tools shown: MTCD; D/L; CORA
12
Types of insight
Failure to recognize loss of separation
Direct cause of 1.3% of all accidents; 50% of mid-air collisions
Support to controllers to reduce distractions
Support to better detect potential conflict in the medium term
Civil-military interactions
[Chart: Causes of Tactical Conflicts]
M5.1.2 Ineffective strategic conflict prevention; 40%
M5.2.1 Conflict due to penetration of controlled airspace; 30%
M5.2.2 Conflict in uncontrolled airspace; 10%
M5.2.3 Conflict due to ATC induced deviation from route; 10%
M5.2.4 Conflict due to pilot induced deviation from route; 10%
6. Safety Culture & the Future
Survey of 4 ATCCs
Main concerns
  Teamwork
  Communications
  Trust in equipment
  Understanding each other’s roles
  Responsibility for safety
Past changes have not had as much impact as expected
14
7. Collaboration: working together
FAA-Eurocontrol Action Plan on Safety (AP 15)
Eurocontrol Safety Team (European Air Navigation Service Providers)
CAATS European Workshop on Safety R&D October 2005
Seeking European Commission funding to support a Network of Excellence on Safety R&D
15
Interim Conclusions
Need safety learning: early warning and learning from incidents
Safety methods exist – need more application
Safety in design/concept stage – progress being made
Key risk areas – needs new (SMART-er?) thinking
Delivering future safety –
  where do we get most return on safety investment?
  what extra tools, training and procedures will keep us safe?
  need to monitor safety to see if it is improving fast enough
Future safety culture – need to measure baseline now, and measure & understand impacts of coming changes
Collaboration is needed
16
Thanks for your attention: Questions?
17
18
Guiding Principles
ATM must become a learning organisation
ATM must have suitable methods with which to anticipate and protect itself against risks
Safety must be built in at the early stages of ATM system design, right through to implementation
ATM must improve safety in key risk areas
ATM must be sure that the systems it is developing will deliver the required safety levels
ATM must retain its ‘High Reliability’ status and its ‘safe culture’
The above collaboration should be achieved effectively and cost-efficiently
19
Some observations…
Medium Term Safety Nets – too much reliance on last-minute defences
Human factors importance – but this must be focused with safety
Safety in degraded mode operations
Safety culture – tolerating poor conditions or excessive workload/demands
As complexity increases, second order phenomena begin to dominate
We need a roadmap and a monitoring process
We should increase capacity when it is safe to do so – this would be the policy of an industry that puts safety first
There is a general shortage of qualified safety people in the industry – the industry as a whole is lacking in safety competence & understanding
Are we really safe? Or just lucky?
20
Other Key Risk Areas: safety net interactions; low vigilance; complexity; runway incursions
Attention - I notice I’m just not focussed anymore and more complacent
Not knowing the traffic situation
Less precise & small mistakes
Missing calls, have to ask a/c to repeat call;
Surprised by call - Don’t understand a/c R/T
Spot conflict only 1-6 minutes before
Getting behind in work
Not looking at the screen
Easily distracted
Not knowing a/c on frequency; looking for traffic that calls in
Less pre-planning
Work slower
Fatigue