8 siraj finalworkshop safety case methodology

7/29/2019 8 SIRAJ FinalWorkshop Safety Case Methodology

1/24

1

SBAS Implementation in the regions of

ACAC and ASECNA

FP7-GALILEO-2008-4.3.1 / FP7-GALILEO-2008-4.3.4

Project with Community research funding


2/24

SIRAJ Final Workshop - Rabat 28th May 2012

Introduction

SIRAJ (October 2010April 2012) is a project funded by the European Commission under the 7th

Framework program.

Main objective: to evaluate the opportunities for EGNOS service extension to the areas covered by

the ACAC and ASECNA, in the Civil Aviation domain.

Part of this evaluation consists of APV/SBAS Safety Cases of each airport.

2


3/24


APV/SBAS approachDefinition

APV SBAS (Satellite Based Augmentation System) is an extension of RNAV (GNSS) system. It provides more

specific information, more accurate guidance than non-precision systems and the major benefit compared to

non-precision: final approach vertical guidance.

EGNOS System

In Europe, it is supported by EGNOS system (European Geostationary Navigation Overlay Service). It consists of

three geostationary satellites and a network of ground stations. EGNOS achieves its aim by transmitting a

signal containing information on the reliability and accuracy of the positioning signals sent out by GPS. It

allows users to determine their position to within 1.5 meters.

European SBAS system has the following advantages:

Optimized approach routing from various arrival directions

Improved track keeping

Use of more flexible route and procedure designs Limited need for ground infrastructure

Can be implemented in areas where ILS cannot be sited for terrain or obstacle reasons

Can provide approaches to more runways without additional infrastructure costs

Increase usability of many airports

3


4/24


Description

According to the European Commission regulation N 2096/2005, any

change in ATM system needs safety analysis. In this context, the

implementation of an APV SBAS procedure requires a safety

assessment.

A Safety Case consists of providing the demonstrable evidences that

the APV SBAS approach procedure implemented at the airport is

sufficiently safe in normal conditions and under failure conditions. The

level of safety maintained from introduction to service and during the

procedure is operational.

4


5/24


EUROCONTROL has developed a generic safety assessment for the use of

APV SBAS operations in Europe.

The methodology used within this safety assessment is derived from the

process specifications defined within the EUROCONTROL Safety Assessment

Methodology (SAM). The approach is based on the development of a Functional

Hazard Analysis (FHA), a Preliminary System Safety Analysis (PSSA) and a

System Safety Analysis (SSA).

5

Methodology

Safety Case

FHA PSSA SSA


6/24


Safety Case MethodologySafety Case Methodology

SAM Methodology is based on the following steps:

SAM

Tie-bow:

6

Hazard

PSSA FHA

SAFETY OBJECTIVESSAFETY REQUIREMENTS

Barrier

Failure

Success FailureSuccess

Failure

Success

Barrier Outcome

AccidentMissed approach

No effect

Missed approachCause

Safeguard

Cause

Cause

Cause

Safeguard

TLS

Event trees

analysisFault trees analysis

Hazard

identification

Risk Trees

analysis

Operationalenvironment

analysis

Identificationof hazards

andmitigations

SafetyObjectives

SafetyRequirements

Implementation MigrationOn-going

operations

FHA PSSA SSA


7/24


APV/SBAS Safety Case

1. Overall Safety Arguments - FHA

7

Description of airport Operational Environment.

Aspects related to APV/SBAS approaches: terrain, meteorology, airport configuration, navigation aids,

infrastructure, traffic analysis, etc

EUROCONTROL documents establish basic needs for APV/SBAS approaches related to the operationalenvironment.

- Concept of Operations for APV SBAS Approach (CONOPS)

- Operational and Functional Model of LPV (FUN)

Main safety arguments have to be established to ensure that the procedure and the APV/SBAS approaches are

going to be safe.

The aim of the Safety Case is to demonstrate that the use of APV SBAS approach procedures will be acceptably

safe in operational service at the airport.

Risk of accident shall not be greater than the one that currently exists at the airport and shall be reduced as far

as reasonably practicable.

2. Operational Environment Description (OED) - FHA


8/24



8

Examples of CONOPS assumptions:Missed approach is supported by GNSS (Reversion to "GPS only -lateral only- guidance is taken into

account in the procedure design criteria. A local safety assessment might contradict this. In case of failure of

GNSS, contingency procedures specific to each approach/airport will have to be defined).

Each RNAV/GNSS approach chart includes a LNAV minima line (a RNAV/GNSS approach chart

encompasses at least a LNAV procedure)

Examples of Functional Model assumptions:

A mid and long term prediction of GNSS service is provided to aircrew

All aircraft and aircrew approved to conduct APV SBAS should be prepared to be asked to intercept the final

approach track from a radar vector on ATC demand


9/24



3. Hazard Identification - FHA

9

Hazards are the consequences of failures within the system, combination of failures and

interactions with other systems and external events in the environment of operation.

All identifications and analysis have been established through brainstorming based on APVgeneric safety case establishes general hazards. The brainstorming group is composed of Pilots,

ATCOs, Flight Procedure Designers and safety experts.

Steps to develop in this phase:To identify potential hazards that may appear at an APV/SBAS approach.

- The exposure time to the hazard

- The ability to detect the hazard and the external event occurrence

- The rate of development of the hazard (sudden, fast or slow)

To analyse every possible mitigation that may avoid the hazard or decrease its severity.

To study the worst credible scenario for each hazard.

To establish the severity class depending on the ending of each scenario.


10/24



10

Most probable hazards to

appear at an APV/SBAS

approach

Comment

OH1. Flying low while

intercepting the final

approach

Aircraft wrongly flying towards FAWP at a lower altitude than the approach

procedure minima

OH2. Attempting to intercept

the final approach path from

above

The conditions leading to this hazard are either failure to laterally intercept the

final approach track or aircraft at too high altitude prior to FAWP. In both cases

aircrew fails to intercept the glide slope and, instead of launching a MA, decides

to intercept it from above, in violation of the normal procedure.

OH3. Failure to follow the

correct final approach path

The aircraft is not on the correct final approach path due to an incorrect path,

incorrect position estimation, incorrect guidance, or incorrect maneuvering

OH4. Descending below DA

without visual

The aircraft descends below DA while aircrew has no visual contact because they

might have selected a wrong approach, obtained a wrong QNH, used the wrong

DA, etc.

OH5. Failure to execute

correct Missed Approach

Failure to follow the expected/instructed flight profile during a missed approach


Hazards analyzed by EUROCONTROL for an APV/SBAS approach. Safety case


11/24



11


External Mitigations Description

EMM1 Deviation is not towards obstacles

EMM2 Deviation is not towards another aircraft

EMM3 Recovery via ATC detection-radar

EMM4 Recovery with visual cues

EMM5 Approach is stabilizing

EMM6 Missed approach is initiated

EMM7 External conditions (dry or long runway)

EMM8 Recovery via aircrew detection on board

External Mitigation Means (EMMs) are barriers outside the system being assessed which reduce the probabilities

of the hazard effects to occur (last-moment safeguards enabling detection of hazards) or reduce the severity of

the effects.

EMMs are taken into account when assigning the severities to the hazard effects.

The EMMs may work fully or partly on the hazard itself.


12/24



12

Severity Classification (SC) Effects Frequency

Severity 1 Accidents EXTREMELY RARE

Severity 2 Serious Incidents RARE

Severity 3 Major Incidents OCCASIONAL

Severity 4 Significant Incidents LIKELY

Severity 5 No effect on safety NUMEROUS


The worst credible effect in the APV/SBAS approach procedure should determine the severity class leading tothe setting of the Safety Objective.

The worst case scenario analyzes and identifies all possible outcomes for each hazard.

The worst outcome will generate the worst scenario and severity will be established to each hazard depending

on the results.


13/24



13


Event tree for OH3 at Dakar airport.

Failure:OH3

Success

Failure

Null

Success

Failure

Null Missed Approach or Safe

LandingHighly Probable

Null Missed Approach or Safe

LandingNull

Null

Success Missed Approach or Safe

LandingNull

FailureCFIT Null

Success Missed Approach or Safe

LandingImprobable

FailureCFIT Improbable

Fly low while interceptingthe glide slope

Always

Deviation is not towardsobstacle

Highly Probable

Recovery via ATCdetection - radar

Null

Recovery with Visual cues

Probable

Consequence Frequency


14/24



4. Specification of Safety Objectives FHA

14

Safety Objectives have to be established after identifying all possible hazards with their respective worst

credible scenario.

Safety Objectives state the frequency with which a specific hazard might appear.

For SIRAJ Safety Cases all frequency values considered are qualitative.

ESARR4 document establishes the maximum frequency for each Severity Class

Severity class of the Worst Credible

hazard effect

Qualitative frequency

SC1 Extremely rare

SC2 Rare

SC3 Occasional

SC4 Likely

SC5 Numerous


15/24



5. Specification of Safety Requirements - PSSA

15

Logical architecture description:A document derived from EUROCONTROL LPV safety assesment facilitates a

description of the LPV system. It explains the types of LPV systems and its implementation on the aircraft.

Functional Safety Requirements (SR): Function Safety Requirements are placed on the system architecture. They

have the purpose of minimizing the level of risk, as low as reasonably practical, ensuring the operation of each safety

function within the APV SBAS operations at the airport.

They are based on the logical model stated by EUROCONTROL.

Safety Requirements for Integrity (IR): This kind of requirements are applied when a possible Hazard occurs. Themain purpose of these requirements is to mitigate the frequency of these hazards and satisfy the Safety Objectives,

established before.

Both groups of Safety Requirements can be classified as:

- Human Operators

- Equipment

- APV /SBAS approach procedure

- Environment and others


16/24



16

After establishing and defining the Safety Requirements, the implementation inside the airport environmenthas to be acceptably safe.

Safety Requirements are divided into four groups:

- Airspace / APV procedure

- ATC or AFIS (equipment, training and procedures)

- Aircraft and aircrew (equipment, training and procedures)

- Environment and others

This section explains the introduction of the Safety Requirements into the airport. It also specifies the

responsible group or authority that must apply each requirement.

An example of these processes is as follows:

6. Safety Requirement Implementation - PSSA

SR.10The procedure designer shall get specific trainingregarding the design, the process and the use of SW tool

supporting FAS generation.

The procedure designer should be able to certificate

and demonstrate training in the use of SW tools for

APV SBAS design and generation of the FAS data block.

Training is given by ASECNA.

ANSP

(ASECNA)

SR. No. Description ImplementationAuthority in

charge

SR.4

The aircraft operator shall ensure that the database

loaded onto the aircraft navigation system is current and

complete.

The operator should provide the company procedures

for upgrading aircraft database and a subscription for

maintenance.

Airlines


17/24



17

This part satisfies the main argument and the main criteria when the migration to the new APV SBAS is carried

out.

The migration to the APV/SBAS procedure has to be acceptably safe.

7. Migration to APV/SBAS procedures - PSSA

8. On-Going operations of APV/SBAS procedure - SSA

Actions to carry out during on-going operations:

1. Continuous monitoring.

2. Safety performance improvement. To check, analyze and solve any new hazard and improve current

safety requirements.

3. Upgrades. Study ESSP status reports and check for upgrades within the EGNOS satellites signal.

APV SBAS operations must only be used when enough EGNOS signal is available for this kind of

approaches.

4. Monitoring system in place, operation and maintenance. Air navigation service provider and

aerodrome operator are required to clearly demonstrate that the monitoring system is in place.

Operation and maintenance of this system have to be managed by trained staff.

5. Airspace modifications. Safety Requirements and Safety Objectives have to be revised and changed

if necessary for this procedure.

6. Correct procedures.

7. Incidents records and analysis.


18/24



8. On-Going operations of APV/SBAS procedure - SSA

18

Incidents and accidents may occur while applying APV SBAS procedures. It is necessary to establish aprocess to report and investigate these incidents.

1. Safety Incidents Reporting Process.An implemented system has to perform continuous safety reporting to

detect, notify, collect and analyze all data from these unusual occurrences. It is also responsible for

investigating the causes that originated the incident and suggesting recommendations to avoid it.

2. Incidents Reports. In case of an incident or accident, it is necessary to report, record, study and analyze the

case. The incident report has to be very specific and complete. All information has to be gathered together in

order to analyze it. EUROCONTROL provides generic incident reports.

3. Corrective Actions. The incident reports have to provide solutions and new measures to avoid these

incidents, learned lessons. All modifications and new measures have to be proved safe for APV SBAS

approaches.


19/24


APV/SBAS Safety CaseSIRAJ Project has studied APV/SBAS approach Safety Cases for the following airports:

- Al-Hoceima Airport, Morocco (ASECNA region)

- Lopold Sdar Senghor Airport, Dakar, Senegal (ASECNA region)

- Najran domestic Airport, Saudi Arabia (ACAC region)

19

NajranAl-Hoceima

Dakar


20/24


Al-Hoceima SCSafety Case characteristics:

- Runway: 17/35 (2500 x 45m)

- Radar: No radar available.

- Approach lights: Threshold and edge lights.

- Obstacles: No significant obstacles.

- Navigation aids: VOR/DME available for RWY17.

20


21/24


Al-Hoceima SC

Safety Case characteristics:

21

- Does it satisfy the CONOPS Document?: Some statements that are not completely validhave been added to the Safety Requirements of the APV/SBAS procedure.

- Does it satisfy the Functional Model Document?: All statements are valid for this airport.

- Other aspects: this Safety Case includes an additional possible hazard: Interference of the

trajectory with Al-Hoceima town, Spanish prohibited area and British airspace.


22/24


Dakar SC

22


- Runway: Two runways. The one chosen for

APV/SBAS approaches is Runway 18/36 (3490x 45m)

- Radar: Radar is available. No radar vectoring is

provided.

- Approach lights: Threshold and edge lights.

- Obstacles: Few obstacles on both thresholds.

- Navigation aids: VOR/DME, ALD/DME and

NDB . ILS is available for RWY36.

- Does it satisfy the CONOPS Document?: All

statements are valid for this airport.

- Does it satisfy the Functional Model

Document?: All statements are valid.

- Other aspects: Long Runway helps external

mitigations.


23/24


Najran SC

23


- Runway: 06/24 (3045 x 45m)

- Radar: No radar available. AFIS in charge of

TWR.

- Approach lights: Threshold and edge lights. No

approach lights available.

- Obstacles: Few obstacles on both thresholds.

- Navigation aids: VOR/DME for both thresholds

and ILS/DME available for RWY06.

- Does it satisfy the CONOPS Document?: All

statements are valid for this airport.

- Does it satisfy the Functional Model Document?:All statements are valid for this airport.

- Other aspects: None.


24/24


Thank you

24

8 siraj finalworkshop safety case methodology

Documents