DRAFT CoSpace HAZOP (combined controller and pilot) Report, 11-12 September, 2005 1
COSPACE HAZOP REPORT (combined controller and pilot)
Date: Wednesday, March 15, 2006
Draft: V1.6
CHANGE SHEET
Date   Change status   Changes   Version
09/12/05 Creation 1.0
06/01/2006 Minor changes (KZ; RG) 1.1
Minor changes (KZ; RG) 1.2
Minor changes (KZ; RG) - recommendations 1.3
Minor changes (KZ; RG) 1.4
Minor changes (KZ; RG) 1.5
Issue to RFG 1.6
ACRONYM LIST
Abbreviation De-Code
ADD Aircraft Derived Data
ADS-B Automatic Dependent Surveillance – Broadcast
AMAN Arrival Manager
ASAS Airborne Separation Assistance System
ATC Air Traffic Control
ATCO Air Traffic Control Officer
ATM Air Traffic Management
Cb Cumulonimbus
CDTI Cockpit Display of Traffic Information
CPDLC Controller Pilot Data Link Communications
CRM Crew Resource Management
DCDU Datalink Cockpit Display Unit
EEC EUROCONTROL Experimental Centre
E-TMA Extended Terminal Control Area
EXE / EXC Executive Controller
FAF Final Approach Fix
ft feet
FCU Flight Control Unit
FL Flight Level
FHA Functional Hazard Assessment
Freq Frequency
HAZOP Hazard and Operability Study
HMI Human Machine Interface
IAF Initial Approach Fix
kts knots
MCDU Multi-Function Control & Display Unit
ND Navigation Display
PF Pilot Flying
PFD Primary Flight Display
PIL Pilot
PLC Planning Controller
PNF Pilot Non Flying
R/T Radio Telephony
S&M Sequencing and Merging
Sev Severity
SSR Secondary Surveillance Radar
STCA Short Term Conflict Alert
TCAS Traffic Alert and Collision Avoidance System
TMA Terminal Control Area
TRM Team Resource Management
WPT Waypoint
COSPACE HAZOP REPORT
1 Introduction
The CoSpace team was undertaking a HAZOP as part of the safety analysis (FHA, Functional Hazard Assessment) for Airborne Spacing / Sequencing & Merging (S&M). FHA is the first part of the EUROCONTROL Safety Assessment Methodology for developing a safety case.

1.1 Objectives of CoSpace HAZOPs
HAZOP aims to determine four things:
i) identify errors associated with S&M
ii) make an assessment of their causes, consequences, resulting hazards, current planned safeguards, severity/likelihood
iii) propose possible recommendations for further consideration
iv) feed-forward key safety information to the S&M operational concept
It was decided to run two HAZOPs, one for the controllers and one for the pilots separately, and then a consolidation HAZOP. The controller and pilot HAZOPs were undertaken in April and May, 2005 respectively. The two HAZOPs were limited to 2 days each, and hence a complete HAZOP of the S&M procedure was not possible. The CoSpace project team participated in both sessions, with three controllers for the first HAZOP, and two pilots during the second one. All operational experts were highly experienced with S&M by participating in previous CoSpace simulations. A HAZOP consolidation session was undertaken in September, 2005 with the CoSpace project team, the same controllers and pilots.

Group A HAZOP: Controllers, 18-19 April, 2005
Group B HAZOP: Pilots, 23-25 May, 2005
Group C HAZOP Consolidation: controllers and pilots, 12-13 September, 2005
1.2 Operational Environment
The operational environment that provided the basis for the HAZOP sessions was based on what was tested during the air and ground experiments. Due to the limited time, it was decided to focus only on the TMA. Details are described below (Table 1).

Table 1. Operational environment characteristics

CNS/ATM capabilities: As today in large TMAs (e.g. radar, voice communication, paper strips).
Aircraft equipment: Full ADS-B out (any aircraft can be target). Full ASAS equipage (main assumption) and mixed ASAS equipage (secondary assumption). ASAS in manual (speed select) mode (i.e. no automation).
Traffic characteristics: Traffic up to full capacity (e.g. 36 arrivals per hour on one dedicated landing runway under standard conditions). Fleet mix: jets and props (props with speed not less than 220 kts).
Airspace design: Standard trajectories from IAFs to FAF with specific design (sequencing legs converging to a single merge point). Specific assumption based on current experience: two IAFs with a single landing runway at one airport.
Sector manning: Grouping the arrival control positions into one (i.e. initial/pick-up and intermediate/feeder positions grouped), and to man this single position with an executive and a planning controller.
Controller working position: As today plus graphical links (display on radar screen and interaction through the mouse) to indicate aircraft under spacing.
Separation: As today in terms of radar and wake turbulence separations. This includes modified separations (e.g. for Low Visibility Procedures).
Weather conditions: No adverse conditions (e.g. no storms, no very strong winds).
2 Controller and Pilot HAZOPs
2.1 HAZOP Method

2.1.1 HAZOP preparation
In order to prepare for the HAZOP sessions, an initial task analysis was developed focusing mainly on the controller tasks. It described the tasks of a controller controlling 2 aircraft, a target and a reference aircraft, that were already under spacing before they arrived in the TMA and that were either:
1. from the same IAF carrying out a ‘merge’ instruction (not using sequencing legs)
2. from the same IAF carrying out a ‘heading & merge’ instruction (using sequencing legs)
3. from different IAFs carrying out a ‘merge’ instruction (not using sequencing legs)
4. from different IAFs carrying out a ‘heading & merge’ instruction (using sequencing legs)
The task analysis was expanded to encompass a more detailed set of the pilot tasks (for use in the pilot HAZOP). See Tables B1 and B2 in Appendix B for both the controller and pilot tasks.
2.1.2 HAZOP method
The aims and process of the HAZOP session were described to the group by the HAZOP Chairman (see Appendix A). Refresher training of the S&M procedures was undertaken by the CoSpace Project Manager using the controller and pilot presentations described in section 2.1.1 and the scenario task analysis was described. The operational environment assumptions were then discussed and agreed (listed in section 1.2). The HAZOP was then started by using task analysis and HAZOP guidewords (see Table A1, Appendix A). The controller HAZOP analysed Scenarios 1 and 4 and the pilot HAZOP analysed Scenario 4. The group:
1. decided on which task step to begin with, applied a guideword (e.g. ‘none’)
2. developed a deviation or potential errors associated with the guideword
3. discussed the potential consequences (e.g. loss of spacing) of the error
4. discussed the error in more detail with regard to the causes of the error, if it was thought to be a potential safety or workload issue
5. estimated the error's potential severity and frequency rating (using the risk matrix illustrated in Figure A2, Appendix A)
6. identified existing safeguards
7. identified further recommendations (if the safeguards were not thought to be adequate)
8. prioritised the most important errors at the end of the HAZOP session
The following tasks were analysed during the controller HAZOP, due to their relevance to the S&M procedures. Seven tasks were discussed from Scenario 1, where a pair of aircraft from the same IAF, under spacing (and not under spacing), and not using the sequencing leg, is considered:
o Spacing cancellation and speed instruction
o Sequence order
o First call
o Decision to use ASAS
o Target selection (input code; controller HMI update)
o Target identification (target confirmation)
o Spacing instruction – merge (ATC instruction; input instruction, WPT and spacing value)
One task was discussed from Scenario 2, where a pair of aircraft from the same IAF, under spacing (and not under spacing), and using the sequencing leg, is considered:
o Spacing instruction – heading & merge – same IAF (ATC instruction; input instruction, WPT and spacing value)
Two additional tasks were discussed from Scenario 4, where a pair of aircraft, from different IAFs, are using the sequencing legs:
o Spacing cancellation and speed instruction
o Spacing instruction – heading & merge – different IAF (ATC instruction; input instruction, WPT and spacing value)
The following tasks were discussed during the pilot HAZOP (Scenario 4):
o Spacing cancellation and speed instruction
o Target selection (input code; visualization and positioning; cross-check)
o Target identification (target confirmation; validation)
o Spacing instruction – heading & merge (ATC instruction; pilot readback; input instruction, WPT and spacing value; remain on navigation; feasibility check; validation)
2.1.3 HAZOP participants

Controller HAZOP participants
Barry KIRWAN: HAZOP chairman, Safety Co-ordinator, EEC
Rachael GORDON: HAZOP recorder, CoSpace safety contact, EEC
Karim ZEGHAL: CoSpace project leader + procedure, EEC
Francois VERGNE: ATC Operations - CoSpace project, EEC
Laurence ROGNIN: Human Factors – CoSpace project, EEC
Ludovic BOURSIER: Approach controller – Paris, Orly
Claudio COLACICCHI: Approach controller – Roma
Massimo ORSONI: Approach controller – Roma

Pilot HAZOP participants
Barry KIRWAN: HAZOP chairman, Safety Co-ordinator, EEC
Rachael GORDON: HAZOP recorder (Day 1 and 2), CoSpace safety contact, EEC
Paul HUMPHREYS: HAZOP recorder (Day 3), Safety Research Team, EEC
Karim ZEGHAL: CoSpace project leader + procedure, EEC
Francois VERGNE: ATC Operations - CoSpace project, EEC
Philippe PELLERIN: Airbus test pilot Airline captain
2.2 Controller and Pilot HAZOP Results

2.2.1 Controller HAZOP Results
A total of 46 errors were identified during the controller HAZOP. Of the 46 errors identified, 19 were given severity ratings of 3 (airmiss) and three were given severity ratings of 2 (close airmiss; errors #15; #18; #21 in Table 1). No level 1 (potential accident) severity ratings were identified (see Table 2).
At the end of the HAZOP session, the HAZOP team was asked to prioritise which of the 21 errors, identified as severity rating 3 or worse, were most important to them. The following list was compiled of the most important errors. The controller participants were asked to further identify which of these errors were of priority to them. These have been highlighted with the use of an asterisk*.

Table 2. Critical errors/failure modes identified during the controller HAZOP

Ref | Task | Error / Failure Mode
B.1 | First call | HMI link is missing
D.5 | Target selection | Controller selects wrong target
D.3 | Target selection | Pilot inputs wrong code (wrong target)
F.1 | Target identification | Wrong target identified – wrong readback
F.2 | Target identification | *Wrong target identified – correct readback
K.7 | Merge | Required spacing not input by pilot
K.3 | Merge | *Pilot enters wrong spacing
J.4 | Merge | *Pilot puts wrong merge point
I.3 | Heading & merge (same IAF) | *Merge without heading
I.1, I.2 | Heading & merge (same IAF) | Heading given, no merge
H.7 | Heading & merge (same IAF) | Pilot does not merge
J.4 | Heading & merge (same IAF) | *Merge to wrong merge point
K.1 | Heading & merge (same IAF) | Incorrect spacing value by controller
H.1 | Heading & merge (diff IAF) | No instruction given
I.4 | Heading & merge (diff IAF) | *Merge without heading
N.1 | Heading & merge (diff IAF) | *Other a/c takes instruction
O.3 | Spacing cancellation | Instruction given to wrong a/c
O.4 | Spacing cancellation | No speed instruction given
O.1 | Spacing cancellation | Instruction given, link not cancelled
Q.1 | Spacing cancellation | Cancel wrong aircraft
2.2.2 Pilot HAZOP Results
A total of 40 errors were identified during the pilot HAZOP. Of the 40 errors identified, 8 were given severity ratings of 3 (airmiss) and one was given a severity rating of 2/3 (close airmiss;* although this was changed to a level 3 in the consolidation HAZOP). No errors with level 1 severity ratings (potential accident) were identified (see Table 3).

Table 3. Critical errors/failure modes identified during the pilot HAZOP

New Ref | Task | Error / Failure Mode
D.3 | Target selection | Wrong code input (and is a valid code)
F.3 | Target identification | *Wrong target given to ATC
H.5 | Continue heading then merge | ATC instruction not given / delayed
H.6 | Continue heading then merge | Pilot does not input instruction, WPT, spacing
J.5 | Continue heading then merge | Inputting wrong WPT
K.6 | Continue heading then merge | Inputting wrong spacing value
L.1 | Continue heading then merge | Initiate direct to WPT not done/too late
L.4 | Continue heading then merge | Initiate direct to wrong WPT
M.1 | Continue heading then merge | Less maintenance of spacing by speed actions
3. HAZOP Consolidation
After the two HAZOP sessions, a third session was planned in which the results from the first two HAZOPs would be consolidated into one set of HAZOP Notes. Rather than going over all the errors from both HAZOPs, it was decided to focus on those errors identified as more severe (severity level 3 or worse). This process is described in detail next.
3.1 HAZOP Consolidation Method

3.1.1 HAZOP consolidation preparation
A consolidation of the Notes from the 2 HAZOPs (see Appendix C) was prepared, where:
- errors classified with severity levels 2 or 3 were chosen (as there were no level 1 errors)
- errors were grouped according to their task step
- errors were relabeled according to the main task (A, B, C etc) and error (1,2,3 etc), B.1, B.2 etc
- errors that were identified both by the pilots and the controllers during their individual HAZOPs were listed next to each other in the consolidated HAZOP table
- comments made by the CoSpace team prior to the consolidation HAZOP were identified (as ‘comments’) in the consolidated HAZOP table. These were to be clarified during the HAZOP consolidation session.
3.1.2 HAZOP consolidation process
The objective of the HAZOP Consolidation session was to merge the two HAZOP notes to form one. To do this, both the controllers and pilots from the two HAZOP sessions participated in the HAZOP consolidation session. An additional participant came for the first day (as an observer). The schedule for the day included:
1. HAZOP aims and method were described to the group (HAZOP Chairman)
2. Refresher training of the sequencing and merging procedures (CoSpace Project Manager)
3. CoSpace Environmental Assumptions were discussed and agreed
4. CoSpace scenario task analysis was described (CoSpace Project Manager)
5. HAZOP Consolidation was started using the merged HAZOP table
   o Identify similar or identical errors based on the deviation or potential errors
   o Agree on the potential consequences (e.g. loss of spacing)
   o Agree on the severity and frequency of the error
   o Agree on the existing safeguards and causes
   o Identify additional safeguards that may be required
3.1.3 HAZOP consolidation participants
Barry KIRWAN: HAZOP chairman, Safety Co-ordinator, EEC
Rachael GORDON: HAZOP recorder (Day 1 and 2), CoSpace safety contact, EEC
Karim ZEGHAL: CoSpace project leader + procedure, EEC
Francois VERGNE: ATC Operations - CoSpace project, EEC
Ludovic BOURSIER: Approach controller – Paris, Orly
Claudio COLACICCHI: Approach controller - Roma
Massimo ORSONI: Approach controller - Roma
Philippe PELLERIN: Airbus test pilot Airline captain
Bob DARBY: Observer, CASCADE, EATM
3.2 Results

3.2.1 Consolidated list of controller and pilot HAZOP notes
The consolidation session involved the re-assessment of the severity and frequency, where some modifications were made, and some additional ‘variants’ of errors were identified. Safeguards and recommendations were validated and sometimes refined. During the consolidation session, the controllers and pilots learnt a lot about the way in which the other side carries out their tasks, but had a consistent view of the concept and procedure. In the main, controllers and pilots were also in agreement with the severity levels and frequencies of errors. The full consolidated list of the S&M errors is provided in Appendix C.
In total, from the pilot and controller HAZOP sessions and the consolidation session, 97 errors/failure modes were identified, 8 with severity level 2, 1 with severity 2/3, 19 with severity level 3, 10 with severity 3/4, and 35 with severity level 4 (24 errors unclassified as they were considered as variants). The critical errors (those errors with severity level 2 or 3) that were discussed during the consolidation HAZOP have been categorized into 12 main categories. Table 4 displays these error categories, the number of ‘critical’ errors (severity level 3 or worse) under each error category and the highest severity identified.

Table 4. Merged list of ‘critical’ errors discussed during controller and pilot HAZOPs
Task | Critical Error / Failure mode Categories | Severity Level | Number of errors
First call | Spacing link on controller screen not consistent | 3 | 1
Target selection | Wrong aircraft selected | 3 | 3
Target identification | Wrong aircraft identified | 3 | 3
Spacing instruction | Instruction not given or not entered (or too late) | 3; 3/4 | 1; 4
Spacing instruction | Only part of instruction given or entered | 2/3; 3; 3/4 | 1; 1; 2
Spacing instruction | Wrong merge point given or entered | 3 | 5
Spacing instruction | Wrong spacing value given or entered | 2; 3 | 7; 1
Spacing instruction | Merge not (properly) initiated | 3; 3/4 | 1; 3
Spacing instruction | Spacing not (properly) maintained | 3 | 2
Spacing instruction | Other aircraft taking instruction | 2 | 1
Cancel spacing | Instruction not given or not entered (or partly) | 3; 3/4 | 3; 1
Cancel spacing | Wrong aircraft takes cancellation instruction | 3 | 1
3.2.2 Recommendations (categorized by type)
Recommendations were identified during the HAZOP and linked to the individual errors. These recommendations have been re-categorized according to the type of recommendation, whether it be HMI (HMI); training (T); procedural (PR); operational environment (OE); or organizational-manning (OM). The full list can be found in Appendix D. Table 4 displays the recommendations linked to the most critical errors (with severity levels of 2 or 3). The numbers in brackets (n=X) refer to the number of times the generic recommendation was cited in the HAZOP table and recommendations with an asterisk* next to them originate from the severity 2 errors. These recommendations will be examined in more detail to identify the necessary requirements for S&M.

HMI – Controller
- To ensure controller selects (and clicks) correct a/c, have a dotted line (for selection) and a complete line (for identification) i.e. an additional click
- To ensure it is not possible to select a/c twice as a target (technically within ADS-B messages: ground & air)
- *To ensure correct spacing value is input, an alert on link when spacing is too large or too small (e.g. HMI colour change)
- To help ensure the instruction is given to the correct a/c, efficient label anti-overlap is necessary
- To check that speed instruction is given with spacing cancellation instruction, temporarily highlight speed value on HMI (e.g. for 5s)
HMI - Pilot
- To ensure pilot inputs correct parameters (e.g. target code, merge point), DCDU should be coupled with MCDU
- *To help ensure spacing value is correct, HMI (ND, MCDU) to display target aircraft wake turbulence category (e.g. ‘H’ for Heavy)
- *To help ensure spacing value is correct, HMI to check spacing against target aircraft wake turbulence category
- To help ensure heading & merge to correct merge point, it should not be possible to enter merge point after it has been passed
- To ensure pilot inputs correct merge point, consider whether ASAS page should only display tagged merge points
- To ensure ‘direct to’ is properly initiated, make ‘resume’ automatic
HMI - ADD/ASAS – use of the downlink of spacing parameters
- To check correct airborne spacing status
- To check correct target is selected
- To solve the problem of correct target positioning
- *To check correct spacing value is selected
- To check that correct merge point is selected
- *To check correct instruction is selected (e.g. merge instead of heading and merge)
- To check actual spacing
- *To check correct a/c taking instruction
- To check if ‘resume’ is initiated
- To ensure correct aircraft is executing ‘cancel spacing’, put cancel spacing and speed limit by default
HMI - CPDLC Use of controller pilot datalink communication
- To ensure pilot inputs correct code
- *To help ensure correct a/c takes spacing instruction
Procedures/Phraseology
- To help ensure that HMI link has the correct status, pilot should announce if under spacing (define phraseology for pilot e.g. “under spacing” each time they enter the sector and ask for more details – only if there is a doubt) Note 1: the introduction of ASAS (< 50% a/c with ASAS) will need to consider positive announcement – Note 2: Explicit co-ordination is not considered (silent co-ordination is used)
- To help ensure controller selects correct target (and clicks right target) reinforce readback of target code by pilots
- *To help ensure the correct spacing value is given by the controller the phraseology should be: “merge (waypoint) 120s behind heavy”
- To help ensure direct is initiated to the correct waypoint, emphasise reporting to ATC “merging waypoint” by checking the ND
Procedures
- To help ensure that controller clicks correct target on HMI, visual checking of crossed lines may be required or numbering sequence of a/c
- Explore methods of detecting wrong target: difficult to detect distance (e.g. a/c type); clock position is not very precise (e.g. confusion between 3 and 9 o’clock); use bearing instead of clock position to ensure correct target positioning is given to ATC
- *Quick fallback procedures may be required if the wrong aircraft takes heading and merge instruction or if merge instruction is given instead of heading and merge instruction
- *To help ensure the correct spacing value is given by the controller, pilot should check spacing value against wake turbulence category (if they know it is a heavy in front)
- *To help ensure the correct spacing value is given by the controller (and input by pilot) define minimum spacing value (not less than radar separation) and not less than 90s
- To ensure that cancellation instruction is given and link is cancelled a handover checklist may be needed
Training - TRM/CRM (Team/Crew Resource Management)
- To help prevent against controller selecting the wrong but valid code
- *To help prevent the controller from giving a merge instruction instead of a heading & merge instruction
- To help prevent canceling the wrong a/c (e.g. ask for help when tired)
- To understand better the maintenance of spacing by speed actions
Training - Role
- Role clarity between EXC and PLC to help prevent inconsistency between the interface and the actual situation. For example when the EXC gives an instruction, he updates the HMI.
Training - Procedure training
- *To help ensure that the wrong a/c does not take heading and merge instruction
- To help prevent controller canceling the wrong aircraft
- To ensure that when the cancellation instruction is given by the ATCO, the link on radar screen is updated too
Operational Environment
- To ensure aircraft merges to the correct merge point, have one merge point per runway and publish the merge points in the ASAS STAR charts; and ensure there is not a possible confusion between nearby waypoints (e.g. BOKET and MOTEK)
- To ensure pilot does not input the wrong merge point, limit number of ‘direct to’ waypoints in TMA; consistency check on WPTs (i.e. only able to perform ‘direct to’ on tagged merge points)
- *To help prevent the wrong aircraft taking the heading and merge instruction, callsign confusion measures may be required
- Clarify the impact that airline and ATC speed limitations might have on S&M (in particular on maintaining spacing)
Organisational & Manning
- Relief controllers or a third person (behind) following the situation may be required (e.g. to ensure the wrong a/c is not cancelled)
4. Conclusions and Future Work
In total, from the pilot and controller HAZOP sessions and the consolidation session, 97 errors were identified, 8 with severity level 2 (plus one severity 2/3), and 19 with severity level 3. The CoSpace project is currently completing the FHA (Functional Hazard Assessment) and the errors identified during the HAZOPs will be used as the basis for the Event Tree and Fault Tree Analysis.
Although both sides learnt a lot about the way in which the other side carries out their tasks, they had a consistent view of the concept and procedure. They were also in agreement with the severity levels and frequencies of errors.
Despite not addressing all situations, the three HAZOPs seemed to cover the main aspects related to S&M at least in nominal situations. Issues that were not discussed include abnormal situations (e.g. weather), mixed equipage (ASAS and non-ASAS equipped aircraft).
In addition to the HAZOP sessions, small-scale simulations are currently being undertaken to further investigate a number of non-nominal situations (holding patterns, mixed ASAS and non-ASAS aircraft, wind) and to identify recovery procedures for abnormal situations (aircraft not executing S&M instruction, go-around, emergency, radio failure). In addition a session is planned to investigate potentially relevant incidents that may help to identify safety benefits and issues from the CoSpace project (SafLearn project).
Appendix A. HAZOP Description
HAZOP is a structured brainstorming approach developed by ICI in the UK in the mid-70’s, but has since been applied in many other industries including recently ATM. It is most often used in the early design stages, and relies on expert consideration of potential errors related to a system description and/or specific scenarios. HAZOP aims to determine two things:
- Potential errors (including their consequences together with likely severity and anticipated frequency – usually only in qualitative terms)
- Potential Solutions to these errors where they are not negligible
HAZOP is a group-based process run by an experienced chair-person, and with an important Secretarial role. The discussions are led by a Chair-person with on-line notes being recorded by the HAZOP secretary onto a laptop computer and projected onto a screen; the Secretary ensures all relevant discussion is noted, and must occasionally read back what is recorded to ensure the points recorded are fully understood by the group. This allows all participants to view the HAZOP table, and provide immediate corrections in the event of misunderstanding. In addition, all applicable questions and comments raised during the discussion will be recorded. At the end of the session, all participants are aware of the output of the HAZOP. A copy of the minutes will be provided post-meeting to allow further comments.
HAZOP cannot work in a vacuum, so in ATM it typically focuses on a set of operational scenarios, underpinned by an agreed Operating Environment description and assumptions. For Co-Space, there will in addition be a simplified ‘Task Analysis’ which describes what the ATCOs and Pilots do, and how they should interact. HAZOP then considers how things can go wrong, and how failures (human, technical or other) can be recovered. For example, when using speed control, there is a chance that the aircraft behind may ‘catch up’ – how is this detected and resolved by the controllers and/or pilots? What if the controller selects the wrong aircraft during the identification phase? These are examples where there could be potential errors, and where it is best if the S&M concept of operations is prepared for them, both to reduce their chances of occurrence, and to detect and resolve such errors should they arise. This is the objective of HAZOP.
Figure A1 – HAZOP Session Process
Steps: 1. Verify Functions / Tasks; 2. Brainstorm Failure Modes; 3. Analyse each row
Example row of the HAZOP table:
Function: Identify target
Failure Mode: Pilot unable to identify target
Cause: Mis-understanding with controller
Operational Consequence: Increase workload of controller and pilot
Current/planned safeguards: Pilot detection (readback clock position)
Severity (absolute scale): ?
Severity (relative to today): ?
Recommendations/Comments: Explore how data link technology could be used to support both ATCO and pilot when selecting a target during ASAS spacing
Etc.

Table A1. HAZOP Guidewords used
o None, No, Not – no part of the intentions is achieved and nothing else happens
o More of – quantitative increases in any relevant parameters (e.g. speed)
o Less of – quantitative decreases
o As well as – additional activity
o Repeated
o Sooner than
o Later than
o Part of – only some of the intentions are achieved, some are not
o Reverse – the logical opposite of the intention (e.g. climb instead of descent)
o Other than – no part of the original intention is achieved, complete substitution
Table A2. Context factors addressed in HAZOP sessions in general
Weather: Cbs, fog
Airspace: SIDS, holds, boundary
Traffic: density, mix, language
HMI: representation, clarity
Equipment: R/T, radar, CDTI
Disturbances: runway, AMAN
Failures: R/T (stuck), radar
Organization: night-time, other tasks, awareness, team, workload, time pressure, procedures, agreements
Safety nets: STCA, TCAS, MSAW
Figure A2 – Risk Matrix

Frequency \ Severity | 1 Potential Accident | 2 Close Airmiss | 3 Air Miss | 4 Workload or SA | 5 No effect
1 Frequent (1:week) | 1-1 | 2-1 | 3-1 | 4-1 | 5-1
2 Occasional (1:month) | 1-2 | 2-2 | 3-2 | 4-2 | 5-2
3 Rare (1:year) | 1-3 | 2-3 | 3-3 | 4-3 | 5-3
4 Very rare (1:10years) | 1-4 | 2-4 | 3-4 | 4-4 | 5-4
5 Never | 1-5 | 2-5 | 3-5 | 4-5 | 5-5
Appendix B. Scenarios developed for CoSpace HAZOP

Figure B1. Matrix of the 4 scenarios developed

Instruction | Same IAF | Different IAFs
Merge | Scenario 1 | Scenario 3
Heading then merge | Scenario 2 | Scenario 4

Figure B2. Airspace used for the HAZOP
[Figure not reproduced. Labels on the chart: BOKET; CODYN; LOMAN; OKRIX; FAO26; MOTEK FL; ODRAN KAYEN FL+1; ILS 3000’]
DRAFT Cospace Pilot HAZOP Report, 23-25 May, 2005 19
Table B1. CoSpace HAZOP Scenario 4
A pair of aircraft (A and B), from different IAFs, A and B using sequencing leg; If B under spacing do step 2 (spacing cancellation and speed). Grey writing indicates this task step has been covered in scenario 1.

Task Step / Controller / PNF / PF

1 First call B: Identification; Announce
2 Spacing cancellation and speed for B:
   1. Instruction
   2. Read-back
   3. Cancel spacing and deselect target (MCDU)
   4. Execute speed (FCU)
   5. Crosscheck of speed action (PFD)
3 Target selection for B:
   1. Instruction
   2. Read-back
   3. Input code (MCDU)
   4. Visualisation and positioning to PNF (ND)
   5. Crosscheck of positioning (ND)
4 Target identification for B:
   1. Target positioning to ATC
   2. Target confirmation
   3. Target validation (MCDU)
5 Continue heading then merge for B:
   1. Instruction
   2. Read-back
   3. Input instruction, WPT and spacing value (MCDU)
   3bis. Maintain current heading
   4. Check feasibility (MCDU)
   5. Instruction validation (MCDU)
   6. Monitor the acquisition of spacing (ND)
   7. Initiate direct to WPT (MCDU)
   8. Crosscheck direct to WPT (PFD)
   9. Report to ATC
   10. Maintenance of spacing by speed actions (FCU)
   11. Crosscheck of speed actions (PFD) and monitoring the spacing (ND)
   12. Conditional (*): Announce unable spacing
6 Descent for B: Instruction; Read-back + execution
7 ILS approach for B: Instruction; Read-back + execution
8 Spacing cancellation and speed for B: Instruction; Read-back + execution
9 ILS establishment for B: Acknowledgement; Report
10 Transfer B to TWR: Instruction; Read-back + execution

General tasks: monitoring other traffic (TCAS display) and target (ND) (PF and PNF); normal flying tasks (e.g. arrival tasks); transfer from E-TMA to TMA; task steps relevant to ASAS in particular; (*) in case of unexpected event (e.g. technical failure).
Table B2. CoSpace HAZOP Scenario 1
A pair of aircraft (A and B), from the same IAF, not under spacing, A and B not using sequencing leg
Task Step Controller PNF PF
1 Transfer from E-TMA to TMA First call B: Identification; Announce
2 Target selection for B:
  1. Instruction
  2. Read-back
  3. Input code (MCDU)
  4. Visualisation and positioning to PNF (ND)
  5. Crosscheck of positioning (ND)
3 Target identification for B:
  1. Target positioning to ATC
  2. Target confirmation
  3. Target validation (MCDU)
4 Merge for B:
  1. Instruction
  2. Read-back
  3. Input instruction, WPT and spacing value (MCDU)
  3bis. Execute direct to WPT
  4. Check feasibility (ND/MCDU)
  5. Instruction validation (MCDU)
  6. Acquisition and maintenance of spacing by speed actions (FCU)
  7. Crosscheck of speed actions (PFD) and monitoring the spacing (ND)
  8. Conditional (*): Announce unable spacing
5 Descent for B: Instruction; Read-back; Execution
6 ILS approach for B: Instruction; Read-back; Execution
7 Spacing cancellation and speed for B:
  1. Instruction
  2. Read-back
  3. Cancel spacing and deselect target (MCDU)
  4. Execute speed (FCU)
  5. Crosscheck of speed action (PFD)
8 ILS establishment for B: Acknowledgement; Report
9 Transfer B to TWR: Instruction; Read-back; Execution
General tasks: monitoring other traffic (TCAS display) and target (ND) (PF and PNF); normal flying tasks (e.g. arrival tasks); transfer from E-TMA to TMA task steps relevant to ASAS in particular; (*) in case of unexpected event (e.g. technical failure).
Appendix C. Consolidated Pilot and Controller HAZOP study log sheets
Task | Errors | Number of errors | Highest severity
Sequence order identification | A Sequence order not identified or identified too late | 4 | 4
First call | B Spacing link on controller screen not consistent | 3 | 3
Decision to use spacing | C Using ASAS when not applicable | 2 | 4
Target selection | D Wrong aircraft selected | 5 | 3
Target selection | E Only part of target selection | 10 | 4
Target identification | F Wrong aircraft identified | 3 | 3
Target identification | G Only part of target identification | 6 | 4
Spacing instruction | H Instruction not given or not entered (or too late) | 7 | 3
Spacing instruction | I Only part of instruction given or entered | 13 | 2/3
Spacing instruction | J Wrong merge point given or entered | 5 | 3
Spacing instruction | K Wrong spacing value given or entered | 7 | 2
Spacing instruction | L Merge not (properly) initiated | 6 | 3
Spacing instruction | M Spacing not (properly) maintained | 8 | 3
Spacing instruction | N Other aircraft taking instruction | 1 | 2
Cancel spacing | O Instruction not given or not entered (or partly) | 10 | 3
Cancel spacing | P Part of cancellation instruction given | 6 | 4
Cancel spacing | Q Wrong aircraft takes cancellation instruction | 1 | 3
(Numbers in brackets refer to the original numbering system; grey boxes refer to error/failure modes not discussed during the consolidation HAZOP – severity level 4)
Error # | TASK | GUIDEWORD DEVIATION / ERROR | CAUSES | CONSEQUENCES | RISK RANKING | RECOVERY / SAFEGUARDS | RECOMMENDATIONS
A. SEQUENCE ORDER NOT IDENTIFIED OR IDENTIFIED TOO LATE
A.1 ATC
1.1 Sequence order identification (EXC)
No sequence order identification (none)
- High traffic
- Adverse weather (Cb)
- No ASAS
- More workload
Sev – 4 Freq - 4
- Open another freq – 2 executive ATCOs (pick-up & feeder)
- Quick sector change
- Open holding stacks
- Training – transition from working with to without ASAS
- Training - High traffic/ without ASAS
A.2 ATC
1.1 Sequence order identification (EXC)
Non-ASAS-equipped a/c in sequence (other than)
- Non-ASAS a/c not identified (HMI, strips)
- Not seen by PC
- Confusion (non-ASAS equipped a/c can be a target a/c) and ATCo may assign them as an Instructed a/c
- Workload
Sev – 4 Freq – 4/5
- Non-ASAS pilot will ask ATCO for clarification
- Check this issue with pilots
- Ensure HMI is clear with respect to ASAS and non-ASAS equipage; including non-serviceable ASAS equipage
- Tool to better identify sequence (e.g. like AMAN)
- Teamworking training – between PLC and EXE
A.3 ATC
1.1 Sequence order identification (EXC)
Planning started too far in advance (sooner than)
- Flow management error (higher volume of traffic)
- Over-trust in AMAN
- Forget other traffic coming into the sector at the last moment
- Wrong sequence
- Workload for EXE
Sev – 4 Freq - 4
- EXE
- More stable AMAN
- AMAN calibration training for EXE, PLC, SEQ (understanding the limits of AMAN)
A.4 ATC
1.1 Sequence order identification (EXC)
Sequence order identified late (later than)
- Overloaded PLC
- Overloaded EXE
Sev – 4 Freq – 4/5
- Open holding stacks
- Training for PLC
- PLC will no longer do the co-ordination tasks for a short period (role consolidation) task shedding/ additional role
- Team Resource Management (including E-TMA controllers) to know their roles & what they are working towards & know how to support each other in high workload
B. SPACING LINK ON CONTROLLER SCREEN NOT CONSISTENT
B.1 ATC
2.1 First call (EXC)
Spacing link on radar screen is missing or has wrong status
Link not drawn or not updated by previous sector
- Confusion of aircraft spacing status
- Workload
- Loss of spacing (in case link in green but not under spacing)
Sev – 3 Freq – 2
Pilot reporting when under spacing on first call EXC clicks spacing link and PLC x-checks both for TMA and E-TMA
- Define phraseology for pilot [pilot say “under spacing” each time they enter sector & ask for more details only if there is a doubt]
- Use of ADD/ASAS (downlink of aircraft spacing status)
- Explicit co-ordination is not considered (silent co-ordination is used)
- Cancel spacing by previous sector and retaining target of the a/c was ruled out because you lose some benefits and increase workload]
- Introduction of ASAS (<50% a/c with ASAS) will need to consider using positive announcement
B.2 2.1 First call (EXC)
A/c not under spacing are linked on the HMI
ASAS-equipped a/c will be indicated on HMI
- EXC will call a/c to confirm if there is a link and they do not announce they are under spacing
B.3 ATC
2.1 First call (EXC) No first call (none)
- Not applicable – standard procedures
- ATCo will request other sector to pass a/c (same as today)
C. USING ASAS WHEN NOT APPLICABLE
C.1 ATC
3. Decision to use spacing instruction (EXC)
Using ASAS when not applicable or necessary (other than)
- Inexperience;
- ASAS chain are grouped as one (to simplify picture)
- Unable for pilot to enact
- Workload
Sev – 4 Freq – 4 (initially)
- Pilot reporting when unable
- Calibration training – early phase (operational readiness testing)
C.2 ATC
3. Decision to use spacing instruction (EXC)
EXE does not agree with proposed sequence ASAS not applicable; use different sequence (reverse)
- Lack of team working
- Different levels of experience
- Workload
Sev – 4 Freq - 5
- EXE makes final decision
- Team work training
D. WRONG AIRCRAFT SELECTED
D.1 ATC
4.1 Target selection (EXC)
Instruction given with correct aircraft (target) but controller clicks wrong (target) aircraft on radar screen
- Label overlap
- SSR code confusion
- Incorrect strip ordering in strip bay
- Overload
- Working arrangements (EXE & PLC)
- Wasting time
- Need to start the target selection again
- Inconsistent view between a/c and ATC
- Potential airprox
Sev – 3 Freq – 3
- In the phraseology, there is a double cross-check of SSR code
- Highlight of both aircraft, one after the other when clicking to do the link
- On radar screen, it is not possible to select an aircraft as target twice
- EXE maintain HMI & PLC should remind EXE to keep consistency
- Reinforce importance of readback of target SSR code by pilots (stick to phraseology)
- CPDLC will prevent inconsistency between a/c and ATC (ATC and a/c will have consistent target) but does not prevent D4
- Use of ADD/ASAS (downlink of target selected)
- On radar screen, an additional action (a click to switch from a dotted line for selection to a plain line when identified) may contribute to detect a wrong target
- Sequence ordering: Visual checking of crossed lines
- Sequence ordering: Numbering sequence of a/c (linked with AMAN)
D.2 ATC
4.3 Target selection – Input code (PNF)
Pilot inputs wrong code that is not valid (i.e. no corresponding aircraft)
- Wasting time
- Need to start the target selection again [CoSpace comment: If identified as input error by the pilot, does not need to contact ATC again.]
Sev – 4 Freq – 3
- Readback
- Pilot will get an error message
- Target identification [CoSpace comment: Cannot reach this step if code does not exist]
- Pilot readback what they are inputting
- Use of datalink
- Address in pilot HAZOP
D.3 PIL
4.3 Target selection – Input code (PNF)
Pilot inputs wrong code that is valid (i.e. a corresponding aircraft exists)
- Wasting time
- Need to start the target selection again
- Potential airprox
Sev – 3 Freq – 3
- SSR code displayed on ND only during selection
- Pilot readback SSR code
- Target identification
- Note: for Airbus, SSR code will be next to the target on ND (simulate heavy traffic and see if display looks cluttered)
- Use of ADD/ASAS (downlink of target selected)
- Use of datalink
D.4 4.1 Target selection (EXC) (not identified)
Controller gives the wrong (invalid) code
Sev – 4
D.5 4.1 Target selection (EXC)
Controller wrong (but valid) code
- Busy
- Fatigued
- Workload
- Label overlap
- Wasting time
- Need to start the target selection again
- Potential airprox
Sev – 3 Freq - 3
- Pilot readback
- Target identification
- X-check from PLC
- ADD (ASAS)
- Controller TRM
- Defined working practices (a routine method of working)
E. ONLY PART OF TARGET SELECTION DONE
E.1 ATC
4.1 Target selection for B - Instruction & click (EXC)
Forget to make link (part of)
- Distraction
- Overload
- HMI difficulties
- Confusion of a/c status
Sev – 4 Freq - 5
- Cross check by PLC
- Report by pilot (step 5.1)
- Relief controller (distraction)
- Datalink, ADD/ASAS
E.2 ATC
4.2 Target selection for B – Readback (PNF)
No readback from pilot (none)
- Requirement for another call
- Wasting time
Sev – 4 Freq - 5
- Call pilot a second time
- Address during pilot HAZOP
E.3 PIL
4.3 Target selection for B – Input code (PNF)
Code not input (not done)
- e.g. distraction (between step 3 and 4)
- Workload
- PF will notice
- Blue code on pilot HMI reinforces that task is not complete
- CRM – emphasis on discipline on finishing task (about interruptions)
- The blue line – denotes temporary (in Airbus) – alternate flight plan/go-around
- Yellow – normally denotes temporary (new FMS - that will be flown)
- Consistent HMI coding i.e. Cospace coding must be consistent with airline and airframe manufacturers practices
- The Cospace philosophy must de-emphasise the linking - the line that is joining instructed & target a/c – is it confusing? Line helps pilot identify clock position; discuss more e.g. remove target symbol?
E.4 PIL
4.3-4.5 Target selection for B – Input code (PNF); visualization & positioning (PF) cross-checking (PNF)
Code not input; visualization & positioning not done; cross-checking not done (not done)
- ATC workload (esp in small TMA)
Sev – 4 Freq - 3
- ATC call again
- Step 4 not initiated
- 3 people in the cockpit (listening)
- At what stage does ATC put HMI link? Dashed line (see ATC HAZOP)
E.5 ATC
4.3 Target selection for B – input code (PNF)
Pilot gives readback, code not input (part of)
- TBD
- Wasting time
- New call
- Start procedure again
Sev – 4 Freq - TBD
- ATCO detects that pilot does not give target identification
- Consider in pilot HAZOP
E.6 PIL
4.4 Target selection for B - Visualisation and positioning to PNF (PF)
Visualisation and positioning to PNF not done (not done)
- Cross-check failure
- Too busy
- Confusing / Inconsistent colour coding
- Interruption
- Fail to detect PNF error
Sev – 4/5 Freq – 3/4
- ATC will ask again
- PNF will ask for the positioning information (cross check)
- (4.4,4.5) Having a ‘cluttering’ blue line on the display you know that a task needs to be finished – when the task is finished the blue line should disappear (it will turn white when spacing is achieved)
- In some avionics suppliers blue does not indicate an alert/ the need for an action, yellow does for example] the lines need to be consistent with the manufacturer’s colour-coding philosophy
- Airbus – yellow is used for ‘direct-to’ (temporary flight plan)
- (4.4, 4.5,5) Best practices for CRM
E.7 PIL
4.4 Target selection for B - Visualisation and positioning to PNF (PF)
PF visualises wrong a/c (other than)
- [time wasted; - confusion]
n/a
- Current HMI design (blue line) prevents this
E.8 PIL
4.4 Target selection for B - Visualisation and positioning to PNF (PF)
PF gives part of information (part of)
- [time wasted; - confusion]
- PNF will ask for further information
- Emphasise discipline in CRM
E.9 PIL
4.5 Target selection for B - Cross-check of positioning (PNF)
No cross-check (none)
- Barrier failure
n/a
- Airline emphasise discipline of cross-checking
- Emphasise in CRM
E.10 PIL
4.5 Target selection for B - Cross-check of positioning (PNF)
Different information on 2 MCDUs (other than)
- 2 MCDUs are working separately
- Pilots can be on a different ‘page’ from each other
- Pilots can see what the other pilot has input on the other MCDU – although not necessarily as they may be on a different ‘page’
- Is a double check required? Both PF and PNF accept the check
- Determine conditions and frequency of this cause
F. WRONG AIRCRAFT IDENTIFIED
F.1 ATC
5.1 Target identification – Target positioning to ATC (PNF)
Wrong aircraft identified with positioning corresponding to this (wrong) aircraft
TBD
- Fail to detect that the wrong aircraft has been identified
- Potential airprox
Sev – 3 Freq – 3
- SSR code
- Detection: clock position and distance;
- Monitoring merge (later) by EXC
- ATC ensures clock position is correct
- Explore methods of detecting wrong aircraft selected: difficult to detect distance (e.g. a/c type)
- Use of ADD/ASAS (downlink of target selected) – will solve the problem of target position
- Ensure it is not possible to select an aircraft twice as a target (technically within ADS-B messages)
- Note: clock position is not very precise (e.g. confusion between 3 & 9 o’clock).
- Display bearing & range on ATC HMI (can have range & bearings displayed on orange line) and pilot will give bearing & distance not clock information [Note: latency of CWP update may not correspond with the precision of the pilot’s range & bearing] CWP update rate should correspond with the a/c
F.2 ATC
5.1 Target identification – Target positioning to ATC (PNF)
Wrong aircraft identified but positioning corresponding to correct aircraft (the one expected by ATC)
TBD
- Fail to detect that the wrong aircraft has been identified
- Inconsistent pictures between ground and air side
- Potential airprox
Sev – 3 Freq – 3
- SSR code
- Monitoring merge by EXC
- Address in pilot HAZOP
- ADD/ASAS
F.3 PIL
5.1 Target identification – Target positioning to ATC (PNF)
Wrong aircraft reported to ATC
- Error when inputting code
- Give ‘heading & merge instruction’ regarding wrong target
- General comment: Loss of trust in system (a/c and ATC)
- Inconsistent pictures between ground and air side
- Potential airprox
Sev – 3 Freq – 3
- ATC should detect error (in some situations it will be difficult for ATC to detect wrong target identified depending on clock position)
- Aircraft separated by 1000ft on sequencing legs [CoSpace comment: This only applies to aircraft on different sequencing leg]
- Look at sub-cases in-depth
- Use precise bearing information instead of clock position
- Use of ADD/ASAS (downlink of target selected)
- Use of datalink (SSR code uplinked) along with code transfer from DCDU (Datalink control display unit) to MCDU
- Limitations of safeguard: Strong cross-wind (clock position could be 2 clock positions different)
- Limitation of safeguard: Aircrew and ATC sometimes have different ‘clocks’
G. ONLY PART OF IDENTIFICATION DONE
G.1 ATC
5.1 Target identification – Target positioning to ATC (PNF)
No report from pilot (none)
- TBD
- Wasting time
- 2nd call
Sev – 4 Freq - TBD
- Monitoring by EXE
- ADD/ASAS
G.2 PIL
5.1 Target identification for B – Target positioning to ATC
Report to ATC late or not done (not done / late)
- Crew busy
- Frequency busy
- Delay the spacing instruction by ATC
- Increase in ATCO & aircrew workload
- Wasting time
Sev - 4 Freq - 3
- PF can tell PNF to make a call
- ATC will contact the a/c
- Discipline of following logical process
- Managing two actions at the same time
G.3 ATC
5.1 Target identification – Target positioning to ATC
Pilots report without target code or clock position, or distance (part of)
- TBD
- 2nd call
- wasting time
Sev – 4 Freq - TBD
- Monitoring by EXE
- ADD/ASAS
G.4 PIL
5.2 Target identification for B – Target confirmation (EXC)
No target confirmation
- this could potentially turn into a ‘short-cut temptation’
- Aircrew will request confirmation again
- could a/c go onto 5.3 without ‘Confirmation’?
G.5 PIL
5.3 Target identification for B - target validation (PNF)
No target validation
- Busy in cockpit
- Interruptions
- Workload
- Remain in temporary state
- ATC may assume target is acquired (ATC not able to detect)
- Could ATC go on and give ASAS instruction?
Sev – 4 Freq – 4 (for short haul – more likely)
- Step 6.3 & 7.3 input ASAS instruction
- Pilot will notice the mistake shortly after as ATC will give them an instruction ‘heading & merge’; ATC may give 6.1 instruction to merge but cannot do 6.3
- ADD - to know that target has been validated
G.6 PIL
5.3 Target identification for B - target validation (PNF)
Presses ‘return’ [instead of ‘validation’ button] (other than)
- Forget to insert, press wrong button
- Workload
- Aircrew will have to go through process again (perhaps without a/c and ATC checks) and may select wrong target (e.g. if in a hurry)
Sev – 4 (potential 3 if wrong target selected) Freq – 3 (same for wrong target selected)
- Re-enter input code and carry out checks again
- Instead of ‘Return’ press ‘Cancel’ and then ‘Confirm’; or have ‘Undo’ function (may not be relevant)
H. INSTRUCTION NOT GIVEN OR NOT ENTERED (OR TOO LATE)
H.1 ATC
7.1 Heading then merge (same IAF) – Instruction & click (EXC)
No “heading then merge” instruction given
- Controller mistake
- Workload
- Distraction
- Fatigue
- Poor training
- Busy frequency
- Controller interface (aircraft arriving in ‘remain’, spacing link on radar screen already green)
- Aircraft will continue along sequencing leg
- Spacing value not achieved (will be exceeded)
- Workload
- Following sequence is delayed
- Loss of confidence in system
- Pilot may become confused
- Loss of separation if left too long
Sev – 3/4 Freq – 4
- Monitoring (EXC & PLC)
- Pilot will call ‘unable’
- Define termination procedure (e.g. holding pattern) for the end of the sequencing leg (at the least pilot must call if reaching a pre-specified point)
- Training – highlight correct action sequence and timing for this task step
- HMI – differentiate between aircraft under ‘merge’ and aircraft under ‘remain’
- Use of ADD/ASAS (downlink aircraft spacing status)
- Constraint flight level prior to the entry of the sequencing leg
H.2 ATC
7.1 Heading then merge (different IAF) – Instruction & click (EXC)
No heading then merge instruction given
- Controller mistake
- Workload
- Distraction
- Fatigue
- Poor training
- Busy frequency
- Aircraft will continue along sequencing leg
- Spacing value not achieved (will be exceeded)
- Workload
- Following sequence is delayed
- Loss of confidence in system
- Pilot may become confused
- Loss of separation if left too long
Sev – 3/4 Freq – 3/4
- Monitoring (EXC & PLC)
- Pilot will call for clarification
- Spacing link status on radar screen not as expected (target selection status) Unless link updated (switched to green). In that case ADD/ASAS will help.
- Training – highlight correct action sequence and timing for this task step
- Constraint flight level prior to the entry of the sequencing leg
- Define termination procedure (e.g. holding pattern) for the end of the sequencing leg (at the least pilot must call if reaching a pre-specified point)
- Use of ADD/ASAS (downlink of aircraft spacing status)
H.3 ATC
7.1 Heading then merge (different IAF) – Instruction & click (EXC)
Giving heading then merge instruction too late
- Workload
- Distraction
- Fatigue
- Frequency busy
- Inexperience
- Exceed spacing
- Delay of the sequence
- Wasting time
- Time pressure on flight crew
- Controller workload
- Pilot ‘unable’
- Pilot confusion
Sev – 4 [Considered as the same hazard identified by pilot was severity 3/4 (H5)] Freq – 1
- Monitoring (EXC and PLC)
- Pilot may ask for clarification
- Training – correct action sequence and timing
- TRM
- Consider ADD/ASAS ‘time-out’ alert (prompt on radar screen – e.g. within 30s from downlink of target reporting merging, need to get downlink ‘heading then merge’ activated from instructed aircraft)
H.4 ATC
7.1 Heading then merge (same IAF) – Instruction & click (EXC)
Giving heading then merge instruction too late
Same as H3
H.5 PIL
7.1 Heading then merge - Instruction & click (EXC)
Instruction not given or delayed
- Remain on navigation
- Delay
- Aircrew waiting and expecting for instruction (either H&M or deselect target)
Sev – 3/4 Freq – 4
See controller HAZOP See H1 and H2 (H3 and H4 for delayed attributes)
H.6 PIL
7.3 Heading then merge - Input instruction, WPT & spacing value (PNF)
Instruction given but not entered by flight crew
Interruptions in the flight deck
- ATC assumes instruction will be followed
- Aircraft may fly towards a third aircraft (potential loss of separation)
Sev – 3/4 Freq – 3
- Crosscheck PF
- ATC awareness of the situation but will only notice after the turning point is passed (e.g. 15s after)
- PNF – blue line still present (still target selection mode)
- Design of sequencing legs with vertical separation
- Confirm that sequencing legs are designed with procedure safeguard (termination procedure)
- Use of ADD/ASAS (downlink of spacing parameters & status)
H7 Merge (see D6/G7) – Input instruction, WPT & spacing value (PNF)
Instruction given but not entered by flight crew
Interruptions in the flight deck
- Loss of spacing / separation
Sev – 3 Freq – 3
- Crosscheck PF
- PNF – blue line still present (still target selection mode)
- Controller monitoring
- Use of ADD/ASAS (downlink of spacing parameters & status)
- Alert on link when spacing is too large or too small (e.g. HMI color change)
I. ONLY PART OF INSTRUCTION GIVEN OR ENTERED
I.1 ATC
7.1 Heading then merge (same IAF) – Instruction & click (EXC)
Heading instruction given but no merge instruction (if in remain phase)
- Larger spacing required
- Pressure on controller to achieve goal
- [CoSpace comment: Not clear - Should be for next case (merge with no heading)]
- <Same as D.1>
- Aircraft will continue along sequencing leg
- Spacing value not achieved (will be exceeded)
- Workload
- Following sequence is delayed
- Loss of confidence in system
- Pilot may become confused by receiving heading instruction without merge
- Loss of separation if left too long
Sev – 3/4 Freq – 2
- Monitoring (EXC & PLC)
- Pilot will call ‘unable’
- Ask pilots what they would do (in pilot HAZOP)
- Training – highlight need to specify a limit when giving ‘continue heading’ instruction [TRM]
- Training for pilot (knowing what to expect) to increase pilot awareness
- Raise issue of procedure (heading instruction without merge) Currently heading instructions are meant to include the reason
I.2 ATC
7.1 Heading then merge (different IAF) – Instruction & click (EXC)
Heading instruction given but no merge instruction
Same as I1 Same as I1 Sev – 3/4 Freq – 2
Pilot will call for clarification instead of ‘unable’
Same as I1
I.3 ATC
7.1 Heading then merge (same IAF) – Instruction & click (EXC)
Merge instruction without heading instruction
- Inexperience with ASAS
- Mis-communication (between controller and pilot)
- Loss of spacing
- Possible loss of separation
- Workload to recover situation
- Aircraft strong speed reduction
- Perturbation in the sequence (impact on speed)
- Pilot ‘unable’
Sev – 2/3 Freq – 3 (Note: sev 3 if there is a quick detection; otherwise sev 2)
- Pilot may report unable (after turning only)
- PLC & EXC monitoring (not for turning but for loss of spacing or separation)
- Pilot may not be a safeguard (before turning)
- Define quick recovery procedure
- Training
- TRM
I.4 ATC
7.1 Heading then merge (different IAF) – Instruction & click (EXC)
Merge instruction without heading instruction
- Inexperience with ASAS
- Mis-communication (between controller and pilot)
- Loss of spacing
- Possible loss of separation
- Workload to recover situation
- Aircraft strong speed reduction
- Perturbation in the sequence (impact on speed)
- Pilot ‘unable’
Sev – 3 Freq – 3
- Pilot reports unable (after turning only)
- PLC & EXC monitoring (not for turning but for loss of spacing or separation)
- Define quick recovery procedure
- Training
- TRM
- Note: No descent instruction is given at this point else severity 2 – see task step 8 (descent)
I.5 PIL
7.2 Continue heading then merge – Readback (PNF)
Read-back not done (none)
- Interruptions
- Barrier failure
- Workload
- Time wasted
- [The pilot could go on and input the instruction without readback]
Freq – 4/5
- PF would detect & ask
- ATC would ask
- (see 4.2 and 5.2 – for other ‘readback’ errors)
I.6 PIL
7.3 Continue heading then merge - Input instruction, WPT & spacing value (PNF)
Inputting wrong instruction e.g. click ‘remain’ (other than)
- Time delay
- [Workload for pilot & ATC]
Sev – 4 Freq – 3/4
- a/c will have a different display and will not be able to enter a WPT
- (remain not used very often)
- procedure timing – press merge/remain etc buttons straight after ATC instruction
- [Difficult for ATC to detect error]
- See 8.3 (Cancel spacing) Alert when situation is not consistent with mode selected
- ADD – downlink Mode being selected (e.g. merge and remain)
- Should ‘remain’ prompt be on display?
- Further analysis will be required as options increase
- Ergonomics review: position of instruction buttons may affect the frequency of errors (to ensure error can be detected easily)
I.7 I.8 PIL
7.4 Continue heading then merge - Feasibility check (PF)
Feasibility check not done (none)
- Inexperience
- Pilot does not report to ATC that it is not feasible,
- eventual deviation [ATC may think that he can go on to next task]
Sev – 4 Freq - 4
- Pilot checks for broken arrow.
- ATC observes - if they are
‘unable’ and pilot attempts to enter ‘validation’, they can not go on to the next step
- Automise ‘enable’ ‘unable’ -
I.9 PIL
7.4 Continue heading then merge - Feasibility check (PF)
Feasibility check too late (late)
- Interruptions, busy freq.
- If time for recovery no problem, if no time, as above
Sev – 4 Freq - 4
- Training, crew discipline
I.10 PIL
7.5 Continue heading then merge – Instruction validation (PNF)
Instruction validation not done (not done)
- Interruptions, busy freq.
- Continue heading
Sev – 4 Freq - 4
- Pilot will see turn point approaching and nothing on scratchpad
- (Check that pilots can see turn point)
- System should indicate projected track to intercept pseudo turning waypoint (as for radial interception) in green after validation.
I.11 PIL
7.5 Continue heading then merge – Instruction validation (PNF)
Validate too late (too late)
- See #56 (7.5) Not done
I.12 PIL
7.5 Continue heading then merge – Instruction validation (PNF)
Press ‘return’ (other than)
- Mistake
- Lose data in page (waypoint spacing value
Sev – 4 Freq - 3
- Pilots will detect after
- Re-labelling buttons, ‘cancel’ instead of ‘return’ – to be reviewed (see 5.3 ‘Target validation’)
I.13 PIL
7.5 Continue heading then merge – Instruction validation (PNF)
Validate before checking feasibility (too soon)
- See 7.4 (heading & merge: check feasibility)
- System will indicate if unable
- This is not a hazard if you cannot validate
- If you can validate, invalid output on ASAS equipment may be displayed
- The system should not be able to go to ‘validation’ stage if feasibility is ‘unable’
J. WRONG MERGE POINT GIVEN OR ENTERED J.1 ATC
7.1 Heading then merge (same IAF) – Instruction & click (EXC)
EXC gives instruction: Heading & merge to wrong merge point
Fatigue
- Report ‘unable’
- Possible loss of separation
- Workload
- Note: this error is more critical for parallel runways
Sev – 3 Freq – 3
- Monitoring back from the PLC
- Report ‘unable’
- Pilot reports for clarification
- Is it possible to enter merge point after it has been passed? [CoSpace Comment: No with the current interface, but if it is entered, it should lead to a query]
- Note: BOKET & MOTEK – possible confusion for pilot
- Designing TMA: have one merge point per runway and publish the merge points in the ASAS STAR charts
- Use of ADD/ASAS (downlink of spacing parameters)
J.2 ATC
7.1 Heading then merge (different IAF) – Instruction & click (EXC)
Same as J1 Same as J1 Same as J1 Same as J1
J.3 ATC
6.1 Merge – Instruction & click (EXC)
Controller gives wrong merge point
Same as J1 Same as J1 Same as J1
J.4 ATC
6.3 Merge – input instruction, WPT and spacing value (PNF)
Pilot puts wrong merge point
- Cockpit HMI
- Overload / distraction
- Voice communication problems
- Loss of separation
- Additional workload
Sev – 3 Freq – 3
- Monitoring of the execution of the merging instruction (by the controller)
- Pilot receives an ‘unable spacing’ from onboard system
- Limit number of points in TMA
- Use of ADD/ASAS (downlink of spacing parameters)
- CPDLC coupled with MCDU
- Consider whether ASAS page should only display tagged merge points (problem with database providers)
J.5 PIL
7.3 Continue heading then merge - Input instruction, WPT & spacing value (PNF)
Inputting wrong WPT
e.g. WPT with similar name close by
- Potential airprox
- Additional workload
Sev – 3 Freq – 3
- Check from PF
- You should only be able to enter a WPT that is on your flight plan
- Have a list of WPT to choose (from flight plan)
- CPDLC coupled with MCDU
- Consider whether ASAS page should only display tagged merge points (problem with database providers)
K. WRONG SPACING VALUE GIVEN OR ENTERED
K.1 ATC
7.1 Heading then merge (same IAF) – Instruction & click (EXC)
Heading & merge correct, incorrect spacing value given by controller
- Workload
- Expectation bias (90s usual)
- Fatigue
- Loss of spacing
- Exceeding spacing (Sev 4)
- Infringement of the wake turbulence separation minimum
- Workload
Sev – 2 Freq – 2
- Marking on strip (& HMI) of Heavy, Medium etc
- Monitoring by PLC
Note: 90s spacing behind Heavy is correct in E-TMA
- Phraseology: “merge (waypoint) 120s behind heavy”
- Alert on link when current spacing is too large or too small (e.g. HMI color change)
- ‘H’ on the cockpit displays (ND, MCDU) (see K6)
- Use of ADD/ASAS (downlink of spacing parameters) + system checks spacing against a/c wake turbulence category
- Pilot detection of loss of spacing (if he knows it’s a heavy in front)
- Pilot checks spacing value against wake turbulence category
- Callsign should include ‘heavy’ in the arrival/departure phase (not ASAS specific)
- See K6 recommendations
- Define min. spacing value (not less than radar separation) not less than 90s (in that case sev 3)
K.2 ATC
7.1 Heading then merge (different IAF) – Instruction & click (EXC)
Same as K1 Same as K1 Same as K1 Same as K1 Same as K1 Same as K1
K1bis & K2bis
6.1 Merge – Instruction & click (EXC)
Same as K1 Same as K1 Same as K1 Same as K1 Same as K1 Same as K1
K.3 ATC
6.3 Merge – input instruction, WPT and spacing value (PNF)
Pilot puts wrong spacing value
- Cockpit HMI
- Overload / distraction
- Voice communication problems
- Loss of separation (wake turbulence)
- Spacing higher than requested (sev 4)
Sev – 2 Freq – 3
- Controller monitoring
- Hear-back of pilot
- Pilot may receive an ‘unable spacing’ from onboard system
- Alert on link when spacing is too large or too small (e.g. HMI color change)
- Use of ADD/ASAS (downlink of spacing parameters)
- Pilots would prefer to have ‘heavy’ information in the instruction (see G1)
- Define min. spacing value (not less than radar separation) not less than 90s (in that case sev 3)
K.4 ATC
7.3 Heading then merge (same IAF) - Input instruction, WPT & spacing value (PNF)
Heading & merge correct, incorrect spacing value inserted by pilot
- Pilot workload
- Problems with onboard technology
- Loss of separation (wake turbulence)
- Spacing higher than requested
Same as K6 Same as K6 See K1 and K6
K.5 ATC
7.3 Heading then merge (different IAF) - Input instruction, WPT & spacing value (PNF)
Same as K6 Same as K6 Same as K6
K.6 PIL
7.3 Heading then merge - Input instruction, WPT & spacing value (PNF)
Inputting wrong spacing value
- Mis-hearing
- Inexperience
- Reduced/increased spacing
- Wake vortex incident
Sev – 2 Freq – 2/3
- PF detects on HMI.
- ATC should detect if significant difference
- Define range of spacing values e.g. multiples of 10 (90/120)
- Define min. spacing value (not less than radar separation) not less than 90s (in that case sev 3)
- Display wake turbulence category on MCDU (this would be a cross check against spacing value given)
- See K1
K.7 ATC
6.3 Merge – input instruction, WPT and spacing value (PNF)
Required spacing not input by pilot [see H6]
- Overload/ distraction
- Voice communication problems
- Equipment failure
- Spacing over merge point won’t be achieved
- Potential loss of separation
- Controller may think a/c is under merge
Sev – 3 Freq – 3
- Controller monitoring
- Hear-back of pilot
- HMI prevents a/c from merging if spacing value is not entered (therefore pilot should detect)
- ASAS cannot be performed without a spacing value
- Alert on link when spacing is too large or too small (e.g. HMI color change)
- Use of ADD/ASAS (downlink of spacing parameters) will indicate that spacing is not entered
L. MERGE NOT (PROPERLY) INITIATED
L.1 PIL
7.7 Heading then merge - Initiate direct to WPT (PF)
‘Direct to WPT’ not initiated / done too late
- Interruptions
- Workload
After a certain time, spacing is lost
Sev – 4(3) Freq – 3
- Prompts on ND
- Min 1000 vertical between legs
- Reversion to radar vectoring
- Emphasise importance of the procedural aspect to pilots & controllers including preceding sectors controllers. Linked to next item
- The ATC procedures must ensure aircraft can comply with flight level restrictions at IAF (otherwise Sev 3).
- Make ‘resume’ automatic
L.2 ATC
7.7 Heading then merge (same IAF) - Initiate direct to WPT (PF)
Full instruction given, pilot does not merge
- Erroneous pilot input
- Mis-communication
- Equipment failure (onboard)
- Lack of pilot report of ‘unable’
- Receiving TCAS TA (so forgets to merge)
- Spacing exceeded
- Perturbation in the sequence
- Workload
- Aircraft will continue on sequencing leg
Sev – 3/4 Freq – 3
- Controller prediction of approximate turning point
- ATC general monitoring
- Pilot monitoring
- Second call to initiate merge
- Use of ADD/ASAS (downlink of aircraft spacing parameters)
- Constraint flight level prior to the entry of the sequencing leg (L3 only) [CoSpace comment: No consequences attached to this recommendation (e.g. loss of separation).]
- Define termination procedure (e.g. holding pattern) for the end of the sequencing leg (at the least pilot must call if reaching a pre-specified point)
- See L1
L.3 ATC
7.7 Heading then merge (different IAF) - Initiate direct to WPT (PF)
See L2 See L1 and L2
L.4 PIL
7.7 Heading then merge - Initiate direct to WPT (PF)
Initiate direct to wrong WPT
Selecting wrong waypoint (direct to page)
Potential loss of spacing
Sev – 3 Freq – 3
- May receive ‘unable’
- Crosscheck ‘direct to’
- Report to controller “merging WPT”
- Controller detection
- Consistency check on WPTs (merge and direct to WPTs)
- Cockpit interface alerts in case of inconsistency
- Airspace organisation: limit number of (direct to) WPTs
- Automation (performing the ‘direct to’)
- Emphasise reporting to ATC “merging WPT” by checking the ND
L.5 PIL
7.7 Continue heading then merge - Initiate direct to WPT (PF)
‘Direct to WPT’ initiated too soon (too soon)
- Over anticipation
- HMI confusion
- Significant speed reduction needed
- Eventual ‘unable’
Sev – 4 Freq – 3/4
- Crew discipline
- Training - emphasis on HMI.
- Automation
L.6 PIL
7.7 Continue heading then merge - Initiate direct to WPT (PF)
Select heading instead of ‘direct to’ (other than)
- Similar to L1? (staying on heading and not initiating ‘direct to’)
?
- Is it possible for the pilot to select ‘heading’ during the execution stage?
- Would it be necessary to ‘cancel spacing’ first to be able to go on ‘heading’?
M. SPACING NOT (PROPERLY) MAINTAINED
M.1 PIL
7.10 Heading then merge - Maintenance of spacing by speed actions (PF)
No maintenance of spacing by speed actions for e.g. greater than 2 minutes
- Distractions
- Priority of tasks
- Loss of spacing
- Potential loss of separation (if catching up)
Sev – 3 Freq – 2
- Messages on ND – pre-warning flashes (diff. 7 knots), adjust speed (diff. 15kts).
- PNF detects
- PNF discipline in case of interruptions
- Crew discipline, prioritisation of essential tasks
- ATC
- Automation (managed speed)
- Crew training (CRM) / discipline / awareness on spacing techniques.
- Use of ADD/ASAS (downlink of spacing value) to inform ATC.
- Clarify impact of airline and ATC speed limitations on S&M (general issue for project) [CoSpace comment: Speed limit 250kt in TMA? This is relevant to 250kts limit. ASAS procedures need to be compatible with airline, regulatory constraints]
M.2 PIL
7.6 Heading then merge – Monitor the acquisition of spacing (PF)
Focus too much on monitoring acquisition of spacing
Tunneling effect (over concentration on task)
- Other events/actions missed
- Risk of compromising normal flying tasks
Sev – ? Freq – 4/5 (high initially during crew familiarisation phase)
- Crew discipline
- Training (high degree of familiarization prior to actual usage)
- Automation
M.3 PIL
7.10 Heading then merge - Maintenance of spacing by speed actions (PF)
Focus too much on maintenance of spacing
Tunneling effect (over concentration on task)
Same as I.2
M.4
Hazard of spacing not maintained was not identified during controller HAZOP
See M.1
M.5 PIL
7.3bis Continue heading then merge – Maintain current heading (PF)
A/c does not remain on navigation [e.g. they merge early] (not done)
- Unexpected turns (see 7.7)
Sev – 4 Freq – 4
- PNF detects
- ATC would detect at turn initiation, but too late
- Crew should not be able to validate merge mode while in navigation, except if merge waypoint is the ‘to’ waypoint
M.6 PIL
7.3bis Continue heading then merge – Maintain current heading (PF)
Deviation for bad weather (other than)
- Weather
- Deviation from planned track.
- Alert given to following a/c if the target deviates (the following a/c may need to adjust speed)
Sev – 4 Freq – 4
- Inform ATC
- Respect rule, inform ATC of deviation
- ATC should have adverse weather information displayed
M.7 PIL
7.6 Continue heading then merge – Monitor the acquisition of spacing (PF)
Monitoring acquisition of spacing not done (not done-less)
- unable to respect profile
Sev – 4 Freq – 4
- Inform ATC
- This is a passive task, no consequences of ‘monitoring task not done’
M.8 PIL
7.6 Continue heading then merge – Monitor the acquisition of spacing (PF)
[Not monitoring the acquisition of spacing - unable to respect profile]
- Cannot increase speed:
– too slow (perturbations in the chain)
– too fast (LOS)
- Is this an additional hazard (to M7 above)?
N. OTHER AIRCRAFT TAKES INSTRUCTION
N.1 ATC
7.2 Heading then merge (different IAF) – Readback (PNF)
Other aircraft taking heading & merge instruction
- Pilot callsign confusion
- Poor phraseology
- Aircraft expecting to merge when on sequencing leg
- Loss of separation
- Workload
- Loss of controller situation awareness
- Perturbation of sequence of traffic
Sev – 2 Freq – 2
- Read-back (e.g. different voice)
- ATC monitoring
- Pilot aware of preceding aircraft
- Pilot training
- Use of ADD/ASAS (downlink of spacing status or parameters)
- Callsign confusion reduction measures
- Rapid fallback procedures
- CPDLC
O. CANCELLATION INSTRUCTION NOT GIVEN OR ENTERED
O.1 ATC
8.1 Spacing cancellation & assign speed - Instruction & click (EXC)
Instruction given, link on radar screen not cancelled
- Workload
- Not well trained
- HMI problems
- PLC doing the clicks
- Loss of situation awareness (EXC, PLC)
- Handover problems
- Loss of separation
Sev – 3 Freq – 2/3
- Cross-check from PLC
- Monitoring the spacing
- Order of strips
- Use of ADD/ASAS (downlink of aircraft spacing status)
- Training (cancel spacing and speed instruction AND update link)
- Handover checklist
- Training: role clarity between EXC and PLC
O.2 ATC
8.1 Spacing cancellation & assign speed - Instruction & click (EXC)
Cancel the wrong aircraft [and click the correct aircraft on HMI]
- Label overlapping
- Workload
- Distraction
- Inexperience
- Fatigue
- PLC doing the clicks
- Loss of situation awareness (EXC, PLC)
- Workload
- Loss of separation
- Confusion pilot controller
Sev – 3 Freq – 2/3
- Paper strips
- HMI indication (yellow) of a/c to be cancelled – in advance
- PLC role dedicated to cross-checking
- Training
- Relief controllers?
- Third person (behind) following the situation will not improve safety in ASAS)
- TRM – asking for help when tired
- ADD/ASAS – observe link spacing with wrong a/c
- Efficient anti-label overlap
- Datalink
- Training: role clarity between EXC and PLC
O.2bis
Cancel correct a/c and click on wrong a/c
Sev - 3
O.3 ATC
8.1 Spacing cancellation and speed instruction – instruction & click (EXC)
Instruction given to wrong aircraft [and click on this aircraft]
- Label overlap
- Callsign confusion
- Workload
- a/c (far from LOMAN) takes instruction (speed reduction)
- workload from read-back & lose trust in system
- catching up of following a/c (potential LOS)
Freq – 3 Sev – 3
- Pilot seeks clarification
- Following a/c pilot reaction (reduce speed) under spacing
- Automation (cancel spacing automatically prior to the ILS)
- Note: Between LOMAN and BOKET cancel spacing by default and speed limit (automatically) Report from pilot mandatory + cancel link (publish ASAS procedure and distinguish between end of speed limit and switch automatic mode manual (cockpit) – implicit cancellation of instruction may not be acceptable by pilots (not currently acceptable in ATC – unless it is written in the charts)
- Efficient anti-overlap
- Callsign confusion reduction measures
O.4 ATC
8.1 Spacing cancellation & assign speed - Instruction & click (EXC)
Spacing cancellation without speed instruction
- Distraction
- Controller inexperience
- Catching up
- Loss of separation if too fast
- Workload
- Loss of accuracy
Sev – 3/4 Freq – 2
- Procedure: 250 kts max below FL100
- Pilot awareness (they know there is an a/c in front & speed - not to increase speed)
- Training – cancel spacing AND speed instruction
- ADD (speed reminder) [when canceling if speed not delivered, speed indication is highlighted? Same as line below]
- Highlight speed value on HMI (for 5s)
- Training (pilots) wait for speed instruction
- TRM training about potential errors
O.5 ATC
8.1 Spacing cancellation & assign speed for B - Instruction & click (EXC)
No instruction given (none)
- Distraction workload
- High traffic
- Pilot fails to call (R/T problem; late transfer)
- Poor team co-ordination
- Sequence order compromised [if you want to cancel 2 a/c under spacing to rejoin them in a different sequence]
- Increase workload (to re-establish sequence)
- Unable to maintain spacing
Sev – 4 Freq - 4
- [Pilot will ask ATCO what is happening/ reports unable spacing if the controller asks B to select target]
- HMI indication (yellow) of a/c to be cancelled
- Team work training
- Training: for quick reactions
O.6 ATC
8.1 Spacing cancellation and speed instruction for B – instruction & click (EXC)
ATCO forgets to issue cancel (none)
- Workload
- [perhaps like O.5]
- Call from pilot (for ILS)
- Pilot will do something to capture ILS (push ILS button)
O.7 ATC
8.1 Spacing cancellation & assign speed for B - Instruction & click (EXC)
Late cancellation (later)
- Distraction
- ATCOs busy
- Workload
Sev – 4 Freq – 4
- Cross-check from PLC
- Self-monitoring
- Paper strip order
- HMI indication (yellow) of a/c to be cancelled
- Training – cancel spacing AND speed instruction
O.8 ATC
8.1 Spacing cancellation and speed instruction for B – instruction & click (EXC)
Spacing cancellation given too soon/too late (sooner than / later than)
- Difficult to detect when the a/c is abeam the point
- Inaccuracy of the spacing – affect traffic flow
- workload
Sev – 4 Freq – 5 [similar to O.7]
- Pilot request
- Pilot report
- [Need to identify circumstances]
O.9 ATC
8.3 Spacing cancellation & assign speed for B – cancel spacing & deselect target (PNF)
Instruction given, link cancelled, pilot does not execute (part of)
- Pilot workload
- (TBD)
- Technical problems onboard (with MCDU)
- Increase of workload (ATC)
- Unable from other pilot
- [Similar to P4 & O.10]
Sev – 4 Freq - 3
- 2nd call
- When give another target to a/c will be unable
- ADD-ASAS
- Raise in pilot HAZOP (including wrong speed input)
O.10 ATC
8.3 Spacing cancellation and speed instruction for B – cancel spacing and deselect target (PNF)
Pilot forgets to cancel spacing (none)
- Pilot busy
- [Similar to P.4 & O.10]
- Full automation in cockpit (spacing)
- Need to consider this scenario during the pilot HAZOP session with and without automation/ speed adjustment
P. PART OF CANCELLATION INSTRUCTION GIVEN
P.1 ATC
8.1 Spacing cancellation & assign speed for B - Instruction & click (EXC)
Only speed instruction given – does not cancel spacing (part of)
- Distraction
- Controller inexperience
- Pilot ‘unable’ to maintain spacing
- Workload
Sev – 4 Freq - 5
- Pilot calls ‘unable’
- Training – cancel spacing AND speed instruction
P.2 ATC
8.1 Spacing cancellation & assign speed for B - Instruction & click (EXC)
HMI link cancelled, instruction not given (part of)
- Workload
- Not well trained
- HMI problems
- PLC doing the clicks
- Loss of situation awareness (EXE, PLC)
- Handover problems
- Workload
Sev – 4 Freq – 4
- Cross-check from PLC
- Monitoring the speed
- ADD/ASAS
- Training – cancel spacing AND speed instruction
- Handover checklist
- Training: role clarity
P.3 ATC
8.1 Spacing cancellation and speed instruction for B – instruction & click (EXC)
Give cancel instruction and speed instruction (as well as)
- Cockpit constraints
- Workload increase (# instructions)
- Attention taken (cannot focus on sequence building)
- Situation awareness
- Communication
- Less spacing accuracy
- Go-around (incr #)
- Callsign confusion
- Additional monitoring
Sev - 4 Freq - 5
- (giving speed instruction not technically difficult – just workload)
- Keep spacing until a/c is with TWR with full automation
- Between LOMAN and BOKET cancel spacing by default and speed limit (automatically) Report from pilot mandatory + cancel link (publish ASAS procedure and distinguish between end of speed limit and switch automatic mode manual (cockpit)
P.4 PIL
8.2 Spacing cancellation and speed for B – Readback (PNF)
Readback done but spacing not cancelled (not done)
- Distracted by other tasks onboard
- Confusion – may think spacing is cut (ATC)
- Infringement with other a/c if a/c B follows target without authorization from ATC
- Long sequencing leg – ATC may not detect error for a long time
Sev – 4 Freq – 5
- Listening to communications;
- [ATC will issue instruction]
- Not following target – following your own navigation
- Clarify/highlight the procedure to follow own nav (not follow target) – to ensure there is no confusion
- System is detecting problem (too late?)
- CRM training
- Warnings for pilot HMI that target a/c is off track (may not detect all types of deviation)
- Have ADD link so ATC can detect deviation
P.5 PIL
8.4 Spacing cancellation and speed for B – execute speed (PF)
Spacing cancelled but new speed not executed (270 vs 300) (not done)
- Small diversion
P.6 PIL
8. Spacing cancellation and speed for B
General comment: Pilot has additional constraint as compared to a few years ago when entering TMA. Now he has a/c performance constraints – reducing speed for ILS.
- Traffic
- Airspace constraints
- Standardization of procedures
- Comment: Issue of cancellation needs further refinement in HAZOP III
- what are the issues? What are the additional constraints?
Q. WRONG AIRCRAFT TAKES CANCELLATION INSTRUCTION
Q.1 PIL
8.3 Spacing cancellation and speed for B – cancel spacing & deselect target
Wrong a/c follows the cancel instruction (as well as)
- Anticipating (listening to ATC instruction to target)
- Similar to today
Sev – 3
- Do not use ‘follow’ in phraseology
- ‘Time behind’ target a/c is more precise & clear
- Is ASAS reinforcing pilot anticipation of the action? Same as today.
- Is the ‘link’ reinforcing pilots’ picture of following the target (and not their own nav)?
- Do not use the term ‘link’
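The entry interlocks recommended in rows I.13, J.5, K.1, K.6 and K.7 above, sketched as an added Python example (not part of the report and not CoSpace or avionics code). The `MergeEntry` class, its method names, the `achievable` flag and the per-category minimum table are assumptions made for illustration; the waypoint names are reused from the report as constructed sample input.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

# Assumed minimum spacing (seconds) per wake turbulence category of the target.
# The report only mentions 90 s as the usual value and "120s behind heavy" as
# phraseology; this table is illustrative, not operational data.
MIN_SPACING_S = {"HEAVY": 120, "MEDIUM": 90, "LIGHT": 90}
SPACING_STEP_S = 10   # K.6: spacing values in multiples of 10
SPACING_FLOOR_S = 90  # K.6: minimum spacing value not less than 90 s


class Feasibility(Enum):
    NOT_CHECKED = "not checked"
    ENABLE = "enable"
    UNABLE = "unable"


class InterlockError(Exception):
    """Raised when a step is attempted that the interlock must refuse."""


@dataclass
class MergeEntry:
    """Hypothetical model of one merge instruction as keyed in by the PNF."""
    flight_plan: List[str]
    target_wake_category: str
    waypoint: Optional[str] = None
    spacing_s: Optional[int] = None
    feasibility: Feasibility = Feasibility.NOT_CHECKED
    validated: bool = False

    def enter(self, waypoint: Optional[str], spacing_s: Optional[int]) -> None:
        """Store new values; any earlier feasibility result no longer applies."""
        self.waypoint, self.spacing_s = waypoint, spacing_s
        self.feasibility = Feasibility.NOT_CHECKED
        self.validated = False

    def input_errors(self) -> List[str]:
        """Return every reason the keyed-in values must be rejected."""
        errors = []
        if self.waypoint is None:
            errors.append("merge waypoint not entered")
        elif self.waypoint not in self.flight_plan:                 # J.5
            errors.append(f"{self.waypoint} is not on the flight plan")
        if self.spacing_s is None:                                  # K.7
            errors.append("spacing value not entered")
            return errors
        if self.spacing_s % SPACING_STEP_S != 0:                    # K.6
            errors.append("spacing is not a multiple of 10 s")
        if self.spacing_s < SPACING_FLOOR_S:                        # K.6
            errors.append("spacing is below the 90 s minimum")
        required = MIN_SPACING_S.get(self.target_wake_category)
        if required is None:
            errors.append("unknown wake turbulence category")
        elif self.spacing_s < required:                             # K.1
            errors.append(f"spacing is below {required} s behind "
                          f"{self.target_wake_category}")
        return errors

    def check_feasibility(self, achievable: bool) -> Feasibility:
        """'achievable' stands in for the onboard spacing computation."""
        ok = achievable and not self.input_errors()
        self.feasibility = Feasibility.ENABLE if ok else Feasibility.UNABLE
        return self.feasibility

    def validate(self) -> None:
        """I.13: no 'validation' stage unless feasibility is 'enable'."""
        if self.feasibility is not Feasibility.ENABLE:
            raise InterlockError("cannot validate: feasibility is "
                                 f"{self.feasibility.value}")
        self.validated = True


if __name__ == "__main__":
    # Constructed sample: BOKET is on the flight plan, MOTEK is not.
    entry = MergeEntry(flight_plan=["LOMAN", "BOKET"], target_wake_category="HEAVY")
    entry.enter("MOTEK", 90)
    print(entry.input_errors())
    entry.enter("BOKET", 120)
    print(entry.check_feasibility(achievable=True))
    entry.validate()
    print("validated:", entry.validated)
```

Re-entering a value after a successful feasibility check resets the state, so a value changed after the check cannot be validated without being checked again.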
Appendix D. Complete list of recommendations
Recommendations are categorized into 5 groups and were provided either during the controller HAZOP, the pilot HAZOP or the Consolidation HAZOP. The five categories are sub-divided into further categories in the tables.
1. HMI
2. Procedures
3. Training
4. Operational Environment
5. Organisation & Manning
1. HMI Recommendations
Task Error # Error/ Failure Mode Recommendations Recom #
ADD/ASAS
First call
B1 S3 HMI link is missing, or wrong status
ADD/ASAS - Correct HMI link status C-HMI-12
Wrong target selection
D1 S3 ATCO selects wrong target (+right target)
ADD/ASAS – check correct target is selected C-HMI-45
D3 S3 pilot inputs wrong code ADD – will solve the problem of target position P-HMI-13
D5 S3 controller wrong (but valid) code
ADD (ASAS) CP-HMI-9
Part of target selection done
E1 S4 forget to make link ADD/ASAS - reminder to make link C-HMI-50
F1 S3 wrong target identified / wrong target identification given to ATC
ADD/ASAS - correct positioning C-HMI-58 P-HMI-24
F1 S3 wrong aircraft identified with positioning corresponding to this (wrong) aircraft
Use of ADD/ASAS (downlink of target selected) – will solve the problem of target position
CP-HMI-12
F1 S3 wrong aircraft identified with positioning corresponding to this (wrong) aircraft
Display bearing & range on ATC HMI (can have range & bearings displayed on orange line) and pilot will give bearing & distance not clock information [Note: latency of CWP update may not correspond with the precision of the pilot’s range & bearing] CWP update rate should correspond with the a/c
CP-HMI-14
Wrong (target) aircraft identified
F3 S3 wrong target identified with wrong read-back
ADD/ASAS C-HMI-55
Only part of target identification done
G1 S4 no report from pilot ADD/ASAS – information that target identified C-HMI-52
G3 S4 pilots report without target code or clock position, or distance
ADD/ASAS C-HMI-53
J4 S3 pilot puts wrong spacing value (merge)
ADD/ASAS - Correct spacing value C-HMI-62
Spacing instruction
K3 S2 required spacing not input by pilot (merge)
ADD/ASAS - Ensure spacing value is input by pilot C-HMI-60
J1 S3 heading & merge to wrong merge point
ADD/ASAS - Correct merge point C-HMI-83
I3 S2/3 merge instruction without heading instruction
ADD/ASAS - Correct instruction C-HMI-75
N1 S2 other a/c taking heading & merge instruction
ADD/ASAS - Correct a/c taking instruction C-HMI-96
K1 S2 incorrect spacing value given by controller
ADD/ASAS - Correct spacing value C-HMI-84
H3 S4 giving heading & merge instruction too late
ADD/ASAS - ‘time-out’ alert (ATCO prompt – e.g. within 30s from downlink A, need to get downlink from B)
C-HMI-94
H2 S3/4 no heading and merge instruction given
ADD/ASAS - Ensure instruction is given? C-HMI-67
L2 S3/4 pilot does not merge ADD/ASAS - Indicate merging C-HMI-76
H6 S3/4 instruction given but not entered by flight crew
Use of ADD/ASAS (downlink of spacing parameters & status)
CP-HMI-17
M1 S3 P-HMI-58
no maintenance of spacing by speed actions (e.g. for greater than 2 seconds)
ADD to inform ATC (spacing value).
P-HMI-60
H7 S3 input instruction not done (merge)
ADD P-HMI-29
L1 S4/3 initiate direct to WPT – not done/too late
ADD - Make ‘resume’ automatic P-HMI-51
J5 S3 selecting wrong waypoint ADD P-HMI-57
I6 S4 input wrong instruction, WP or speed
ADD – downlink Mode being selected (e.g. merge and remain)
P-HMI-31
I7 S4 feasibility check Automise ‘enable’ ‘unable’ P-HMI-41
L5 S4 initiate direct to WPT – too soon
Automation P-HMI-53
L4 S3 initiate direct to WPT – Selecting wrong waypoint
Message generated to pilots P-HMI-55
O1 S3 link not cancelled ADD/ASAS - Correct HMI link status C-HMI-23
O5 S4 instruction not given ADD/ASAS - C-HMI-27
O9 S4 link cancelled, pilot does not execute
ADD/ASAS - Check that pilot has cancelled spacing
C-HMI-38
O2 S3 C-HMI-36
cancel instruction given to the wrong a/c
ADD/ASAS - Observe link spacing with wrong a/c
C-HMI-102
Spacing cancellation & assign speed
O4 S3/4 spacing cancellation without speed instruction
ADD/ASAS - Reminder to give speed instruction C-HMI-18
O5 S4 not done ADD - so ATC can detect deviation P-HMI-4
O2 S3 instruction given to wrong aircraft [and click on this aircraft]
Automation (cancel spacing automatically prior to the ILS) implicit cancellation of instruction may not be acceptable by pilots (not currently acceptable in ATC – unless it is written in the charts)
CP-HMI-46
Datalink
Target selection
D3 S3 pilot inputs wrong code Datalink C-HMI-48
E1 S4 forget to make link Datalink (will prevent inconsistency between a/c and ATC, where ATC and a/c will have a consistent target)
C-HMI-50
D1 S3 ATCO selects wrong target (+right target)
Datalink will provide a cross-check C-HMI-43
D1 S3 Instruction given with correct aircraft (target) but controller clicks wrong (target) aircraft on radar screen
CPDLC will prevent inconsistency between a/c and ATC (ATC and a/c will have consistent target) but does not prevent B4
CP-HMI-6
Target identification
F3 S3 wrong target identification given to ATC
Datalink (SSR code uplinked along with code transfer from DCDU (Datalink Cockpit Display Unit) to MCDU)
P-HMI-25
Spacing Instruction
N1 S2 Heading then merge (different IAF) – Readback (PNF) – Other aircraft taking heading & merge instruction
CPDLC
CP-HMI-42
ATC radar screen
Sequence order identification
A2 S4 non-ASAS-equipped a/c in sequence
ATC HMI – Ensure HMI is clear with respect to ASAS and non-ASAS equipage; including non-serviceable ASAS equipage
C-HMI-4
Target selection
D1 S3 ATCO selects wrong target (+right target)
ATC HMI – Dotted line (select) complete line (identification) – additional click
C-HMI-44
Target identification
F1 S3 wrong target identified with wrong read-back
ATC HMI – Ensure it is not possible to select a/c twice as a target (technically within ADS-B messages: ground & air)
C-HMI-56
J4 S3 pilot puts wrong spacing value (merge)
ATC HMI – Alert on link when spacing is too large or too small (e.g. HMI colour change)
C-HMI-61
K1 S2 ATC HMI – HMI to check spacing against a/c wake turbulence category
C-HMI-84
incorrect spacing value given by controller (heading & merge)
ATC HMI – Alert on link when current spacing is too large or too small (e.g. HMI colour change)
C-HMI-86
K3 S2 required spacing not input by pilot (merge)
ATC HMI – Alert on link when spacing is too large or too small (e.g. HMI colour change)
C-HMI-59
J1 S3 heading & merge to wrong merge point
Pilot HMI – It should not be possible to enter merge point after it has been passed
C-HMI-80
Spacing Instruction
H3 S4 no heading and merge instruction given
ATC HMI – differentiate between a/c under merge and a/c under ‘remain’
C-HMI-66
O2 cancel the wrong a/c C-HMI-37
O3 S3 instruction given to wrong a/c
ATC HMI – Efficient label anti-overlap
C-HMI-103
O4 S3/4 spacing cancellation without speed instruction
ATC HMI – Highlight speed value on HMI (for 5s) C-HMI-19
Spacing cancellation & assign speed
O3 S3 instruction given to wrong a/c
Between LOMAN and BOKET cancel spacing by default and speed limit (automatically) Report from pilot mandatory + cancel link (publish ASAS procedure and distinguish between end of speed limit and switch automatic mode manual (cockpit)
C-HMI-104
Pilot HMI
Target selection
D3 S3 wrong code input Pilot HMI - SSR code will be next to the target on display (too much clutter if it is put on Nav Display)
P-HMI-11
E3 S4 Pilot HMI - Further study: The Cospace philosophy must de-emphasise the linking - the line that is joining instructed & target a/c – is it confusing? Line helps pilot identify clock position; discuss more e.g. remove target symbol?
P-HMI-10
code not input
Pilot HMI - Consistent HMI coding i.e. Cospace coding must be consistent with airline and airframe manufacturers practices. The HMI colours (blue or yellow lines) denote temporary in different airlines/manufacturers (alternate flight plan/go-around; new FMS that will be flown)
P-HMI-9
E6 S4/5 visualization and positioning to PNF not done
Pilot HMI - The lines need to be consistent with the manufacturer’s colour-coding philosophy. (In some avionics suppliers, blue does not indicate an alert/ the need for an action, yellow does for example)
P-HMI-14
E10 Unable to cross check positioning
Pilot HMI - Further study: Determine conditions and frequency of this cause (2 MCDUs are working separately)
P-HMI-18
Target identification
G6 S3/4 no target confirmation – forget to insert; presses wrong button (e.g. return)
Pilot HMI - Instead of ‘Return’ press ‘Cancel’ and then ‘Confirm’; or have ‘Undo’ function (may not be relevant)
P-HMI-27
I6 S4 Pilot HMI - Ergonomics review: position of instruction buttons may affect the frequency of errors (to ensure error can be detected easily); Have a list of WPT to choose (from flight plan)
P-HMI-34
Pilot HMI - Define range of spacing values e.g. multiples of 10 (90/120)
P-HMI-35
Pilot HMI - Define min. spacing value (not less than radar separation)
P-HMI-36
Spacing Instruction
input wrong instruction, WP or speed
Pilot HMI - Display w/v category on MCDU (this would be a cross check against spacing value given)
P-HMI-37
I6 S4 Pilot HMI - Alert when situation is not consistent with mode selected (see 2.3)
P-HMI-30
Pilot HMI - Further study: Should ‘remain’ prompt be on display?
P-HMI-32
input wrong instruction, WP or speed
Pilot HMI - Further analysis will be required as options increase
P-HMI-33
M5 S4 Pilot HMI - Crew should not be able to validate merge mode while in navigation, except if merge waypoint is the ‘to’ waypoint
P-HMI-38
remain on navigation, deviation for weather
Pilot HMI - ATC should have adverse weather information displayed
P-HMI-40
I10 S4 Pilot HMI - Check that pilots can see turn point P-HMI-43
instruction validation not done
Pilot HMI - System should indicate projected track to intercept pseudo turning waypoint (as for radial interception) in green after validation.
P-HMI-44
Pilot HMI - Re-labelling buttons, ‘cancel’ instead of ‘return’ – to be reviewed (see 4.3)
P-HMI-45
I13 validated before checking feasibility
Generate ‘unable’ if profile not feasible P-HMI-47
H6 S3/4 instruction given but not entered by flight crew
Alert on link when spacing is too large or too small (e.g. HMI color change)
CP-HMI-19
J4 S3 pilot inputs wrong merge point
DCDU coupled with MCDU CP-HMI-22
Consider whether ASAS page should only display tagged merge points (problem with database providers)
CP-HMI-23
K1 S2 heading & merge correct, incorrect spacing value given by controller (same/different IAF)
‘H’ on the cockpit displays (ND, MCDU) CP-HMI-26
P4 S4 Pilot HMI - Warnings for pilot HMI that target a/c is off track (may not detect all types of deviation)
P-HMI-3
Further research: Is ASAS reinforcing pilot anticipation of the action? Same as today?
P-HMI-5
Further research: Is the ‘link’ reinforcing pilots picture of following the target (and not their own nav)
P-HMI-6
Spacing cancellation
Read-back done but cancellation not done
Do not use the term ‘link’ P-HMI-7
AMAN
A2 S4 non-ASAS-equipped a/c in sequence
AMAN - Tool to better identify sequence (e.g. like AMAN)
C-HMI-5 Sequence order identification
A3 S4 planning started too far in advance
AMAN - More stable AMAN C-HMI-7
2. Procedure Recommendations
Task Error # Error / Failure Mode Recommendations Recom #
First call
B1 S3 HMI link is missing, or wrong status
Define phraseology for pilot [pilot say “under spacing” each time they enter sector & ask for more details only if there is a doubt]
C-PR-11 CP-PR-1
Explicit co-ordination is not considered (silent co-ordination is used)
CP-PR-2
Cancel spacing by previous sector and retaining target of the a/c was ruled out because you lose some benefits and increase workload
CP-PR-3
Introduction of ASAS (<50% a/c with ASAS) will need to consider using positive announcement
CP-PR-4
EXC will call a/c to confirm if there is a link and they do not announce they are under spacing
CP-PR-5
D5 S3 pilot inputs wrong code Working arrangements (EXE & PLC) At what stage does ATC put HMI link / dashed line?
C-PR-40 P-PR-12
D1 S3 ATCO selects wrong target (+clicks right target)
Reinforce readback of target code by pilots C-PR-42
Target selection
D2 S4 pilot inputs wrong code (that is not valid)
Pilot readback what they are inputting C-PR-46
E10 no cross checking of positioning
Further study: Is a double check required? Both PF and PNF accept the check
P-PR-17
D1 S3 instruction given with correct aircraft (target) but controller clicks wrong (target) aircraft on radar screen
Sequence ordering: Visual checking of crossed lines
CP-PR-7
Sequence ordering: Numbering sequence of a/c (linked with AMAN)
CP-PR-8
D5 S3 controller selects wrong (but valid) code
Defined working practices (a routine method of working)
CP-PR-11
F1 S3 Wrong aircraft identified with positioning corresponding to this (wrong) aircraft
Explore methods of detecting wrong target : difficult to detect distance (e.g. a/c type)
C-PR-54 Target identification
F3 S3 wrong target positioning given to ATC
Look at sub-cases in-depth Use precise bearing information instead of clock position
P-PR-22 P-PR-23
F1 S3 Wrong aircraft identified with positioning corresponding to this (wrong) aircraft
Note: clock position is not very precise (e.g. confusion between 3 & 9 o’clock).
CP-PR-13
N1 S2 other a/c taking heading & merge instruction (diff IAF)
Rapid fallback procedure C-PR-98
I3 S2/3 giving merge instruction without heading instruction
Define quick recovery procedure C-PR-73
K1 S2 incorrect spacing value given by controller
Phraseology: “merge (waypoint) 120s behind heavy”
C-PR-85
Callsign should include ‘heavy’ in the arrival/departure phase (not ASAS specific)
C-PR-87
K3 S2 pilot inputs wrong spacing value (merge)
Ask pilots if they want ‘heavy’ information in the instruction
C-PR-63
E1 S4 ATCO forgets to make link Relief controller (distraction) C-PR-49
L2 S3/4 full instruction given, pilot does not merge (Heading then merge)
Define termination procedure (e.g. holding pattern) for the end of the sequencing leg (at the least pilot must call if reaching a pre-specified point)
C-PR-78
H2 S3/4 no heading and merging instruction given (diff IAF)
Define termination procedure (e.g. holding pattern) for the end of the sequencing leg (at the least pilot must call if reaching a pre-specified point)
C-PR-90
L1 S4 initiate direct to WPT – not done/too late
The ATC procedures must ensure a/c can comply with restrictions at IAF.
P-PR-50
Spacing Instruction
M6 S4 remain on navigation, deviation for weather
Respect rule, inform ATC of deviation P-PR-39
H2 S3/4 no “heading then merge” instruction given
Define termination procedure (e.g. holding pattern) for the end of the sequencing leg (at the least pilot must call if reaching a pre-specified point)
CP-PR-15
H2 S3/4 instruction not given or delayed
Define termination procedure (e.g. holding pattern) for the end of the sequencing leg (at the least pilot must call if reaching a pre-specified point)
CP-PR-16
H6 S3/4 instruction given but not entered by flight crew
Confirm that sequencing legs are designed with procedure safeguard (termination procedure)
CP-PR-18 (mod)
I1 S3/4 heading instruction given but no merge instruction (if in remain phase) same IAF
Raise issue of procedure (heading instruction without merge) Currently heading instructions are meant to include the reason
CP-PR-20
I1 S3/4 heading instruction given but no merge instruction (different IAF)
Raise issue of procedure (heading instruction without merge) Currently heading instructions are meant to include the reason
CP-PR-21
K1 S2 heading & merge correct, incorrect spacing value given by controller
Pilot detection of loss of spacing (if he knows it’s a heavy in front)
CP-PR-27
K1 S2 heading & merge correct, incorrect spacing value given by controller
Pilot checks spacing value against wake turbulence category
CP-PR-28
K1 S2 heading & merge correct, incorrect spacing value given by controller
Define min. spacing value (not less than radar separation) not less than 90s (in that case sev 3)
CP-PR-29
K1 S2 heading & merge correct, incorrect spacing value given by controller (different IAF)
CP-PR-34
K1 S2 heading & merge correct, incorrect spacing value given by controller (different IAF)
CP-PR-35
K6 S2 Pilot puts wrong spacing value
Define min. spacing value (not less than radar separation) not less than 90s (in that case sev 3)
CP-PR-36
L4 S3 Initiate direct to wrong WPT
When performing the ‘direct to’ emphasise reporting to ATC “merging WPT” by checking the ND
CP-PR-39
P3 S4 speed instruction as well as spacing cancellation
Keep spacing until a/c is with TWR with full automation
C-PR-99
O1 S3 link not cancelled Handover checklist C-PR-25
Spacing cancellation and speed instruction
P2 S4 link cancelled, instruction not given
Handover checklist C-PR-29
P4 S4 Read back done but spacing not cancelled by pilot
Clarify/highlight the procedure to follow own nav (not follow target) to ensure there is no confusion
P-PR-1
general Issue of cancellation needs further refinement in HAZOP 3
P-PR-63
3. Training Recommendations
Task Error # Error / Failure Mode Recommendations Recom #
Controller Skills Training
Sequence order identification
A1 S4 No sequence order identified
Skill – transition from working with to without ASAS
C-T-1
Skill – High traffic/ without ASAS C-T-2
A3 S4 planning started too far in advance
Skill - AMAN calibration training for EXE, PLC, SEQ (understanding the limits of AMAN)
C-T-8
Decision to use spacing instruction
C1 S4 using ASAS when not applicable or necessary
Skill / Calibration training – early phase (operational readiness testing)
C-T-13
Target selection
D5 S3 controller selected wrong (but valid) code
Controller TRM CP-T-10
Spacing Instruction
I1 S3/4 heading instruction given but no merge instruction
Skill Training for pilot (knowing what to expect) to increase pilot awareness
C-T-72
I3 S2/3 giving merge instruction without heading instruction
Training - TRM C-PR-91
Spacing cancellation & assign speed
O5 S4 no cancellation instruction Skill Training for quick reactions C-T-16
O1 S3 instruction given, link on radar screen not cancelled
Training (cancel spacing and speed instruction AND update link)
CP-T-43
Pilot Skills Training
Target identification
G2 S4 target identification not done or late
Discipline of following logical process P-T-20
Managing two actions at the same time P-T-21
Spacing instruction
L1 S4/3 initiate direct to WPT – not done/too late
Emphasise importance of the procedural aspect to pilots & controllers including preceding sectors controllers.
P-T-49
L5 S4 initiate direct to WPT – too soon
Training - emphasis on HMI. P-T-52
M2 focus too much on monitoring acquisition of spacing
CP-T-40
M3 focus too much on maintenance of spacing
(high degree of familiarization prior to actual usage)
CP-T-41
TRM Training Decision to use spacing instruction
C2 S4 EXE does not agree with proposed sequence (ASAS not applicable; different sequence)
TRM (Team Resource Management)- Team work training
C-T-14
Sequence order identification
A4 S4 sequence order identified late
TRM - (including E-TMA controllers) to know their roles & what they are working towards & know how to support each other in high workload
C-T-10
A2 S4 non-ASAS-equipped a/c in sequence
TRM - Team-working training – between PLC and EXE
C-T-6
Spacing Instruction
H3 S4 giving heading & merge instruction too late
TRM C-T-93
I3 S2/3 merge instruction without heading instruction
TRM Training C-T-74
Spacing cancellation & assign speed
O4 S3/4 spacing cancellation without speed instruction
TRM training about potential errors C-T-21
O2 S3 cancel the wrong a/c TRM – asking for help when tired C-T-35
O5 S4 no instruction TRM - Team work training C-T-15
CRM Training
Target selection
E3 code not input CRM to emphasise discipline on finishing task (about interruptions)
P-T-8
E6 S4/5 visualization and positioning to PNF not done
Best practices for CRM (visualization and positioning; cross-check of positioning) Emphasise discipline in CRM
P-T-15
E9 cross checking of positioning
Emphasise in CRM P-T-16
Spacing instruction
M1 S3 no maintenance of spacing by speed actions
Crew training/awareness on spacing techniques. P-T-59
I9 S4 feasibility check too late Training, crew discipline P-T-42
Spacing cancellation
O5 S4 no instruction given CRM training P-T-2
Role Training
Sequence order identification
A4 S4 sequence order identified late
Role - Training for PLC - PLC will no longer do the co-ordination tasks for a short period (role consolidation) task shedding/ additional role
C-T-9
Spacing cancellation & assign speed
O1 S3 instruction given, link not cancelled
Role Training: role clarity C-T-26
P2 S4 link cancelled, instruction not given
Role Training: role clarity C-T-30
O2 S3 cancel the wrong aircraft [and click the correct aircraft on HMI]
Training: role clarity between EXC and PLC CP-T-44
Procedure Training
Spacing Instruction
H3 S4 giving heading & merge instruction too late
Procedure Training – correct action sequence and timing
C-T-92
H2 S3/4 no heading and merge instruction given
Procedure Training – highlight correct action sequence and timing for this task step
C-T-65
Procedure Training – correct action sequence and timing
C-T-88
I1 S3/4 heading instruction given but no merge instruction
Procedure Training – highlight need to specify a limit when giving ‘continue heading’ instruction [TRM]
C-T-71
Procedure - Define quick recovery procedure; Training - TRM
C-T-91
N1 S2 other a/c taking heading & merge instruction
Pilot training C-T-95
Spacing cancellation & assign speed
O7 S4 late cancellation Procedure Training C-T-31
O2 S3 cancel the wrong a/c Procedure Training C-T-32
P1 S4 only give speed instruction – does not cancel spacing
Procedure Training C-T-22
P2 S4 link cancelled, instruction not given
Procedure Training C-T-28
O4 S3/4 spacing cancellation without speed instruction
Procedure Training C-T-17
O1 S3 instruction given, link not cancelled
Procedure Training C-T-24
O4 S3/4 spacing cancellation without speed instruction
Procedure training (pilots) - to ensure that pilots wait for speed instruction
C-T-20
4. Operational Environment Recommendations
Task Error # Error / Failure Mode Recommendations Recom #
Spacing Instruction
J1 S3 heading & merge to wrong merge point
TMA Design e.g. BOKET & MOTEK – possible confusion for pilot
C-OE-81
TMA Design – have one merge point per runway and publish the merge points in the ASAS STAR charts
C-OE-82
J4 S3 pilot inputs wrong merge point
TMA Design - Limit number of points in TMA C-OE-64
L4 S3 initiate direct to wrong waypoint
Consistency check on WPTs/(merge and direct to WPTs)
P-OE-54
Airspace organisation – limit number of direct to WPTs
P-OE-56
H2 S3/4 no heading and merge instruction given (same diff IAF)
Constraint flight level prior to the entry of the sequencing leg
C-OE-68 C-OE-89
H6 S3/4 input instruction not done Confirm that sequencing legs are designed with procedure safeguard
P-OE-28
L2 S3/4 full instruction given, pilot does not merge
Constraint flight level prior to the entry of the sequencing leg
C-OE-77
N1 S2 other a/c taking heading & merge instruction (diff IAF)
Callsign confusion reduction measures C-OE-97
M1 S3 no maintenance of spacing
Clarify impact of airline and ATC speed limitations on CoSpace (general issue for project)
P-OE-61
O3 S3 instruction given to wrong a/c
Callsign confusion reduction measures C-OE-105
Spacing cancellation and speed instruction
P6 canceling spacing
Comment: pilot has additional constraint as compared to earlier when entering TMA. Now he has a/c performance constraints – reducing speed for ILS.
P-OE-62
5. ATCO - Organisation & Manning Recommendations
Task Error # Error / Failure Mode Recommendations Recom #
Spacing cancellation & assign speed
O2 S2/3 cancel the wrong a/c
Relief controllers C-OM-33
Third person (behind) following the situation C-OM-34