eurocontrol safety r&d seminar · respect of letter of agreement (loa) operati onal conseq...

Safety R&D SeminarEUROCONTROL

25-27 Otober 2006Barcelona - SPAIN

/ 14

Anne DamidauSofréavia

(Paper written by Anne Damidau, Barry Kirwan and Petra Scrivani)

Safety Getting Real:

Safety insights from Simulations

EUROCONTROLSafety R&D Seminar



/ 14

Safety implication into simulations

Pro-active approach description

Example: Gate-to-Gate WP4 simulations

Benefits vs. constraints and potential solutions

Presentation outline



/ 14

Implication of safety into simulation: Why?

Classical Predictive Safety assessment a somewhat

‘clinical’ and static

Gain an operational view of the concepts

■ Objectives :

● To collect safety issues during simulations :

what could go wrong?

What is the severity?

Can the event be detected, how?

● To derive safety recommendations to improve safety



/ 14

Implication of safety into simulation: Different approaches to be used

■ The reactive approach:

● Natural evolution of the variables in the simulations

● Collection of safety insights on the base of what was observed

during the exercises or reported by controllers ■ The pro-active approach:

● Preparation of the environment from which safety information is

gathered:

which hazardous situations have to be presented to the

controller,

When,

And how to present them.

● Collection of safety insights on the base of what was prepared

during the observation of exercises or debriefing with

controllers



/ 14

Proactive approach description

Identification and Selection of Hazards to be injected

Observation of exercises

Debriefing/interviews

Final debriefing

Previous analyses

-Scenarios preparation-Supporting materialBefore simulations

During simulations

After simulationsData analysis

Data compilation

Detailed scenarios for hazards injection

Safety insight collected

Detailed list of hazards: Validation of severity class;

mitigation means and recommendations

identification



/ 14

Example: Gate-to-Gate WP4 simulationsBefore simulation: put hazard into context

Input a climb to 2 FL higher

After receiving a FL clearance

KLM1877

0835HR

Go to higher flight level when in climb

A1 & A2 Input the

direct the point before the cleared point

After receiving a DCT clearance

BRT238

0825DD

Go to wrong direct point

ActionWhenActs on

TimeApprox

Sector

Event Name

Sample

*** (severe)Severity

-Rec

Classical Practice

Tactical Controller assistance

Safegua

rds

- risk of no respect of separation or no

respect of Letter of Agreement (LOA)

Operati

onal

conseq

uences

-no detection of MONA reminderFailure

mode

MONATool

Implement the problem solutionTask

SA-MTCD-69/ (other project)N°

Ask Pilots to perform wrong action

Hazards selection



/ 14

Example: Gate-to-Gate WP4 simulationsDuring simulation: gain experience on hazards

Safety debriefing with

involved controllers

using a safety debriefing sheet

PC would help to detect by closely monitoring the warning. Especially when the aircraft does not downlink CAP data.

Can you think of any fall-back actions which could mitigate this situation?

5What is the severity level when the situation is detected?

Depends on the geometry (if an aircraft above What is the severity level when the situation is not detected?

Label overlap=> couldn’t have seen the warning What could have made the situation worse?

No effectWhat could have been the worst credible consequence if the situation was detected?

If both controllers don’t look at the FL error warning, the a/c can go to the wrong FL and that

could lead to a conflict.

What could have been the worst credible consequence if the situation was not detected?

Pilot errorWhat do you think were the factors that contributed to the event?

No because with D/L there is no more read-back of the FL clearance

Other ways of detecting the hazard?

FL error warning How did you notice/detect that there was a hazardous situation (or potential hazard)?

LOT265 doesn’t follow the clearance FL (injected event in HM sector, Org1/ Run4).

Describe the hazardous situation (or potential situation):

Controllers’ debriefingQuestions

SDS-4: FL error - Observed (scripted event)



/ 14

Example: Gate-to-Gate WP4 simulationsAfter simulation: Operationally grounded hazards

With the platform environment conditions, probability of non detection was assessed by controllers to be high. Recommendations provided below are proposed to reduce significantly the probability of non detection at an acceptable level according to controllers (very low):1.The MONA algorithm should assume the a/c can take time to follow new clearance; a timer could be defined in order to give the fewer false alerts possible. 2.Prioritisation of warnings has to be taken into account. 3.A human factors analysis should determine the efficiency of MONA visual alarm.

REC

3 (according to ESARR4)Severity

Causes: 1) In the platform, once the controller changes the trajectory, the algorithm does not assume that the a/c smoothly and sometimes slowly goes to next cleared WPT/FL => both controllers disregard real MONA alerts 2) Labels overlapping can hide MONA warning to both the EC and PC. 3) Another warning in row 0, which overwrites current MONA warning. 4) MONA fails to detect a deviationConsequence: MTCD false detection, detection of wrong conflicts and in the worst credible case to large reduction in separation with ATC controlling the situation (because STCA will trigger).

Assessment

Controllers do not detected an aircraft doesn’t comply with the clearance Hazard

Task: Implement the problem solution t(LAT DEV and FL DEV alerts) / Tool: MONA



/ 14

Example: Gate-to-Gate WP4 simulationsAfter simulation: Operationally grounded hazards

With the platform environment conditions, probability of non detection was assessed by controllers to be high. Recommendations provided below are proposed to reduce significantly the probability of non detection at an acceptable level according to controllers (very low):1.The MONA algorithm should assume the a/c can take time to follow new clearance; a timer could be defined in order to give the fewer false alerts possible. 2.Prioritisation of warnings has to be taken into account. 3.A human factors analysis should determine the efficiency of MONA visual alarm.

REC

3 (according to ESARR4)Severity

Causes: 1) In the platform, once the controller changes the trajectory, the algorithm does not assume that the a/c smoothly and sometimes slowly goes to next cleared WPT/FL => both controllers disregard real MONA alerts 2) Labels overlapping can hide MONA warning to both the EC and PC. 3) Another warning in row 0, which overwrites current MONA warning. 4) MONA fails to detect a deviationConsequence: MTCD false detection, detection of wrong conflicts and in the worst credible case to large reduction in separation with ATC controlling the situation (because STCA will trigger).

Assessment

Controllers do not detected an aircraft doesn’t comply with the clearance Hazard

Task: Implement the problem solution t(LAT DEV and FL DEV alerts) / Tool: MONA

In red: New

safety insights

collected during

the simu



/ 14

Benefits vs. constraints and potential solutions (1/4)

■ Main Benefits:

● Safety assessors:

Prioritize the information to be collected

Complement the results derived from other more

conventional safety analysis techniques (e.g. HAZOPs;

reliability and error databases; etc.) with:

➘ more operational hazards

➘ recommendations with operational credibility

➘ Understanding of controllers’ safety priorities



/ 14


● Operational experts:

Become accustomed to safety analysis concepts and

issues

Help in reporting their “safety” experience on the real

operations (pro-active safety culture).

● Simulation team:

Can then receive information on the concepts under

evaluation, enriched by details coming from a different

point of view.



/ 14


■ Constraints

● Interference with the other validation measures if hazards

injection during measured exercises

To run dedicated safety exercises in which hazards will be

injected at a predetermined time,

● Injection of hazards if not managed properly can affect

controllers trust on the system under assessment.

Define a plan of hazards injection (e.g. from less severe

hazards to most severe ones)

Have a stabilized platforms



/ 14


● Focus only on hazards injected

Mix both approaches pro-active and reactive ones enabling

to identify new potential hazards



/ 14

Thanks for your attention!!

Any questions??

eurocontrol safety r&d seminar · respect of letter of agreement (loa) operati onal conseq...

Documents