eurocontrol safety r&d seminar · respect of letter of agreement (loa) operati onal conseq...
TRANSCRIPT
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 1 / 14
Anne DamidauSofréavia
(Paper written by Anne Damidau, Barry Kirwan and Petra Scrivani)
Safety Getting Real:
Safety insights from Simulations
EUROCONTROLSafety R&D Seminar
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 2 / 14
Safety implication into simulations
Pro-active approach description
Example: Gate-to-Gate WP4 simulations
Benefits vs. constraints and potential solutions
Presentation outline
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 3 / 14
Implication of safety into simulation: Why?
Classical Predictive Safety assessment a somewhat
‘clinical’ and static
Gain an operational view of the concepts
■ Objectives :
● To collect safety issues during simulations :
what could go wrong?
What is the severity?
Can the event be detected, how?
● To derive safety recommendations to improve safety
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 4 / 14
Implication of safety into simulation: Different approaches to be used
■ The reactive approach:
● Natural evolution of the variables in the simulations
● Collection of safety insights on the base of what was observed
during the exercises or reported by controllers ■ The pro-active approach:
● Preparation of the environment from which safety information is
gathered:
which hazardous situations have to be presented to the
controller,
When,
And how to present them.
● Collection of safety insights on the base of what was prepared
during the observation of exercises or debriefing with
controllers
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 5 / 14
Proactive approach description
Identification and Selection of Hazards to be injected
Observation of exercises
Debriefing/interviews
Final debriefing
Previous analyses
-Scenarios preparation-Supporting materialBefore simulations
During simulations
After simulationsData analysis
Data compilation
Detailed scenarios for hazards injection
Safety insight collected
Detailed list of hazards: Validation of severity class;
mitigation means and recommendations
identification
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 6 / 14
Example: Gate-to-Gate WP4 simulationsBefore simulation: put hazard into context
Input a climb to 2 FL higher
After receiving a FL clearance
KLM1877
0835HR
Go to higher flight level when in climb
A1 & A2 Input the
direct the point before the cleared point
After receiving a DCT clearance
BRT238
0825DD
Go to wrong direct point
ActionWhenActs on
TimeApprox
Sector
Event Name
Sample
*** (severe)Severity
-Rec
Classical Practice
Tactical Controller assistance
Safegua
rds
- risk of no respect of separation or no
respect of Letter of Agreement (LOA)
Operati
onal
conseq
uences
-no detection of MONA reminderFailure
mode
MONATool
Implement the problem solutionTask
SA-MTCD-69/ (other project)N°
Ask Pilots to perform wrong action
Hazards selection
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 7 / 14
Example: Gate-to-Gate WP4 simulationsDuring simulation: gain experience on hazards
Safety debriefing with
involved controllers
using a safety debriefing sheet
PC would help to detect by closely monitoring the warning. Especially when the aircraft does not downlink CAP data.
Can you think of any fall-back actions which could mitigate this situation?
5What is the severity level when the situation is detected?
Depends on the geometry (if an aircraft above What is the severity level when the situation is not detected?
Label overlap=> couldn’t have seen the warning What could have made the situation worse?
No effectWhat could have been the worst credible consequence if the situation was detected?
If both controllers don’t look at the FL error warning, the a/c can go to the wrong FL and that
could lead to a conflict.
What could have been the worst credible consequence if the situation was not detected?
Pilot errorWhat do you think were the factors that contributed to the event?
No because with D/L there is no more read-back of the FL clearance
Other ways of detecting the hazard?
FL error warning How did you notice/detect that there was a hazardous situation (or potential hazard)?
LOT265 doesn’t follow the clearance FL (injected event in HM sector, Org1/ Run4).
Describe the hazardous situation (or potential situation):
Controllers’ debriefingQuestions
SDS-4: FL error - Observed (scripted event)
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 8 / 14
Example: Gate-to-Gate WP4 simulationsAfter simulation: Operationally grounded hazards
With the platform environment conditions, probability of non detection was assessed by controllers to be high. Recommendations provided below are proposed to reduce significantly the probability of non detection at an acceptable level according to controllers (very low):1.The MONA algorithm should assume the a/c can take time to follow new clearance; a timer could be defined in order to give the fewer false alerts possible. 2.Prioritisation of warnings has to be taken into account. 3.A human factors analysis should determine the efficiency of MONA visual alarm.
REC
3 (according to ESARR4)Severity
Causes: 1) In the platform, once the controller changes the trajectory, the algorithm does not assume that the a/c smoothly and sometimes slowly goes to next cleared WPT/FL => both controllers disregard real MONA alerts 2) Labels overlapping can hide MONA warning to both the EC and PC. 3) Another warning in row 0, which overwrites current MONA warning. 4) MONA fails to detect a deviationConsequence: MTCD false detection, detection of wrong conflicts and in the worst credible case to large reduction in separation with ATC controlling the situation (because STCA will trigger).
Assessment
Controllers do not detected an aircraft doesn’t comply with the clearance Hazard
Task: Implement the problem solution t(LAT DEV and FL DEV alerts) / Tool: MONA
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 9 / 14
Example: Gate-to-Gate WP4 simulationsAfter simulation: Operationally grounded hazards
With the platform environment conditions, probability of non detection was assessed by controllers to be high. Recommendations provided below are proposed to reduce significantly the probability of non detection at an acceptable level according to controllers (very low):1.The MONA algorithm should assume the a/c can take time to follow new clearance; a timer could be defined in order to give the fewer false alerts possible. 2.Prioritisation of warnings has to be taken into account. 3.A human factors analysis should determine the efficiency of MONA visual alarm.
REC
3 (according to ESARR4)Severity
Causes: 1) In the platform, once the controller changes the trajectory, the algorithm does not assume that the a/c smoothly and sometimes slowly goes to next cleared WPT/FL => both controllers disregard real MONA alerts 2) Labels overlapping can hide MONA warning to both the EC and PC. 3) Another warning in row 0, which overwrites current MONA warning. 4) MONA fails to detect a deviationConsequence: MTCD false detection, detection of wrong conflicts and in the worst credible case to large reduction in separation with ATC controlling the situation (because STCA will trigger).
Assessment
Controllers do not detected an aircraft doesn’t comply with the clearance Hazard
Task: Implement the problem solution t(LAT DEV and FL DEV alerts) / Tool: MONA
In red: New
safety insights
collected during
the simu
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 10 / 14
Benefits vs. constraints and potential solutions (1/4)
■ Main Benefits:
● Safety assessors:
Prioritize the information to be collected
Complement the results derived from other more
conventional safety analysis techniques (e.g. HAZOPs;
reliability and error databases; etc.) with:
➘ more operational hazards
➘ recommendations with operational credibility
➘ Understanding of controllers’ safety priorities
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 11 / 14
Benefits vs. constraints and potential solutions (2/4)
● Operational experts:
Become accustomed to safety analysis concepts and
issues
Help in reporting their “safety” experience on the real
operations (pro-active safety culture).
● Simulation team:
Can then receive information on the concepts under
evaluation, enriched by details coming from a different
point of view.
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 12 / 14
Benefits vs. constraints and potential solutions (3/4)
■ Constraints
● Interference with the other validation measures if hazards
injection during measured exercises
To run dedicated safety exercises in which hazards will be
injected at a predetermined time,
● Injection of hazards if not managed properly can affect
controllers trust on the system under assessment.
Define a plan of hazards injection (e.g. from less severe
hazards to most severe ones)
Have a stabilized platforms
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 13 / 14
Benefits vs. constraints and potential solutions (4/4)
● Focus only on hazards injected
Mix both approaches pro-active and reactive ones enabling
to identify new potential hazards
Safety R&D SeminarEUROCONTROL
25-27 Otober 2006Barcelona - SPAIN
Page 14 / 14
Thanks for your attention!!
Any questions??