safety guidance and airports recommendations for thegalileo.cs.telespazio.it/medusa/public/national...
TRANSCRIPT
www.askhelios.com
Space
Telecoms
Air Traffic Management
Airports
Rail
Maritime
Philip Church
26th November 2013, Beirut
Safety guidance and recommendations for the introduction of RNAV procedures
Overview
MEDUSA Beirut
The regulatory requirement
Options for implementation
Key risks from ATC perspective
Key risks from Airline perspective
Lessons from practical experience
Commission Implementing Regulation (EU) No 1035/2011
“It should be recognised in particular that
• firstly, safety management is that function of air
navigation services which ensures that all safety risks
have been identified, assessed and satisfactorily
mitigated, and that,
• secondly, a formal and systematic approach to safety
management and management systems, towards a total
system approach, will maximise safety benefits in a
visible and traceable way.”
Commission Implementing Regulation (EU) No 1035/2011
“Within the operation of the SMS, providers of air traffic services shall ensure that hazard identification as well as risk assessment and mitigation are systematically conducted for any changes to those parts of the ATM functional system and supporting arrangements within their managerial control, in a manner which addresses:
….
(b) the airborne, ground and, if appropriate, spatial components of the ATM functional system, through cooperation with responsible parties;”
-----------------------------------------------------------------------
“The results, associated rationales and evidence of the risk assessment and mitigation processes, including hazard identification, shall be collated and documented”
What is the safety case trying to prevent?
Localisation of CONOPS
Local Safety Objectives
HAZARD identification
Risk assessment
Safety Case development
Ongoing Safety Management Planning
• Safety Requirements are met through
• Design – e.g. reliability, procedures, etc
• ATCO awareness through training and familiarisation
• Transition assurance and readiness
• Ongoing safety management and assurance / maintained safety
margin
° Arrangements to ensure ATCOs remain familiar with system
° Contingency arrangements
– What are the arrangements for old system decommission?
° Arrangements to monitor alerting functions
° Maintenance planning and arrangements
° Arrangements to monitor occurrence and fault reports
° Unit Safety (Case?) arrangements
Some considerations for monitoring of risk
• A number of factors influence the probability of an
accident occurring
• These factors could be termed as “barriers”
• The effectiveness of these barriers increases or decreases over
time in response to changing environments, services etc.
• A combination of leading and lagging indicators can be defined
to assess the effectiveness of some of these key barriers, and
report them to the Board
• E.g. Top 10 risk of a catastrophic accident
• How to monitor and evaluate this risk, in the absence of the
specific outcome
Ongoing safety risk in an organisation
Figure labels:
• Tolerable level of safety = ICAO norms = 1E-08 per flight hour
• Actual safety level
• Safety margin
• Initiative in response to specific risk
• Degrading safety margin due to complacency or changing context
In order to measure this, there needs to be a mature reporting system (despite more reporting leading to the appearance of more incidents)
Relating the probability of an accident to measurable metrics
• It isn’t an exact linear sequence, but the relationship between the accident and the underlying barriers (which prevent the accident occurring) can be presented as probabilities
For every 1 accident…
…we tend to have 10 non-fatal accidents…
…30 serious reportable incidents…
…and 600 minor occurrences (unsafe acts)
Data on probability based on Heinrich model from Industrial Accident Prevention: A Safety Management Approach
Methodology
• Number of different options
• SAE ARP1476 (Fault and Event Tree Analysis, FMEA)
• ED-125
• Probability Risk Assessments
• Eurocontrol SAM
° PSSA
° FHA
° SSA
• ESARRs
• For PBN:
• the assessment needs to be more operationally than technically
focused
• The HAZARD needs to be set at the right level to set the Safety
Requirements
Scope of the Safety Case
Figure labels:
• Operational Environment: Aircraft type, Traffic levels, Weather, Terrain, Type of airspace
• Aircraft: Procedures, Equipment, Human
• ATM System: Procedures, Equipment, Human
• ATM Services
• ATC Hazards
• Causes, focusing on the deltas
Linking the Hazard Assessment to Safety Requirements
Figure labels:
• Operational Hazards
• Contributing Factors & Operational Outcomes
• Bow Tie Model
• Safety Targets Derivation
• Safety Objectives specified
• Quantitative Fault Tree Analysis on contributing factors
• Integrity, Functional/Performance and SWAL
• Safety Requirements Specified
• Hazard Log
• Qualitative Event Tree Analysis on operational outcomes
Hazard Assessment – Example of the Bow-tie Model
Figure labels (columns: Safety Objective, Safety Target, Safety Requirements):
• Justification for safety objectives – e.g. major occurrences
• Safety target, SC3, ACC e.g. 4E-05 / ATSU hour
• Non ATM related: not a factor quantitatively, since target only includes ATM-related factors
• ATM related: organised into 4 hazards for clarity – target divided equally
° H-01: 1E-05
° H-02: 1E-05
° H-03: 1E-05
° H-04: 1E-05
• Inputs shown for each hazard: Ops failures
Key risks from ATC
perspective
There are some limitations and drawbacks of RNAV
implementation to be aware of…
• New operational techniques required for controllers
and pilots
• Mixed aircraft operations between traditional and RNAV
can cause increases in controller workload in some
cases
• Controller skills to radar vector need to be maintained
while typically conducting RNAV operations
• In busy areas, Arrival Managers (AMANs) required by
ATC in order to effectively sequence aircraft for
approach
• RNAV approach fix typically requires 2nm (or more)
before Final Approach Fix (FAF)
PBN means more dependence on aeronautical data
• Tegucigalpa, Honduras (MHTG) RNAV (RNP)
Rwy 02 South
• RF leg information (arc radius), fixes and RNP
data is necessary to code the procedure.
However, some ARINC data supplied by the
publishing authority either cannot be used or
can cause issues with the FMS.
• the inbound/outbound course information, bank
angle information and some altitude constraints
are not used and can cause issues with FMSs.
It means access to instrument approaches for less
equipped airfields
• Local RF multipath environment
• More requests from aerodromes in Class G
• Improved access
• Use of approach if ILS down for maintenance
• Improved/increased IMC approaches, etc
• Extract of the Barra AIP publication
• Note the link to the Class G issues
• How is this impacted by the decommissioning of navigation
aids?
• What are the alternates?
Key risks from Operators
perspective
• Flyability
• Reversion procedures / aerodromes
• Additional track miles added (business issue)
• Check the charts for Perugia
• Variability from MAP airspace requirements (i.e. 1 NM
obstacle surface)
• Suitability of proposed mitigations (human or
procedural for undetected errors)
• e.g. GNSS offset issue / checking VOR radial – pilots
never saw this
Aircraft operators have different priorities – still to
be considered from ‘operational risk’ perspective
Missed Approach Segment path length
Are the proposed mitigations actually sound?
• Suitability of proposed mitigations (human or
procedural for undetected errors)
• e.g. GNSS offset issue / checking VOR radial – pilots
never saw this
Mandatory Occurrence Reports (MORs)
| Event type | Number of occurrences | First report | Latest report |
|---|---|---|---|
| Incorrect or unavailable wind data provided | 4 | April 1976 | November 2003 |
| Incorrect QFE/QNH to a/c | 6 | December 1977 | February 2001 |
| Crashed in poor visibility | 1 | November 1981 | |
| Loss of separation between helicopters | 1 | November 2004 | |
| Descended below decision height | 1 | June 2003 | |
| NDB procedural problem | 1 | March 1983 | |
| Helicopter landed on wrong rig | 11 | July 1989 | November 2004 |
| Misidentified rig | 2 | May 1990 | August 1994 |
| NDB off on rig | 1 | March 1981 | |
| NDB interference | 4 | April 1986 | June 1994 |
| Loss of weather radar | 1 | February 1984 | |
| Erroneous ADF display | 1 | April 1996 | |
| Loss of displays | 1 | August 1999 | |
| Malfunction of altimeter | 5 | August 1985 | March 2001 |
Helicopter Operations Monitoring Programme
(HOMP) events
• The two incidents recorded are:
• Helicopter climbing into cloud on approach
° Flight crew inadvertently climbed 50ft into cloud base
• Helicopter breaking vertical minima on approach
° Flight crew incorrectly flew approach at below minimum descent
height
Confidential Human Factors Incident Reporting
Programme (CHIRP) - Hazards
• Pilot descending below MDH
• Weather radar not calibrated
• Approach too close to rig (horizontal minima now
changed)
• Approach below deck height (vertical minima now
revised)
• Miscommunication between crew
• Weather radar not calibrated
• Crew breaking minima / ad quality of Met data
• Pilot descending below MDH
Specific examples
Terrence B. Lettsome International Airport
• Setting Hazard level:
• 41 ‘operational’ hazards reduced to 5
• Example Hazard discarding:
| Hazard identity | Description | Reason for discarding |
|---|---|---|
| 29 | No guidance while conducting missed approach in case of GPS failure | The service architecture considered in this study will make provisions for this. In absence of GPS, an unguided missed approach will still be available, and this unguided procedure is assumed to be safe in itself. |
| 30 | ATCO doesn’t know integrity of GPS signal | Not a hazard (but a potential mitigation). |
| 31 | One aircraft interferes with GPS of other aircraft | Unlikely to occur unless separation minima have already been severely breached. |
| 33 | Failure of ATC to pass caution on approach ban | Not specific to GPS operations. |
| 34a | Pilot not flying procedure as designed – deliberate | Deliberate deviation from procedures is considered outside the scope of this assessment. |
| 36 | Not sufficient promulgation of regulations and requirements | Not a hazard. Not GPS specific. |
| 38 | Lack of standard approach lighting | Similar to PAPI failure. This may increase the chances of having to perform a missed approach, but this in itself is not a hazard. |
| 39 | Instrument approach to non-instrument runway | Similar to PAPI failure. This may increase the chances of having to perform a missed approach, but this in itself is not a hazard. |
• Key conclusions:
• Assumed that ATC radar cover would be available to check for
errors
• Suitability of the obstacle survey
• No real-time monitoring of GPS. RAIM may not work correctly if
there is a simultaneous failure of multiple satellites.
• Assumed EASA would assess the acceptability of the risk of loss
of GNSS approach capability for multiple aircraft due to
satellite failure or RAIM holes.
• Concern that GPS receiver certification tests may not be
adequate to identify all problems and that RAIM is insufficiently
specified by the relevant standards.
• International agreement essential!
Mielec aerodrome, Poland
• Objectives:
• Develop an airfield specific Safety Case for EGNOS based LPV
operations
• Provide an opportunity for PANSA staff to be involved in the
development process ensuring buy-in & understanding
• Lessons:
• Involvement of the local actors (including CAA) is essential
• Choice of aerodrome for a pilot study
• Ensuring the applicability of the safety case
• A joined-up team
• VFR only aerodrome
• RFF Category 2
• Taxiway – 12m width
• Runway – 2498 x 45m
The ‘pilot’ aerodrome
| Runway | APP LGT | THR LGT | PAPI | TDZ | RWY CEN LGT | RWY EDG LGT | RWY end LGT | SWY LGT |
|---|---|---|---|---|---|---|---|---|
| RWY 09 | None | None | None | None | None | None | None | None |
| RWY 27 | "Lucz" - 2D type/200 medium constant intensity | Green | None | None | None | 1900 m/every 90 m/white; 600 m/every 90m/yellow/constant intensity | Red, distance of 488m from end | None |
Validity of ‘generic’ CONOPS
| Category | Mielec CONOPS | Eurocontrol CONOPS |
|---|---|---|
| ATS | AFIS provided at aerodrome. | ATC provided at aerodrome. |
| Airspace | Uncontrolled airspace of Class G. | Controlled airspace assumed. |
| Aerodrome | Non-instrument RWY – which needs to be upgraded to instrument RWY. | Instrument RWY. |
| Surveillance | Non-radar environment. | Both radar and non-radar environments considered. |
| Traffic | 98% of traffic is GA with aircraft up to 5,700kg. | CONOPS covers all types of traffic. |
| Flight crew | Both single-pilot and multi-pilot operations taken into account in CONOPS. Single-pilot IFR operations are common at Mielec. | Both single-pilot and multi-pilot operations taken into account in CONOPS. The emphasis is put on multi-crew operations. |
| Safety nets | Airborne and ground-based safety nets not considered due to the nature of Mielec traffic and the fact that ATC is not provided. | Safety nets were identified as potential barriers. |
| Missed Approach | Contingency procedure based on dead-reckoning only. Conventional navigation is not available. | Contingency procedure based on conventional navigation or dead reckoning where conventional navaids are not available. |
Establishment of TLS
• Needed to reflect the local environment – generic TLS
based on statistics applicable to CS25 aircraft. (for 2009 movements: CS23 = 21,842; CS25 = 350)
• Steps required:
1. Determine the source of the TLS for the Eurocontrol generic
safety case (CS25)
2. Determine the accident rate for CS25 operations for CFIT, MAC
and Landing
3. Determine equivalent accident rates for CS23 operations
4. Use the ratio to set the local TLS, i.e.
$$TLS_{Mielec,i} = TLS_{GSC,i} \times \frac{\text{Small aeroplanes fatal accident rate}}{\text{Large aeroplanes fatal accident rate}}$$
where: $i$ is the type of accident (CFIT, LA, MAC)
$TLS_{GSC,i}$ is the TLS from the EUROCONTROL generic safety assessment
Buochs Aerodrome
• Non standard concept Fixed Wing PinS
• Required “Aeronautical Study” – ICAO methodology
• A description of problems and objectives;
• Selection of procedures, methods and data sources;
• Identification of undesired events;
• An analysis of causal factors, severity and likelihood;
• A description of risk;
• Identification of possible mitigating measures;
• An estimation of the effectiveness of mitigating measures;
• Choice of mitigating measures;
• Presentation of results.
• Risk and mitigations needed to be compared as deltas
to existing operations – assessed whether further
needed
• What safety objective should be selected for non CS25
aircraft?
Buochs
| Cause | Applicable Hazard | Mitigation(s) | Currently existing |
|---|---|---|---|
| Flight crew selected input of the wrong navigation source | #8 | Flight crew training (existing LPV/LNAV) | Y |
| Flight crew incorrectly selected altitude (QNH) | #9 | Flight crew training (existing LPV/LNAV) | Y |
| | #9 | RAD alt cross check | N |
| | #9 | SBAS guidance on LPV procedure | N |
| | #9 | Bespoke flight crew training | N (See Note 2) |
| Flight crew fail to follow guidance | #9 | Visual contact | Y |
| Flight crew select incorrectly minima for crew/aircraft rating | #10 | Operational approval | Y |
| | #10 | Bespoke flight crew training | N (See Note 2) |
• PinS Procedure published
in ICAO Doc 8168
• SBAS criteria for
helicopters not yet
complete
• EASA – Eurocontrol
agreed to use FAA based
criteria
• Trial database developed
with Jeppesen
Interlaken
1. No flight possible
2. Operational delays
3. Software not released for OPS
4. Modified EGNOS Receiver Installation
not possible
5. Additional loose equipment interferes
with helicopter system
6. Flight Crew unfamiliar with the function / limitations of the new navigation software
7. Incorrect Approach navigation data
8. Helicopter is leaving protected area and
collides with terrain or obstacle
9. Lack of GPS and EGNOS signal
10. Credential and support of Rega
Helicopter operation reduced (noise)
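Risk matrix (cell value = P × C; numbers in parentheses are the listed items placed in that cell):

| Probability (P) \ Consequences (C) | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 5 | 5 | 10 | 15 | 20 | 25 |
| 4 | 4 | 8 | 12 | 16 | 20 |
| 3 | 3 | 6 | 9 | 12 | 15 |
| 2 | 2 | 4 | 6 (1,2,6) | 8 (3,4,5) | 10 (7) |
| 1 | 1 | 2 | 3 (10) | 4 | 5 (8,9) |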
Interlaken
• Role of Regulators
• Controlled airspace / Uncontrolled airspace
• ATC
• Primary means of navigation
• Acceleration of adoption
• Role of ICAO
• Specification of design criteria
• Aerodrome 4-letter code assignment
Philip Church
Thank you for your attention