The role of safety in surveillance procurement
Presentation at ESAV'11, Capri (Italy), September 2011. Presenter: James Hanson of Helios.
www.askhelios.com
Space
Telecoms
Air Traffic Management
Airports
Rail
Maritime
Assessing the safety of WAM over a non-radar surveillance area
James Hanson, Ben Stanley
The approach to a surveillance safety case is strongly tied to cost-efficiency
• Surveillance procurement is more complex than ever
  ° long-term investment
  ° choice & competition
  ° pressure to reduce costs
  ° regulatory pressure
• Safety must not be compromised
  ° safer = increased cost
  ° avoid over-engineering
  ° a difficult dilemma…
There are several commercial and regulatory drivers that influence surveillance infrastructure decisions
[Diagram: stakeholders (Regulatory, Airlines, GA, ANSPs, Commercial) mapped to their drivers. Driver labels recovered from the slide:]
• Increase access to airspace; improved services
• De-commission or replace old radars
• Better mix of OpEx/CapEx
• Reduce maintenance/engineering costs
• Enhanced data; offer new services; data enhancements for ATCO tools
• New operational requirements
• Greater autonomy (airborne surveillance); lower unit rate
• Draft SPI IR, Art 12 Para 5: "the most cost efficient means"
• Draft ACID IR (eg through Mode S, CCAMS etc)
• Performance scheme; de-fragmentation, FABs etc
A surveillance safety case will be needed which must consider both theoretical and practical performance
• A safety case will be needed prior to operation
• Sets safety-related requirements to proactively control risk as per Reg 2096/2005
• Avoids unnecessary costs post-procurement attempting to "back-engineer"
• Safety cases should be:
  ° Proactive, ie safe by design: when working; during failures
  ° Reactive / predictive: important due to inexperience with WAM; validate theoretical performance in design; refine the system based on actual performance
Under normal conditions, proof of safe design can be made in comparison to the reference system
• We can show that safe separations can be maintained if we have similar 95% values to the reference system (eg SSR) but…
• WAM behaves differently
  ° dependent on geometry of sensors, not range
  ° we must trust manufacturers' models on accuracy
  ° supported by validation of accuracy through flight trials (at minimum altitudes)
  ° EUROCONTROL are developing mathematical proofs
[Flow diagram, normal conditions: Determine requirements (eg accuracy) → Justify compliance of reference system → Demonstrate equivalence/improvement]
The characterisation of WAM position accuracy is not necessarily the same as for radar
BUT… how can we be assured of the behaviour of the error curve outside the 95% bounds? Also, does the WAM error distribution curve have a Gaussian behaviour similar to radar errors?
If 95% of errors fall within set bounds equivalent to current 3 or 5NM separation performance, we can be reasonably assured of appropriate performance.
[Plot: error distribution, axes "error" and "probability"]
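An added example (not from the Helios slides) of the question just raised: given a set of absolute position errors, it takes the 95% value, then compares the measured 99.9% quantile with the one a Gaussian having that same 95% value would predict. The error samples, the sigma values, the 3% poor-geometry fraction and the 250 m bound are all constructed assumptions.

```python
import math
import random

def two_sided_z(p):
    """z such that P(|N(0,1)| <= z) = p, found by bisection on math.erf."""
    lo, hi = 0.0, 10.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if math.erf(mid / math.sqrt(2)) < p:
            lo = mid
        else:
            hi = mid
    return hi

def quantile(sorted_vals, p):
    """Empirical p-quantile of an ascending list."""
    return sorted_vals[min(len(sorted_vals) - 1, int(p * len(sorted_vals)))]

def tail_check(abs_errors_m, bound_95_m, p_tail=0.999):
    """Compare the measured error tail with what a Gaussian would predict.
    Returns (q95, empirical tail quantile, Gaussian-implied tail quantile,
    within_95_bound). The Gaussian is assumed fully described by its 95%
    value (1.96 sigma); a large empirical/Gaussian ratio means the 95% figure
    alone says little about behaviour outside the bounds."""
    s = sorted(abs_errors_m)
    q95 = quantile(s, 0.95)
    emp_tail = quantile(s, p_tail)
    gauss_tail = q95 / two_sided_z(0.95) * two_sided_z(p_tail)
    return q95, emp_tail, gauss_tail, q95 <= bound_95_m

def constructed_wam_errors(n=20000, seed=7, poor_geometry_frac=0.03):
    """Constructed WAM-like errors (metres): mostly sigma=100 m, plus a small
    fraction of reports from poor sensor geometry at sigma=600 m."""
    rng = random.Random(seed)
    return [abs(rng.gauss(0.0, 600.0 if rng.random() < poor_geometry_frac
                          else 100.0)) for _ in range(n)]

def constructed_radar_errors(n=20000, seed=7):
    """Constructed reference: a single Gaussian with sigma=100 m."""
    rng = random.Random(seed)
    return [abs(rng.gauss(0.0, 100.0)) for _ in range(n)]
```

Both constructed samples meet the 250 m 95% bound, but the WAM-like sample's 99.9% error is several times what its 95% value would imply under a Gaussian assumption, which is exactly the gap the slide asks about.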
Under failure conditions, modeling probabilities can become rather complex
• Over a large non-radar area, PoD must reflect a geometrical spread of Rx and Tx, each with its own:
  ° failure rates
  ° repair rates
  ° communications availabilities
  ° power reliabilities
• Broad conservative assumptions may mean that the system is over-designed in many places unnecessarily.
[Flow diagram, failure conditions: Consider hazards (eg loss of position) → Identify causal factors → Model probabilities (eg probability of detection). Complex!]
Modeling failure rates accurately maximises the opportunity to design the system cost-effectively
• Analysis of failure rates across the surveillance volume allows ANSPs to:
  ° Apply appropriate levels of redundancy across the service volume
  ° Take advantage of operational mitigations most appropriate for a particular region
  ° Set Service Level Agreements (SLA) with communications and power providers
  ° Gain a better understanding of the designed system's ability to meet a safety objective
Failure plots can look at airspace as a patchwork of differing probability of detection
• Each 'patch' is influenced by
  ° The number of interrogators in view
  ° The number of receivers in view
  ° The reliability of each receiver/interrogator
[Figure: the service volume as a patchwork, with Rx and Tx sites marked and each patch labelled by the sensors in view: >3 Rx 2 Tx, >3 Rx 1 Tx, 2 Rx 1 Tx, 1 Rx 1 Tx, 3 Rx 0 Tx, 2 Rx 0 Tx, 1 Rx 0 Tx]
Other factors: MTTR, failure rates, power, comms etc
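An added example (not from the Helios slides) that puts the failure-conditions modelling and the patchwork idea into working code: each site's availability is built from its MTBF/MTTR in series with its comms and power availabilities, and each patch's PoD from how many of the receivers and interrogators in view are simultaneously up. The fleet, the patches, the 0.995 target and the "at least three receivers plus one interrogator" minimum are constructed assumptions, not figures from the presentation.

```python
def availability(mtbf_h, mttr_h, comms_av, power_av):
    """One sensor site: MTBF/(MTBF+MTTR) in series with its comms and power."""
    return mtbf_h / (mtbf_h + mttr_h) * comms_av * power_av

def prob_at_least(k, avs):
    """P(>= k of n independently failing sites up): Poisson-binomial by DP."""
    dist = [1.0]                      # dist[j] = P(exactly j sites up so far)
    for a in avs:
        nxt = [0.0] * (len(dist) + 1)
        for j, p in enumerate(dist):
            nxt[j] += p * (1.0 - a)   # this site down
            nxt[j + 1] += p * a       # this site up
        dist = nxt
    return sum(dist[k:], 0.0)         # 0.0 when k > n (e.g. only 2 Rx in view)

def patch_pod(rx_avs, tx_avs, min_rx=3, min_tx=1):
    """PoD of one patch. Assumption: a TDOA fix needs >= 3 receivers in view
    and >= 1 interrogator to elicit replies; sites fail independently."""
    return prob_at_least(min_rx, rx_avs) * prob_at_least(min_tx, tx_avs)

# Constructed fleet: name -> (kind, MTBF h, MTTR h, comms avail, power avail);
# RX_D is a remote site on a poorer comms SLA with a longer repair time.
SENSORS = {
    "RX_A": ("rx", 20000, 8, 0.9995, 0.9999),
    "RX_B": ("rx", 20000, 8, 0.9995, 0.9999),
    "RX_C": ("rx", 20000, 8, 0.9995, 0.9999),
    "RX_D": ("rx", 20000, 48, 0.995, 0.9999),
    "TX_1": ("tx", 10000, 24, 0.999, 0.9999),
    "TX_2": ("tx", 10000, 24, 0.999, 0.9999),
}
# Constructed patchwork: patch -> sites in view, covering the slide's
# ">3 Rx 2 Tx", "3 Rx 1 Tx", "2 Rx 1 Tx" and "3 Rx 0 Tx" cases.
PATCHES = {
    "P1": ["RX_A", "RX_B", "RX_C", "RX_D", "TX_1", "TX_2"],
    "P2": ["RX_A", "RX_B", "RX_C", "TX_1"],
    "P3": ["RX_C", "RX_D", "TX_2"],
    "P4": ["RX_A", "RX_B", "RX_C"],
}

def patchwork(patches, sensors, target):
    """Map each patch to (PoD, meets target); patches below target need attention."""
    out = {}
    for name, in_view in patches.items():
        avs = {"rx": [], "tx": []}
        for site in in_view:
            kind, *params = sensors[site]
            avs[kind].append(availability(*params))
        pod = patch_pod(avs["rx"], avs["tx"])
        out[name] = (pod, pod >= target)
    return out
```

Running patchwork(PATCHES, SENSORS, 0.995) passes P1, flags P2 (three receivers, one interrogator, PoD about 0.9935) as below target, and gives P3 and P4 zero PoD because the receiver or interrogator minimum cannot be met; the below-target patches are where redundancy, an SLA change or an operational mitigation is worth its cost.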
Following design and implementation, validation can help assure and improve system safety and performance
• Reactive / predictive, i.e. validation
• Necessity of flight trials
• Integrity monitoring can be used to provide confidence during operation
  ° Confirmation of the contributing sensors to position reports
  ° Hazard detection to lower the hazard severity of effect
  ° Additional receivers will provide further integrity checks
  ° ASTERIX Category 19 'status' messages provide further insight
• Both normal (accuracy) and failure (PoD) cases must be validated
Conclusions
• Safety is an ANSP responsibility
• The safety case has an important role in relation to cost-effective procurement
• The distributed nature of WAM in an NRA environment adds complexity to the safety case
• Accurate modelling of the WAM system is the key to balancing the cost and safety arguments
• Validation is essential
Thank you for your attention
James [email protected]