MAXIMISING THE ATM POSITIVE CONTRIBUTION TO SAFETY - A BROADER APPROACH TO SAFETY ASSESSMENT (PowerPoint presentation)

  1. MAXIMISING THE ATM POSITIVE CONTRIBUTION TO SAFETY - A BROADER APPROACH TO SAFETY ASSESSMENT
  Eric PERRIN (speaker), Derek FOWLER, Ron PIERCE
  EUROCONTROL Safety R&D Seminar, München, Germany, 21-22 October 2009

  2. ADS-B IN NON-RADAR AREAS – HOW TO APPROACH SAFETY?
  • Radar-like services in NRA (non-radar areas) using ADS-B
  • Separation down to “radar” levels, i.e. 5 nm or 3 nm
  • The ADS-B end-to-end system needs to be reliable
  • But even if it were 100% so, would that answer whether ADS-B would be safe enough to support 3-5 nm separation? No!
  • Risk of implementing a perfectly reliable but unsafe ADS-B system

  3. ADS-B IN NON-RADAR AREAS – HOW TO APPROACH SAFETY?
  Diagram: the Separation Provision Service, delivered either by the pre-existing Radar System or by ADS-B in NRA, operates in an Operational Environment that contains Pre-existing Hazards and System-Generated Hazards.
  • What we WANT the system to do – Functions and Performance
  • What we DON’T want the system to do – Integrity
  • We CANNOT CONTINUE TO FOCUS MAINLY ON FAILURE…!!
  • Good basis for a case: ADS-B can provide the same functionality (i.e. data presented to the Controller / support tools) and performance (data accuracy, resolution, latency, refresh rate, coverage etc) of the surveillance information presented to the ATCO as required by the “radar” separation minima (accuracy, resolution, refresh rate etc)

  4. A BROADER APPROACH TO RISK ASSESSMENT AND MITIGATION
  • Success approach:
    – to show that an ATM system will be acceptably safe in the absence of failure
    – addresses the ATM contribution to aviation safety
    – defined by Functional Safety Requirements
  • Failure approach:
    – to show that an ATM system will still be acceptably safe, taking account of the possibility of (infrequent) failure
    – addresses the ATM contribution to aviation risk
    – defined by Safety Integrity Requirements

  5. ICAO GLOBAL ATM OPERATIONAL CONCEPT 2005
  Diagram: Pre-existing Hazards enter a chain of barriers made up of the Main ATM Functions (Strategic Conflict Mgt, Separation Provision) and the Safety Nets (Collision Avoidance, Providence); each barrier is implemented by People, Equipment and procedures and can itself introduce System-Generated Hazards; what passes every barrier ends in an Accident.

  6. ICAO GLOBAL ATM OPERATIONAL CONCEPT – RISK GRAPH
  Diagram (risk axis from 0 to R): the Pre-existing Risk R_U is reduced by Strategic Conflict Mgt to R_U’, by Separation Provision to R_U’’, and by Collision Avoidance and Providence to the accident risk R_A, which is compared with the Acceptable Risk.

  7. FAULT TREE VIEW
  Diagram, read from the bottom up: Pre-existing Hazards F_u → AND gate with (1-P_S1) [Strategic Conflict Mgt] → OR gate with System-generated Hazards F1 → AND gate with (1-P_S2) [Separation Provision] → OR gate with F2 → AND gate with (1-P_S3) [Collision Avoidance] → OR gate with F3 → AND gate with (1-P_S4) [Providence] → Accident R_A.
  Enables us to specify success (P_nn) as well as failure (F_nn) attributes.
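The fault tree written out as equations, using the intermediate risks R_U’ and R_U’’ from the risk graph on the previous slide. This is an added worked reading of the diagram, not part of the original presentation; it assumes the gates combine independent events and uses the usual rate-level approximation in which an OR gate adds its inputs and an AND gate with a success probability P_Sn multiplies by (1-P_Sn).

$$R_U' = F_u\,(1-P_{S1}) + F_1$$

$$R_U'' = R_U'\,(1-P_{S2}) + F_2$$

$$R_A = \big(R_U''\,(1-P_{S3}) + F_3\big)\,(1-P_{S4})$$

Two checks follow directly. With every F_n = 0 (a perfectly reliable system) R_A still equals F_u\,(1-P_{S1})(1-P_{S2})(1-P_{S3})(1-P_{S4}), so the accident risk is set by the success attributes P_Sn, which is the point made on slide 2 about a reliable but unsafe ADS-B system; and with every P_Sn = 1 the pre-existing hazards are fully removed and only the system-generated hazards F_n remain, which is what the integrity requirements of the failure approach bound.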

  8. SAFETY REQUIREMENTS
  • Safety requirements are specified for ATM to:
    – maximize its contribution to aviation safety and
    – minimize its contribution to the risk of an accident
  • Safety Requirements cover, respectively:
    – functionality & performance
    – integrity (plus some additional f&p)
  Broader approach = success plus failure cases

  9. GENERIC ARGUMENT STRUCTURE
  Diagram (goal-structuring notation):
  • Arg 0: <<Claim that something is safe>>
    – Context Cr001: <<Safe is defined by Safety Targets>>
    – Context C001: Applies to <<Operational Environment>>
    – A0001: <<Assumptions to be declared and validated in the Safety Case>>
    – J0001: <<Justification for the subject of the Claim>>
    – Strategy: <<Strategy to explain the rationale for decomposing Arg 0>>
  • Arg 1: <<Argument that <A> is true>> [tbd]
  • Arg 2: <<Argument that <B> is true>> [tbd]
  • Arg 3: <<Argument that <C> is true>> [tbd]
  • Arg 4: <<Argument that <D> is true>> [tbd]

  10. EVIDENCE
  • How much?
  • How obtained?
  • How good?
  Simple answer is Safety Assurance

  11. SAFETY ASSURANCE - GENERAL
  Diagram: the Assurance Level (AL) sets the Objectives; Activities are carried out to achieve those Objectives; the Activities produce Evidence; the Evidence gives confidence.

  12. ARGUMENT-DRIVEN SAFETY ASSURANCE
  Diagram: the Safety Argument is what must be satisfied; Safety Activities are carried out to achieve the Assurance Level (AL) and to produce Evidence; the Evidence gives confidence that the Safety Argument is satisfied.
  But how do we develop a satisfactory Safety Argument?

  13. WE USE A REQUIREMENTS-ENGINEERING MODEL!
  Diagram: in the Real World (Application Domain) the User Reqts R and the Domain Properties P sit on one side of the System i/f; the Specification S, the Design D and the Implementation I sit on the system side. The two relations shown are “P, S R” and “I D” (the relation symbols did not survive extraction).

  14. AN ATM SAFETY VERSION
  Diagram: in the Aviation World (ATM User Domain) the Safety Targets T and the Domain Properties P sit on one side of the ATM i/f; the ATM Service-level Specification S, the Design D and the Implementation I sit on the ATM System side. The two relations shown are “P, S T” and “I D” (the relation symbols did not survive extraction).
  This leads initially to ………….

  15. …TOP LEVEL ARGUMENT
  • Arg 0: SESAR En-route Operations will be acceptably safe.
    – Cr001: Acceptably safe is defined by the Safety Targets – see Arg 1.1
    – C001: Applies to the Operational Environment described in Section 2 of the En-route Safety Design Document
    – A001: Assumptions as per Section 8.1 of the PSC
    – J001: Justification as per Section 2.2 of the PSC
    – Strategy: Argue on basis of a safe Specification and Logical Design, full Implementation of that design, safe Transition into service and Safety Monitoring for whole operational service life
  • Arg 1: SESAR En-route ATM system has been specified to be acceptably safe (Figure 20)
  • Arg 2: SESAR En-route ATM system has been designed to be acceptably safe (Figure 21)
  • Arg 3: SESAR En-route ATM system Design has been implemented completely & correctly [tbd]
  • Arg 4: Transition from current state to full SESAR En-route ATM system will be acceptably safe [tbd]
  • Arg 5: SESAR En-route ATM system will be shown to operate acceptably safely throughout its service life [tbd]

  16. LIFECYCLE VIEW - OVERALL
  Diagram: the System Safety Assurance Activities run through lifecycle phases V0 to V7 (Definition; Design & Validation; Implementation & Integration; Transfer into Operation; Operation & Maintenance), and each phase produces Evidence for the corresponding lower-level Safety Argument (Arg 1 Definition, Arg 2 Design & Validation, Arg 3 Implementation & Integration, Arg 4 Transfer into Operation, Arg 5 Operation & Maintenance), all supporting the high-level Arg 0.
