Development of the Safety Case for LPV at Monastir

MEDUSA final event on GNSS for civil aviation, Tunis, 04 June 2014 1

Development of the Safety Case for LPV at Monastir

Euromed GNSS II project/MEDUSA Final event on GNSS for aviation

Your logo here

Philip Church Principal Consultant [email protected]


Agenda

The requirement for safety

The design for implementation

Methodology

Implementation for Monastir

Conclusions of the safety assessment


Scope of the Safety Case

Operational Environment Aircraft type, Traffic levels, Weather, Terrain, Type of airspace

Aircraft

Procedures

Equipment

Human

ATM System

Procedures

Equipment

Human

ATM Services

ATC Hazards

Causes, focusing

on the deltas


Design for implementation


Ongoing Safety Management Planning – Safety Requirements are met through

• Design – e.g. reliability, procedures, conformance with standards

• ATCO awareness through training and familiarisation

• Transition assurance and readiness

• Ongoing safety management and assurance / maintained safety margin • Arrangements to ensure ATCOs remain familiar with system

• Contingency arrangements • What are the arrangements for old system decommission?

• Arrangements to monitor alerting functions

• Maintenance planning and arrangements

• Arrangements to monitor occurrence and fault reports

• Unit Safety (Case?) arrangements


Some considerations for monitoring of risk

• A number of factors influence the probability of an accident occurring • These factors could be termed as “barriers”

• The effectiveness of these barriers increases or decreases over time in response to changing environments, services etc.

• A combination of leading and lagging indicators can be defined to assess the effectiveness of some of these key barriers, and report them to the Board

• E.g. Top 10 risk of a catastrophic accident

• How to monitor and evaluate this risk, in the absence of the specific outcome


Ongoing safety risk in an organisation

Tolerable level of

safety = ICAO norms =

1E-08 per flight hour

Actual

safety

level

Safety

margin

Initiative in

response to

specific risk

Degrading safety margin

due complacency or

changing context

In order to measure this, there needs to be

a mature reporting system

(despite more reporting leading to the

appearance of more incidents)


Relating the probability of an accident to measurable metrics

• It isn’t an exact linear sequence, but the relationship between the accident and the underlying barriers (which prevent the accident occurring) can be presented as probabilities

For every 1 accident…

…we tend to have 10 non-

fatal accidents…

…and 600 minor

occurrences (unsafe

acts)

…30 serious reportable

incidents… Data on probability based

on Heinrich model from

Industrial Accident

Prevention: A Safety

Management Approach


Methodology


Methodology

• Number of different options

• SAE ARP1476 (Fault and Event Tree Analysis, FMEA)

• ED-125

• Probability Risk Assessments

• Eurocontrol SAM

• PSSA

• FHA

• SSA

• ESARRs

• For PBN:

• the assessment needs to be more operationally than technically focused

• The HAZARD needs to be set at the right level to set the Safety Requirements


Linking the Hazard Assessment to Safety Requirements

Operational Hazards

Contributing Factors & Operational Outcomes

Bow Tie Model

Safety Targets Derivation

Safety Objectives specified

Quantitative Fault Tree Analysis on contributing factors

Integrity, Functional/ Performance and SWAL Safety Requirements Specified

Hazard Log

Qualitative Event Tree Analysis on operational outcomes


Hazard Assessment – Example of the Bow-tie Model

Safety Objective Safety Target Safety Requirements


Ops failures

Ops failures

Justification for safety objectives – e.g. major occurrences

Safety target, SC3, ACC

e.g. 4E-05 / ATSU hour

Non ATM related

ATM related Not a factor quantitatively, since target only includes ATM-related factors

H-01 H-02

Ops failures Ops

failures

Ops failures

Ops failures

Organised into 4 hazards for clarity – target divided equally

1E-05 1E-05

H-03

Ops failures

Ops failures

Ops failures

1E-05

H-04

Ops failures

Ops failures

Ops failures

1E-05

Safety Objective


What is the safety case trying to prevent?

Localisation of CONOPS

Local Safety Objectives

HAZARD identification

Risk assessment

Safety Case development


Implementation for Monastir


Monastir – Top Level Safety Argument


Customisation of CONOPS

• The operational environment describes: • the level of ATS provided

• traffic types/levels

• CNS equipment

• airport ground equipment

• airspace and existing procedures

• Assumptions confirmed by local operational and technical experts

• The EUROCONTROL CONOPS provides generic concept of operations for APV SBAS approach • Essential to that these are validated locally to ensure safety

assessment remains valid


Local safety requirements – safety classification

• Not only the classification – also the content of the safety assessment


Local safety requirements – Hazard Log


Nominal operations

• Claim that conducting APV SBAS and LNAV/APV Baro approach operations are safe by design when all systems are working normally

• Combination of all elements: • flight crew

• aircraft avionics

• flight databases

• ATCOs, and

• EGNOS signal

• Show that the operations are consistent with established requirements for system integration, reliability and safety


Nominal operations

• Important to consider risk from an operational perspective, with involvement of operational and technical experts, early in the analysis as part of a ‘top-down’ process

• Use Cases were derived where the operation could be affected by the procedures (changes) introduced based on the step-by-step flight profile through final approach: • intercepting the final approach path

• follow the final approach path

• descend to DA

• (execute correct Missed Approach )

• Does not propose any new requirements – simply asserts that existing ones are complied with


Non-nominal operations

• Claim addresses the risks of failures of APV SBAS and LNAV/APV Baro operations as implemented at Monastir aerodrome:

• CONOPS contains no known deficiencies

• All hazards correctly identified and assessed

• All mitigations captured as safety requirements or assumptions as appropriate



• HAZID held in Rome, June 2013 with representatives from the airport, procedure design and flight ops

• HAZID panel did not note any new additional hazards that would exist in the implementation at Monastir: • Hazard H3 - Fly low while intercepting the final approach path (vertical

profile);

• Hazard H4 - Attempt to intercept the final approach path from above (vertical profile);

• Hazard H6 - Failure to follow the correct final approach path;

• Hazard H7 - Descending below Decision Altitude (DA) without visual;

• Hazard H8 - Failure to execute correct MA.




Non-nominal operations – FTA/ETA


Non-nominal operations – Integrity requirements (SOs)

Cause (Event) Probability of occurrence

[per approach]

Procedure validation error 4.20 E-04

Error in coding the procedure 1.00 E-08

Procedure publishing error 1.00 E-07

Aircraft DB coding/packing error 1.00 E-07

Error in DB loading tools 1.00 E-08

High pressure given by ATC/AFIS 1.63 E-06

High pressure given by MET system 1.26 E-06

High pressure set by pilot 1.63 E-06


Non-nominal operations - TLS

Accident type TLS in accidents per approach

Controlled flight into terrain

(CFIT)

1.0 x 10-8

Landing accident 2.0 x 10-7

Mid-air collision (MAC) 1.0 x 10-10


Non-nominal operations – setting SOs


Practical design and implementation steps

• The design and implementation of APV SBAS and LNAV/APV Baro at Monastir, when deployed, fully satisfies the specified functional and performance SRs and IRs

• Presents evidence consistent with the following sub-claims: • Assumptions for aircraft equipment and operators are adequately

specified and validated for the implementation of APV SBAS and LNAV/APV Baro

• Safety requirements and assumptions for ATC (people and equipment) are adequately specified and met/validated for the implementation of APV SBAS and LNAV/APV Baro

• The APV SBAS and LNAV/APV Baro procedures are demonstrated to be practical


Transition into operation

• APV SBAS and LNAV/APV Baro are acceptable for initiation of operations, with transition risks fully addressed and mitigated as appropriate, i.e. • The APV SBAS and LNAV/APV Baro procedures are accepted as meeting

the safety requirements • HMI is shown to be satisfactory • There are sufficient trained staff to operate and maintain the system • The APV SBAS (LPV) and LNAV/APV Baro procedures are published and

promulgated to all relevant people • Validation flight trials have been successfully completed • All appropriate regulatory approvals to operate the procedure have been

obtained • Any remaining system shortcomings have been highlighted and accepted

for operation, including any unvalidated assumptions • A transition and reversion plan has been developed


In service safety monitoring

• The risks associated with operating APV SBAS and LNAV/APV Baro at Monastir will be monitored in service and corrective actions taken as necessary

• Imperative that the safety of the APV SBAS and LNAV/APV Baro procedures at Monastir are monitored to ensure that safety is not eroded • Safety management

• SBAS status and performance monitoring

• Change management

• Incident reporting


Conclusions of the safety assessment


Conclusions

Hazard ID Safety objective Achieved

probability of occurrence

Objective met

H3 6.40 E-05 4.63 E-06

H4 2.67 E-04 4.77 E-06

H6 6.40 E-05 1.78 E-06

H7 4.00 E-08 2.29 E-08

H8 2.00 E-07 1.22 E-07

• Compliance with the safety requirements, validation of the assumptions and fulfilment of the safety argument claims through evidence will support the overall claim of the assessment that APV SBAS and LNAV/APV Baro procedures at Monastir are acceptably safe for introduction and continued operational use


Business

Development of the Safety Case for LPV at Monastir