EUROCONTROL EXPERIMENTAL CENTRE · 2019. 2. 18. · EUROPEAN ORGANISATION FOR THE SAFETY OF AIR NAVIGATION EUROCONTROL EUROCONTROL EXPERIMENTAL CENTRE LEVEL BUST STUDY USING SAFETY

EUROPEAN ORGANISATION FOR THE SAFETY OF AIR NAVIGATION

EUROCONTROL

EUROCONTROL EXPERIMENTAL CENTRE

LEVEL BUST STUDY USING SAFETY PRINCIPLES

EEC Report No. 402

Project SFT-1-RD MODS

Issued: January 2006

The information contained in this document is the property of the EUROCONTROL Agency and no part should be reproduced in any form without the Agency’s permission.

The views expressed herein do not necessarily reflect the official views or policy of the Agency.

REPORT DOCUMENTATION PAGE

Reference: EEC Report No. 402

Security Classification: Unclassified

Originator: EEC – SRT (Safety Research Team)

Originator (Corporate Author) Name/Location: EUROCONTROL Experimental Centre Centre de Bois des Bordes B.P.15 F - 91222 Brétigny-sur-Orge Cedex FRANCE Telephone: +33 (0)1 69 88 75 00

Sponsor: EATM

Sponsor (Contract Authority) Name/Location: EUROCONTROL Agency 96, Rue de la Fusée B - 1130 Brussels BELGIUM Telephone: +32 2 729 90 11 WEB Site: www.eurocontrol.int

TITLE: LEVEL BUST STUDY USING SAFETY PRINCIPLES

Authors Adrian Gizdavu (EEC) Corinne Bieder (Dedale) Jean Paries (Dedale)

Date 01/2006

Pages x + 71

Figures 14

Tables 1

Annexes 1

References --

EEC Contact Adrian Gizdavu

Project SFT-1-RD MODS

Task No. Sponsor

Period 2003 - 2005

Distribution Statement: (a) Controlled by: Head of SRT (b) Special Limitations: None (c) Copy to NTIS: YES / NO

Descriptors (keywords): Level Bust, SMART, Safety Principles, Safety Architecture.

Abstract:

This report describes a Level Bust study made using Safety Principles (developed based on the SMART methodology).

A safety architecture was developed by a team of experts consisting of ATM Experts, Pilots, Human Factors Experts, and Incident Investigators. Later on, real incidents were analysed using the safety architecture and each safety principle was analysed to see how good or bad it was performing for all the incidents analysed.

After completing this exercise, a clear statistic of the performance of each safety principle was calculated, the weakest safety principles were identified, and conclusions and recommendation were made accordingly.

www.eurocontrol.int

Level Bust Study Using Safety Principles EUROCONTROL

Project SFT-1-RD-MODS - Report No. 402 v

SUMMARY

This report describes a Level Bust study made using Safety Principles (developed after SMART methodology).

A Safety Principle is defined as; any assumption made about what is supposed to make the ATM system safe in the a priori safety model.

The Safety Architecture is defined as the logical, hierarchical combination of Safety Principles that compose that safety protections associated with a Generic Initiator.

The Safety Architecture or the safety model of a generic ATM system consists of safety protection barriers and fences, which are all made from numerous safety principles.

A Safety Architecture of a generic ATM system was developed by a team of experts consisting of; ATM Experts, Pilots, Human Factor Experts, and Incident Investigators. The safety architecture was meant to show not only the weak safety principles but the very strong ones as well.

Later on, real incidents were analysed using the safety architecture and each safety principle was analysed to see how good or bad it was behaving for all the incidents analysed.

After completing this exercise, a clear statistic of the behaviour of each safety principle was calculated. Some solutions to overcome the level bust problem were proposed, and later on “simulated” into the safety architecture.

Conclusions and recommendation were made accordingly.

EUROCONTROL Level Bust Study Using Safety Principles

vi Project SFT-1-RD-MODS - EEC Report No. 402

Page intentionally left blank


Project SFT-1-RD-MODS - Report No. 402 vii

TABLE OF CONTENTS

LIST OF ANNEXES......................................................................................................... VIII

LIST OF FIGURES .......................................................................................................... VIII

LIST OF TABLES............................................................................................................ VIII

DEFINITIONS, ABBREVIATIONS AND ACRONYMS...................................................... IX

LIST OF ABBREVIATIONS .............................................................................................. IX

1. INTRODUCTION...........................................................................................................1 1.1. CONTEXT ...................................................................................................................... 1

1.1.1. Background .......................................................................................................1 1.1.2. Justification........................................................................................................1 1.1.3. Level Bust Definition..........................................................................................2

1.2. PROJECT DESCRIPTION ............................................................................................. 3 1.3. OBJECTIVES ................................................................................................................. 3

2. CONDUCT ....................................................................................................................4 2.1. THE SMART GENERAL APPROACH ........................................................................... 4

2.1.1. SMART Objectives ............................................................................................4 2.1.2. Concepts and Process ......................................................................................4

2.2. THE SMART SPECIFIC APPROACH FOR LEVEL BUST STUDY ............................... 8 2.2.1. The Safety Architecture .....................................................................................8 2.2.2. Data Collection ................................................................................................10 2.2.3. Project Team ...................................................................................................10

3. RESULTS....................................................................................................................11 3.1. SAFETY PRINCIPLES ROBUSTNESS ASSESSMENT.............................................. 11

3.1.1. Presentation of the Outcomes .........................................................................11 3.2. EXPLANATION OF THE ASSESSMENTS .................................................................. 13

3.2.1. Not Applicable SP............................................................................................13 3.2.2. No Cross SP....................................................................................................14 3.2.3. Red or Seriously “Reddish” SPs......................................................................16 3.2.4. Left Blank Although “Greenish” SPs................................................................16 3.2.5. Left Blank by Lack of Information SPs.............................................................20 3.2.6. Red SPs ..........................................................................................................22 3.2.7. Yellow SPs ......................................................................................................23 3.2.8. Not so Critical SPs...........................................................................................25

3.3. OVERALL RESULTS ................................................................................................... 26 3.4. ANALYSIS OF THE MAIN WEAKNESSES.................................................................. 28

3.4.1. Safety Principles PA2- PB2 (ATC Message Clarity)........................................28 3.4.2. Safety Principles PA4- PB4: The Crew/aircraft System Correctly

Understands the Contents of the Instruction/clearance Captured .................30 3.4.3. Safety Principles PA5 and PB5: The Crew/aircraft System Properly

Implements the Clearance/instruction as Understood ...................................31 3.4.4. Safety Principle PC1: Airspace Design allows for Detection and Correction

of Deviations from Assigned Flight Paths before Becoming a Threat ............33


viii Project SFT-1-RD-MODS - EEC Report No. 402

3.4.5. Safety Principles PA6 -PB6: Aircraft do not Change Path without Instruction to do so.........................................................................................33

4. SIMULATION OF POSSIBLE CHANGES ..................................................................35 4.1. IMPACT OF THE INTRODUCTION OF A DOWNLINK OF THE FMS SELECTED

FLIGHT LEVEL TO ATC .............................................................................................. 35 4.1.1. Assumptions ....................................................................................................35 4.1.2. Local Impacts ..................................................................................................35 4.1.3. Overall Safety Impact of the Downlink Option .................................................36

4.2. IMPACT OF THE INTRODUCTION OF BOTH DOWN & UP LINK ............................. 38 4.2.1. Assumptions ....................................................................................................38 4.2.2. Local Impacts ..................................................................................................38 4.2.3. Overall Safety Impact of the Uplink & Downlink Option...................................40

5. CONCLUSIONS AND RECOMMENDATIONS...........................................................42 5.1. CONCLUSIONS ........................................................................................................... 42 5.2. RECOMMENDATIONS ................................................................................................ 43

5.2.1. Consistency Between Airspace Design and ATM Anticipation Capabilities ....43 5.2.2. ATC – Crew/Aircraft System Communication..................................................43

TRADUCTION EN LANGUE FRANÇAISE .......................................................................45

LIST OF ANNEXES ANNEX A - Level Bust Safety Architecture ..................................................................................... 55

LIST OF FIGURES Figure 1: The course of safety impairment ...................................................................................... 5 Figure 2: The safety architecture ..................................................................................................... 5 Figure 3: Decomposition of the safety principles ............................................................................. 6 Figure 4: Matching the incident reports into the safety architecture ................................................ 7 Figure 5: Safety principles colour meaning...................................................................................... 7 Figure 6: Safety architecture of a single incident ............................................................................. 8 Figure 7: The level bust safety architecture ..................................................................................... 9 Figure 8: The robustness assessment........................................................................................... 11 Figure 9: First level of the level bust safety architecture................................................................ 55 Figure 10: Decomposition of the prevention safety architecture (P AB1 – P AB4) ........................ 56 Figure 11: Decomposition of the prevention safety architecture (P AB5 – P AB6) ........................ 57 Figure 12: Decomposition of the prevention safety architecture (P C1 – P C2)............................. 58 Figure 13: Decomposition of the prevention safety architecture (P C3 – P C6)............................. 59 Figure 14: Decomposition of the recovery safety architecture....................................................... 60

LIST OF TABLES Table 1: Project team..................................................................................................................... 10


Project SFT-1-RD-MODS - Report No. 402 ix

DEFINITIONS, ABBREVIATIONS AND ACRONYMS

In order to ensure clarity and readability, the following conventions are applied in this document:

• “shall” used whenever a mandatory requirement is expressed. • “should” used in order to express a recommendation. • “may” used in order to express an option. • “will” used in order to express the future.

LIST OF ABBREVIATIONS

Abbreviation De-Code ANSP Air Navigation Service Provider ASMT Automatic Safety Monitoring Tool ATC Air Traffic Control

ATCO Air Traffic Controller AWY AirWaY CFL Cleared Flight Level

CFMU Central Flow Management Unit FL Flight Level

LoA Letters of Agreement MTCD Medium Term Conflict Detection

MUDPIE A Multi-User Data Processing Interactive Environment for Simulations Tool OLDI On-line Data Interchange PLN Planning Controller RT Real Time

RVSM Reduced Vertical Separation Minima SID Standard Departure Route SP Safety Principle

STAR Standard Arrival Route STCA Short Term Conflict Alert TMA Terminal Manoeuvring Area TWR Tower (Aerodrome Control) T1 Situation reaching below an acceptable safety threshold

XFL EXit Flight Level


x Project SFT-1-RD-MODS - EEC Report No. 402

Page Intentionally left blank


Project SFT-1-RD-MODS - Report No. 402 1

1. INTRODUCTION

1.1. CONTEXT

Level Bust/altitude deviation is a problem as old as flight. Improved safety management and reporting systems have given us a more accurate appreciation of the size of the problem.

TCAS/ACAS has reduced the risk of two aircraft equipped with ACAS colliding by a factor of 25. However, the incidence of Level Busts does not appear to be declining and may be higher than we think.

Although the risk of a mid-air collision has reduced significantly following the introduction of ACAS, increased growth in air traffic means that we must find solutions to the Level Bust issue now. Reducing Level Busts and the risks associated with them is a challenge for the whole air transport community.

1.1.1. Background

Once every half-hour, somewhere in the world, an aircraft is busting its cleared level. Once each day, the loss of separation results in aircraft passing within a mile of each other1.

1.1.2. Justification

Level Busts reported in UK airspace by NATS ATC:

• 1999 308 • 2000 308 • 2001 281 • 2002 293

Incident reports from operators in last three years:

• Reports by ATC on BAW 35 • Reports by BAW 98 • Reports by ATC on BRY 7 • Reports by BRY 15

1 SISG12 meeting, Brussels 4 April 2003 - Level Bust Task Force 1 "En Route to reducing Level Busts" - presentation given by John Barrass.


2 Project SFT-1-RD-MODS - EEC Report No. 402

abian

TOTA 209

1.1.3. Level Bust Definition

A level bust is defined as a situation in which a flight does not capture or does not maintain the

There is some diversity - and possibly still some ambiguity- of the situations covered by the above

ALT (due to altimeter setting, AP offset, etc).

igned FL/ALT due to technical problems, turbulence,

4. T above the assigned one, or a climb to a FL/ALT below the assigned

5. cent to a FL/ALT below the assigned one, or a climb to a FL/ALT above the assigned

6. anent flight at the wrong FL/ALT.

Level Bust reports by UK operators in Europe in the last 3 years:

• France 29 • Spain 19 • Italy 14 • Belgium 12 • Germany 11 • Switzerland 8 • Netherlands 7 • Unspecified UAS 16 • Other Countries 11

TOTAL 127

Level Bust reports by UK operators worldwide in last 3 years:

• Europe 127 • North America 30 • North Atlantic O 19 AC • Far East 14 • Russia 7 • Gulf / Ar 6 • Africa 6 L

Flight Level or Altitude assigned to it by ATC with a deviation of more than 300ft.

definition of a level bust, which can be for example:

1. A permanent deviation from the assigned FL/

2. An overshoot during FL/ALT capture.

3. A momentary deviation from the assmountain wave, etc.

A descent to a FL/ALone.

A desone.

A perm



1.2. PROJECT DESCRIPTION

Level busts are one of the most dangerous steps towards a mid-air collision. A level bust is broadly defined as a situation in which a flight does not maintain the Flight Level assigned to it by ATC. EUROCONTROL had started to organise Level Bust Workshops in 2002 and then established a Level Bust Task Force to develop both an action plan and a “tool kit” aiming at the reduction of level busts.

One of the objectives of the task force was to find ideas and solutions on how to improve level busts in the current design and practices of the ATM system. Mid 2003, Eurocontrol launched a project to start exploring the potential benefits of a study using safety principles in relation to level busts. The method was called SMART (Safety Management Assistance and Recording Tool).

The first effort was dedicated to the development of a safety architecture making explicit the existing measures put in place to prevent level busts or to recover them after they occurred.

A well-developed safety architecture being available, the second phase of work aimed at deriving relevant safety lessons as regards level bust issues from the analysis of real events using the background material developed in the previous phase.

1.3. OBJECTIVES

1. Discover causes that might make Level Bust appear.

2. Develop a vision of Level Bust across Europe using the SMART tool.

3. Identify weaknesses that may create Level Busts.

4. Develop a model of safety architecture relevant for Level Bust.

5. Identify weak points and assess their relative importance.

6. Issue recommendations to overcome weaknesses of the protections against Level Bust incidents.



2. CONDUCT

2.1. THE SMART GENERAL APPROACH

2.1.1. SMART Objectives

The objective of SMART is to provide an enhanced tool to support Safety Management based on operational feedback. SMART is intended to facilitate the extraction of “safety lessons” from reported events and to support safety-related decision-making. It is an attempt to reach beyond the limits of existing approaches mainly based on causal analysis of incidents. The main limitation of causal approaches is that causal attribution is the subjective application of the analyst’s safety model(s) to an event. This easily leads to self-fulfilling prophecies: if the analysts believe that ATCOs errors are a major cause of incidents, most incidents will refer to ATCOs errors in their analysed causality and this will confirm that ATCOs errors cause incidents. The originality of SMART lies in its attempt to explicate an overall a priori model of ATM safety through a top down analysis. This a priori safety model will then be assessed and challenged through operational feedback from reported events. It will also allow the proactive exploration of the impact of the safety information gathered through an individual event (e.g. the acknowledged weakness of a safety assumption in the model) across similar or different situations. Such an approach will not only allow to learn things we do not know about ATM Safety, but also to learn generic lessons rather than lessons on a singular event.

2.1.2. Concepts and Process

The key idea underlying SMART is to make the Safety Model that presided over design choices explicit (design being used in a broad sense, i.e. design of equipment, organization, training, procedures…), and to put it into the test of reality. While most design assumptions remain implicit, they have nevertheless been made, even if unconsciously, and they reflect the beliefs designers (in a broad sense) have on how safety is ensured. For example, when no backup is available to possibly recover the omission of an action prescribed in a procedure, the underlying implicit assumption is that the ATCO will always perform the actions prescribed in the procedure, or that the risk created by a failure to do so is acceptable. Such an assumption is named a “Safety Principle” in the SMART vocabulary. The overall Safety Model mentioned above is the structured and articulated list of interacting Safety Principles.

The Safety Model is made explicit for each one of a series of critical generic incidents, named “Generic Initiators” in SMART vocabulary.

Generic Initiators are events that would naturally develop into an accident in the absence of recovery action.

The course of safety impairment can be compared with a ball oscillating in its intrinsic safety called “prevention” area. When a deviation from its assigned flight path occurred, the ball will reach its Generic Initiator, event from which an accident sequence will develop if no recovery action is taken. Here the “recovery” area starts and will continue unless an accident happened. After the accident the “mitigation” area starts.



Figure 1: The course of safety impairment

The concept of Generic Initiator therefore allows clustering various hazardous situations around one accidental mechanism. The concept of Generic Initiator also allows a first generalization of the lessons derived from a singular event. The logical structure of interacting Safety Principles supposed to prevent the occurrence of the Generic Initiator, recover from this Generic Initiator before it develops into an accident, or mitigate the consequences of the accident, shall it eventually occur is called the “Safety Architecture” of the Generic Initiator considered. It is represented as follows:

Figure 2: The safety architecture



Each area of the SMART model (prevention, recovery, or mitigation) consists of several safety barriers. Each safety barrier is made from several “Safety Principles”. Each safety principle can be decomposed the same way, consisting in several barriers made from different, more detailed, safety principles.

Figure 3: Decomposition of the safety principles

Lessons from operational feedback are derived from the “confrontation” of Safety Principles to reality, through any acceptable method: analysis of incidents, audits, experiments, expert judgement, and the like. When incident reports are used, this confrontation consists of a record of the behaviour of relevant Safety Principles in the reported situation (i.e. was the SP successful <true> or did it fail <false>?). The raw information derived from reported events will take the following form.



Figure 4: Matching the incident reports into the safety architecture

The real meanings of the colour coded safety principles should mean:

Figure 5: Safety principles colour meaning



After completing such an exercise, the safety architecture of a single incident should look, for example, as follows:

Figure 6: Safety architecture of a single incident

At the end, after repeating this exercise with all incidents available, the SMART method will help us to asses the “healthiness” of each safety principle, and the healthiness of our entire system. We can see if there are some safety barriers in our system, where those barriers are, and whether they “hold” or whether only providence is keeping us away from an accident.

At the end, the SMART assessment will show us where we can put in place some sort of processes so as to increase the health of the safety principles that do not hold, and create a stronger defence line in prevention or at least in the recovery stage.

To study the new created processes (new defences), they can be simulated into the safety architecture and see immediately the effect, if the system is healthier or not.

2.2. THE SMART SPECIFIC APPROACH FOR LEVEL BUST STUDY

2.2.1. The Safety Architecture

SMART is intended to facilitate the extraction of “safety lessons” from reported events and to support safety-related decision-making. The SMART approach consists of explicating an overall a priori model of ATM safety, a logical structure of interacting Safety Principles supposed to prevent the occurrence of the Generic Initiator, recover from this Generic Initiator before it develops into an accident, or mitigate the consequences of the accident, shall it eventually occur. The high-level strategies of the safety model are as follows:



Figure 7: The level bust safety architecture

Each line of strategy is then decomposed into a series of Safety Principles, which are in their turn decomposed into lower level Safety Principles, and again, until a level of detail (compatible with the available incident information) is reached. The complete safety architecture developed for Level Bust is available in Annex A (or in an Excel file format in the Level Bust Report CD).

The a priori safety model is then assessed and challenged through operational feedback from reported events. Lessons from operational feedback are derived from the recording of Safety Principles “behaviour” during the reported event (was the SP successful <true> or did it fail <false>?).

The mitigation process was not considered for this particular project. To study mitigation processes after a mid air collision was not the objective of Level Bust Study.



2.2.2. Data Collection

The most important part of Level Bust study was to find as many as possible investigation reports of real level bust incidents. The investigations needed to be as detailed as possible, describing the ATM part as well as the aircrew part.

The initial thought was to analyse some 100 investigation reports on level bust. Going through the reports, we realised that a lot of reports were a repetition of the same type of event, or else there were not so many reports in some areas.

At the end, a total of 35 events, representing a variety of scenarios in a variety of contexts, and provided by four different sources, were analysed. The sources of the incident reports were three ANSPs and one airline:

• 16 from NATS • 11 from BA • 3 from the French DGAC • 6 from MUAC

The studied events were real events that occurred in the last three years.

2.2.3. Project Team

The team that created the safety architecture and than studied all the available level bust investigation reports, was formed from several experts in different domains:

Table 1: Project team

Organisation Number of experts Expertise Name

1 ATM Adrian Gizdavu EUROCONTROL EEC

1 ATM Tewes Jurgen

EUROCONTROL MUAC 1 ATM / Incident investigator Philip Marien

1 ATM Alex Bristol

1 ATM / Incident investigator Marcus Dacre

1 Scientific Hellen Finney

1 ATM Paul Jones

NATS

1 Safety Analyst Neil May

BA 1 Pilot Mike O’Leary

1 HF Jean Paries DEDALE

1 HF Corinne Bieder

Total 11



3. RESULTS

3.1. SAFETY PRINCIPLES ROBUSTNESS ASSESSMENT

3.1.1. Presentation of the Outcomes

It also appeared that relatively little information was available in the event reports, so that many of the questions explicitly raised by SMART through the Safety Principles behaviour cannot find a clear answer, except when the reported information can be completed with investigators’ knowledge about the events. Even more obvious is the lack of relevant information about what happened in the cockpit, to be able to fully understand which defence(s) failed.

The following table is a hard copy of the SMART software screen, showing the aggregated outcome of the assessment of the safety principles robustness as performed by the expert group for all the studied events. The first column shows the reference number and the first words of the safety principles (the complete description of each safety principle can be found in Annex A). The second column shows the history of the behaviour of each safety principle, i.e. the number of events in which the “behaviour” of the corresponding safety principle has been assessed to be “not applicable” (grey), “successful” (green), “unsure” (yellow), or “failed” (red).

When a judgement could be derived by the working group, using the corresponding SMART methodology, from that history of behaviour about the “robustness” of a specific safety principle, it appears as a coloured highlighting of the safety principle wording. With reference to the SMART colour code - red for clearly weak; yellow for unreliable, should be monitored – only “red” and “yellow” assessments were made.

Figure 8: The robustness assessment



Figure 8: The robustness assessment (cont'd)



Once these robustness assessments is made for the concerned Safety Principles at different levels of decomposition, the logical status of compound safety principles was computed and the consistency of the assessment was checked.

3.2. EXPLANATION OF THE ASSESSMENTS

The assessment of the robustness of a safety principle (SP) is an assessment of the level of trust a risk manager is still ready to put in the assumption, based on:

• the actual behaviour of the assumption in the real events where it was called upon; • the role of the SP in the safety architecture.

For SPs playing a safety critical role in the safety architecture, the very first “red cross” i.e. failure in a real event deserves to lose trust in this SP, from a risk management viewpoint. Although conservative, this rule is a way to make sure that no critical safety issue will be missed.

This situation has not been encountered as such since the safety architecture as developed by the expert group does not include any common mode failure and prevention as well as recovery does include redundant lines of protection.

Therefore, assessing the level of trust one can still have in each SP was a little more subtle.

3.2.1. Not Applicable SP

The SP has not been called upon in any of the events analysed and was even declared not applicable in some of them.

In such case, the SP was left blank. Not enough events were analysed to determine that these SPs would never be applicable. This was the case for the following SPs:

SP Number SP Description

49 The crew/aircraft system properly understands chart-based ATM clearances/instructions

269 The assigned FL is correctly transmitted by colleagues during transfer

270 The assigned FL is correctly recorded through an electronic label



3.2.2. No Cross SP

The SP has not been called upon in any of the events analysed.

In such cases, the SP was left blank. This was the case for the following SPs:


55 The crew/aircraft system corrects deviations from intended (according to their understanding of the clearance /instruction) flight path before acceptable tolerance is exceeded

56 The ATM system detects deviations from the assigned flight path early enough to allow a correction before acceptable tolerance is exceeded

57 The ATM system issues appropriate corrective instructions early enough to allow a correction before acceptable tolerance is exceeded

58 The crew/aircraft system correctly understands corrective instruction(s) early enough to allow a correction before acceptable tolerance is exceeded

59 The crew/aircraft system correctly implements corrective instruction(s) before acceptable tolerance is exceeded

77 The pilots concerned have the skill to "see" an avoidance solution

78 Pilots follow rule of the air

79 Rules of the air allow for compatible avoidance solutions

82 PNF transfers imminent collision risk alert to PF or takes over if applicable

88 PNF can communicate avoidance suggestion efficiently

89 Flight deck procedures allow for efficient pilot role distribution concerning see & avoid action

90 Pilots follow see & avoid role distribution

103 At least one pilot actually understands chart based ATM instructions

104 If in doubt, pilots cross check their understanding of chart based instructions

105 Pilots detect and correct errors in their understanding of chart based instructions

106 Pilots report their FL/ALT (and other flight path parameters) target when changing frequency

107 Next sector ATCOs check reported (flight path parameters) FL/ALT against assigned one

108 Next sector ATCOs detect and correct errors in the reported (flight path parameters) FL/ALT

116 The ATCO in contact with the A/C detects a lateral deviation from the assigned flight path if any before T1

117 The ATCO in contact with the A/C detects a longitudinal deviation from the assigned flight path if any before T1

118 The ATCO in contact with the A/C detects a time deviation from the assigned flight path if any before T1

120 Another party detects a lateral deviation from the assigned flight path and makes it clear to the ATCO in charge before T1

121 Another party detects a longitudinal deviation from the assigned flight path and makes it clear to the ATCO in charge before T1

122 Another party detects a time deviation from the assigned flight path and makes it clear to the ATCO in charge before T1

136 At least one pilot actually understands chart based ATM instructions

137 If in doubt, pilots cross check their understanding of chart based instructions

138 Pilots detect and correct errors in their understanding of chart based instructions

139 Pilots report their FL/ALT (and other flight path parameters) target when changing frequency


141

Next sector ATCOs detect and correct errors in the reported (flight path parameters) FL/ALT




164 In the case of a recognition of the 'risk of collision' by another ATCO than the ATCO in charge, the ATCO not in charge correctly transfers the 'risk of collision' information to the ATCO in charge if applicable

173 National ATS provider phraseology is shared by the pilots concerned

192 The correct clearance is confirmed to the crews by ATCOs

193 Crews correctly understand the confirmed & correct clearance



200 Third party ATCOs detect FL/ALT (flight path parameters) errors in the pilots' messages

201 Third party ATCOs report FL/ALT (flight path parameters) errors in the pilots' messages to ATCOs on duty

209 A corrective instruction is issued in a clear and unambiguous way to the crew before acceptable tolerance is exceeded

210 The crew properly understand the corrective instruction

211 Wrong inputs are corrected by crews before acceptable tolerance is exceeded

215 ATCOs correctly use a "standard" ICAO phraseology in the appropriate language

216 Standard ICAO phraseology is shared by the pilots concerned

217 ATCOs correctly use national ATS provider phraseology

218 National ATS provider phraseology is shared by the pilots concerned

219 The speed and pace of the ATCOs speech are low enough to be understandable by all pilots involved in all aircraft

220 The number of instructions included in each ATCO message is small enough to be understandable by all pilots involved in all aircraft

221 The tone of ATCOs' speech is adapted to the content of the message

222 The accent used by ATCOs is understandable by all pilots involved in all aircraft

223 ATM HMI is properly operated, messages are unclipped

224 No malicious interference, no vocal interference occurred

225 Transmission related hardware & software are operating properly

226 The quality of the RT signal is not impaired by background noise (e.g. introduced by weather )

233 If in doubt, pilots cross check their understanding of ATCOs (FL/ALT) instructions

234 Pilots detect and correct errors in their understanding of ATCOs (FL/ALT) instructions

235 Crews query about ATM clearances/ instructions when unsure of their understanding

236 The correct clearance is confirmed to the crews by ATCOs

237 Crews correctly understand the confirmed & correct clearance

240 Pilots report their FL/ALT (flight path parameters) target when changing frequency



243 Third party ATCOs (e.g. supervisor) monitor RTF communication

244 Third party ATCOs detect FL/ALT (flight path parameters) errors in the pilots' messages

245 Third party ATCOs report FL/ALT (flight path parameters) errors in the pilots' messages to ATCOs on duty

246 Third party pilots monitor RTF communication

247 Third party pilots detect FL/ALT (flight path parameters) errors in other pilots' messages

248 Third party pilots report FL/ALT (flight path parameters) errors in other pilots' messages to ATM

252 Wrong inputs are detected by the ATM system before acceptable tolerance is exceeded

253 A corrective instruction is issued in a clear and unambiguous way to the crew before acceptable tolerance is exceeded




254 The crew properly understand the corrective instruction

255 Wrong inputs are corrected by crews before acceptable tolerance is exceeded

261 In the case of TCAS RA(s), the TCAS instruction is compatible with the engaged manoeuvres if any

262 In the case of TCAS RA(s), doubt is not induced in crews' minds by ever more stringent opposite instructions from ATC

263 In the case of TCAS RA(s), doubt is not induced in crews' minds by their representation of the situation (e.g. TCAS RA compatible with previous TCAS TA if any, compatible with terrain and/or traffic in the vicinity as perceived by the crews…)

3.2.3. Red or Seriously “Reddish” SPs

The SP does not play a safety critical role in the safety architecture, but turned out to fail each time it was called for in a real event or most of the times with an unsure behaviour in the other cases although involved in a sufficient number of events to induce a reasonable suspicion.

In such case, the SP was judged non-robust. From a risk management point of view, turning this SP to red, does not mean that it needs to be reinforced immediately, or that corrective actions of any kind must be taken, but it constitutes a good “attention getter”. Hence, these SPs were turned red although it is a conservative measure in order to avoid missing a safety issue later on.

This was the case for the following SPs:


43 The airspace design is such that the separation of predefined routes is compatible with the design specifications of ATC capabilities of detection and reaction in real time so that recovering a deviation before it would lead to a conflict

44 Routes making a deviation from one of them unrecoverable before it would lead to a conflict with an A/C on another one are not used simultaneously by ATC

101 The incorrect understanding by the pilot/AC system, if any, is detected and corrected by the read back hear back process between ATCOs and crews

102 An incorrect understanding by the pilot/AC system is detected and corrected by the read back hear back process by third party (pilots, supervisor)

189 If in doubt, pilots cross check their understanding of ATCOs (FL/ALT) instructions

190 Pilots detect and correct errors in their understanding of ATCOs (FL/ALT) instructions

195 ATCOs detect and correct errors in the pilots' read back messages

208 Wrong inputs are detected by the ATM system before acceptable tolerance is exceeded

3.2.4. Left Blank Although “Greenish” SPs

The SP worked each time it was called upon in a real event, or there is not sufficient information to say so but the SP never turned out to fail for sure.

In such case, the SP was left blank. From a risk management point of view, turning a SP to green means that it can be considered 100% robust hence no longer monitored in any situation although experience “tested” it in a limited number of situations. These SPs were left blank in order not to be too optimistic and possibly miss a safety issue later on.





1 The instructions delivered by ATM don't lead to conflicting 4D paths

3 The crew/aircraft system correctly captures/picks up all the instructions addressed to it

7 Conflicting 4D paths built on purpose or not by ATC are anticipated and a relevant re-instruction is generated by ATC early enough to allow for preventing the separation with a converging A/C from reaching below an acceptable safety threshold

11 The crew/aircraft system correctly captures/picks up all the corrective instructions addressed to it

12 The crew/aircraft system correctly understands the contents of the corrective instruction/clearance captured if any (immediate process taking place when receiving the instruction)

13 The crew/aircraft system properly implements the corrective clearance/instruction as understood (within an acceptable time frame, at acceptable rates …)

17 The crew/aircraft system correctly captures/picks up all the recovery instructions addressed to it

18 The crew/aircraft system(s) correctly understands the contents of the recovery instruction/clearance captured (immediate process taking place when receiving the instruction)

19 The crew/aircraft system properly implements the recovery clearance/instruction as understood (within an acceptable time frame, at acceptable rates …)

20 The collision avoidance system detects the risk of imminent collision before the situation becomes unrecoverable

21 The collision avoidance system derives at least one relevant collision resolving option/solution (coherent solution taking into account both A/C) before the situation becomes unrecoverable

22 The collision avoidance system makes at least one relevant collision resolving option/solution available in a clear way to the crew/aircraft systems involved by the resolving option/solution before the situation becomes unrecoverable

23 The crew/aircraft systems involved properly receive at least one relevant collision resolving option/solution (global resolving option i.e. as compatible manoeuvres for both A/C) before the situation becomes unrecoverable

24 The crew/aircraft systems involved select a relevant collision resolving option/solution if various options are made available as the one to be implemented

25 The resolving option/solution selected is timely and properly implemented by both crew/aircraft systems involved (including no maneuver independently from the relevant global resolving option selected, within an acceptable time frame, at acceptable rates…)

27 AIP charts & Notams are available, and published in a legible & understandable way for flight ops charts designers

29 The crew/aircraft system properly understands chart-based ATM clearances/instructions

30 The instruction is actually implementable for the real situation of the day (e.g. within flight envelope, not too late to capture, ..) i.e. the instruction/clearance relevant from an ATC viewpoint is also relevant from the cockpit viewpoint i.e. the ATCO

32 The systems supporting the management of the flight path work properly

33 The A/C (ailerons, engines, rudder...) responds properly to demands from systems supporting the management of the flight path

37 The ATM system issues appropriate instructions early enough to allow a correction before acceptable tolerance is exceeded

38 The crew/aircraft system correctly understands instruction(s) early enough to allow a correction before acceptable tolerance is exceeded

46 The ATCO in contact with the deviating A/C issues a relevant re-instruction to the crew/aircraft system before T1




47 Verbal communication is transmitted to the crew/aircraft system in a clear and understandable way

50 The instruction is actually implementable for the real situation of the day (e.g. within flight envelope, not too late to capture, ..) i.e. the instruction/clearance relevant from an ATC viewpoint is also relevant from the cockpit viewpoint i.e. the ATCO

51 Proper inputs are made to systems supporting the management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

52 The systems supporting the management of the flight path work properly

53 The A/C (ailerons, engines, rudder...) responds properly to demands from systems supporting the management of the flight path

62 Accurate A/C trajectory data is built by the radar

63 The conflict situation is clearly visible on radar screen

65 The ATCO in control notices and recognizes STCA warning before an imminent collision situation develops

68 The collision avoidance system captures proximity information before the situation becomes unrecoverable

69 The collision avoidance system recognizes risk of imminent collision before the situation becomes unrecoverable (from proximity info captured)

70 The collision avoidance system transfers "risk of collision" alert to resolution providers before the situation becomes unrecoverable

71 The ATCOs concerned produce a global relevant avoidance solution (coherent solution taking into account both A/C) before the situation becomes unrecoverable

73 TCAS design specifications (e.g. algorithm) are able to produce relevant resolving solution (coherent solution taking into account both A/C) before the situation becomes unrecoverable

74 TCAS equipment is consistent with design specifications

75 Conditions (geometry; time limitations…) are within design envelope

76 TCAS functioning is not impaired by untimely actions (correctly set, maintained, …)

80 Relevant instructions corresponding to the solution are transmitted to crew(s) in a clear and unambiguous way (including the urge to act if any)

81 Cockpit(s) HMI present(s) the TCAS solution in a clear and unambiguous way to the flight crew(s)

84 Crews properly discriminate instructions addressed to them

85 Crews properly understand RT instructions (including urgency aspects)

86 Crews notice ACAS(s) RA(s) in due time if any

87 Crews correctly interpret ACAS RA if any

91 Each flight crew involved is covered by priority rules applicable to the situation

92 The priority rules applicable to the flight crews involved do allow for compatible solutions to be selected in both/all cockpits

93 Priority rules applicable to them are followed by the flight crews involved

98 The crew/aircraft system properly receives verbal ATM clearances/instructions

110 Proper inputs are made to systems supporting the lateral management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

111 Proper inputs are made to systems supporting the longitudinal management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

112 The A/C has a unique call sign

114 The crew doesn't identify itself to any callsign but its own one

123 ATCOs are aware of the traffic situation

124 ATCOs generate an appropriate solution and instruction before T1




125 The ATCO in contact with the deviating A/C issues the appropriate clearance/instruction to the relevant aircraft before T1

131 The crew/aircraft system properly receives verbal ATM clearances/instructions

132 Crews have sufficient resources left to pay attention to ATM clearances/instructions

133 A correct perception of verbal ATM clearances/ instructions leads to a correct understanding of the message by the crews

142 Proper inputs are made to systems supporting the vertical management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

143 Proper inputs are made to systems supporting the lateral management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

144 Proper inputs are made to systems supporting the longitudinal management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

145 Accurate A/C position data is available to the radar

147 TCAS switched on and fully operational (including not impaired) on at least one A/C

148 At least mode C transmitting properly accurate information on the other A/C

149 Situation within the design envelope of TCAS (closure rate, data quality)

150 Visibility allows for conflicting A/C detection (including night vision)

157 The ATCO in control recognizes STCA warning

158 Situation within TCAS specification for risk of collision recognition (including sufficient quality information available; geometry of the conflict; …)

159 TCAS algorithm is able to predict collision within its design envelope (specs are OK)

160 TCAS works as per design (construction OK, no impairment, as regards the risk of collision recognition function -possibly overlap with R B1.1.B1 addressing the information capture function…)

162 In the case of a recognition by the ATCO in charge of the 'risk of collision', transfer to the ATCO is immediate (always green)

163 In the case of both TCAS on and risk of collision recognized, TCAS correctly coordinates with the other TCAS (if applicable)

165 All flight crews share the same priority rules

166 The contents of the priority rules actually allow for compatible solutions to be selected in all cockpits involved

167 In the case of TCAS RA(s), the confidence of crew(s) in TCAS is not undermined

168 The crews involved know the priority rules applicable to them

169 The instructions coming from the source having priority in this situation are compatible with crews' perceived safe avoidance maneuver in this situation

171 Standard ICAO phraseology is shared by the pilots concerned

180 Transmission related hardware & software are operating properly

181 The quality of the RT signal is not impaired by background noise (e.g. introduced by weather )

182 RTF equipment works properly

183 RTF equipment is operated properly (set, tuned)

188 At least one pilot actually understands the clearance/instructions perceived

202 Third party pilots monitor RTF communication

206 The crew sets/programs the right height/altitude/FL target (correct value)

212 The ATCO(s) are properly aware of the assigned FL/ALT

214 The ATCOs actually detect the existing discrepancy before T1

227 RTF equipment works properly




228 RTF equipment is operated properly (set, tuned)

232 At least one pilot actually understands the clearance/instructions perceived

249 The crew correctly sets the altitude reference

250 The crew sets/programs the right height/altitude/FL target (correct figure and consistent with the reference)

251 The crew timely engages and maintains the correct implementation "mode"

256 Relative A/C proximity is clearly visible on radar screen (not overlap of labels...)

259 The ATCO in control notices STCA warning before the situation becomes unrecoverable

267 The assigned FL is correctly noted on the STRIP

268 The assigned FL is correctly noted on the relevant charts (e.g. SIDs & STARS)

271 The actual FL is correctly displayed by the Mode C channel

273 ATCOs monitor ALT/FL match after each pilot ALT/FL report

274 The information is available, readable on the radar screen

277 The crew uses right units (e.g. inches vs. hp), right values when setting the altitude reference

278 The crew correctly sets the altitude reference to the right value

279 The actual FL/ALT is correctly reported by pilots

280 The crew correctly determines the relevant altitude reference

281 The crew uses right units (e.g. inches vs. hp), right values when setting the altitude reference

282 The crew correctly sets the altitude reference to the right value

3.2.5. Left Blank by Lack of Information SPs

The SP does not play a major role in the safety architecture and:

• was called upon in several events with a variety of actual behaviours in these events that don’t converge or were mainly unsure behaviours;

• was called upon in too few events to allow for a natural conclusion regarding its robustness.

In such cases, the SP was left blank. Not enough information was available to make a proper decision as regards the level of trust that can be associated to it and it is not a problem not to have such assessment made as far as risk management is concerned given the role of the SP.





10 (In the actual situation) ATC makes the corrective instruction (including no instruction) available to the crew/aircraft system in a clear and unambiguous way early enough to allow for preventing the separation with a converging A/C from reaching below an acceptable safety threshold.

12 The crew/aircraft system correctly understands the contents of the corrective instruction/clearance captured if any (immediate process taking place when receiving the instruction)

15 (In the actual situation) The ATCO in control becomes aware of the conflict situation (if applicable) before an imminent collision situation develops

16 The ATCO in control issues a relevant (from an ATC viewpoint) corrective instruction (including no instruction) before an imminent collision situation develops

35 The crew/aircraft system corrects deviations from intended (according to their understanding of the clearance /instruction) flight path before acceptable tolerance is exceeded

39 The crew/aircraft system correctly implements instruction(s) before acceptable tolerance is exceeded

41 The crew/aircraft system is and remains willing to rely on the ATM system as regards its path

42 The crew/aircraft system is and remains able in principle to maintain its path (no emergency situation)

48 The crew/aircraft system properly understands verbal ATM clearances/ instructions

54 The crew/aircraft system detects deviations from intended (according to their understanding of the clearance /instruction) flight path early enough to allow a correction before acceptable tolerance is exceeded

60 The airspace design is such that the separation of predefined routes is compatible with the design specifications of ATC capabilities of detection and reaction in real time so that recovering a conflict situation before it would lead to an imminent collision

61 Routes making a conflict due to a deviation from one of them unrecoverable before it would lead to an imminent collision situation with an A/C on another one are not used simultaneously by ATC

67 The ATCO in control recognizes the conflict situation from his colleague's warning before an imminent collision situation develops

72 The solution anticipated by ATCO(s) is not compromised by unexpected A/C behaviour

83 Crews properly receive RT instructions

126 Another party makes a relevant corrective action available to the ATCO before T1

127 In the situation, ATCOS correctly use an ATM phraseology shared by Flight Crews

128 ATCOs articulate the instructions in a clear way

129 Transmission medium is clear and properly operated

130 The shared ATM phraseology used is by design unambiguous for the situation

134 The incorrect understanding by the pilot/AC system, if any, is detected an corrected by the read back hear back process between ATCOs and crews

135 An incorrect understanding by the pilot/AC system is detected and corrected by the read back hear back process by third party (pilots, supervisor)

151 Pilots scan for conflicting traffic

152 Conflicting A/C is within cockpit field of vision

153 Conflicting A/C is visible (lighting conditions, bearing, etc.)

155 The ATCO in control recognizes the risk before the situation becomes unrecoverable (no doubt induced by lack of STCA warning or any other reason)

161 Crews recognize correctly the collision risk visually

172 ATCOs correctly use national ATS provider phraseology

174 The speed and pace of the ATCOs speech are low enough to be understandable by all pilots involved in all aircraft




175 The number of instructions included in each ATCO message is small enough to be understandable by all pilots involved in all aircraft

176 The tone of ATCOs' speech is adapted to the content of the message

177 The accent used by ATCOs is understandable by all pilots involved in all aircraft

178 ATM HMI is properly operated, messages are unclipped

179 No malicious interference, no vocal interference occur

196 Pilots report their FL/ALT (flight path parameters) target when changing frequency

199 Third party ATCOs (e.g. supervisor) monitor RTF communication

203 Third party pilots detect FL/ALT (flight path parameters) errors in other pilots' messages

204 Third party pilots report FL/ALT (flight path parameters) errors in other pilots' messages to ATM

229 Cockpit task sharing allow for proper attention being paid to ATC communications

230 Workload level & on going crew activity (including cabin crew interactions) allow for proper attention being paid to ATC

231 Noise level in the cockpit is low enough to allow for proper attention being paid to RT

238 Pilots read back ATCOs instructions according to their understanding

239 ATCOs detect and correct errors in the pilots' read back messages

257 The ATCO in control notices from radar information imminent collision situation before the situation becomes unrecoverable

260 Another ATCO detects the proximity situation before the situation becomes unrecoverable

272 The number of A/C on the radar screen is low enough to allow FL monitoring at an acceptable frequency and ATCOs actually monitor the situation

3.2.6. Red SPs

SPs playing a too important role in the safety architecture to leave them blank or even yellow, given the repeated failures in events, even if successes were observed.

The SP plays such a role in the safety architecture that its failure leads to losing a whole protection layer. Therefore, failure of such SPs significantly weakens the existing safety system. Experience has shown through a number of events that failure of this SP is likely to happen although it is not always the case. Although the judgment is not obvious from these SPs various behaviours in the events analysed. Leaving them blank is likely to lead to no specific monitoring of their behaviour. Turning them to yellow would still be a weak attention getter for a risk manager, focused on the red colour.





8 The surrounding routes possibly used are by design far away enough to allow for the deviation to be corrected before it would lead to a conflict (unacceptable safety threshold) with an A/C anywhere on these surrounding routes

34 The crew/aircraft system anticipates deviations from intended (according to their understanding of the clearance /instruction) flight path early enough to allow a correction before acceptable tolerance is exceeded

36 The ATM system anticipates deviations from the assigned flight path early enough to allow a correction before acceptable tolerance is exceeded

40 The crew/aircraft system correctly discriminates instructions addressed to other A/C, if any, from instructions addressed to itself

45 ATC becomes aware of a deviation from the assigned flight path early enough to allow for preventing the separation with a converging A/C if any from reaching below an acceptable safe threshold (before T1)

115 The ATCO in contact with the A/C detects a vertical deviation from the assigned flight path if any before T1

205 The crew correctly sets the altitude reference

3.2.7. Yellow SPs

SPs playing a too important role in the safety architecture to leave them blank, that happened to fail a few times, although mainly succeeded or were repeatedly unsure, although intuitively considered robust by most people.

The SP plays such a role in the safety architecture that its failure leads to losing a whole protection layer. Therefore, failure of such SPs significantly weakens the existing safety system. Experience has shown through a number of events that failure of this SP is likely to happen although rarely compared to successes or that their behaviour is rather unsure although intuitively considered very robust by most people. Although the judgment is not obvious from these SPs various behaviours in the events analysed, leaving them blank is likely to lead to no specific monitoring of their behaviour. Turning them to red is too conservative, given their repeated successes or unsure behaviour and would not allow discriminating them from the previous ones. However, leaving them blank would lead to either insufficient monitoring given their role in the safety architecture or going on with intuitive ideas that turn out to be disputable.





2 ATC makes its instructions available to the crew/aircraft system in a clear and unambiguous way

4 The crew/aircraft system correctly understands the contents of the instruction/clearance captured if any (immediate process taking place when receiving the instruction)

5 The crew/aircraft system properly implements the clearance/instruction as understood (within an acceptable time frame, at acceptable rates …)

6 The crew/aircraft system doesn't change path independently from instruction/clearance addressed to it by ATC

9 (In the actual situation) ATC actually detects a deviation from the assigned flight path and derives a relevant (from an ATC viewpoint) corrective instruction (including no instruction) early enough to allow for preventing the separation with a converging

14 The surrounding routes possibly used are by design far away enough to allow for a conflict situation with an A/C anywhere on these surrounding routes to be recovered before it would lead to an imminent collision situation

26 verbal communication is transmitted to the crew/aircraft system in a clear and understandable way

28 The crew/aircraft system properly understands verbal ATM clearances/ instructions

31 Proper inputs are made to systems supporting the management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

64 The ATCO in control notices the conflict situation from the radar picture (raw data) before an imminent collision situation develops

66 Another ATCO notices the conflict situation and makes his colleague aware of the situation before an imminent collision situation develops

94 (In the situation) ATCOS correctly use an ATM phraseology shared by Flight Crews

95 ATCOs present the information in a clear, understandable and usable way

96 Transmission medium is clear and properly operated

97 The shared ATM phraseology used is by design unambiguous for the situation

99 Crews properly perceive verbal ATM clearances/instructions (have enough resources to do it and actually do it)

100 A correct perception of verbal ATM clearances/ instructions leads to a correct understanding of the message by the crews

109 Proper inputs are made to systems supporting the vertical management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

113 The crew correctly picks up the correct callsign in the ATCO's message (technically receives it properly & perceives it properly)

119 Another party detects a vertical deviation from the assigned flight path and makes it clear to the ATCO in charge before T1

146 The ATCO in control becomes aware of the imminent collision situation before the situation becomes unrecoverable

154 The ATCO in control detects (using radar info) the risk of imminent collision from the proximity info captured before the situation becomes unrecoverable (i.e. has enough time to screen radar picture + info presented in such a way that collision risk can be anticipated + …)

156 STCA detects the risk of imminent collision from proximity information captured

170 ATCOs correctly use a "standard" ICAO phraseology in the appropriate language

184 Cockpit procedures allow for proper attention being paid to ATC communications

185 Cockpit task sharing allow for proper attention being paid to ATC communications




186 Workload level & on going crew activity (including cabin crew interactions) allow for proper attention being paid to ATC

187 Noise level in the cockpit is low enough to allow for proper attention being paid to RT

194 Pilots read back ATCOs instructions according to their understanding

207 The crew timely engages and maintains the correct implementation "mode" (or maintains correct manual inputs if manual flight)

213 The ATCO(s) become aware of the actual FL/ALT before T1

258 STCA delivers a warning before the situation becomes unrecoverable

275 ATCOs scan radar screen for ALT/FL mismatch at any time (climb, descent, alt capture) before T1

276 The crew correctly determines the relevant altitude reference (i.e. they know and are aware they should use QNH or standard...)

283 STCA delivers a warning before the situation develops into an imminent collision situation

3.2.8. Not so Critical SPs

Not so critical SPs in the safety architecture that turned out to fail each time they were called upon, but they were not involved in enough events to turn them definitely red.

For these SPs, given their non-critical role but their suspicious behaviour, monitoring remains sufficient from a risk management viewpoint. Therefore, they were turned to yellow to constitute a reasonable attention getter without being too alarming.



191 Crews query about ATM clearances/ instructions when unsure of their understanding



3.3. OVERALL RESULTS

This assessment of the robustness of the various SPs of the safety architecture leads to the following global picture of the health of the safety system in place:

ACCIDENT

The collision avoidance

system detects the risk of imminent

collision before the situation

becomes unrecoverable


system derives at least one

relevant collision resolving

option/solution (coherent

solution taking into account

both A/C) before the situation

becomes unrecoverable


system makes at least one


option/solution available in a

clear way to the crew/aircraft

systems involved by the

resolving option/solution

before the situation becomes

unrecoverable

The crew/aircraft

systems involved

properly receive at least one


option/solution (global resolving

option i.e. as compatible

manoeuvres for both A/C) before

the situation becomes

unrecoverable

The crew/aircraft

systems involved select

a relevant collision resolving

option/solution if various options

are made available as the

one to be implemented

The resolving option/solution

selected is timely and properly

implemented by both

crew/aircraft systems involved

(including no maneuver

independently from the

relevant global resolving option selected, within an acceptable time frame, at

acceptable rates…)

R B1 - (20) R B2 - (21) R B3 - (22) R B4 - (23) R B5 - (24) R B6 - (25)

The surrounding routes possibly

used are by design far away enough to allow

for a conflict situation with an A/C anywhere

on these surrounding routes to be recovered

before it would lead to an imminent collision situation

(In the actual situation) The

ATCO in control becomes aware

of the conflict situation (if applicable) before an imminent collision situation develops

The ATCO in control issues a relevant (from

an ATC viewpoint) recovery

instruction (including no instruction) before an imminent collision situation develops

The crew/aircraft

system correctly captures/picks

up all the recovery

instructions addressed to it

The crew/aircraft system(s) correctly

understands the contents of the

recovery instruction/clearance captured

(immediate process taking

place when receiving the instruction)

The crew/aircraft

system properly implements the

recovery clearance/instru

ction as understood (within an

acceptable time frame, at

acceptable rates …)

R A1 - (14) R A2 - (15) R A3 - (16) R A4 - (17) R A5 - (18) R A6 - (19)

GENERIC INITIATOR: A/C reaching below an acceptable safe threshold (time to collision, distance, whatever the unit)



ACCIDENT


used are by design far away enough to allow for the deviation to be corrected before it would

lead to a conflict (unacceptable

safety threshold) with

an A/C anywhere on

these surrounding

routes

(In the actual situation) ATC actually detects a deviation from

the assigned flight path and

derives a relevant (from

an ATC viewpoint) corrective instruction

(including no instruction) early enough to allow for preventing the separation

with a converging A/C from reaching

below an acceptable

safety threshold (before T1)

(In the actual situation) ATC

makes the corrective instruction

(including no instruction)

available to the crew/aircraft system in a clear and

unambiguous way early

enough to allow for preventing the separation


below an acceptable

safety threshold (before T1)

The crew/aircraft


up all the corrective


The crew/aircraft

system correctly understands the contents of the

corrective instruction/clearance captured if any (immediate process taking


The crew/aircraft

system properly implements the

corrective clearance/instru




P C1 - (8) P C2 - (9) P C3 - (10) P C4 - (11) P C5 - (12) P C6 - (13)

Deviation from the assigned flight path (including level bust) Conflicting 4D paths built on purpose or not

by ATC are anticipated and a relevant re-instruction is generated by

ATC early enough to allow for preventing the separation


below an acceptable

safety threshold

ATC makes its instructions


unambiguous way

The crew/aircraft


up all the instructions

addressed to it

The crew/aircraft

system correctly understands the contents of the instruction/clearance captured if any (immediate process taking


The crew/aircraft

system properly implements the clearance/instru




The crew/aircraft

system doesn't change path

independently from

instruction/clearance addressed

to it by ATC

P B1 - (7) P B2 P B3 P B4 P B5 P B6



ACCIDENT

The instructions delivered by

ATM don't lead to conflicting 4D

paths

ATM makes its instructions


unambiguous way

The crew/aircraft


up all the instructions

addressed to it

The crew/aircraft

system correctly understands the contents of the instruction/clearance captured if any (immediate process taking


The crew/aircraft

system properly implements the clearance/instru




The crew/aircraft

system doesn't change path

independently from

instruction/clearance addressed

to it by ATC

P A1 - (1) P A2 - (2) P A3 - (3) P A4 - (4) P A5 - (5) P A6 - (6)

The safety architecture shows that the prevention layer is globally weak, because both “designed separation” and “tactical control based separation” heavily rely on a proper understanding (PA4 and PB4) and implementation (PA5 and PB5) of verbal instructions by aircrews, which are both fragile.

The detection (PC2) of deviations is weak because detection is based on the perception of actual deviations by controllers, rather than on anticipated deviations.

The implementation monitoring process is based on the same weak channel (verbal communication) as prevention, and is picking information too early in the implementation process (at the perception phase) so none of the consecutive failures can be detected by it.

In complex and dense airspace like large TMAs the design of relative trajectories is such that there is no room for deviations (PC1 is red). The system is not error tolerant: a deviation leads to a risky situation.

In the next paragraphs, the robustness of individual Level 1 safety principles is reviewed and discussed in more detail, through their decomposition.

3.4. ANALYSIS OF THE MAIN WEAKNESSES

3.4.1. Safety Principles PA2- PB2 (ATC Message Clarity)

The clarity of ATCOs messages (e.g. phraseology) is not always perfect, but the proportion of level bust incidents in which an obviously ambiguous ATC message has been found to be the triggering factor is rather low. This may be specific to the sample of incidents considered, possibly due to a good adherence to standard phraseology and fluency in English of the ATCOs in the Control Centres considered. But the fact that apparently clear messages can be easily misunderstood shows that only marginal improvements in the reliability of the understanding of instructions by crews can be expected through improving the quality of the verbal messages sent by ATCOs (e.g. phraseology, accent, …).

Furthermore, as shown by the decomposition below, it may well be difficult to improve significantly the message clarity.



ATM makes its instructions available to the crew/aircraft system in a clear and

unambiguous way

In the situation, ATCOS correctly use an ATM

phraseology shared by Flight Crews

ATCOs articulate the

instructions in a clear way Transmission medium is

clear and properly operated

The shared ATM phraseology used is by

design unambiguous for the situation

The speed and pace of the ATCOs speech are low

enough to be understandable by all pilots

involved in all aircraft

The number of instructions included in each ATCO

message is small enough to be understandable by all

pilots involved in all aircraft

The tone of ATCOs' speech is adapted to the content of

the message

The accent used by ATCOs is understandable by all

pilots involved in all aircraft

The speed and pace of the speech is constrained by the number of messages to be issued, and the diversity of accents even among native English speakers makes it very difficult to really standardise the messages. Only a comprehensive phonetic definition of the phraseology, and a thorough training for all controllers and pilots, including the native English speakers, could contribute a significant step ahead.



3.4.2. Safety Principles PA4- PB4: The Crew/aircraft System Correctly Understands the Contents of the Instruction/clearance Captured

These safety principles turn out to be quite weak. In their decomposition, the following conditions were identified as driving the first understanding attempt (before error detection and correction):

The crew/aircraft system correctly

understands the content of the instruction/clearance captured if any

(immediate process taking place when receiving the instruction)

The incorrect understanding by the pilot/AC system, if any, is detected and corrected by the read back hear back process by third parties (other crews,

supervisor...)

The incorrect understanding by the pilot/AC system, if any, is detected an corrected by the read back hear back process between ATCOs and crews

The crew/aircraft system properly receives verbal ATM

clearances/instructions

Crews have sufficient resources left to pay attention to ATM clearances/instructions

A correct perception of verbal ATM clearances/ instructions leads to a

correct understanding of the message by the crews

Crews query about ATM clearances/ instructions

when unsure of their understanding

The correct clearance is confirmed to the crews by

ATCOs

Crews correctly understand the confirmed & correct

clearance

At least one pilot actually understands the

clearance/instructions perceived

If in doubt, pilots cross check their understanding of

ATCOs (FL/ALT) instructions

Pilots detect and correct errors in their understanding

of ATCOs (FL/ALT) instructions

Pilots challenge unusual/unexpected

instructions

Particularly, the assumption that a correct perception of verbal ATM clearances/instructions by the crews leads to a correct understanding of the message, is often wrong because understanding is very context dependent. Pilots mainly match what they hear to what they expect, and wrong expectations easily lead to wrong understanding. The assumption that pilots would crosscheck their understanding in case of doubt, and correct their errors was proved wrong in most of the relevant events analysed.



Furthermore, the read-back/hear-back process turned out to be very weak:

The incorrect understanding by the pilot/AC system, if any, is detected an corrected by the read back hear back process between ATCOs and crews

It is decomposed in the safety architecture into two conditions:

Pilots read back ATCOs instructions according to their understanding

ATCOs detect and correct errors in the pilots' read back messages

Concerning the left-hand condition above, the read-back does not really allow checking the “crew understanding”, but only the PNF perception. Indeed, the check is performed through an immediate read-back of the message by the PNF. In fact, what is checked then is a “repeat the message” function, i.e. the transit of the message from the PNF ears to his/her mouth. Such a function gets quickly automated through routine, and does not necessarily involve understanding the message properly. Whereas what is of interest for safety is not only what the PNF actually understands, but also what the PF actually understands to be commanded to the A/C (and beyond that, what the “A/C” is finally commanded to do).

Concerning the right-hand safety principle above, it is very weak as well. Controllers mainly match what they hear to what they expect to hear, and they easily miss wrong acknowledgements, as shown by several of the analysed incidents. Consequently, even the PNF perception itself is poorly monitored. The read-back/hear-back process is unreliable as a monitoring process for the same kind of reasons that makes the message understanding unreliable. In other words, there is a common mode weakness in the message decoding and in the monitoring of the message decoding.

3.4.3. Safety Principles PA5 and PB5: The Crew/aircraft System Properly Implements the Clearance/instruction as Understood

There is a long process taking place, or supposed to take place, in the cockpit from perception of an ATC message to actual implementation:

• understanding of the message by PNF, • understanding of the message by PF, • communication between PNF and PF, • matching and consensus building about the meaning of the message, • action on controls by PF and/or PNF, • check of actions by PNF and/or PF, • check and cross check of action outcome (instruments reaction, A/C reaction…).

While trying to conduct the SMART analysis it appeared that ATM doesn’t know much about what actually goes on in the cockpit, and particularly about the potential “failure modes” of the understanding/implementation process in relationship with a specific ATC message and context. This is true for the ATCOs during real time interactions with the crews. This is also true for post incident analysis by ATC. The cockpit is a black box for ATC, and vice versa. Ground-air communication is not really seen as a collaborative process, and there is no collaborative investigation process in place between airlines and ATM. It is difficult for ATM to get data from airlines and for airlines to get data from ATM.



The background assumption is that if the message by the controller is incorrect, there is nothing to understand from the cockpit side, and if the message from the controller is correct, the crew should behave as instructed. In addition, by lack of a shared safety model, it is difficult for ATM to use data about what happened in the cockpit when they are available.

The SMART decomposition of the safety principle that the crew/aircraft system properly implements the clearance/instruction as understood, is as follows:

The ATM system anticipates deviations from the assigned

flight path early enough to allow a correction before acceptable tolerance is

exceeded

The ATM system issues appropriate instructions early enough to allow a

correction before acceptable tolerance is exceeded

The crew/aircraft system correctly understands

instruction(s) early enough to allow a correction before

acceptable tolerance is exceeded

The crew/aircraft system correctly implements instruction(s) before


The crew/aircraft system anticipates deviations from intended (according to their understanding of the clearance /instruction) flight path early enough to allow a correction

before acceptable tolerance is exceeded

The crew/aircraft system corrects deviations from intended (according to their understanding of the clearance

/instruction) flight path before acceptable tolerance is exceeded

The instruction is actually implementable for the real situation of the day (e.g.

within flight envelope, not too late to capture, ..) i.e. the

instruction/clearance relevant from an ATC

viewpoint is also relevant from the cockpit viewpoint i.e. the ATCO's knowledge of the situation is complete

enough ...

Proper inputs are made to systems supporting the

management of the flight path (e.g. FMS, AP,

avionics, ALT instruments…) The systems supporting the management of the flight

path work properly

The A/C (ailerons, engines, rudder...) responds properly to demands from systems

supporting the management of the flight path

Wrong inputs are detected by the ATM system before


A corrective instruction is issued in a clear and

unambiguous way to the crew before acceptable tolerance is exceeded

The crew properly understand the corrective

instruction

Wrong inputs are corrected by crews before acceptable

tolerance is exceeded

The crew correctly sets the altitude reference

The crew sets/programs the right height/altitude/FL target

(correct figure and consistent with the

reference)

The crew timely engages and maintains the correct implementation "mode"

As shown by the robustness assessment made from the incidents analysed, the setting of the altitude reference by the crew is a particularly unreliable process. The next level of decomposition shows that opportunities for errors are indeed multiple.

The crew correctly determines the relevant altitude reference (i.e. they know and are aware they should use QNH or standard…)

The crew uses right units (e.g. inches vs. hp), right values when setting the altitude reference

The crew correctly sets the altitude reference to the right value



However, the main weakness is probably that there is no immediate monitoring of the implementation of ATC instructions in the cockpit. The corresponding safety principle has been judged red.

Wrong inputs are detected by the ATM system before acceptable tolerance is

exceeded

This is perfectly understandable, as actual targets and flight modes input to the A/C systems are unknown to the ATCOs. Only visible deviations (on radar screen) on actual primary trajectory parameters are detectable, which constitutes a high inertia monitoring process. Consequently, deviation anticipation capabilities are very poor.

Finally, a better task sharing, a better crew resource management, principles based on a better understanding of the “failure modes” of the implementation process in the cockpit, may allow for some local improvement. However, as for the “ATC message clarity” issue, it is doubtful that such unilateral effort could lead to a very significant reliability improvement of vertical clearances implementation.

3.4.4. Safety Principle PC1: Airspace Design allows for Detection and Correction of Deviations from Assigned Flight Paths before Becoming a Threat

This safety principle also exhibits a major weakness at least for a complex airspace, like a large TMA, where any altitude deviation due to a wrong selected altitude by the pilot, virtually leads to an unsafe situation (and then requires a recovery process). In practice, many level busts/deviations do not actually lead to an unsafe situation thanks to the low density of airspace occupation (the probability of actually having a conflicting A/C in the most critical position is very low). In other words, when providence is left aside, the airspace design does not allow an error tolerant operation.

3.4.5. Safety Principles PA6 -PB6: Aircraft do not Change Path without Instruction to do so

In the current situation, we have the following safety model:

The crew/aircraft system doesn't change path independently from

instruction/clearance addressed to it by ATC


discriminates instructions addressed to other A/C, if any, from instructions

addressed to itself

The crew/aircraft system is and remains willing to rely on the ATM

system as regards its path

The crew/aircraft system is and remains able in principle to maintain its

path (no emergency situation)

Apart from emergency situations in which A/C are unable to maintain cleared trajectory (turbulence, technical failure...), which are rather rare, the main issue here is callsign confusion, leading to a clearance spurious perception.



The decomposition of the callsign discrimination principle is as follows:

The crew/aircraft system correctly discriminates instructions addressed to

other A/C, if any, from instructions addressed to itself

The A/C has a unique call sign

The crew correctly picks up the correct callsign in the ATCO's message (technically receives it properly & perceives it properly)

The crew doesn't identify itself to any callsign but its own one

Concerning callsign confusion, the same statement as for generic communication can be made, only marginal improvements can reasonably be expected through strategies like careful callsign attribution, communication protocols, or phraseology improvements.



4. SIMULATION OF POSSIBLE CHANGES

Since the airspace design, ATM anticipation capabilities issues, only intervenes in one prevention layer, which only exists in case a level bust occurs, the simulations were focused on the crew-aircraft communication issue.

The changes induced by the first recommendation i.e. that concerning a change in the read-back process are hard to anticipate without further investigation, especially as far as feasibility of such process is concerned and human factors related impacts.

Therefore, the simulations were carried out based on the two following options:

1. Introduction of a downlink of the selected level (selected altitude) to ATC, to allow a proper monitoring of the pilot maneuver,

2. Introduction of datalink between ATC and the A/C, ATC shall uplink the cleared flight level/altitude to the A/C and as a result, the A/C shall downlink the selected flight level/altitude to the ATC. This shall prevent callsign confusions and shall reduce the risk of “misunderstanding by the A/C” of the ATCO’s instruction.

Since these simulations were a first exploration without additional data collection, the results are optimistic and do not include any possible “side effect” related to such changes, although some potential drawbacks are nevertheless mentioned in the discussion of local impacts. Moreover, in order to locate and emphasize the potential improvements, SPs of which reliability is improved by the change have been turned to hatch green (although no real data is available).

4.1. IMPACT OF THE INTRODUCTION OF A DOWNLINK OF THE FMS SELECTED FLIGHT LEVEL TO ATC

4.1.1. Assumptions

All A/C and ATCC are equipped to transmit/receive ADS-B (Automatic Dependant Surveillance Broadcast) and “Selected Flight Level Warning” where the FMS selected FL is broadcast via ADS-B and compared to the controller input CFL.

4.1.2. Local Impacts

4.1.2.1. Safety Principles PA5 and PB5: The crew/aircraft system properly implements the clearance/instruction as understood

The next paragraph explains how the safety principles’ robustness would be affected by the implementation of a downlink of the FMS selected Flight Level to ATC computers. It is based on the re-analysis of the 35 events already analysed in the first part of the study. In each case, the colours of the concerned SPs have been re-assessed on the assumption that:

• all A/C were equipped with a downlink capability allowing ATC to detect that the selected FL in FMS is different from the cleared level;

• that the system is reliable and efficient, so that ATCOs actually detect differences between the FL selected in the FMS and the cleared level.



A hatched green is used to show that in this case, the safety principle “Wrong inputs are detected by the ATM system before acceptable tolerance is exceeded” would presumably be reliable (which would still be to be confirmed by experience of course).

Wrong inputs are detected by the ATM system before


A corrective instruction is issued in a clear and

unambiguous way to the crew before acceptable tolerance is exceeded

The crew properly understand the corrective

instruction

Wrong inputs are corrected by crews before acceptable

tolerance is exceeded




reference)


The rest of the safety architecture nevertheless shows that additional conditions have to be met before the level 1 safety principle…

The crew/aircraft system properly implements the clearance/instruction as understood (within an acceptable time

frame, at acceptable rates …)

… can be presumed robust as well. For example, a corrective instruction must be issued in a clear and unambiguous way to the crew before acceptable tolerance is exceeded. This capability will not be directly affected by the implementation of downlink information about the FMS selected FL to ATCOs. However, it could be indirectly affected, either positively (e.g. knowing the actual wrong selected FL can help the controller to figure out what is the best corrective clearance) or negatively (e.g. knowing the actual wrong selected FL can influence the controller judgement).

4.1.3. Overall Safety Impact of the Downlink Option

ACCIDENT

The collision avoidance system detects the risk of imminent collision


unrecoverable

The collision avoidance system

derives at least one relevant

collision resolving option/solution

(coherent solution taking into

account both A/C) before the

situation becomes unrecoverable


makes at least one relevant

collision resolving option/solution available in a


systems involved by the resolving option/solution


unrecoverable

The crew/aircraft systems involved properly receive

at least one relevant collision


(global resolving option i.e. as compatible

maneuver for both A/C) before the


The crew/aircraft systems involved select a relevant

collision resolving option/solution if various options





implemented by both crew/aircraft systems involved


independently from the relevant global resolving option selected,

within an acceptable time

frame, at acceptable

rates…)

R B1 - (20) R B2 - (21) R B3 - (22) R B4 - (23) R B5 - (24) R B6 - (25)



ACCIDENT The surrounding routes possibly


for a conflict situation with an A/C anywhere on these surrounding

routes to be recovered before it would lead to an imminent collision

situation


ATCO in control becomes aware of

the conflict situation (if

applicable) before an imminent

collision situation develops

The ATCO in control issues a

relevant (from an ATC viewpoint)

recovery instruction

(including no instruction) before

an imminent collision situation

develops


captures/picks up all the recovery




recovery instruction/clearan

ce captured (immediate

process taking place when

receiving the instruction)

The crew/aircraft system properly implements the

recovery clearance/instruction as understood

(within an acceptable time


R A1 - (14) R A2 - (15) R A3 - (16) R A4 - (17) R A5 - (18) R A6 - (19)





safety threshold) with an A/C

anywhere on these surrounding

routes


actually detects a deviation from the

assigned flight path and derives a relevant (from


(including no instruction) early enough to allow

for preventing the separation with a converging A/C from reaching

below an acceptable safety

threshold (before T1)




available to the crew/aircraft

system in a clear and unambiguous way early enough

to allow for preventing the

separation with a converging A/C from reaching


threshold (before T1)


captures/picks up all the corrective


The crew/aircraft system correctly understands the contents of the

corrective instruction/clearance captured if any




corrective clearance/instruction as understood



P C1 - (8) P C2 - (9) P C3 - (10) P C4 - (11) P C5 - (12) P C6 - (13)

Deviation from the assigned flight path (including level bust)

Conflicting 4D paths built on

purpose or not by ATC are

anticipated and a relevant re-instruction is

generated by ATC early enough to

allow for preventing the



threshold



system in a clear and unambiguous

way


captures/picks up all the instructions

addressed to it


instruction/clearance captured if any




clearance/instruction as understood


frame, at acceptable rates

…)

The crew/aircraft system doesn't

change path independently

from instruction/clearance addressed to it

by ATC

P B1 - (7) P B2 P B3 P B4 P B5 P B6



ACCIDENT

The instructions delivered by ATM

don't lead to conflicting 4D

paths




way



addressed to it












by ATC

P A1 - (1) P A2 - (2) P A3 - (3) P A4 - (4) P A5 - (5) P A6 - (6)

4.2. IMPACT OF THE INTRODUCTION OF BOTH DOWN & UP LINK

4.2.1. Assumptions

The uplink option considered in the following simulation is not based on the current version of the CPDLC, but rather on the performances that would allow for enhancing safety as they were described in the recommendations. The main characteristics of the uplink envisaged here are the following:

• Datalink (CPDLC – Controller Pilot Data Link Communications) and ADS-B, for the second case (Introduction of datalink between ATC and the A/C),

• timing of the up link is comparable to that of downlink, which is not the case for the actual CPDLC. Actually, it takes normally 2 min and can take up to 5 min, making it usable for strategic control only whereas in the simulation, it is envisaged for tactical control as well;

• datalink is used in substitution to R/T rather than in parallel with R/T,

• all A/C and ATCC are equipped to transmit/receive ADS-B (Automatic Dependant Surveillance Broadcast) and “Selected Flight Level Warning” where the FMS selected FL is broadcast via ADS-B and compared to the controller input CFL.

4.2.2. Local Impacts

4.2.2.1. Safety Principles PA5 and PB5: The crew/aircraft system properly implements the clearance/instruction as understood

The next paragraph discusses how the safety principles’ robustness would be affected by the implementation of a direct uplink of the cleared flight levels to the A/C flight management computer, in parallel to the transmission to the crew. It is based on the re-analysis of the 35 events analysed and in each case, the colours of the concerned SPs have been re-assessed on the assumption that:

• all A/C were equipped with an uplink capability allowing ATC to transfer the cleared FL to the FMS for crew approval (“kind of” CPDLC);

• system was reliable and efficient, so that ATCOs can actually transfer the cleared FL to the FMS, and pilots can actually understand and approve the clearances.



A hatched green is used to show that in this case, the safety principle “The crew sets/programs the right height/altitude/FL target (correct figure and consistent with the reference)” would presumably be reliable.




reference)


The rest of the safety architecture nevertheless shows that additional conditions have to be met before the level 1 safety principle…

The crew/aircraft system properly implements the clearance/instruction as understood (within an acceptable time frame, at acceptable rates …)

… can be presumed robust as well.

For example, “The crew correctly sets the altitude reference” is currently unreliable and will only be directly affected by the implementation of an uplink transfer of the clearances into the FMS if the altitude reference is included in the clearance. Similarly, “The crew timely engages and maintains the correct implementation mode” will probably not be directly affected, but it could be indirectly affected either positively or negatively, depending on the corresponding HMI design in the cockpit.

4.2.2.2. Safety Principles PA6 -PB6: Aircraft do not change path without instruction to do so

The uplink option would guarantee a selective clearance addressing process. Therefore, we would presumably have the following safety model:

The A/C has a unique call sign

The crew correctly picks up the correct callsign in the ATCO's

message (technically receives it properly & perceives it properly)

The crew doesn't identify itself to any callsign but its own one

Clearance address discrimination would be presumably much more reliable, so we can use the hatched green code for the two above safety principles. The main weak point would be fixed, but before we can claim that, the higher-level safety principle is presumably robust….

The crew/aircraft system correctly discriminates instructions addressed to

other A/C, if any, from instructions addressed to itself

…. the status of “The A/C has a unique call sign” must be assessed.

At the same time, a selective clearance addressing would on the other hand have some impact on other aspects of the safety architecture. It would cancel the benefit of party line (pilots monitoring all in the same frequency). It would possibly modify the clearance understanding conditions by the crew, depending on the way it is implemented (vocal, display, etc.). It may make the detection and the understanding of the clearance in the cockpit easier or more difficult. For example, one could assume that the attention need, and then the workload, would be lower, because there would be no need for monitoring the RTF anymore. However, some side effects could well be introduced.

Therefore, the safety architecture should be reviewed in detail, with the perspective to anticipate the impact of the implemented solution on the different safety principles.



4.2.3. Overall Safety Impact of the Uplink & Downlink Option

ACCIDENT

The collision avoidance system detects the risk of imminent collision


unrecoverable


derives at least one relevant

collision resolving option/solution

(coherent solution taking into

account both A/C) before the



makes at least one relevant

collision resolving option/solution available in a


systems involved by the resolving option/solution


unrecoverable

The crew/aircraft systems involved properly receive

at least one relevant collision


(global resolving option i.e. as compatible

manoeuvres for both A/C) before

the situation becomes

unrecoverable

The crew/aircraft systems involved select a relevant

collision resolving option/solution if various options





implemented by both crew/aircraft systems involved


independently from the relevant global resolving option selected,

within an acceptable time

frame, at acceptable

rates…)

R B1 - (20) R B2 - (21) R B3 - (22) R B4 - (23) R B5 - (24) R B6 - (25)



for a conflict situation with an A/C anywhere on these surrounding

routes to be recovered before it would lead to an imminent collision

situation


ATCO in control becomes aware of

the conflict situation (if

applicable) before an imminent

collision situation develops

The ATCO in control issues a

relevant (from an ATC viewpoint)

recovery instruction

(including no instruction) before

an imminent collision situation

develops


captures/picks up all the recovery




recovery instruction/clearan

ce captured (immediate

process taking place when

receiving the instruction)


recovery clearance/instruction as understood



R A1 - (14) R A2 - (15) R A3 - (16) R A4 - (17) R A5 - (18) R A6 - (19)




ACCIDENT




safety threshold) with an A/C

anywhere on these surrounding

routes


actually detects a deviation from the

assigned flight path and derives a relevant (from


(including no instruction) early enough to allow

for preventing the separation with a converging A/C from reaching

below an acceptable safety threshold (before

T1)





system in a clear and unambiguous way early enough

to allow for preventing the


below an acceptable safety threshold (before

T1)


captures/picks up all the corrective



corrective instruction/clearance captured if any




corrective clearance/instruction as understood



P C1 - (8) P C2 - (9) P C3 - (10) P C4 - (11) P C5 - (12) P C6 - (13) Deviation from the assigned flight path (including level bust)

Conflicting 4D paths built on

purpose or not by ATC are

anticipated and a relevant re-instruction is

generated by ATC early enough to

allow for preventing the



threshold




way



addressed to it












by ATC

P B1 - (7) P B2 P B3 P B4 P B5 P B6

The instructions delivered by ATM

don't lead to conflicting 4D

paths




way



addressed to it












by ATC

P A1 - (1) P A2 - (2) P A3 - (3) P A4 - (4) P A5 - (5) P A6 - (6)



5. CONCLUSIONS AND RECOMMENDATIONS

5.1. CONCLUSIONS

The current situation seems to be a rather weak prevention layer, this weakness being hidden by the role of low airspace occupation density (alias for “providence”), and a rather efficient recovery layer.

Both “designed separation” and “tactical control based separation” heavily rely on a proper understanding and implementation of verbal instructions by aircrews, which are both fragile.

The detection and correction of deviations are weak because detection is based on the actual perception of deviations by controllers, not on anticipated deviations

The implementation monitoring process is based on the same weak channel (verbal communication) and is picking information too early in the implementation process (at the perception phase) so none of the consecutive failures can be detected by it.

In complex and dense airspace like large TMAs the design or relative trajectories is such that there is no room for deviations. The system is not error tolerant, a level/altitude deviation may lead to a dangerous situation. Departure routes intersecting arrival routes one Flight Level below a holding stack, gives no margin for error if the climbing aircraft is busting its cleared flight level. The recovery of such a situation is poor as well, usually is TCAS and providence that saves the day.

The clarity of ATCOs messages can be a trigger factor in level bust incidents. The fact that apparently clear messages can be easily misunderstood shows that only marginal improvements in the reliability of the understanding of instructions by crews can be expected through improving the quality of the verbal messages sent by ATCOs

The assumption that a correct perception of verbal ATM clearances/instructions by the crews leads to a correct understanding of the message, is often wrong because understanding is very context dependent. Pilots mainly match what they hear to what they expect, and wrong expectations easily lead to wrong understanding.

The assumption that pilots would crosscheck their understanding in case of doubt, and correct their errors was proved wrong in most of the relevant events analysed.

There is a long process taking place, or supposed to take place, in the cockpit from perception of an ATC message to actual implementation. Here is a long chain where error may occur and obviously trigger a level bust incident.

Concerning callsign confusion, the same statement as for generic communication can be made, only marginal improvements can reasonably be expected through strategies like careful callsign attribution, communication protocols, or phraseology improvements.

Improving the understanding between the ATCO and the A/C (including that of their intentions) seems to be a promising way to enhance safety. If uplink of a clearance and downlink of the selected Flight Level have been explored through simulation as options to do so, and datalink as envisaged in the simulation shows extremely interesting results, other ways can be envisaged and need to be envisaged. Datalink as referred to in the SMART simulation remains an extremely long-term option since it would require a technology much more advanced than the currently supporting datalink systems (CPDLC).



Alternative ways to overcome some of the main ATC-aircraft communication weaknesses, more realistic in a short or medium term do exist such as the two steps read back process aforementioned. Still, such change requires further investigation reaching beyond the sole use of the SMART approach since fine human factor mechanisms are involved.

5.2. RECOMMENDATIONS

5.2.1. Consistency Between Airspace Design and ATM Anticipation Capabilities

In some areas, it seems that there is a real inconsistency between airspace design and ATM anticipation capabilities, making the system intolerant to any vertical deviation in the sense that such an event directly leads to a safety relevant situation. Although not easy to implement, the recommendations to overcome this limitation (existing only in some areas), would be to:

1. Change the design of predefined routes to increase the time available to recover a deviation before it leads to a serious conflict (e.g. make sure the smallest separation takes place on stabilized trajectories rather than on trajectories with rates of change that decrease the reaction time, if recovery is needed).

2. Design the departure routes so as not to intersect arrival routes, or at least not to intersect them at the IAF (Initial Approach Fix), nor where the holding stacks are.

3. Enhance the ATM capabilities to anticipate deviations through a monitoring of the flight parameters rate of change rather than of real time position.

5.2.2. ATC – Crew/Aircraft System Communication

The analysis of the most critical weaknesses highlights the role played by the communication between ATC and the crew/aircraft system rather than the ATCO and the PNF. Safety enhancement relies on a significant change in the communication philosophy (not only process) to make sure that the ATCO’s message actually gets through to the A/C and that the ATCO gets insights on the A/C understanding of his/her clearance and intentions. This extended loop could be achieved through various processes, more or less technology-based such as:

1. A modification of the read-back process to include at some point the selected targets (selected Flight Level) to be commanded to the A/C. For instance, a two stage read-back could be introduced:

a) a short acknowledgment by the pilot, (like “roger”) immediately after receiving the clearance,

b) once the implementation has been initiated and targets (selected Flight Level) about to be activated, read-back by PNF of the value displayed on the instruments,

c) Such a process would not prevent callsign confusion.

2. An ATM uplink of the Cleared Flight Level to the aircraft, using CPDLC. This shall prevent callsign confusion, RT misunderstanding of the cleared Flight Level, but today can be used only for non-time critical clearances and it is still a possibility of error because pilot has understand the written message and correctly implement it into the FMS (aircraft systems).



3. An ATM uplink of the Cleared Flight Level to the aircraft, direct to the FMS. This procedure doesn’t exist in present, and has to be validated.

4. A downlink of the FMS selected Flight Level to ATC, using the existing ADS-B, to allow for a proper monitoring of the air situation by ATC. Such a process would not prevent callsign confusion but the ATC shall have a clear view of what is the aircraft going to perform.

5. A combination of the last 3 points (2/3 and 4). In terms of level bust prevention would be the best solution but not realistic because of the existing technology.

Étude des Transgressions de Niveau de Vol fondée sur les Principes de Sécurité EUROCONTROL

Projet SFT-1-RD-MODS – Rapport CEE n° 402 45

TRADUCTION EN LANGUE FRANÇAISE

SYNTHESE Le présent rapport décrit une étude sur les transgressions de niveau de vol réalisée sur la base des « Principes de Sécurité » (développés d’après la méthode SMART).

« Un principe de sécurité » se définit comme une hypothèse formulée sur ce qui est censé rendre le système ATM sûr dans le modèle de sécurité défini à priori.

L’ « Architecture de Sécurité » se définit comme la combinaison logique et hiérarchique des principes de sécurité qui constituent les protections de sécurité liées à un « Initiateur Générique ».

L’architecture de sécurité, ou modèle de sécurité, d’un système ATM générique consiste en une série de barrières et de grilles de protection, qui découlent toutes de nombreux principes de sécurité.

L’architecture de sécurité d’un système ATM générique a été mise au point par une équipe composée d’experts ATM, de pilotes, d’experts des facteurs humains et de responsables des enquêtes sur les incidents. L’objectif était de mettre en lumière non seulement les principes de sécurité imparfaits mais aussi ceux particulièrement efficaces.

Par la suite, de véritables incidents ont été étudiés au moyen de l’architecture de sécurité et chaque principe de sécurité a fait l’objet d’une analyse de « comportement », positif ou négatif, pour tous les incidents considérés.

Une fois cet exercice achevé, des statistiques claires ont été élaborées sur le « comportement » de chaque principe de sécurité. Quelques solutions visant à pallier les transgressions de niveau de vol ont été proposées, puis «simulées» dans le cadre de l’architecture de sécurité.

Des conclusions et recommandations ont été rédigées en conséquence.

1. INTRODUCTION

1.1. CONTEXTE

Le problème des transgressions de niveau de vol et des écarts d’altitude remonte aux origines de l’aviation. L’amélioration de la gestion de la sécurité et des systèmes de notification nous permet de cerner plus précisément l’ampleur du problème.

Grâce au TCAS et à l’ACAS, le risque de collision entre deux aéronefs équipés d’un ACAS a pu être réduit d’un facteur de 25. Pour autant, l’incidence des transgressions de niveau de vol ne semble pas décliner et pourrait être plus importante que nous le pensons.

Bien que le risque d’abordage en vol se soit considérablement réduit à la suite de l’introduction de l’ACAS, la croissance du trafic aérien nous impose de trouver, sans plus attendre, des solutions au problème des transgressions de niveau de vol. La réduction de ces transgressions et des risques qu’elles comportent constitue un défi pour la communauté aéronautique dans son ensemble.

EUROCONTROL Étude des Transgressions de Niveau de Vol fondée sur les Principes de Sécurité

46 Projet SFT-1-RD-MODS - Rapport CEE n° 402

rien supérieur non spécifié

127

1.1.1. Rappel

Toutes les trente minutes, quelque part dans le monde, un appareil transgresse son niveau de vol autorisé. Chaque jour, la perte de séparation signifie que deux aéronefs se rapprochent à moins d’1 NM l’un de l’autre2.

1.1.2. Justification

Nombre de transgressions de niveau de vol dans l’espace aérien du Royaume-Uni notifiées par les centres ATC de NATS :

• 1999 308 • 2000 308 • 2001 281 • 2002 293

Nombre d’incidents notifiés par les opérateurs aériens ou les contrôleurs au cours des trois dernières années :

• Notifications ATC sur BAW 35 • Notifications de BAW 98 • Notifications ATC sur BRY 7 • Notifications de BRY 15

Nombre de transgressions de niveau de vol notifiées par les opérateurs aériens britanniques en Europe au cours des 3 dernières années.

• France 29 • Espagne 19

Italie 14 •

Belgique 12 •

• Allemagne 11 • Suisse 8 • Pays-Bas 7 • Espace aé 16 • Autres pays 11 • Total

2 Réunion du SISG12, à Bruxelles, le 4 avril 2003 – Équipe spéciale n° 1 sur la transgression des niveaux de vol, « En route to reducing Level Busts » - présentation de M. John Barrass.



Nombre de transgressions de niveau de vol notifiées par les opérateurs aériens britanniques au niveau mondial au cours des 3 dernières années.

• Europe 127 • Amérique du Nord 30 • Contrôle régional océanique de l’Atlantique Nord 19 • Extrême-Orient 14 • Russie 7 • Pays du Golfe / Pays arabes 6 • Afrique 6 • TOTAL 209

1.1.3. Définition des Transgressions de Niveau de Vol

Une transgression de niveau de vol est définie comme une situation dans laquelle un vol ne stabilise pas ou ne maintient pas le niveau de vol ou l’altitude qui lui a été assigné par l’ATC et, ce faisant, accuse un écart de plus de 300 pieds.

La définition ci-dessus recouvre des situations diverses (comportant parfois encore certaines ambiguïtés), telles que :

1. un écart permanent par rapport au niveau de vol ou à l’altitude assigné(e) pour cause de mauvais paramétrage de l’altimètre, compensation de l’AP, etc. ;

2. un dépassement au cours de la saisie du niveau de vol ou de l’altitude ;

3. un écart momentané par rapport au niveau de vol ou à l’altitude assigné(e), par suite de problèmes techniques, de turbulences, d’ondes orographiques, etc. ;

4. une descente à un niveau de vol ou à une altitude supérieur(e) à ce qui a été assigné, ou une montée à un niveau de vol ou à une altitude inférieur(e) à ce qui a été assigné ;

5. une descente à un niveau de vol ou à une altitude inférieur(e) à ce qui a été assigné, ou une montée à un niveau de vol ou à une altitude supérieur(e) à ce qui a été assigné ;

6. un vol évoluant en permanence à un niveau de vol ou une altitude incorrect(e).

1.1.4. Description du Projet

Les transgressions de niveau de vol constituent l’un des plus dangereux facteurs d’abordage en vol. Une transgression de niveau de vol se définit globalement comme une situation dans laquelle un appareil ne maintient pas le niveau de vol qui lui a été assigné par l’ATC. EUROCONTROL a commencé à organiser des ateliers sur les transgressions de niveau de vol en 2002, puis a mis sur pied une équipe spéciale (Task Force) chargée d’élaborer un plan d’action ainsi qu’une « boîte à outils » en vue de la réduction des transgressions de niveau de vol.

L’un des objectifs de l’équipe spéciale était de rechercher des idées et des solutions en réponse au problème des transgressions de niveau de vol, compte tenu de la conception actuelle du système ATM et des pratiques en vigueur. À la mi-2003, EUROCONTROL a lancé un projet visant à analyser l’intérêt potentiel d’une étude qui mettrait les principes de sécurité en rapport avec les transgressions de niveau de vol.



La méthode appliquée a été baptisée SMART (pour Safety Management Assistance and Recording Tool – Outil d’enregistrement et d’assistance à la gestion de la sécurité).

Dans un premier temps, l’action a été centrée sur le développement d’une architecture de sécurité explicitant les mesures mises en place pour prévenir les transgressions ou les corriger.

Une fois que cette architecture bien structurée a été établie, la deuxième phase de travail a consisté à tirer des enseignements pertinents, en termes de sécurité, des phénomènes de transgression, à partir de l’analyse d'événements réels, effectuée à l’aide des données de base issues de la phase précédente.

1.2. OBJECTIFS

1. Mettre en évidence les situations susceptibles d'entraîner des transgressions de niveau de vol.2. Développer une vision des transgressions de niveau de vol dans l’ensemble de l‘Europe, au moyen de l’outil SMART.

3. Cerner les failles qui peuvent conduire à des transgressions de niveau de vol.

4. Élaborer un modèle d’architecture de sécurité intégrant la problématique des transgressions de niveau de vol.

5. Identifier les points faibles et évaluer leurs incidences relatives.

6. Formuler des recommandations en vue de pallier l’insuffisance des protections existantes face aux incidents liés aux transgressions de niveau de vol.



2. CONCLUSIONS ET RECOMMANDATIONS

2.1. CONCLUSIONS

Il semble que la situation actuelle n’offre qu’une apparence de prévention, cette lacune étant masquée par l’effet de la faible densité de trafic dans l’espace aérien (autrement dit, par la « providence »), ainsi que par un dispositif de récupération plutôt efficace.

La « séparation systémique » et la « séparation liée au contrôle tactique » reposent toutes deux sur une bonne compréhension et une application correcte des instructions verbales par les équipages de conduite, deux éléments qui ne peuvent être tenus pour acquis.

La détection et la correction des écarts sont insuffisants parce que la détection repose sur la perception concrète des écarts par les contrôleurs, et non sur les écarts anticipés.

Étant donné que le processus de suivi de la mise en oeuvre se fonde sur le même canal imparfait (la communication verbale) et recueille des informations trop tôt dans le processus de mise en oeuvre (lors de la phase de perception), il ne permet de détecter aucune des lacunes qui s’ensuivent.

Dans un espace aérien complexe et dense, comme c’est le cas des grandes TMA, les trajectoires nominales ou relatives sont telles qu’elles n’autorisent aucun écart. Le système ne tolère aucune erreur, car un écart de niveau de vol ou d’altitude peut engendrer une situation dangereuse. Lorsque des routes de départ croisent des routes d’arrivée en dessous d’une aire d’attente à une distance verticale équivalente à un niveau de vol, il n’existe aucune marge d’erreur si l’appareil ascendant transgresse son niveau de vol autorisé. La récupération d’une telle situation est aussi très aléatoire, et repose généralement sur le TCAS ou la providence.

La clarté des messages des contrôleurs peut s’avérer un facteur décisif dans les incidents impliquant des transgressions de niveau de vol. Le fait que des messages en apparence clairs puissent aisément donner lieu à des malentendus montre qu’une meilleure qualité des messages verbaux transmis par les contrôleurs ne pourra améliorer que marginalement la fiabilité de la compréhension des instructions transmises à l’équipage.

L’idée selon laquelle la perception correcte, par l’équipage, des clairances et des instructions ATM communiquées verbalement induit une bonne compréhension du message se confirme rarement, car la compréhension est éminemment fonction du contexte. Souvent, les pilotes assimilent ce qu’ils entendent à ce qu’ils attendent, et des attentes erronées peuvent aisément conduire à une mauvaise compréhension.

L’hypothèse selon laquelle les pilotes vérifieraient par recoupement leur compréhension d’un message en cas de doute, et corrigeraient leurs erreurs, n’a pas résisté à l’analyse de la plupart des événements retenus.

Dans le cockpit, un long processus se déroule, ou doit se dérouler, entre la perception d’un message ATC et son application concrète, une succession d’événements où le risque d’erreur est réel et pourrait entraîner un incident de transgression de niveau de vol.

Concernant les confusions d’indicatifs, les remarques formulées à propos de la communication en général s’appliquent également : des stratégies telles que l’attribution scrupuleuse des indicatifs d’appel, les protocoles de communication, ou l’aménagement de la phraséologie ne peuvent valablement apporter que des améliorations marginales.



Améliorer la compréhension entre les contrôleurs et les équipages (notamment au niveau de leurs intentions) semble une option prometteuse pour le renforcement de la sécurité. Si la transmission par liaison montante d’une autorisation et la transmission par liaison descendante du niveau de vol sélectionné ont été étudiées par simulation en tant qu’options envisageables, et si la liaison de données, telle qu’elle est envisagée dans la simulation, affiche des résultats extrêmement intéressants, d’autres voies peuvent et doivent être envisagées. La liaison de données dont il est question dans la simulation SMART reste véritablement une option à très long terme puisqu’elle suppose le recours à une technologie bien plus avancée que celle qui existe actuellement comme support aux systèmes de liaison de données (CPDLC).

Il existe d’autres solutions pour pallier quelques-unes des principales faiblesses de la communication entre l’ATC et l’aéronef, plus réalistes à court ou moyen terme, comme le processus susmentionné de répétition pour vérification en deux temps. Pour autant, un tel changement appelle un examen plus approfondi, au-delà du simple recours à l’approche SMART, étant donné qu’il fait intervenir des mécanismes précis en rapport avec les facteurs humains.

2.2. RECOMMANDATIONS

2.2.1. Cohérence entre l’Organisation de l’Espace Aérien et les Capacités d’Anticipation de l’ATM

Une profonde incohérence semble régner, dans certaines zones, entre l’organisation de l’espace aérien et les capacités d’anticipation de l’ATM, ce qui rend le système intolérant à tout écart vertical, un tel événement entraînant immédiatement une situation préoccupante du point de vue de la sécurité. Bien qu’elles ne soient pas simples à mettre en oeuvre, les recommandations pour pallier cette limitation (qui ne prévaut pas partout) seraient les suivantes :

1. Modifier la structure des routes prédéfinies, dans le but d’accroître le temps de réaction disponible pour corriger un écart avant que celui-ci ne mène à un conflit grave (par exemple, veiller à ce que la séparation la plus faible soit appliquée sur des trajectoires stabilisées plutôt que sur des trajectoires dont la variabilité inhérente réduit le délai de réaction, en cas de rectification nécessaire).

2. Concevoir les routes de départ de manière à éviter tout croisement avec les routes d’arrivée, ou tout au moins que ce croisement ne se produise ni à la balise d’approche initiale (IAF), ni au niveau des aires d’attente.

3. Améliorer les capacités de l’ATM pour anticiper les écarts, par une surveillance de la vitesse d’évolution des paramètres de vol plutôt que de la position en temps réel.

2.2.2. Communication ATC – Equipage / Système de Bord

L’analyse des insuffisances les plus critiques met en évidence le rôle de la communication entre l’ATC et l’équipage ou le système de bord, plutôt qu’entre le contrôleur et le pilote (PNF). L’amélioration de la sécurité passe par un changement en profondeur de la philosophie de communication (pas seulement des processus) pour veiller à ce que les messages des contrôleurs parviennent correctement aux aéronefs et que les contrôleurs puissent juger la compréhension, par l’équipage, de la clairance donnée ou des intentions du cockpit.



Ce mécanisme en boucle élargie pourrait trouver sa concrétisation au travers de différents processus, reposant dans une plus ou moins large mesure sur la technologie, par exemple :

1. Une modification de la procédure de répétition pour vérification, aux fins d’y inclure, à un stade donné, les cibles définies (niveau de vol sélectionné) qui doivent être communiquées à l’aéronef. À titre d’exemple, il serait possible de mettre en place une procédure de répétition pour vérification en deux temps :

a) un bref accusé de réception (comme « roger ») transmis par le pilote, immédiatement après réception de la clairance ;

b) une fois le processus mis en œuvre et les cibles (niveau de vol sélectionné) sur le point d’être activées, le PNF répète, pour vérification, la valeur affichée sur les instruments ;

c) un tel système n’empêcherait pas les confusions d’indicatif d’appel.

2. Une transmission par liaison ATM montante du niveau de vol autorisé vers l’appareil, au moyen du CPDLC. Cette solution permettrait d’éviter la confusion des indicatifs d’appel, ou la mauvaise compréhension radiotéléphonique du niveau de vol autorisé, mais aujourd’hui, elle ne peut être appliquée qu’aux clairances à facteur temps «non critique» et une erreur reste possible car le pilote doit encore comprendre le message écrit et l’encoder correctement dans le FMS (système de bord).

3. Une transmission par liaison ATM montante du niveau de vol autorisé vers l’appareil, directement dans le FMS. Cette procédure n’existe pas pour le moment et devrait être validée.

4. Une transmission par liaison descendante du niveau de vol sélectionné par le FMS vers l’ATC, au moyen de l’actuel ADS-B, ce qui permet un suivi correct de la situation aérienne par l’ATC. Un tel système ne permettrait pas d’éviter les confusions d’indicatifs d’appel, mais l’ATC aurait une vision claire de la manière dont l’appareil va manoeuvrer.

5. Une combinaison des 3 points qui précèdent (2, 3 et 4). En termes de prévention des transgressions de niveau de vol, ce serait la meilleure solution, mais elle n’est pas réaliste car la technologie actuelle ne le permet pas.



Page intentionnally left blank


Project SFT-1-RD-MODS - EEC Report No. 402 53

ANNEX


54 Project SFT-1-RD-MODS – EEC Report No. 402

Page Intentionally left blank



ANNEX A - LEVEL BUST SAFETY ARCHITECTURE3

ACCIDENT: Mid-air Collision of the position uncertainty spheres around A/C

Avoid collision centred on the 2 conflicting A/C R B1

R B2

R B3

R B4

R B5

R B6

Conflict situation detected and ATC issues new instructions to A/C before it results in an imminent

collision risk R

A1 R

A2 R

A3 R

A4 R

A5 R

A6 Rec

over

y


ATC issues new instructions when A/C deviate from expected trajectories before the deviation results in

a conflict P

C1 P

C2 P

C3 P

C4 P

C5 P

C6

Prev

en-

tion


ATC issues new instructions to A/C before planned trajectories result in a conflict

P B1

P B2

P B3

P B4

P B5

P B6

Planned A/C 4D trajectories avoid conflict situations P A1

P A2

P A3

P A4

P A5

P A6 Pr

even

tion

Figure 9: First level of the level bust safety architecture

3 The Excel file of the safety architecture can be found on the CD of the Level Bust Study Using Safety Principles Report.




P B1

P B2

P B3

P B4

P B5

P B6


P A2

P A3

P A4

P A5

P A6 P

reve

ntio

n

P AB2 A1 A1 P AB2 A1 A2 P AB2 A1 A3 P AB2 A1 A4

P AB2 A1 P AB2 A2

P AB2 A1 A1 B1

P AB2 A1 A1 A1 P AB2 A1 A1 A2

P AB2 A1 A1 B2

P AB2 A1 A2 A1 P AB2 A1 A2 A2 P AB2 A1 A2 A3 P AB2 A1 A2 A4


P AB4 A1 P AB4 A2

P AB4 A1 B1

P AB4 A1 A1 P AB4 A1 A2 P AB4 A1 A3

P AB4 A1 C1

P AB4 A1 A1 A1 P AB4 A1 A1 A2

P AB4 A1 A1 A3 A1 P AB4 A1 A1 A3 A2 P AB4 A1 A1 A3 A3

P AB4 A1 A1 A3 B1 P AB4 A1 A1 A3 B2 P AB4 A1 A1 A3 B3

P AB4 A1 B1 A1 P AB4 A1 B1 A2

P AB4 A1 C1 A1 P AB4 A1 C1 A2 P AB4 A1 C1 A3

P AB4 A1 C1 B1 P AB4 A1 C1 B2 P AB4 A1 C1 B3

P AB4 A1 C1 C1 P AB4 A1 C1 C2 P AB4 A1 C1 C3


P AB4 A2 B1 P AB4 A2 B2 P AB4 A2 B3


Figure 10: Decomposition of the prevention safety architecture (P AB1 – P AB4)




P B1

P B2

P B3

P B4

P B5

P B6


P A2

P A3

P A4

P A5

P A6 Pr

even

tion

P AB5 A1 P AB5 A2 P AB5 A3 P AB5 A4

P AB5 B1 P AB5 B2

P AB5 C1 P AB5 C2 P AB5 C3 P AB5 C4


P AB5 A2 A1 A1 P AB5 A2 A1 A2 P AB5 A2 A1 A3

P AB5 A2 A1 B1 P AB5 A2 A1 B2 P AB5 A2 A1 B3 P AB5 A2 A1 B4

P AB5 A2 A1 A1 A1 P AB5 A2 A1 A1 A2 P AB5 A2 A1 A1 A3

P AB6 A1 P AB6 A2 P AB6 A3


Figure 11: Decomposition of the prevention safety architecture (P AB5 – P AB6)




ATC issues new instructions when A/C deviate from expected trajectories before the deviation results in a

conflict

P C1

P C2

P C3

P C4

P C5

P C6

Prev

enti

on


P C1 A1

P C1 B1

P C2 A1 P C2 A2

P C2 A1 A1 P C2 A1 A2 P C2 A1 A3 P C2 A1 A4

P C2 A1 B1 P C2 A1 B2 P C2 A1 B3 P C2 A1 B4

P C2 A1 A1 A1 P C2 A1 A1 A2 P C2 A1 A1 A3

P C2 A1 A1 A1 A1

P C2 A1 A1 A1 B1

P C2 A1 A1 A1 C1

P C2 A1 A1 A1 D1

P C2 A1 A1 A2 A1 P C2 A1 A1 A2 A2

P C2 A1 A1 A2 B1

P C2 A1 A1 A3 A1 P C2 A1 A1 A3 A2

P C2 A1 A1 A3 B1 P C2 A1 A1 A3 B2


P C2 A2 A1 B1 P C2 A2 A1 B2

Figure 12: Decomposition of the prevention safety architecture (P C1 – P C2)




ATC issues new instructions when A/C deviate from expected trajectories before the deviation results in a

conflict

P C1

P C2

P C3

P C4

P C5

P C6

Prev

enti

on


P C3 A1 P C3 A2

P C3 A1 A1 P C3 A1 A2 P C3 A1 A3 P C3 A1 A4

P C3 A1 A1 A1 P C3 A1 A1 A2

P C3 A1 A1 B1 P C3 A1 A1 B2

P C3 A1 A2 A1 P C3 A1 A2 A2 P C3 A1 A2 A3 P C3 A1 A2 A4


P C5 A1 P C5 A2

P C5 A1 A1 P C5 A1 A2 P C5 A1 A3

P C5 A1 B1

P C5 A1 C1

P C5 A1 A1 A1 P C5 A1 A1 A2



P C5 A1 A3 B1 P C5 A1 A3 B2 P C5 A1 A3 B3

P C5 A1 B1 A1 P C5 A1 B1 A2

P C5 A1 C1 A1 P C5 A1 C1 A2 P C5 A1 C1 A3

P C5 A1 C1 B1 P C5 A1 C1 B2 P C5 A1 C1 B3

P C5 A1 C1 C1 P C5 A1 C1 C2 P C5 A1 C1 C3

P C5 A2 A1 P C5 A2 A2 P C5 A2 A3

P C5 A2 B1 P C5 A2 B2 P C5 A2 B3

P C6 A1 P C6 A2 P C6 A3 P C6 A4

P C6 B1 P C6 B2

P C6 C1 P C6 C2 P C6 C3 P C6 C4


P C6 A2 A1 B1 P C6 A2 A1 B2 P C6 A2 A1 B3 P C6 A2 A1 B4

P C6 A2 A1 A1 A1 P C6 A2 A1 A1 A2 P C6 A2 A1 A1 A3

P C6 A2 A1 P C6 A2 A2 P C6 A2 A3

Figure 13: Decomposition of the prevention safety architecture (P C3 – P C6)



ACCIDENT: Mid-air Collision of the position uncertainty spheres around A/C

Avoid collision centred on the 2 conflicting A/C R B1

R B2

R B3

R B4

R B5

R B6

Conflict situation detected and ATC issues new instructions to A/C before it results in an imminent

collision risk

R A1

R A2

R A3

R A4

R A5

R A6

Rec

over

y


R A1 A1

R A1 B1

R A2 A1 R A2 A2 R A2 A3

R A2 B1 R A2 B2 R A2 B3

R A2 C1 R A2 C2 R A2 C3 R A2 C4

R B1 A1 R B1 A2 R B1 A3

R B1 A1 A1 R B1 A1 A2

R B1 A1 B1 R B1 A1 B2 R B1 A1 B3

R B1 A1 C1 R B1 A1 C2 R B1 A1 C3 R B1 A1 C4

R B1 A1 A2 A1 R B1 A1 A2 A2

R B1 A1 A2 B1 R B1 A1 A2 B2

R B1 A1 A2 C1 R B1 A1 A2 C2

R B1 A2 B1 R B1 A2 B2

R B1 A2 C1 R B1 A2 C2 R B1 A2 C3

R B1 A2 D1

R B1 A2 A1 R B1 A2 A2

R B1 A3 A1

R B1 A3 B1

R B1 A3 C1

R B2 A1 R B2 A2

R B2 B1 R B2 B2 R B2 B3 R B2 B4

R B2 C1 R B2 C2 R B2 C3

R B3 A1

R B3 B1

R B3 C1

R B4 A1 R B4 A2 R B4 A3

R B4 B1 R B4 B2

R B4 C1 R B4 C2 R B4 C3R B5 A1 R B5 A2 R B5 A3

R B5 A2 A1 R B5 A2 A2 R B5 A3 A1 R B5 A3 A2 R B5 A3 A3

R B5 A3 A3 A1 R B5 A3 A3 A2 R B5 A3 A3 A3

Figure 14: Decomposition of the recovery safety architecture



Decomposition of the Safety Architecture in Safety Principles

Prevention

The two prevention lines, before “Deviation from the assigned flight path (including level bust)”, can be applied only one or the other – they do not apply both at the same time.

“SP (Safety Principle) Identifier" is the identification of each safety principle, as they occur in the safety architecture, developed in a logical structure.

“SP (Safety Principle) Number” is the identification number assigned by the software used for the behaviour calculation and simulations of the analysed incidents.

SP Identifier SP No SP Description

P AB1 1 The instructions delivered by ATM don't lead to conflicting 4D paths

P AB2 2 ATM makes its instructions available to the crew/aircraft system in a clear and unambiguous way

P AB2 A1 26 Verbal communication is transmitted to the crew/aircraft system in a clear and understandable way

P AB2 A1 A1 94 In the situation, ATCOS correctly use an ATM phraseology shared by Flight Crews

P AB2 A1 A1 A1 170 ATCOs correctly use a "standard" ICAO phraseology in the appropriate language

P AB2 A1 A1 A2 171 Standard ICAO phraseology is shared by the pilots concerned

P AB2 A1 A1 B1 172 ATCOs correctly use national ATS provider phraseology

P AB2 A1 A1 B2 173 National ATS provider phraseology is shared by the pilots concerned

P AB2 A1 A2 95 ATCOs articulate the instructions in a clear way

P AB2 A1 A2 A1 174 The speed and pace of the ATCOs speech are low enough to be understandable by all pilots involved in all aircraft

P AB2 A1 A2 A2 175 The number of instructions included in each ATCO message is small enough to be understandable by all pilots involved in all aircraft

P AB2 A1 A2 A3 176 The tone of ATCOs' speech is adapted to the content of the message

P AB2 A1 A2 A4 177 The accent used by ATCOs is understandable by all pilots involved in all aircraft

P AB2 A1 A3 96 Transmission medium is clear and properly operated

P AB2 A1 A3 A1 178 ATM HMI is properly operated, messages are unclipped

P AB2 A1 A3 A2 179 No malicious interference, no vocal interference occur

P AB2 A1 A3 A3 180 Transmission related hardware & software are operating properly

P AB2 A1 A3 A4 181 The quality of the RT signal is not impaired by background noise (e.g. introduced by weather)

P AB2 A1 A4 97 The shared ATM phraseology used is by design unambiguous for the situation

P AB 2 A2 27 AIP charts & Notams are available, and published in a legible & understandable way for flight ops charts designers

P AB3 3 The crew/aircraft system correctly captures/picks up all the instructions addressed to it

P AB4 4 The crew/aircraft system correctly understands the contents of the instruction/clearance captured if any (immediate process taking place when receiving the instruction)

P AB4 A1 28 The crew/aircraft system properly understands verbal ATM clearances/ instructions




P AB4 A1 A1 98 The crew/aircraft system properly receives verbal ATM clearances/instructions

P AB4 A1 A1 A1 182 RTF equipment works properly

P AB4 A1 A1 A2 183 RTF equipment is operated properly (set, tuned)

P AB4 A1 A2 99 Crews have sufficient resources left to pay attention to ATM clearances/instructions

P AB4 A1 A2 A1 184 Cockpit procedures allow for proper attention being paid to ATC communications

P AB4 A1 A2 A2 185 Cockpit task sharing allow for proper attention being paid to ATC communications

P AB4 A1 A2 A3 186 Workload level & on going crew activity (including cabin crew interactions) allow for proper attention being paid to ATC

P AB4 A1 A2 A4 187 Noise level in the cockpit is low enough to allow for proper attention being paid to RT

P AB4 A1 A3 100 A correct perception of verbal ATM clearances/ instructions leads to a correct understanding of the message by the crews

P AB4 A1 A3 A1 188 At least one pilot actually understands the clearance/instructions perceived

P AB4 A1 A3 A2 189 If in doubt, pilots cross check their understanding of ATCOs (FL/ALT) instructions

P AB4 A1 A3 A3 190 Pilots detect and correct errors in their understanding of ATCOs (FL/ALT) instructions

P AB4 A1 A3 B1 191 Crews query about ATM clearances/ instructions when unsure of their understanding

P AB4 A1 A3 B2 192 The correct clearance is confirmed to the crews by ATCOs

P AB4 A1 A3 B3 193 Crews correctly understand the confirmed & correct clearance

P AB4 A1 B1 101 The incorrect understanding by the pilot/AC system, if any, is detected an corrected by the read back hearback process between ATCOs and crews

P AB4 A1 B1 A1 194 Pilots read back ATCOs instructions according to their understanding

P AB4 A1 B1 A2 195 ATCOs detect and correct errors in the pilots' readback messages

P A-B4 A1 C1 102 An incorrect understanding by the pilot/AC system is detected and corrected by the read back hearback process by third party (pilots, supervisor)

P AB4 A1 C1 A1 196 Pilots report their FL/ALT (flight path parameters) target when changing frequency

P AB4 A1 C1 A2 197 Next sector ATCOs check reported (flight path parameters) FL/ALT against assigned one

P AB4 A1 C1 A3 198 Next sector ATCOs detect and correct errors in the reported FL/ALT (flight path parameters)

P AB4 A1 C1 B1 199 Third party ATCOs (e.g. supervisor) monitor RTF communication

P AB4 A1 C1 B2 200 Third party ATCOs detect FL/ALT (flight path parameters) errors in the pilots' messages

P AB4 A1 C1 B3 201 Third party ATCOs report FL/ALT (flight path parameters) errors in the pilots' messages to ATCOs on duty

P AB4 A1 C1 C1 202 Third party pilots monitor RTF communication

P AB4 A1 C1 C2 203 Third party pilots detect FL/ALT (flight path parameters) errors in other pilots' messages

P AB4 A1 C1 C3 204 Third party pilots report FL/ALT (flight path parameters) errors in other pilots' messages to ATM

P AB4 A2 29 The crew/aircraft system properly understands chart-based ATM clearances/instructions

P AB4 A2 A1 103 At least one pilot actually understands chart based ATM instructions

P AB4 A2 A2 104 If in doubt, pilots cross check their understanding of chart based instructions

P AB4 A2 A3 105 Pilots detect and correct errors in their understanding of chart based instructions




P AB4 A2 B1 106 Pilots report their FL/ALT (and other flight path parameters) target when changing frequency

P AB4 A2 B2 107 Next sector ATCOs check reported FL/ALT (flight path parameters) against assigned one

P AB4 A2 B3 108 Next sector ATCOs detect and correct errors in the reported (flight path parameters) FL/ALT

P AB5 5 The crew/aircraft system properly implements the clearance/instruction as understood (within an acceptable time frame, at acceptable rates…)

P AB5 A1 30

The instruction is actually implementable for the real situation of the day (e.g. within flight envelope, not too late to capture...) i.e. the instruction/clearance relevant from an ATC viewpoint is also relevant from the cockpit viewpoint i.e. the ATCO's knowledge of the situation is complete enough...

P AB5 A2 31 Proper inputs are made to systems supporting the management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

P AB5 A2 A1 109 Proper inputs are made to systems supporting the vertical management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

P AB5 A2 A1 A1 205 The crew correctly sets the altitude reference

P AB5 A2 A1 A1 A1 276 The crew correctly determines the relevant altitude reference (i.e. they know and are aware they should use QNH or standard…)

P AB5 A2 A1 A1 A2 277 The crew uses right units (e.g. inches vs. hp), right values when setting the altitude reference

P AB5 A2 A1 A1 A3 278 The crew correctly sets the altitude reference to the right value

P AB5 A2 A1 A2 206 The crew sets/programs the right height/altitude/FL target (correct figure and consistent with the reference)

P AB5 A2 A1 A3 207 The crew timely engages and maintains the correct implementation "mode"

P AB5 A2 A1 B1 208 Wrong inputs are detected by the ATM system before acceptable tolerance is exceeded

P AB5 A2 A1 B2 209 A corrective instruction is issued in a clear and unambiguous way to the crew before acceptable tolerance is exceeded

P AB5 A2 A1 B3 210 The crew properly understand the corrective instruction

P AB5 A2 A1 B4 211 Wrong inputs are corrected by crews before acceptable tolerance is exceeded

P AB5 A2 A2 110 Proper inputs are made to systems supporting the lateral management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

P AB5 A2 A3 111 Proper inputs are made to systems supporting the longitudinal management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

P AB5 A3 32 The systems supporting the management of the flight path work properly

P AB5 A4 33 The A/C (ailerons, engines, rudder...) responds properly to demands from systems supporting the management of the flight path

P AB5 B1 34 The crew/aircraft system anticipates deviations from intended (according to their understanding of the clearance /instruction) flight path early enough to allow a correction before acceptable tolerance is exceeded

P AB5 B2 35 The crew/aircraft system corrects deviations from intended (according to their understanding of the clearance /instruction) flight path before acceptable tolerance is exceeded

P AB5 C1 36 The ATM system anticipates deviations from the assigned flight path early enough to allow a correction before acceptable tolerance is exceeded

P AB5 C2 37 The ATM system issues appropriate instructions early enough to allow a correction before acceptable tolerance is exceeded

P AB5 C3 38 The crew/aircraft system correctly understands instruction(s) early enough to allow a correction before acceptable tolerance is exceeded




P AB5 C4 39 The crew/aircraft system correctly implements instruction(s) before acceptable tolerance is exceeded

P AB6 6 The crew/aircraft system doesn't change path independently from instruction/clearance addressed to it by ATC

P AB6 A1 40 The crew/aircraft system correctly discriminates instructions addressed to other A/C, if any, from instructions addressed to itself

P AB6 A1 A1 112 The A/C has a unique call sign

P AB6 A1 A2 113 The crew correctly picks up the correct callsign in the ATCO's message (technically receives it properly & perceives it properly)

P AB6 A1 A3 114 The crew doesn't identify itself to any callsign but its own one

P AB6 A2 41 The crew/aircraft system is and remains willing to rely on the ATM system as regards its path

P AB6 A3 42 The crew/aircraft system is and remains able in principle to maintain its path (no emergency situation)

P C1 8 The surrounding routes possibly used are by design far away enough to allow for the deviation to be corrected before it would lead to a conflict (unacceptable safety threshold) with an A/C anywhere on these surrounding routes

P C1 A1 43

The airspace design is such that the separation of predefined routes is compatible with the design specifications of ATC capabilities of detection and reaction in real time so that recovering a deviation before it would lead to a conflict (unacceptable safety threshold) with an A/C anywhere on another predefined route is feasible in principle

P C1 B1 44 Routes making a deviation from one of them unrecoverable before it would lead to a conflict with an A/C on another one are not used simultaneously by ATC

P C2 9

(In the actual situation) ATC actually detects a deviation from the assigned flight path and derives a relevant (from an ATC viewpoint) corrective instruction (including no instruction) early enough to allow for preventing the separation with a converging A/C from reaching below an acceptable safety threshold (before T1)

P C2 A1 45 ATC becomes aware of a deviation from the assigned flight path early enough to allow for preventing the separation with a converging A/C if any from reaching below an acceptable safe threshold (before T1)

P C2 A1 A1 115 The ATCO in contact with the A/C detects a vertical deviation from the assigned flight path if any before T1

P C2 A1 A1 A1 212 The ATCO(s) are properly aware of the assigned FL/ALT

P C2 A1 A1 A1 A1 267 The assigned FL is correctly noted on the STRIP

P C2 A1 A1 A1 B1 268 The assigned FL is correctly noted on the relevant charts (e.g. SIDs & STARS)

P C2 A1 A1 A1 C1 269 The assigned FL is correctly transmitted by colleagues during transfer

P C2 A1 A1 A1 D1 270 The assigned FL is correctly recorded through an electronic label

P C2 A1 A1 A2 213 The ATCO(s) become aware of the actual FL/ALT before T1

P C2 A1 A1 A2 A1 271 The actual FL is correctly displayed by the Mode C channel

P C2 A1 A1 A2 A2 272 The number of A/C on the radar screen is low enough to allow FL monitoring at an acceptable frequency and ATCOs actually monitor the situation

P C2 A1 A1 A2 B1 279 The actual FL / ALT is correctly reported by pilots

P C2 A1 A1 A3 214 The ATCOs actually detect the existing discrepancy before T1

P C2 A1 A1 A3 A1 273 ATCOs monitor ALT/FL match after each pilot ALT/FL report

P C2 A1 A1 A3 A2 274 The information is available, readable on the radar screen

P C2 A1 A1 A3 B1 275 ATCOs scan radar screen for ALT/FL mismatch at any time (climb, descent, alt capture) before T1

P C2 A1 A1 A3 B2 276 The information is available, readable on the radar screen




P C2 A1 A2 116 The ATCO in contact with the A/C detects a horizontal deviation from the assigned flight path if any before T1

P C2 A1 A3 117 The ATCO in contact with the A/C detects a longitudinal deviation from the assigned flight path if any before T1

P C2 A1 A4 118 The ATCO in contact with the A/C detects a time deviation from the assigned flight path if any before T1

P C2 A1 B1 119 Another party detects a vertical deviation from the assigned flight path and makes it clear to the ATCO in charge before T1

P C2 A1 B2 120 Another party detects a horizontal deviation from the assigned flight path and makes it clear to the ATCO in charge before T1

P C2 A1 B3 121 Another party detects a longitudinal deviation from the assigned flight path and makes it clear to the ATCO in charge before T1

P C2 A1 B4 122 Another party detects a time deviation from the assigned flight path and makes it clear to the ATCO in charge before T1

P C2 A2 46 The ATCO in contact with the deviating A/C issues a relevant re-instruction to the crew/aircraft system before T1

P C2 A2 A1 A1 123 ATCOs are aware of the traffic situation

P C2 A2 A1 A2 124 ATCOs generate an appropriate solution and instruction before T1

P C2 A2 A1 A3 125 The ATCO in contact with the deviating A/C issues the appropriate clearance/instruction to the relevant aircraft before T1

P C2 A2 A1 B1 126 Another party makes a relevant corrective action available to the ATCO before T1

P C2 A2 A1 B2 125 The ATCO in contact with the deviating A/C issues the appropriate clearance/instruction to the relevant aircraft before T1

P C3 10 ATM makes its instructions available to the crew/aircraft system in a clear and unambiguous way

P C3 A1 47 Verbal communication is transmitted to the crew/aircraft system in a clear and understandable way

P C3 A1 A1 127 In the situation, ATCOS correctly use an ATM phraseology shared by Flight Crews

P C3 A1 A1 A1 215 ATCOs correctly use a "standard" ICAO phraseology in the appropriate language

P C3 A1 A1 A2 216 Standard ICAO phraseology is shared by the pilots concerned

P C3 A1 A1 B1 217 ATCOs correctly use national ATS provider phraseology

P C3 A1 A1 B2 218 National ATS provider phraseology is shared by the pilots concerned

P C3 A1 A2 128 ATCOs articulate the instructions in a clear way

P C3 A1 A2 A1 219 The speed and pace of the ATCOs speech are low enough to be understandable by all pilots involved in all aircraft

P C3 A1 A2 A2 220 The number of instructions included in each ATCO message is small enough to be understandable by all pilots involved in all aircraft

P C3 A1 A2 A3 221 The tone of ATCOs' speech is adapted to the content of the message

P C3 A1 A2 A4 222 The accent used by ATCOs is understandable by all pilots involved in all aircraft

P C3 A1 A3 129 Transmission medium is clear and properly operated

P C3 A1 A3 A1 223 ATM HMI is properly operated, messages are unclipped

P C3 A1 A3 A2 224 No malicious interference, no vocal interference occur

P C3 A1 A3 A3 225 Transmission related hardware & software are operating properly

P C3 A1 A3 A4 226 The quality of the RT signal is not impaired by background noise (e.g. introduced by weather)

P C3 A1 A4 130 The shared ATM phraseology used is by design unambiguous for the situation

P C3 A2 27 AIP charts & Notams are available, and published in a legible & understandable way for flight ops charts designers




P C4 11 The crew/aircraft system correctly captures/picks up all the corrective instructions addressed to it

P C5 12 The crew/aircraft system correctly understands the contents of the instruction/clearance captured if any (immediate process taking place when receiving the instruction)

P C5 A1 48 The crew/aircraft system properly understands verbal ATM clearances/ instructions

P C5 A1 A1 131 The crew/aircraft system properly receives verbal ATM clearances/instructions

P C5 A1 A1 A1 227 RTF equipment works properly

P C5 A1 A1 A2 228 RTF equipment is operated properly (set, tuned)

P C5 A1 A2 132 Crews have sufficient resources left to pay attention to ATM clearances/instructions

P C5 A1 A2 A1 184 Cockpit procedures allow for proper attention being paid to ATC communications

P C5 A1 A2 A2 229 Cockpit task sharing allow for proper attention being paid to ATC communications

P C5 A1 A2 A3 230 Workload level & on going crew activity (including cabin crew interactions) allow for proper attention being paid to ATC

P C5 A1 A2 A4 231 Noise level in the cockpit is low enough to allow for proper attention being paid to RT

P C5 A1 A3 133 A correct perception of verbal ATM clearances/ instructions leads to a correct understanding of the message by the crews

P C5 A1 A3 A1 232 At least one pilot actually understands the clearance/instructions perceived

P C5 A1 A3 A2 233 If in doubt, pilots cross check their understanding of ATCOs (FL/ALT) instructions

P C5 A1 A3 A3 234 Pilots detect and correct errors in their understanding of ATCOs (FL/ALT) instructions

P C5 A1 A3 B1 235 Crews query about ATM clearances/ instructions when unsure of their understanding

P C5 A1 A3 B2 236 The correct clearance is confirmed to the crews by ATCOs

P C5 A1 A3 B3 237 Crews correctly understand the confirmed & correct clearance

P C5 A1 B1 134 The incorrect understanding by the pilot/AC system, if any, is detected an corrected by the read back hearback process between ATCOs and crews

P C5 A1 B1 A1 238 Pilots read back ATCOs instructions according to their understanding

P C5 A1 B1 A2 239 ATCOs detect and correct errors in the pilots' readback messages

P C5 A1 C1 135 An incorrect understanding by the pilot/AC system is detected and corrected by the read back hearback process by third party (pilots, supervisor)

P C5 A1 C1 A1 240 Pilots report their FL/ALT (flight path parameters) target when changing frequency

P C5 A1 C1 A2 241 Next sector ATCOs check reported (flight path parameters) FL/ALT against assigned one

P C5 A1 C1 A3 242 Next sector ATCOs detect and correct errors in the reported FL/ALT (flight path parameters)

P C5 A1 C1 B1 243 Third party ATCOs (e.g. supervisor) monitor RTF communication

P C5 A1 C1 B2 244 Third party ATCOs detect FL/ALT (flight path parameters) errors in the pilots' messages

P C5 A1 C1 B3 245 Third party ATCOs report FL/ALT (flight path parameters) errors in the pilots' messages to ATCOs on duty

P C5 A1 C1 C1 246 Third party pilots monitor RTF communication

P C5 A1 C1 C2 247 Third party pilots detect FL/ALT (flight path parameters) errors in other pilots' messages




P C5 A1 C1 C3 248 Third party pilots report FL/ALT (flight path parameters) errors in other pilots' messages to ATM

P C5 A2 49 The crew/aircraft system properly understands chart-based ATM clearances/instructions

P C5 A2 A1 136 At least one pilot actually understands chart based ATM instructions

P C5 A2 A2 137 If in doubt, pilots cross check their understanding of chart based instructions

P C5 A2 A3 138 Pilots detect and correct errors in their understanding of chart based instructions

P C5 A2 B1 139 Pilots report their FL/ALT (and other flight path parameters) target when changing frequency

P C5 A2 B2 140 Next sector ATCOs check reported FL/ALT (flight path parameters) against assigned one

P C5 A2 B3 141 Next sector ATCOs detect and correct errors in the reported (flight path parameters) FL/ALT

P C6 13 The crew/aircraft system properly implements the clearance/instruction as understood (within an acceptable time frame, at acceptable rates…)

P C6 A1 50

The instruction is actually implementable for the real situation of the day (e.g. within flight envelope, not too late to capture...) i.e. the instruction/clearance relevant from an ATC view point is also relevant from the cockpit viewpoint i.e. the ATCO's knowledge of the situation is complete enough...

P C6 A2 51 Proper inputs are made to systems supporting the management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

P C6 A2 A1 142 Proper inputs are made to systems supporting the vertical management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

P C6 A2 A1 A1 249 The crew correctly sets the altitude reference

P C6 A2 A1 A1 A1 280 The crew correctly determines the relevant altitude reference (i.e. they know and are aware they should use QNH or standard…)

P C6 A2 A1 A1 A2 281 The crew uses right units (e.g. inches vs. hp), right values when setting the altitude reference

P C6 A2 A1 A1 A3 282 The crew correctly sets the altitude reference to the right value

P C6 A2 A1 A2 250 The crew sets/programs the right height/altitude/FL target (correct figure and consistent with the reference)

P C6 A2 A1 A3 251 The crew timely engages and maintains the correct implementation "mode"

P C6 A2 A1 B1 252 Wrong inputs are detected by the ATM system before acceptable tolerance is exceeded

P C6 A2 A1 B2 253 A corrective instruction is issued in a clear and unambiguous way to the crew before acceptable tolerance is exceeded

P C6 A2 A1 B3 254 The crew properly understand the corrective instruction

P C6 A2 A1 B4 255 Wrong inputs are corrected by crews before acceptable tolerance is exceeded

P C6 A2 A2 143 Proper inputs are made to systems supporting the lateral management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

P C6 A2 A3 144 Proper inputs are made to systems supporting the longitudinal management of the flight path (e.g. FMS, AP, avionics, ALT instruments…)

P C6 A3 52 The systems supporting the management of the flight path work properly

P C6 A4 53 The A/C (ailerons, engines, rudder...) responds properly to demands from systems supporting the management of the flight path

P C6 B1 54 The crew/aircraft system detects deviations from intended (according to their understanding of the clearance /instruction) flight path early enough to allow a correction before acceptable tolerance is exceeded




P C6 B2 55 The crew/aircraft system corrects deviations from intended (according to their understanding of the clearance /instruction) flight path before acceptable tolerance is exceeded

P C6 C1 56 The ATM system detects deviations from the assigned flight path early enough to allow a correction before acceptable tolerance is exceeded

P C6 C2 57 The ATM system issues appropriate corrective instructions early enough to allow a correction before acceptable tolerance is exceeded

P C6 C3 58 The crew/aircraft system correctly understands corrective instruction(s) early enough to allow a correction before acceptable tolerance is exceeded

P C6 C4 59 The crew/aircraft system correctly implements corrective instruction(s) before acceptable tolerance is exceeded


Recovery

R A1 14 The surrounding routes possibly used are by design far away enough to allow for a conflict situation with an A/C anywhere on these surrounding routes to be recovered before it would lead to an imminent collision situation

R A1 A1 60

The airspace design is such that the separation of predefined routes is compatible with the design specifications of ATC capabilities of detection and reaction in real time so that recovering the conflict situation before an imminent collision situation develops is feasible in principle

R A1 B1 61 Routes making the conflict due to a deviation from one of them unrecoverable before it would lead to an imminent collision situation are not used simultaneously by ATC

R A2 15 (In the actual situation) The ATCO in control becomes aware of the conflict situation (if applicable) before an imminent collision situation develops

R A2 A1 62 Accurate A/C trajectory data is built by the radar

R A2 A2 63 The conflict situation is clearly visible on radar screen

R A2 A3 64 The ATCO in control notices the conflict situation before an imminent collision situation develops

R A2 B1 -4 Accurate A/C trajectory data is built by the radar

R A2 B2 283 STCA delivers a warning before an imminent collision situation develops

R A2 B3 65 The ATCO in control notices and recognizes STCA warning before an imminent collision situation develops

R A2 C1 -5 Accurate A/C trajectory data is built by the radar

R A2 C2 -6 The conflict situation is clearly visible on radar screen

R A2 C3 66 Another ATCO notices the conflict situation and makes his colleague aware of the situation before an imminent collision situation develops

R A2 C4 67 The ATCO in control recognizes the conflict situation from his colleague's warning before an imminent collision situation develops

R A3 16 The ATCO in control issues a relevant (from an ATC viewpoint) recovery instruction (including no instruction) before an imminent collision situation develops

4 This Safety Principle was developed after the introduction of the data into the software. 5 This Safety Principle was developed after the introduction of the data into the software. 6 This Safety Principle was developed after the introduction of the data into the software.




R A4 17 The crew/aircraft system correctly captures/picks up all the recovery instructions addressed to it

R A5 18 The crew/aircraft system(s) correctly understands the contents of the recovery instruction/clearance captured (immediate process taking place when receiving the instruction)

R A6 19 The crew/aircraft system properly implements the recovery clearance/instruction as understood (within an acceptable time frame, at acceptable rates…)

R B1 20 The collision avoidance system detects the risk of imminent collision before the situation becomes unrecoverable

R B1 A1 68 The collision avoidance system captures proximity information before the situation becomes unrecoverable

R B1 A1 A1 145 Accurate A/C position data is available to the radar

R B1 A1 A2 146 The ATCO in control becomes aware of the imminent collision situation before the situation becomes unrecoverable

R B1 A1 A2 A1 256 Relative A/C proximity is clearly visible on radar screen (not overlap of labels...)

R B1 A1 A2 A2 257 The ATCO in control notices from radar information imminent collision situation before the situation becomes unrecoverable

R B1 A1 A2 B1 258 STCA delivers imminent collision warning before the situation becomes unrecoverable

R B1 A1 A2 B2 259 The ATCO in control notices STCA warning before the situation becomes unrecoverable

R B1 A1 A2 C1 Relative A/C proximity is clearly visible on radar screen (not overlap of labels...)

R B1 A1 A2 C2 260 Another ATCO detects the proximity situation before the situation becomes unrecoverable

R B1 A1 B1 147 TCAS switched on and fully operational (including not impaired) on at least one A/C

R B1 A1 B2 148 At least mode C transmitting properly accurate information on the other A/C

R B1 A1 B3 149 Situation within the design envelope of TCAS (closure rate, data quality)

R B1 A1 C1 150 Visibility allows for conflicting A/C detection (including night vision)

R B1 A1 C2 151 Pilots scan for conflicting traffic

R B1 A1 C3 152 Conflicting A/C is within cockpit field of vision

R B1 A1 C4 153 Conflicting A/C is visible (lighting conditions, bearing, etc.)

R B1 A2 69 The collision avoidance system recognizes risk of imminent collision before the situation becomes unrecoverable (from proximity info captured)

R B1 A2 A1 154

The ATCO in control detects (using radar info) the risk of imminent collision from the proximity info captured before the situation becomes unrecoverable (i.e. has enough time to screen radar picture + info presented in such a way that collision risk can be anticipated + …)

R B1 A2 A2 155 The ATCO in control recognizes the recognized risk before the situation becomes unrecoverable (no doubt induced by lack of STCA warning or any other reason)

R B1 A2 B1 156 STCA detects the risk of imminent collision from proximity information captured

R B1 A2 B2 157 The ATCO in control recognizes STCA warning

R B1 A2 C1 158 Situation within TCAS specification for risk of collision recognition (including sufficient quality information available; geometry of the conflict…)

R B1 A2 C2 159 TCAS algorithm is able to predict collision within its design envelope (specs are OK)

R B1 A2 C3 160 TCAS works as per design (switched on, construction OK, no impairments, as regards the risk of collision recognition function…)

R B1 A2 D1 161 Crews recognize correctly the collision risk visually




R B1 A3 70 The collision avoidance system transfers "risk of collision" alert to resolution providers before the situation becomes unrecoverable

R B1 A3 A1 162 In the case of a recognition by the ATCO in charge of the 'risk of collision', transfer to the ATCO is immediate (always green)

R B1 A3 B1 163 In the case of both TCAS on and risk of collision recognized, TCAS correctly coordinates with the other TCAS (if applicable)

R B1 A3 C1 164 In the case of a recognition of the 'risk of collision' by another ATCO than the ATCO in charge, the ATCO not in charge correctly transfers the 'risk of collision' information to the ATCO in charge if applicable

R B2 21 The collision avoidance system derives at least one relevant collision resolving option/solution (coherent solution taking into account both A/C) before the situation becomes unrecoverable

R B2 A1 71 The ATCOs concerned produce a global relevant avoidance solution (coherent solution taking into account both A/C) before the situation becomes unrecoverable

R B2 A2 72 The solution anticipated by ATCO(s) is not compromised by unexpected A/C behaviour

R B2 B1 73 TCAS design specifications (e.g. algorithm) are able to produce relevant resolving solution (coherent solution taking into account both A/C) before the situation becomes unrecoverable

R B2 B2 74 TCAS equipment is consistent with design specifications

R B2 B3 75 Conditions (geometry; time limitations…) are within design envelope

R B2 B4 76 TCAS functioning is not impaired by untimely actions (switched on, correctly set, maintained…)

R B2 C1 77 The pilots concerned have the skill to "see" an avoidance solution

R B2 C2 78 Pilots follow rule of the air

R B2 C3 79 Rules of the air allow for compatible avoidance solutions

R B3 22 The collision avoidance system makes at least one relevant collision resolving option/solution available in a clear way to the crew/aircraft systems involved by the resolving option/solution before the situation becomes unrecoverable

R B3 A1 80 Relevant instructions corresponding to the solution are transmitted to crew(s) in a clear and unambiguous way (including the urge to act if any)

R B3 B1 81 Cockpit(s) HMI present(s) the TCAS solution in a clear and unambiguous way to the flight crew(s)

R B3 C1 82 PNF transfers imminent collision risk alert to PF or takes over if applicable

R B4 23 The crew/aircraft systems involved properly receive at least one relevant collision resolving option/solution (global resolving option i.e. as compatible manoeuvres for both A/C) before the situation becomes unrecoverable

R B4 A1 83 Crews properly receive RT instructions

R B4 A2 84 Crews properly discriminate instructions addressed to them

R B4 A3 85 Crews properly understand RT instructions (including urgency aspects)

R B4 B1 86 Crews notice ACAS(s) RA(s) in due time if any

R B4 B2 87 Crews correctly interpret ACAS RA if any

R B4 C1 88 PNF can communicate avoidance suggestion efficiently

R B4 C2 89 Flight deck procedures allow for efficient pilot role distribution concerning see & avoid action

R B4 C3 90 Pilots follow see & avoid role distribution

R B5 24 The crew/aircraft systems involved select a relevant collision resolving option/solution if various options are made available as the one to be implemented

R B5 A1 91 Each flight crew involved is covered by priority rules applicable to the situation




R B5 A2 92 The priority rules applicable to the flight crews involved do allow for compatible solutions to be selected in both/all cockpits

R B5 A2 A1 165 All flight crews share the same priority rules

R B5 A2 A2 166 The contents of the priority rules actually allow for compatible solutions to be selected in all cockpits involved

R B5 A3 93 Priority rules applicable to them are followed by the flight crews involved

R B5 A3 A1 167 In the case of TCAS RA(s), the confidence of crew(s) in TCAS is not undermined

R B5 A3 A2 168 The crews involved know the priority rules applicable to them

R B5 A3 A3 169 The instructions coming from the source having priority in this situation are compatible with crews' perceived safe avoidance maneuver in this situation

R B5 A3 A3 A1 261 In the case of TCAS RA(s), the TCAS instruction is compatible with the engaged manoeuvres if any

R B5 A3 A3 A2 262 In the case of TCAS RA(s), doubt is not induced in crew’s minds by ever more stringent opposite instructions from ATC

R B5 A3 A3 A3 263

In the case of TCAS RA(s), doubt is not induced in crew’s minds by their representation of the situation (e.g. TCAS RA compatible with previous TCAS TA if any, compatible with terrain and/or traffic in the vicinity as perceived by the crews…)

R B6 25

The resolving option/solution selected is timely and properly implemented by both crew/aircraft systems involved (including no maneuver independently from the relevant global resolving option selected, within an acceptable time frame, at acceptable rates…)

EUROCONTROL EXPERIMENTAL CENTRE · 2019. 2. 18. · EUROPEAN ORGANISATION FOR THE SAFETY OF AIR NAVIGATION EUROCONTROL EUROCONTROL EXPERIMENTAL CENTRE LEVEL BUST STUDY USING SAFETY

Documents