Resilience Engineering Approach to Safety Assessment: An Application of FRAM for the MSAW system
Eurocontrol Safety R&D seminar
21 October 2009
Munich
Luigi Macchi
© Luigi Macchi 2009
Outline
• Objective
• A safety assessment case: the MSAW
• FRAM functions
• Scenario and instantiation
• Conclusion
Objective
• A safety assessment study using Resilience Engineering principles
• Application of the Functional Resonance Analysis Method (FRAM)
• Identify emergent risks due to the combination of variability of normal performance
Purpose of Minimum Safe Altitude Warning system:
To alert ATCO to potentially hazardous situations with sufficient warning time for appropriate instructions to be issued to pilot
3 functionalities:
1. General Terrain Monitoring
MSAW should provide alerts where an eligible aircraft:
– Is inside an area where the minimum usable flight level is higher than the aircraft’s flight level,
– Has a rate of descent such that the minimum safe altitude will be penetrated,
– Has a rate of climb that is insufficient to obtain the minimum safe altitude.
2. Minimum Radar Vectoring Altitudes Monitoring
MSAW should provide an alert for situations where the current position of an eligible aircraft is below the Minimum Radar Vectoring Altitude (MRVA).
3. Approach Path Monitoring
MSAW should detect in case an eligible aircraft deviates, or is predicted to deviate, from the approach path of an adapted airport.
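As an added example, not code from the presentation or from any MSAW implementation, the following Python sketch expresses the three functionalities above as predicates over a snapshot of an eligible aircraft's track, with eligibility standing in for the alert-inhibited SSR codes and airspace volumes named later in the deck. The `Track` fields, the 60-second look-ahead, the nominal glide-path descent rate and the approach-path tolerances are assumptions chosen for illustration, and the sample tracks are constructed.

```python
"""Constructed example: the three MSAW functionalities as predicates over a track.
Units, the look-ahead horizon, the glide-path rate and the tolerances are
assumptions; no real MSAW adaptation data is reproduced."""
from dataclasses import dataclass
from typing import List

LOOKAHEAD_S = 60              # ASSUMPTION: horizon over which the vertical rate is projected
LATERAL_TOL_NM = 1.0          # ASSUMPTION: allowed distance from the approach centreline
VERTICAL_TOL_FT = 300.0       # ASSUMPTION: allowed height below the nominal approach path
GLIDEPATH_RATE_FPM = -700.0   # ASSUMPTION: nominal descent rate along the adapted approach


@dataclass(frozen=True)
class Track:
    callsign: str
    altitude_ft: float            # current altitude
    vertical_rate_fpm: float      # > 0 climbing, < 0 descending
    min_usable_fl_ft: float       # minimum usable flight level of the area the aircraft is in
    min_safe_alt_ft: float        # minimum safe altitude along the predicted track
    mrva_ft: float                # minimum radar vectoring altitude at the current position
    eligible: bool = True         # False when the SSR code or airspace volume is alert-inhibited
    on_approach: bool = False     # True once established on an adapted approach path
    lateral_dev_nm: float = 0.0   # absolute distance from the approach centreline
    below_path_ft: float = 0.0    # current height below the nominal approach path


def predicted_altitude(t: Track, seconds: float = LOOKAHEAD_S) -> float:
    """Straight-line projection of the current vertical rate."""
    return t.altitude_ft + t.vertical_rate_fpm * seconds / 60.0


def general_terrain_monitoring(t: Track) -> List[str]:
    """Functionality 1: the three General Terrain Monitoring conditions."""
    alerts = []
    if t.altitude_ft < t.min_usable_fl_ft:
        alerts.append("inside area whose minimum usable flight level is above the aircraft")
    projected = predicted_altitude(t)
    if t.vertical_rate_fpm < 0 and projected < t.min_safe_alt_ft:
        alerts.append("rate of descent will penetrate minimum safe altitude")
    if t.vertical_rate_fpm >= 0 and t.altitude_ft < t.min_safe_alt_ft and projected < t.min_safe_alt_ft:
        alerts.append("rate of climb insufficient to obtain minimum safe altitude")
    return alerts


def mrva_monitoring(t: Track) -> List[str]:
    """Functionality 2: current position below the Minimum Radar Vectoring Altitude."""
    return ["below MRVA"] if t.altitude_ft < t.mrva_ft else []


def approach_path_monitoring(t: Track) -> List[str]:
    """Functionality 3: deviation, or predicted deviation, from the approach path."""
    if not t.on_approach:
        return []
    alerts = []
    if t.lateral_dev_nm > LATERAL_TOL_NM:
        alerts.append("deviates laterally from approach path")
    # Height below the path after the look-ahead: the path keeps descending at the
    # nominal rate while the aircraft descends at its own rate.
    projected_below = t.below_path_ft + (GLIDEPATH_RATE_FPM - t.vertical_rate_fpm) * LOOKAHEAD_S / 60.0
    if t.below_path_ft > VERTICAL_TOL_FT:
        alerts.append("below approach path")
    elif projected_below > VERTICAL_TOL_FT:
        alerts.append("predicted to deviate below approach path")
    return alerts


def evaluate(t: Track) -> List[str]:
    """All three functionalities; alert-inhibited (non-eligible) tracks never alert."""
    if not t.eligible:
        return []
    return general_terrain_monitoring(t) + mrva_monitoring(t) + approach_path_monitoring(t)


# Constructed sample tracks, one per situation the slide lists.
SAMPLE_TRACKS = [
    Track("AC1", 4000, -1500, 3000, 3500, 3500),                      # descending into terrain
    Track("AC2", 2500, 300, 2000, 3500, 3000),                        # climbing too slowly, below MRVA
    Track("AC3", 2500, -1500, 2000, 3500, 3000, eligible=False),      # same geometry, alert-inhibited
    Track("AC4", 5000, 0, 3000, 3500, 3500),                          # level and safe
    Track("AC5", 3000, -1200, 2000, 1500, 1500, on_approach=True,
          lateral_dev_nm=0.2, below_path_ft=100),                     # sinking under the glide path
]


def run_all() -> dict:
    """Alerts per callsign for the constructed tracks."""
    return {t.callsign: evaluate(t) for t in SAMPLE_TRACKS}


if __name__ == "__main__":
    for callsign, alerts in run_all().items():
        print(callsign, alerts or "no alert")
```

The eligibility flag is where the deck's 'Define alert-inhibited airspace vol.' and 'Define alert-inhibited SSR codes' functions enter: an imprecise output from those functions silently changes which tracks this logic ever looks at, which is the kind of coupling the FRAM analysis later in the deck is built to expose.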
FRAM safety assessment
1. Model ATC and MSAW functions
2. Define a scenario + assumptions
3. Evaluate possible performance variability
Description of System Functions
6 parameters:
Input (I): that which the function processes or that which starts the function
Output (O): that which is the result of the function, either an entity or a state change
Preconditions (P): conditions that must exist before a function can be executed
Resources (R): that which the function consumes to produce the output
Time (T): temporal constraints affecting the function (with regard to starting time, finishing time, or duration)
Control (C): how the function is monitored or controlled
FRAM functions
(Diagram, built up over three slides. Each function is drawn as a FRAM hexagon with its six aspects I, P, C, O, R, T.)
ATC functions: Update MET data; Provide MET data; Display data on CWP; Provide flight & radar data; Update FDPS; Planning; Monitoring; Pilot-ATCO communication; Sector-sector communication; Issue clearance to pilot; Strip marking.
MSAW functions (added on the second slide): Generate MSAW alert; Define alert-inhibited airspace volume; Define alert-inhibited SSR codes; Enable MSAW alert transmission.
Organisational functions (added on the third slide): Manage resources; Manage competence; Manage procedures; Manage teamwork; Manage working conditions.
Scenario: Stuttgart approach
(Diagram, two frames: Stuttgart airport, Aircraft #1, Aircraft #2, the DLS 512 fix and the Final Approach Fix point.)
Clearances
• Aircraft #1 identified, proceed direct to DLS 512, descend altitude 5000 FT-QNH 1027
• Aircraft #2 identified, descend FL60, proceed direct to DLS 512
• Aircraft #1 descend altitude 4000 FT, turn right heading 230, cleared ILS25
• Aircraft #2 descend altitude 4000 FT-QNH 1027, turn left heading 210, cleared ILS25
• Aircraft #1 contact tower
• Aircraft #2 contact tower
Assumptions
• Organisational functions produce precise outputs
– No variability is induced
• Technological functions are properly designed and implemented
– No variability is induced
• ‘Generate MSAW alert’ triggers an alert (for Aircraft #1)
• The MSAW function ‘Enable MSAW alert transmission’ is performed imprecisely
• The clearance ‘Aircraft #1 descend altitude 4000 FT, turn right heading 230, cleared ILS25’ is issued earlier than expected
• The remaining functions are performed with acceptable precision and timing
Evaluation of performance variability
(Table: how each type of function contributes to performance variability.)
Organisational functions: dampening effect; act on a long-term basis; shape the context; delayed effect on performance variability.
Technological functions: no dampening effect; designed to be stable, reliable, and predictable; stable.
Human functions: dampening effect; act on a short-term basis; adjust their performance to current working conditions; variable.
Evaluation of performance variability
• Output of a function is the I-P-C-R of another function
• The timing of the Output of a function affects the available time for downstream functions
(Diagram: Enable MSAW alert transmission, Provide MET data, Display data on CWP and Define alert-inhibited airspace volume, with the outputs "Alert inhibit airspace vol defined", "MSAW function enabled" and "MET data" coupled to the aspects of downstream functions.)
Output characterisation
(Grid: precision of the output against its temporal characteristics. Each cell describes the output to downstream functions.)

Precision   | Too early                    | On time                          | Too late
Precise     | A: precise but too early     | B: precise with the right timing | C: precise but delayed, reducing available time
Acceptable  | D: acceptable but too early  | E: acceptable with the right timing | F: acceptable but delayed, reducing available time
Imprecise   | G: imprecise and too early   | H: imprecise but correctly timed | I: imprecise as well as delayed, reducing available time
Aspect’s quality and Performance variability
(Table: the output classes A–I grouped by their effect on downstream variability. Columns: Damping and Increase, each graded High / Medium / Small. Groups as shown: B, E; A, D, C; F, G; H; I.)
The median of the quality of the aspects is the quality of the output.
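The two evaluation slides above (Output coupled to the I-P-C-R aspects of downstream functions, and the median rule) can be exercised in a few lines. The following Python model is an added example, not code from the presentation: it encodes the A–I output characterisation grid, couples the Output of upstream functions to the aspects of MONITORING, and applies the median rule to the deck's own scenario (imprecise 'Enable MSAW alert transmission', early clearance for Aircraft #1, everything else acceptable or invariant). The coupling set chosen for MONITORING, the ordinal ranking of the classes (taken from the order in which the slide groups them) and the tie-break for an even number of aspects are assumptions, so the resulting class is illustrative of the method rather than a result from the study.

```python
"""Constructed example: FRAM output characterisation, coupling and median rule.
The coupling set of MONITORING, the ordinal scale and the tie-break are assumptions."""
from typing import Dict, List, Tuple

# Output characterisation grid from the slides: class letter by (precision, timing).
OUTPUT_CLASS: Dict[Tuple[str, str], str] = {
    ("precise", "too early"): "A", ("precise", "on time"): "B", ("precise", "too late"): "C",
    ("acceptable", "too early"): "D", ("acceptable", "on time"): "E", ("acceptable", "too late"): "F",
    ("imprecise", "too early"): "G", ("imprecise", "on time"): "H", ("imprecise", "too late"): "I",
}
CLASS_TO_PAIR = {cls: pair for pair, cls in OUTPUT_CLASS.items()}

# ASSUMPTION: ordinal scale for the median rule, best group first, following the
# order in which the slide groups the classes (B E | A D C | F G | H | I).
RANK_GROUPS = [("B", "E"), ("A", "D", "C"), ("F", "G"), ("H",), ("I",)]
RANK = {cls: (g, p) for g, group in enumerate(RANK_GROUPS) for p, cls in enumerate(group)}


def classify(precision: str, timing: str) -> str:
    """Map an observed output to its class letter A-I."""
    return OUTPUT_CLASS[(precision, timing)]


def describe(cls: str) -> str:
    precision, timing = CLASS_TO_PAIR[cls]
    return f"{cls}: output is {precision}, {timing}"


# Couplings of MONITORING as (aspect, upstream function whose Output feeds it).
# ASSUMPTION: a subset of the couplings drawn in the instantiation diagrams.
MONITORING_COUPLINGS: List[Tuple[str, str]] = [
    ("I", "DISPLAY DATA ON CWP"),
    ("P", "ENABLE MSAW ALERT TRANSMISSION"),
    ("P", "ISSUE CLEARANCE TO PILOT"),
    ("C", "MANAGE PROCEDURES"),
    ("R", "MANAGE COMPETENCE"),
    ("T", "ISSUE CLEARANCE TO PILOT"),   # clearance timing sets the time available for monitoring
]


def output_quality(couplings: List[Tuple[str, str]], upstream_outputs: Dict[str, str]) -> str:
    """Median rule: each aspect inherits the class of the upstream Output it is
    coupled to, and the function's own Output is the median of those classes on
    the ordinal scale. With an even number of aspects the worse of the two middle
    classes is taken (ASSUMPTION)."""
    aspect_classes = [upstream_outputs[upstream] for _, upstream in couplings]
    ordered = sorted(aspect_classes, key=lambda cls: RANK[cls])
    return ordered[len(ordered) // 2]


def baseline_outputs() -> Dict[str, str]:
    """Slide assumptions: organisational and technological functions induce no
    variability; the remaining functions have acceptable precision and timing."""
    return {
        "DISPLAY DATA ON CWP": classify("precise", "on time"),       # technological
        "MANAGE PROCEDURES": classify("precise", "on time"),         # organisational
        "MANAGE COMPETENCE": classify("precise", "on time"),         # organisational
        "ENABLE MSAW ALERT TRANSMISSION": classify("acceptable", "on time"),
        "ISSUE CLEARANCE TO PILOT": classify("acceptable", "on time"),
    }


def scenario_outputs() -> Dict[str, str]:
    """Slide scenario: 'Enable MSAW alert transmission' performed imprecisely and
    the clearance for Aircraft #1 issued earlier than expected."""
    outputs = baseline_outputs()
    outputs["ENABLE MSAW ALERT TRANSMISSION"] = classify("imprecise", "on time")  # H
    outputs["ISSUE CLEARANCE TO PILOT"] = classify("acceptable", "too early")     # D
    return outputs


def monitoring_quality(outputs: Dict[str, str]) -> str:
    """Class of MONITORING's Output under the given upstream outputs."""
    return output_quality(MONITORING_COUPLINGS, outputs)


if __name__ == "__main__":
    for label, outputs in (("baseline", baseline_outputs()), ("scenario", scenario_outputs())):
        print(label, describe(monitoring_quality(outputs)))
```

Under these assumptions the baseline gives MONITORING an output in class E (acceptable, on time) and the scenario shifts it to class D (acceptable, too early): neither upstream function failed, yet the combination of an imprecise enable and an early clearance moves the downstream output out of the high-damping group, which is the emergent effect the method is meant to make visible. Changing the coupling list or the ranking changes the answer, which is why an instantiation records both explicitly.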
Instantiation 1
(Diagram: the FRAM model instantiated for the first pair of clearances. Legend: model functions, organisational functions, MSAW functions.)
Functions shown: Enable MSAW alert transmission; Provide MET data; Display data on CWP; Provide flight & radar data; Planning; Pilot-ATCO communication; Strip marking; Monitoring; Issue clearance to pilot; Manage competence; Manage procedures; Manage teamwork; Generate MSAW alert; Define alert-inhibited airspace volume; Define alert-inhibited SSR codes.
Outputs coupled to downstream aspects: Flight & radar data; System message; Alert inhibit SSR codes defined; Alert inhibit airspace vol defined; MSAW function enabled; MET data; Flight & radar data displayed; MET data displayed; Flight position A/C 1 monitored; Flight position A/C 2 monitored; Clearance plan A/C 1; Clearance plan A/C 2; A/C 1: radio contact established; A/C 2: radio contact established.
Organisational outputs feeding the other functions: Procedure; Technical training; Teamwork.
Clearance A/C 1: Aircraft #1 identified, proceed direct to DLS 512, descend altitude 5000 FT-QNH 1027
Clearance A/C 2: Aircraft #2 identified, descend FL60, proceed direct to DLS 512
Instantiation 2
(Diagram: same functions, couplings and organisational outputs as Instantiation 1, instantiated for the second pair of clearances.)
Clearance A/C 1: descend altitude 4000 FT, turn right heading 230, cleared ILS25
Clearance A/C 2: descend altitude 4000 FT-QNH 1027, turn left heading 210, cleared ILS25
Instantiation 3
(Diagram: same functions, couplings and organisational outputs as Instantiation 1, instantiated for the hand-off to tower; the output "MSAW alert generated" now appears.)
Clearance A/C 1: Contact tower
Clearance A/C 2: Contact tower
Conclusion
• Presented the application of the Functional Resonance Analysis Method to perform a safety assessment study for the Minimum Safe Altitude Warning system.
• Looked for risks due to the combination of variability of normal performance rather than to system failures or breakdowns.
• An inappropriate enabling of the alert transmission in combination with a ‘trivial’ anticipation of a clearance could result in a degraded performance of the monitoring function.
• Shows the added value of a resilience engineering approach when evaluating the potential impact of the introduction of new equipment in the ATM domain.
Thank you for your attention