Functional Hazard Assessment and very Preliminary System Safety Assessment Report

6th FP Project FP6 -503192

Functional Hazard Assessment and very Preliminary System Safety Assessment Report Final version

Stéphane Paul Thales ATM

Document No: D1.3.9
Version No: 1.0
Classification: Public
Number of pages: 241

Project funded by the European Commission, DG TREN, under the Sixth Framework Programme "Strengthening the competitiveness", contract FP6-503192.

Project Manager: Michael Roeder
Deutsches Zentrum für Luft- und Raumfahrt
Lilienthalplatz 7, D-38108 Braunschweig, Germany
Phone: +49 (0) 531 295 3026, Fax: +49 (0) 531 295 2180
Email: [email protected]
Web page: http://www.dlr.de/emma

© 2006, EC Sponsored Project EMMA (Copyright Notice in accordance with ISO 16016). The reproduction, distribution and utilization of this document, as well as the communication of its contents to others without explicit authorization, is prohibited. This document and the information contained herein are the property of Deutsches Zentrum für Luft- und Raumfahrt and the EMMA project partners. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design. The results and findings described in this document have been elaborated under a contract awarded by the European Commission, under contract FP6-503192.


Distribution List

Member Type | No. | POC | Name | Distributed
Web | 1 | Internet | http://www.dlr.de/emma | X
Web | 1 | Intranet | https://extsites.dlr.de/fl/emma | X
Web | 1 | DLR | Jörn Jakobi | X
Contractor | 2 | AENA | Francisco José Rodríguez Angelina | X
Contractor | 3 | AI | Marianne Moller | X
Contractor | 4 | SELEX | Giuliano d'Auria | X
Contractor | 5 | ANS_CR | Miroslav Tykal | X
Contractor | 6 | BAES | Stephen Broatch | X
Contractor | 7 | STAR | Max Koerte | X
Contractor | 8 | DSNA | Nicolas Marcou | X
Contractor | 9 | ENAV | Antonio Nuzzo | X
Contractor | 10 | NLR | Jürgen Teutsch | X
Contractor | 11 | PAS | Alan Gilbert | X
Contractor | 12 | TATM | Stéphane Paul | X
Contractor | 13 | THAV | Alain Tabard | X
Contractor | 14 | CSA | Karel Muendel | X
Contractor | 15 | AUEB | Konstantinos G. Zografos | X
Contractor | 16 | CSL | Libor Kurzweil | X
Contractor | 17 | DAV | Rolf Schroeder | X
Contractor | 18 | DFS | Klaus-Ruediger Täglich | X
Contractor | 19 | EEC | Stéphane Dubuisson | X
Contractor | 20 | ERA | Jan Hrabanek | X
Contractor | 21 | ETG | Thomas Wittig | X
Contractor | 22 | MD | Phil Mccarthy | X
Contractor | 23 | SICTA | Claudio Vaccaro | X
Contractor | 24 | TUD | Christoph Vernaleken | X
Sub-Contractor | - | N.N. | - | -
Customer | - | EU | Morten Jensen | X
Additional | - | EUROCONTROL | Paul Adamson | X
Additional | - | TUDelft | Erik Theunissen | X

Save Date: 2006-10-11 File name: D139_FHAvPSSA_V1.0.doc

Public

2 of 241 Version 1.0

Document Control Sheet

Project Manager: ROEDER Michael
Responsible Author: PAUL Stéphane (TATM)
Additional Authors: LUPINSKI Françoise, BERNAT Jean (TATM); BERTHON Guy, GAYRAUD Pierre, TABARD Alain (THAV); MARCOU Nicolas, Isabelle Daguzon (DSNA)
Reviewers: VINAGRE SOLANS Lluis (AENA); NUZZO Antonio (ENAV); VALENTINO Angelo (SELEX)
Subject / Title of Document: Functional Hazard Assessment and very Preliminary System Safety Assessment Report
Related Task: WP1.3
Deliverable No.: D1.3.9
Save Date of File: 2006-10-11
Document Version: 1.0
Reference / File Name: D139_FHAvPSSA_V1.0.doc
Number of Pages: 241
Dissemination Level: Public
Target Date: 2006-02-28

Change Control List (Change Log)

Issues 0.01 to 0.06
Date / Issue: 2004-04-02 / 0.01; 2004-04-27 / 0.02; 2004-05-10 / 0.03; 2004-05-13 / 0.04; 2004-06-22 / 0.05; 2004-07-16 / 0.06.
Changed items/chapters: Initial draft. All, but mainly refined system description. All.
Comment: Made compliant to Thales ATM quality manual. Made to be more compliant with EUROCONTROL safety assessment methodology. Distributed to DSNA, THAV. Distributed to DLR, NLR, AHA, Françoise Lupinski. No feedback yet from DSNA, THAV, DLR, NLR, AHA. Reduced drawing size. Quotation from Alan Gilbert. Some comments by F. Lupinski (including re-organised appendixes). New document references. Table of contents shows appendixes. Corrected footers & headers. Started to fill in appendixes A & B. Better introduction to appendix B. After KOM between TATM and DSNA. Fused appendixes F and G. Distribution to THAV for 2nd KOM. Major contribution to appendixes A, B, C and D.

Issues 0.07 to 0.15
Date / Issue: 2004-07-29 / 0.07; 2004-08-09 / 0.08; 2004-08-17 / 0.09; 2004-08-20 / 0.10; 2004-08-23 / 0.11; 2004-09-08 / 0.12; 2004-10-28 / 0.13; 2004-11-12 / 0.14; 2004-12-13 / 0.15.
Changed items/chapters: Template update, footer corrections. Major contribution to appendixes A, B, C and D. Revised structure for chapter 3 + start of ICAO requirement collection. Note on security. Explanations on switchover. Explanations on detection vs. non-detection of failure modes. Appendixes A, B, C and D including: comments by Françoise Lupinski; suppression of the C3O0_01 data flow. End of ICAO requirement collection related to safety. Appendixes A, B, C and D. Formalisation of operational effects. Change of "unavailability of…" to "temporary interruption of…". Use of automatic numbering for operational effects. Appendixes A, B, C and D including: still more explanations on the structure of the tables in appendixes C and D; aircraft on-board guidance becomes an external function. Data on time management in secondary surveillance sensors. Inputs on recording. Inputs on technical supervision and time management by Françoise Lupinski. Corrections linked to comments from Guy Berthon. All. Update of ICAO & SAM references. Related change of title and introduction chapter to present new PSSA aspects.
Comment: After KOM between TATM and THAV. Consolidated with all AGATE failure conditions (except for interfaces with cockpit). Provided to Françoise Lupinski for review. Distribution to THAV before visio-conference. Sent to NLR (on NLR request). Sent to DSNA and THAV so they can start their own contributions. Based on inputs by Holger Neufeldt. Sent to Airbus (on their request). Provided to ANS-CR and EUROCONTROL during SP1 meeting in Brussels. Distribution to Jean BERNAT, Thales ATM safety engineer on the C-ATM project. Integration of DSNA contributions dated 02 November 2004. Integration of THAV contributions, dated 12 October 2004, received 03 November 2004. Distribution to THAV and TATM.

Issues 0.16 to 0.19
Date / Issue: 2005-01-05 / 0.16; 2005-01-18 / 0.17; 2005-01-22 / 0.18; 2005-02-01 / 0.19.
Changed items/chapters: New term definitions. Inputs on EUROCONTROL's A-SMGCS level 1 and 2 safety case by NATS and Helios Technology. Update of hazard identification, severity allocation and safety objectives. Annex F: more details to explain derivation of safety objectives per A-SMGCS implementation level. Better summary in chapter 3. Slight rewording of operational effects and hazards. Updated aircraft equipment definition (from THAV). Considerations for hazard identification in relationship to aircraft equipment in annex E (from THAV). Suppression of annex G. Justification of share of the TLS allocated to equipment depending on A-SMGCS implementation level, and re-organisation of annex F. Relaxation of severity definition in Figure 13. Updated chapter 3. Renamed and filled in chapter 4. Spelling. Explanations on formula for share of safety objective between equipment, and people + procedures. Document modified online (everywhere) during FHA meeting at Bagneux on 20-21 January 2005 with DSNA & THAV. Mainly, new hazards were identified, with a split per A-SMGCS implementation level. A-SMGCS boundary justification. Recommendations of operational effects and hazards tables recopied in §4. Explanations on possible redundancy of HMI.
Comment: After review/comments by Françoise Lupinski. Sent to Nicolas Marcou & Françoise Lupinski. After review/comments by Françoise Lupinski. Integrates part of the contribution by Guy Berthon sent by e-mail. Distribution to THAV and DSNA. After receiving comments on version 0.16 by DSNA (not all comments integrated). Distributed to meeting participants.

Issues 0.20 to 0.23
Date / Issue: 2005-02-02 / 0.20; 2005-02-02 / 0.21; 2005-02-14 / 0.22; 2005-02-28 / 0.23.
Changed items/chapters: Split of §3.2.1 into implementation levels, and update of list of hazards per level. Following identification of new hazards (version 0.18), links between operational effects and hazards re-established. Check and corrections of all references to ICAO manual. New section named "A target level of safety for A-SMGCS" based on input by DSNA (email dated 31 Jan). New section named "Safety and safety nets". Correction of bugs in headers. Suppression of references to AHA work (including in figures). Renewed explanations on TLS share. Re-computation of safety objectives. Addition of a password to open document. Addition of ICAO implementation level table in annex E. Replace "irrelevant" by "no effect" on safety. Integration of part of the contribution from Thales Avionics in §1.6, §1.7, and §2.2. Check & completion of list of acronyms. Addition of an "initial version" label to this release, as it is agreed that the final release will be published after the workshop. More details on computations of value of safety objectives in appendix F. Figure 8, and corresponding text. Rewording of "Temporary interruption of..." definition. Notion of system boundary replaced by interface. New question on impact expectation once the full concept of operations is developed.
Comment: Distributed to EMMA consortium during SP1 workshop (on 10 February). Distributed to AENA for review. Comments on release 0.20 by Françoise Lupinski. Contributions of Thales Avionics related to §4.2, §5.1, appendix A, and appendix E have not been withheld for integration. Integrates official peer review comments by Angelo Valentino (SELEX). Integrates additional peer review comments by AENA and ENAV. Last contribution on other hazards by DSNA. Some comments by Jean Bernat.

Issues 0.24 to 0.27
Date / Issue: 2005-03-02 / 0.24; 2005-03-02 / 0.25; 2005-03-07 / 0.26; 2005-04-05 / 0.27.
Changed items/chapters: Operational effects labelled for traceability. Updated list of hazards originating from people and procedures. New ICAO recommendation added. Enhanced definition of system operational state. Corrected severity assessment criteria for hazards 1, 3, and 4. Note to explain hazard 5 unexpected event. Note on the significance of the greyed-out rows in FMEA. More explanations on the 4 operational effects categories. In accordance with the Vocabulaire Electrotechnique International (VEI 191), replacement of failure mode by fault mode, and of failure modes and effects analysis (FMEA) by fault modes and effects analysis. Updated A-SMGCS data and control flows (Table 14). Rewording of arguments related to use of TCAS with respect to severity. Update of figure 20. Update of note related to HZ-05. Introduction of name of reviewers. Based on THAV input, section 1.6.2, and introduction of annex E. Update of failure definition. New doc references. Review of AGATE document status. Table 9 corrected. Better explanations on structure of the analysis tables for table 15. Corrected header of table 16. Annunciation changed to announcement, and structure of the severity analysis table corrected. Figure 21. Appendix E, caption added for superscripts (1), 1*, 2*, 3*, and 4*.
Comment: Thales ATM internal review of comments with Françoise Lupinski. DLR formal review. Contains updated contribution from Thales Avionics. Distribution to THAV and DSNA. After Bengt Collin's (Eurocontrol) comments sent via Morten. After Rodolfo Piedra's (EC) comments. Distributed during FHA workshop.

Issues 0.28 to 0.32
Date / Issue: 2005-04-06 / 0.28; 2005-06-06 / 0.29; 2005-09-12 / 0.30; 2005-09-26 / 0.31; 2006-01-30 / 0.32.
Changed items/chapters: Shift to final version. Inclusion of FHA workshop questionnaire. New section (§1.6.3) on scenario implementation levels (SIL) and update of terminology everywhere in text. New section (§4.3) on recommendations for the adaptation to a specific environment. Description of hazard effects and related severity. Change of title of D141. New appendix H for 2nd workshop short report. Typos. Adaptation of chapter 3 to reflect updates of annexes. New §1.6.4. Appendix H. §1.3.3, §1.6.2, §1.7.3, §1.7.6, §3.2.2.1, §3.3, §3.4.1, new §3.4.3 and §3.4.4, §5.2, Appendix F, All.
Comment: Modifications related to 1st FHA workshop feedback comments. Modifications related to 2nd FHA workshop feedback comments. Delivery for approval to all workshop participants. Last contribution by DSNA on scenario implementation level (SIL) and frequently asked questions. Final delivery to DLR for delivery to EC. Addition of CVs of participants to 2nd FHA workshop. Editorial practices clarified. Introduction about the used prescriptive method. More data on the A-SMGCS levels 1 and 2 preliminary safety case by EUROCONTROL, because it has reached release 1.0. New data on TUDelft work. Simplified TLS computations. New table for summary of hazard severities. Extended explanations on a scalar product. Cross-check of numerical illustration, and cross-check with EUROCONTROL A-SMGCS safety case. Change of definition of probability of occurrence to be in line with NATS' mapping of undeveloped outcomes. Cross-check of SIL II results with EUROCONTROL A-SMGCS safety case. Typographical corrections. Submission to DLR for internal project review and/or delivery to EC.

Issues 0.33 to 1.0
Date / Issue: 2006-02-07 / 0.33; 2006-10-11 / 1.0.
Changed items/chapters: File name changed to EMMA standards, distribution list updated, target date updated. EC approval.
Comment: Formal review by DLR. Submission to EC.

"Before an A-SMGCS is actually made operational, a safety assessment should take place in order to provide a good understanding of the safety impact caused by the application of the system but also the safety impact in case of failure of elements of the system."
ICAO manual on Advanced Surface Movement, Guidance and Control System (A-SMGCS).

Table of Contents

1 Scope 14
1.1 Identification 14
1.2 Project overview 14
1.3 Document overview 14
1.3.1 Purpose 14
1.3.2 Applicability 16
1.3.3 Editorial practices 16
1.3.4 Document structure 16
1.3.5 Meaning of "final" version 16
1.3.6 Safety versus security 17
1.4 Safety assessment methodology 17
1.4.1 First step: identification of potential equipment failures 18
1.4.2 Step two: identification of hazards 19
1.4.3 Step three: assessment of hazard severity 19
1.4.4 Step four: specification of safety objectives and identification of safety requirements 21
1.5 System overview 22
1.5.1 System mission 22
1.5.2 System boundaries 24
1.5.3 About procedures 26
1.6 Operational scenario 26
1.6.1 The different meanings behind "A-SMGCS implementation levels" 26
1.6.2 A conservative approach 28
1.6.3 The ICAO's generic implementation levels applied to EMMA, focusing on the worst credible cases 28
1.6.4 EMMA scenario implementation levels 29
1.6.5 Airborne equipment technologies and flight crew role 32
1.6.6 Concept of operations and its impact on exposure time 32
1.6.7 Follow-up 33
1.7 State of the art 33
1.7.1 A target level of safety for A-SMGCS 33
1.7.2 The AGATE functional hazard assessment 35
1.7.3 A-SMGCS levels 1 and 2 preliminary safety case by EUROCONTROL 37
1.7.4 Operational hazard assessment by the C-ATM project 40
1.7.5 The FHA of Maastricht upper area control centre 40
1.7.6 Safety assessment for on-board equipment 41
1.7.7 ICAO requirements and their impacts on this assessment 43
1.7.8 Safety and safety nets 47
1.7.9 State-of-the-art conclusion 47
2 Referenced documents 48
2.1 Applicable documents 48
2.2 Other relevant publications 48
2.2.1 Emma deliverables 48
2.2.2 Thales ATM publications 48
2.2.3 Publications from other EMMA consortium partners 48
2.2.4 External publications 49
3 Main results of the functional hazard assessment and very preliminary system safety assessment 50
3.1 Identification of potential equipment failures 50
3.1.1 Functional decomposition 50
3.1.2 Identification of data & control flows 51
3.1.3 Posting of fault modes on each data & control flow 51
3.2 Identification of hazards 53
3.2.1 Hazards originating from equipment 53
3.2.2 Other hazards and share of the target level of safety 55
3.3 Assessment of hazard severity 59
3.4 Specification of safety objectives 60
3.4.1 Introduction 60
3.4.2 Numerical illustration 63
3.4.3 Cross-check of numerical illustration 63
3.4.4 Cross-check with EUROCONTROL A-SMGCS safety case 64
4 Recommendations 65
4.1 Recommendations for the specification, design and development 65
4.2 Recommendations to the ICAO manual on A-SMGCS 66
4.3 Recommendations for the adaptation of the functional hazard assessment and very preliminary system safety assessment to a specific environment 66
5 Notes 68
5.1 Acronyms 68
5.2 Term definitions 71
Appendix A - Functional decomposition 83
Appendix B - Data and control flows 89
Appendix C - External fault modes and effects analysis 102
Appendix D - Internal fault modes and effects analysis 114
Appendix E - Identification of hazards 166
Appendix F - Assessment of hazard severity and probability of occurrence 205
Appendix G - 1st workshop questionnaire, analysis and lessons learnt 227
Appendix H - 2nd workshop short report 238


1 Scope

1.1 Identification

This document is a functional hazard assessment (FHA) and very preliminary system safety assessment (PSSA) report performed for a generic advanced surface movement, guidance and control system (A-SMGCS).
• Document Name: Functional Hazard Assessment and very Preliminary System Safety Assessment Report
• EMMA No.: D1.3.9
• Revision: 1.0
• File Name: D139_FHAvPSSA_V1.0.doc

1.2 Project overview

The project is named "European Airport Movement Management by A-SMGCS", with the acronym EMMA. The duration of the project is 2 years, with a follow-up in EMMA-2 (another 2.5 years). The project is organised in six different sub-projects. There are three ground-related sub-projects and one on-board-related sub-project. Based on an advanced operational concept, three functional level III advanced surface movement, guidance and control systems (A-SMGCS) will be implemented at three European airports: Prague-Ruzyně, Toulouse-Blagnac and Milano-Malpensa. The systems are to be tested operationally (i.e. with live traffic). The three ground-related sub-projects and the on-board-related sub-project are autonomous, but are inter-linked with the sub-projects 'concept' and 'validation' to guarantee that the different systems are based on a common A-SMGCS interoperable air-ground co-operation concept and that all are validated with the same criteria. On-site long-term trials are to ensure the assessment of benefit estimations. The results of the test phase shall feed back into the concept of operations, and are intended to set standards for future implementation in terms of: (a) common operational procedures, (b) common technical and operational system performance, (c) common safety requirements, and (d) common standards of interoperability with other ATM systems. These standards shall feed the relevant documents of the international organisations involved in the specification of A-SMGCS, i.e. mainly ICAO, EUROCAE / RTCA, and EUROCONTROL.

1.3 Document overview

1.3.1 Purpose

The purpose of this functional hazard assessment (FHA) and very preliminary system safety assessment (PSSA) report is to provide safety objectives and recommendations (i.e. potential safety requirements) for advanced surface movement, guidance and control systems (A-SMGCS), prior to design, development and operation.

Why a combined FHA and PSSA?

A system (e.g. an A-SMGCS) can be described at a sufficiently abstract level that no breakdown is made in terms of equipment, people or procedures. According to [2], a functional hazard assessment (FHA) should be performed at this level, and its result (i.e. the safety objectives) should stay valid irrespective of the level of automation. The safety assessment should then continue with a series of preliminary system safety assessments (PSSA). In the first PSSA step, the share of responsibilities between people, procedures and equipment may be taken into account, like any other specific (local) implementation issue. During the PSSA, the high-level safety objectives (originating from the FHA) are split between equipment, people and procedures, down to the transistor or to the line of code if so required. Each PSSA iteration corresponds to a design or implementation choice. Each decision to change one of these choices invalidates the whole corresponding PSSA, but should (ideally) not impact the FHA.

But is the above approach really applicable to A-SMGCS safety assessment? The above states that an FHA is independent of the level of automation (i.e. independent of the ICAO A-SMGCS level of implementation). An A-SMGCS FHA would therefore be strictly identical to an SMGCS FHA, and is of no direct interest in this project. The purpose of this report is to assess the changes in terms of safety when automation is introduced. The focus is therefore on (new) equipment and on the way it is used. This explains why this functional hazard assessment has been combined with a very preliminary system safety assessment.

Because A-SMGCS-related procedures are not yet mature (cf. §1.5.3), this safety assessment does not consider the complete system (i.e. people, procedures and equipment), but focuses mainly on A-SMGCS equipment services, as specified in the International Civil Aviation Organisation (ICAO) manual on A-SMGCS [32]. The D1.3.9 report considers all relevant functional implementation levels (i.e. level II, level III, level IV and level V) as defined in [32].

Except for the aforementioned limitations, the safety process followed in this document conforms to the EUROCONTROL air navigation system (ANS) safety assessment methodology (SAM) [2], as detailed in §1.4. It first identifies potential equipment failures, or more precisely observable failures on the data and control flows (i.e. fault modes). Operational effects and mitigation means are then described successively at equipment level and at system level.

Figure 1: A hazard is expressed at the boundary of the scope of the system under assessment. (Diagram not reproduced; it shows three nested levels, each with its effects and mitigation means: at equipment level, an equipment failure, its operational effects at equipment level, and equipment mitigation; at A-SMGCS level, the hazards, i.e. the operational effects at A-SMGCS level, and system mitigation; at aerodrome ATC level, the operational effects at aerodrome ATC level, i.e. the failure condition, and external mitigation.)

Hazards are identified at the boundary of the A-SMGCS. The hazards considered here all originate from equipment failures, so they only constitute a subset of all possible hazards. The process then assesses the severity of the hazards, based on the analysis of their operational consequences (i.e. hazard effects), at system level, on the safety of aircraft operations, within a generic operational environment (cf. §1.6). Then, based on the target level of safety defined in the ICAO manual on A-SMGCS [32] for aircraft taxi operations, this report provides qualitative or quantitative statements (i.e. safety objectives) that define the maximum probability at which the identified hazards can be tolerated to occur. The document concludes with recommendations (i.e. potential safety requirements) that should help reach those safety objectives.


1.3.2 Applicability

This document is not applicable to any specific programme. It is built as a generic functional hazard assessment and very preliminary system safety assessment report, to be reused as a template in all advanced surface movement, guidance and control system (A-SMGCS) equipment programmes that comply with the International Civil Aviation Organisation (ICAO) manual on A-SMGCS [32].

1.3.3 Editorial practices

In the writing of this report (and with the exception of §1.6.1), the ICAO conventions for the notation of the five levels of A-SMGCS implementation for particular aerodromes [32] have been used. They range from I (i.e. SMGCS) to V (i.e. full A-SMGCS). However, to avoid confusion with the EUROCONTROL A-SMGCS implementation levels, we decided (during the 1st EMMA FHA workshop) to refer, in this document, to the ICAO implementation levels by the name “scenario implementation levels”, abbreviated SIL.

The use of acronyms is discouraged in safety documentation, as clarity is more important than brevity. Thus all acronyms are expanded at least once in each section.

It is clearly agreed that "severity" applies to "hazard effects", not to "hazards". However, in this document we have only worked on the worst credible case of hazard effects (without developing event trees for hazards), and therefore the shorthand "hazard severity" is commonly used to designate the severity of the worst credible effect of the hazard.

1.3.4 Document structure

This document consists of an overview and a series of appendices providing the safety assessment details. This report provides:
• a project overview, a system overview and a safety assessment methodology overview (cf. §1),
• a list of referenced documents (cf. §2),
• the main results of the functional hazard assessment and preliminary system safety assessment steps (cf. §3),
• recommendations (cf. §4),
• appendices providing the detailed analysis.

1.3.5 Meaning of “final” version

Most EMMA deliverables are delivered in two steps: an “initial” version, and a “final” version. This document is no exception. This document is the “final” version. This section explains the main differences between the “initial” version and the “final” version of the document.

First, the “initial” version had a confidential level of dissemination. This “final” version is public. Next, the “initial” version was published prior to the two functional hazard assessment workshops organised by Thales ATM with the air navigation service providers who are involved in EMMA, and some other stakeholders. This “final” version now includes all the feedback collected during the workshops and the post-workshop comments. Finally, this “final” version contains the complete contribution from Thales Avionics relating to the on-board part.


1.3.6 Safety versus security

Depending on the origin of the feared event, a distinction is made between:
• safety, when the origin of the feared event is accidental,
• security, when the origin of the feared event is intentional.
Safety, and therefore this assessment, is normally not concerned with malevolent behaviours. However, considering the current psychosis that followed the 11th September 2001 attack, a few security issues have been considered when and where the system was seen as most vulnerable.

1.4 Safety assessment methodology

The safety assessment process recommended by EUROCONTROL consists of three major phases:
• functional hazard assessment (FHA),
• preliminary system safety assessment (PSSA),
• system safety assessment (SSA).
The objectives of the FHA, the PSSA and the SSA are as follows.

The functional hazard assessment (FHA) analyses the potential consequences on safety resulting from the loss or degradation of system functions. Using service experience, engineering and operational judgement, the severity of each hazard effect is determined qualitatively and placed in a class. Safety objectives determine the maximum tolerable probability of occurrence of a hazard, in order to achieve a tolerable risk level.

The preliminary system safety assessment (PSSA) determines whether the proposed system architecture is likely to achieve the safety objectives. The PSSA examines the proposed system architecture and determines how faults of system elements and/or external events could cause or contribute to the hazards and their end-effects identified in the FHA. Next, it supports the selection and validation of mitigation means that can be devised to eliminate, reduce or control the hazards and their end-effects. System safety requirements are derived from safety objectives; they specify the potential means identified to prevent or reduce hazards and their end-effects to an acceptable level, in combination with specific possible constraints or measures.

The system safety assessment (SSA) collects arguments, evidence and assurance to ensure that each system element as implemented meets its safety requirements, and that the system as implemented meets its safety objectives throughout its lifetime. It demonstrates that all risks have been eliminated or minimised as far as reasonably practicable in order to be acceptable, and subsequently monitors the safety performance of the system in service. The safety objectives are compared with the current performance to confirm that they continue to be achieved by the system.

This section details the steps followed in this document for this functional hazard assessment (FHA) and very preliminary system safety assessment (PSSA). For more details on the general objectives of the two other assessment steps (i.e. PSSA and SSA), please refer to the safety assessment methodology in [2]. Figure 2 (on page 20) details:
• the process leading to the specification of A-SMGCS safety objectives and the identification of safety requirements, and
• the role played by each partner in this functional hazard assessment[1] and very preliminary system safety assessment.
In the figure, the two main inputs to the study are shown in bold green, at the upper and lower ends of the diagram, whilst the outputs are highlighted in red italics.

[1] According to the safety assessment methodology [2], human factors and ergonomic expertise, and software/hardware engineering are not required during functional hazard assessment.


1.4.1 First step: identification of potential equipment failures

The first and main input to this report is the operational and performance requirements contained in the International Civil Aviation Organisation (ICAO) manual on A-SMGCS [32]. The terms “system”, “equipment” and “total system” are all used in that document, which leaves some ambiguity about the meaning of “system”. Even though the term “system” is used in the acronym A-SMGCS, the main scope of the ICAO manual on A-SMGCS is clearly the equipment[2]. Indeed, the manual does not address procedures or the tasks of the actors (i.e. controller, pilot and vehicle driver). On the contrary, and in agreement with [2], in this report the term “system” designates a combination of physical components, procedures and human resources organised to perform a function. Therefore, to avoid confusion in this document, the A-SMGCS as specified in [32] is always suffixed by the term “equipment”: A-SMGCS equipment.

Because A-SMGCS related procedures are neither mature nor, in some cases, even defined, this report cannot consider the complete advanced surface movement, guidance and control system, and often needs to focus on the A-SMGCS equipment. In particular, the first step of the study, which aims at identifying what can go wrong with the system (i.e. identification of potential failures), only addresses the identification of potential equipment function failures. See also §1.3.1 for further reasons to focus on equipment.

The causes of an equipment function failure are numerous (e.g. software bug, hardware failure, power supply interruption, overflow, misrouting, etc.) and seldom relevant[3] in a hazard assessment. What matters is the way the equipment function failure reveals itself at the function output. In this document, these “ways” are modelled very simply as fault modes (previously called failure modes). This report makes use of three types of fault modes:
• “Loss of…”, when referring to the total loss of the function as normally provided by the equipment;
• “Temporary interruption of…”, when referring to a period (bounded by the “acceptable outage” column of Table 5-9 on page 101) during which the function is not provided by the equipment, but which is shorter than the duration above which the function is declared lost;
• “Corruption of…” in all other cases.
The “loss of…” fault mode covers the cases where:
• the output of the function is really lost (e.g. in case of a non-secure connection),
• the output of the function is delayed to such an extent that it has become obsolete and can no longer be used.
Further, for all fault modes, the two cases “without detection” and “with detection” are taken into account.

Our choice to model potential equipment failures with the above list of fault modes implies that a consensus is reached on a clear and unambiguous:
• functional decomposition (of the A-SMGCS equipment),
• set of interfaces (i.e. mainly data and control flows) between these functions, and
• set of interfaces between these functions and external equipment (e.g. approach or area control centre).
The level of detail of the functional decomposition must be sufficient to obtain significant results during the safety assessment, but must not lose relevance through excessive detail. The level of detail has been set using the EUROCAE WG-41 minimum aviation system performance standards (MASPS) [33] and the industrial knowledge of Thales ATM and Thales Avionics as equipment manufacturers. The result of that consensus, including ICAO requirements and the end-user view of DSNA, is provided in appendix A. It represents a common view on A-SMGCS shared by an ATC systems industry, an avionics industry, and an air traffic management service provider.

[2] Anybody’s system is somebody else’s subsystem!

[3] The causes may however be relevant in the recommendations provided.
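As an added illustration of the fault-mode model described in §1.4.1 (this is example code written for this edition of the text, not part of the EMMA deliverable, of the ICAO manual or of any Thales product), the following Python snippet does two things: it classifies an observation of a function output into one of the three fault modes, using a per-flow acceptable-outage threshold and an obsolescence threshold, and it enumerates the complete list of fault modes, each with and without detection, that the analysis must cover for a set of data flows. The flow names, the threshold values and the observations are constructed for the example; the report keeps its own acceptable-outage values in Table 5-9.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import product
from typing import List, Optional, Tuple


class FaultMode(Enum):
    """The three fault modes used to model an equipment function failure at its output."""
    LOSS = "Loss of"
    TEMPORARY_INTERRUPTION = "Temporary interruption of"
    CORRUPTION = "Corruption of"


@dataclass(frozen=True)
class Observation:
    """What an observer sees on one function output (fields constructed for this example)."""
    flow: str                 # name of the data or control flow, e.g. "system tracks"
    delivered: bool           # at least one output was received in the observation window
    outage_s: float = 0.0     # seconds during which nothing at all was received
    delay_s: float = 0.0      # age of the latest delivered output, in seconds
    valid: bool = True        # delivered content passes integrity / plausibility checks
    detected: bool = False    # the equipment itself flagged the anomaly (alarm, status)


@dataclass(frozen=True)
class FlowLimits:
    """Assumed per-flow limits (the report's values live in the 'acceptable outage' column)."""
    acceptable_outage_s: float   # an interruption longer than this is declared a loss
    obsolescence_s: float        # data older than this is useless, hence treated as a loss


def classify(obs: Observation, limits: FlowLimits) -> Optional[FaultMode]:
    """Return the fault mode an observation falls into, or None when the output is nominal."""
    if not obs.delivered:
        # Nothing received: either a tolerated gap or, past the threshold, a declared loss.
        if obs.outage_s > limits.acceptable_outage_s:
            return FaultMode.LOSS
        return FaultMode.TEMPORARY_INTERRUPTION
    if obs.delay_s > limits.obsolescence_s:
        # Received, but so late that it cannot be used any more: counted as a loss.
        return FaultMode.LOSS
    if not obs.valid:
        # Received in time but wrong: every remaining case is a corruption.
        return FaultMode.CORRUPTION
    return None


def label(flow: str, mode: FaultMode, detected: bool) -> str:
    """Human-readable fault-mode identifier in the report's phrasing."""
    return f"{mode.value} {flow} ({'with' if detected else 'without'} detection)"


def enumerate_fault_modes(flows: List[str]) -> List[Tuple[str, FaultMode, bool]]:
    """Every (flow, fault mode, detection) combination to analyse: six rows per flow."""
    return list(product(flows, FaultMode, (False, True)))


def classify_all(observations: List[Observation], limits: FlowLimits) -> List[Optional[str]]:
    """Classify a list of observations; returns the fault-mode label (or None) per observation."""
    results = []
    for obs in observations:
        mode = classify(obs, limits)
        results.append(None if mode is None else label(obs.flow, mode, obs.detected))
    return results


# Constructed sample: two flows, assumed limits, and a few observations on 'system tracks'.
SAMPLE_FLOWS = ["system tracks", "taxi routes"]
SAMPLE_LIMITS = FlowLimits(acceptable_outage_s=5.0, obsolescence_s=2.0)  # assumed values
SAMPLE_OBSERVATIONS = [
    Observation("system tracks", delivered=False, outage_s=3.0),                  # short gap
    Observation("system tracks", delivered=False, outage_s=30.0, detected=True),  # lost, alarmed
    Observation("system tracks", delivered=True, delay_s=4.0),                    # stale data
    Observation("system tracks", delivered=True, valid=False),                    # wrong content
    Observation("system tracks", delivered=True),                                 # nominal
]

if __name__ == "__main__":
    for row in enumerate_fault_modes(SAMPLE_FLOWS):
        print(label(*row))
    for obs, result in zip(SAMPLE_OBSERVATIONS, classify_all(SAMPLE_OBSERVATIONS, SAMPLE_LIMITS)):
        print(f"{obs.flow}: {result}")
```

The ordering of the checks in classify matters: a delayed-but-delivered output is tested against obsolescence before its content is examined, so that stale data is reported as a loss, as §1.4.1 requires, rather than as a corruption.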


Based on the functional decomposition (cf. appendix A) and the corresponding data and control flows (cf. appendix B), the analysis of the fault modes is done successively:
• from an external point of view, and
• from an internal point of view.
In the external point of view, the complete A-SMGCS equipment is considered as a black box, and the fault modes of all external data and control flows are analysed[4]. The results are given in appendix C. In the internal point of view, the complete A-SMGCS equipment is considered as a white box, and all the fault modes of all the internal data and control flows are analysed. The results are given in appendix D.

In the first step of this safety assessment, related to the identification of potential equipment failures, care has been taken to analyse neither the effects nor the mitigation means beyond the sole equipment domain. Thus, this study is fully reusable in any operational environment. In the second step, related to hazard identification, the scope of the failure effects and mitigation means is reopened to the complete system, i.e. including people and procedures. However, in order not to be too site-dependent, the worst credible case is always considered (i.e. no event tree has been filled in).

1.4.2 Step two: identification of hazards

According to [2] and [19], a hazard is any condition, event, or circumstance that could induce an accident. This definition is not in accordance with ESARR 3, and is too vague to be useful in the context of safety assessment. In the safety assessment methodology (SAM) version 1.0, a hazard was defined as a potentially unsafe condition (i.e. a state, not an event).

When identifying hazards, different levels of hazards can be considered (cf. Figure 1 on page 15). Ideally hazards should be at the level of the air navigation system or service (cf. SAM v2.0, FHA, guidance material B1, §4). However, since the scope of an A-SMGCS is reduced to a sub-level of this air navigation system, the hazards herein are identified at the boundary of the A-SMGCS, but they encompass all elements of that subsystem, i.e. people (controllers, pilots, and drivers), procedures and equipment.

Failures (and in particular the equipment failures identified in appendices C and D) may induce hazards. Some equipment fault modes may have no effect on the operators, and so are not related to any hazard. This may be due to redundancy facilities that compensate for functional equipment failures (e.g. dual nodes, the same function available on adjacent working positions), or to functional redundancy (e.g. the radar tracking function with the raw video fallback function). Thus, step 2 of this safety assessment consists in determining the effects of the potential equipment failures from an air traffic control (ATC) viewpoint, at the boundary of the A-SMGCS. This is done by systematically considering the potential effects of the previously identified fault modes on aircraft operations, taking account of all mitigation means (people and procedures) that are an integral part of the A-SMGCS. The list of hazards resulting from this analysis is presented in appendix E.

1.4.3 Step three: assessment of hazard severity

The purpose of the 3rd step of this safety assessment is to classify the severity associated with each identified hazard, by considering the worst credible consequences on the safety of flight operations (i.e. combining the level of loss of separation and the degree of ability to recover from the hazardous situation by means external to the A-SMGCS). The hazard severity classification scheme (cf. Table 5-3 on page 79) is used for this purpose.

[4] This analysis is sometimes referred to as the analysis of the robustness of the A-SMGCS equipment vis-à-vis external events.


Figure 2: Detailed process leading to the specification of safety objectives, and role of each partner. (Diagram not reproduced. Lower input: the ICAO manual on A-SMGCS, providing the operational and performance requirements, from which TATM + THAV perform the equipment system engineering, i.e. functional decomposition and data flow identification. Bottom-up chain, for each of the surveillance, control, routing and guidance functions: equipment failures, then related hazards, then severity of the related hazards, then safety objectives. Upper input: the A-SMGCS target level of safety from the ICAO manual on A-SMGCS, split into surveillance, control, routing and guidance target levels of safety, each further split into people, procedures and equipment TLS. The label DSNA + TATM + THAV marks the partners involved in the assessment steps. Output: safety requirements.)


An advanced surface movement, guidance and control system (A-SMGCS) is only a small part of the global air traffic management system. It contributes to the application of a certain number of critical ATM services (e.g. exercising safe separation and control over aircraft on the manoeuvring area). It shares these critical services with the voice communication system (VCS). Even in case of a complete loss of A-SMGCS information delivery to controllers, present procedures are such that controllers can still exercise air traffic control (ATC) in a degraded mode by using radio communications (i.e. the VCS is considered as an A-SMGCS backup facility in case the A-SMGCS enters the failed mode) or even light signals (cf. ICAO doc. 4444, §7.5.3.2.3 Communication requirements and visual signals). Thus, critical services are still operational thanks to the VCS[5] or light signals.

Moreover, as highlighted in the AGATE study [21], “unlike air control, the ground control allows for the stopping[6] of traffic if the criticality of a situation justifies it.” Consequently, AGATE has assumed that A-SMGCS hazard severity cannot be more than hazardous (i.e. severity class 2). In our view, this analysis may be true for approach and for en-route air traffic control. But on the ground, if a dangerous situation develops unbeknownst to the controller, or if, due to his lack of situational awareness, a controller himself creates a critical loss of separation by delivering an inadequate clearance (cf. Rhodes Island incident on December 6th), there is no external mitigation means that can help avoid the accident. Thus, such a hazard would be catastrophic (i.e. severity class 1). The results of the hazard severity assessment are documented in appendix F.

1.4.4 Step four: specification of safety objectives and identification of safety requirements

The final step of the functional hazard assessment (FHA) is concerned with the provision of system safety objectives and recommendations (which may eventually become equipment safety requirements as part of the very preliminary system safety assessment). In Figure 2 (i.e. the safety assessment detailed process on page 20), this step is shown in red. It is the converging point between the top-down approach, which started from an externally defined target level of safety (TLS), and the bottom-up approach, which started from the advanced surface movement, guidance and control system (A-SMGCS) equipment decomposition and the analysis of the potential A-SMGCS equipment failures.

At the top, the target level of safety defines a tolerable level of risk. An acceptable or tolerable risk is a willingness to live with a risk so as to secure certain benefits, in the confidence that it is being properly controlled. To accept or tolerate a risk means that it is not regarded as negligible or as something that might be ignored, but rather as something that needs to be monitored and reduced if possible (e.g. by implementing safety requirements). The ICAO manual on A-SMGCS [32] states in §4.1.1.2: “A-SMGCS target level of safety should be 1 x 10^-8 (per operation).” This figure has been accepted as is for this safety assessment. Readers with a particular interest in this subject may however refer to §1.7.1 for more details. As a follow-on, we have provided a split of the risk between the people, the procedures and the equipment. These figures cover each A-SMGCS scenario implementation level (cf. Figure 26 on page 206), and are used in the specification of our system safety objectives.

Safety objectives specify the maximum acceptable or tolerable probability for the occurrence of a hazard of a given severity, in order to achieve an acceptable or tolerable risk level. Where appropriate they also specify a maximum exposure time. Safety objectives are specified qualitatively or quantitatively, as appropriate. The results are documented in appendix F.

Finally, safety requirements are derived from the safety objectives: they specify the potential means identified to prevent functional failures or to reduce their effects to an acceptable risk level, in combination with specific constraints or measures. They specify, for example, the availability and the integrity of the functions, design constraints or operational limitations. Some safety requirements have already been specified in the ICAO A-SMGCS manual (cf. §0). All other recommendations derived from this safety assessment are presented in the recommendations synthesis (cf. §4).

[5] Statement from a controller in Prague during the BETA (operational Benefit Evaluation by Testing an A-SMGCS) tests: "What’s all this? Give me a mike, and I can control anything."

[6] This is true; however, en-route controllers can solve conflicts in a 3D environment, whereas only two dimensions are available on the ground.

1.5 System overview

The use of automation is one of the main differences between SMGCS and A-SMGCS. Advanced surface movement guidance and control system (A-SMGCS) is the term used by ICAO [32] to describe a modular equipment consisting of different functions to support the safe, orderly and expeditious movement of aircraft and vehicles on aerodromes under all circumstances with respect to visibility conditions, traffic density, complexity of the layout and the demand.

1.5.1 System mission

The A-SMGCS equipment should provide surveillance, routing, guidance and control services to aircraft and affected vehicles for aerodrome types classified at least as scenario implementation level II (according to the terminology defined in [32]).

Within the movement area, the A-SMGCS equipment surveillance function should:
• provide accurate positional and kinematic information on all movements;
• provide identification of authorised movements;
• cope with moving and static aircraft/vehicles;
• be capable of updating accurate surveillance data as required for the alerting, guidance and control requirements, both in time and distance;
• be immune to operationally significant effects of weather and topographical features.
Where possible the surveillance should extend to the aerodrome boundary. Within the areas specified above, surveillance should be provided up to an altitude sufficient to cover missed approaches and low level operations.

Either manually or automatically, the A-SMGCS equipment routing function should:
• be able to designate a route for each mobile within the movement area;
• allow for a change of destination at any time;
• allow for a change of route to the same destination;
• be capable of meeting the needs of dense traffic patterns at complex aerodromes; and
• not constrain the pilot's choice of a runway exit following the landing.
In a semi-automatic mode, the A-SMGCS equipment routing function should provide the control authority with advisory information on designated routes. In an automatic mode, the A-SMGCS equipment routing function should:
• designate and assign routes; and
• provide adequate information to enable manual intervention in the event of a failure or at the discretion of the control authority.


When designating routes, the A-SMGCS equipment routing function should:
• minimise taxi distances in accordance with the most efficient operational configuration;
• interact with the control function to minimise junction conflicts;
• be responsive to operational changes (e.g. runway heading changes, routes closed for maintenance, temporary hazards or obstacles, etc.);
• use standardised terminology or symbology;
• provide a means of validating routes.

When visibility conditions are insufficient for the pilot to taxi by visual guidance only, and when the competent authorities permit operations in these visibility conditions, the A-SMGCS equipment guidance function should:
• provide the guidance necessary for any authorised movement and be available for all possible route selections;
• provide clear indications to pilots and drivers to allow them to follow their assigned route;
• enable all pilots and drivers to maintain situational awareness of their position on the assigned route;
• be capable of accepting a change of route at any time;
• be capable of indicating routes and areas either restricted or not available for use;
• allow monitoring of the serviceability of all guidance aids.

Keeping aircraft pilots, vehicle drivers and controllers in the decision loop, the A-SMGCS equipment control function should support the application of measures and allocate priorities:
• to detect conflicts and incursions, and provide resolutions (traffic monitoring & alerting sub-function);
• to ensure safe, expeditious and efficient aerodrome movement (planning sub-function);
• to prevent conflicts and incursions (plan monitoring & alerting sub-function).

The traffic monitoring & alerting sub-function should:
• be able to provide, in order to meet the required separation minima, longitudinal spacing to predetermined values, based on speeds, relative directions, aircraft size, jet blast effects, human and equipment response times, and deceleration performance;
• detect, provide alerts and provide resolutions (e.g. activate protection devices) for conflicts and incursions.

The planning sub-function should provide plans for:
• the sequencing of aircraft after landing or when departing from the parking positions, to ensure minimum delay and maximum utilisation of the available capacity of the aerodrome;
• the possible segregation of support and maintenance vehicles from operational activities;
• the spacing between aerodrome movements according to the prescribed minima, taking into account wake vortex, jet blast, propeller wash and rotor wash from taxiing helicopters, aircraft configuration, and the different locations and layouts (runway, taxiway, apron or aircraft stand);
• the separation of aerodrome movements from obstacles or from other aircraft isolated for security reasons.

The plan monitoring & alerting sub-function should provide, within an adequate time to enable the control authority to take the appropriate remedial action:
• short term warnings on authorised movements when:
  • the predicted separation will be below a predefined minimum,
  • a movement is detected as likely to enter a critical or restricted area,
  • the computed deviation will be more than the predefined maximum deviation, compared to the assigned route;
• medium term warnings on movement plans, with respect to predicted conflicts or plan inconsistencies.
Once a conflict / inconsistency has been detected, the plan monitoring and alerting function should either automatically solve the conflict / inconsistency or automatically provide the most suitable solution on request.


1.5.2 System boundaries

Figure 3 (on page 25) provides a high level view of the advanced surface movement, guidance and control system (A-SMGCS) equipment boundaries and main external and internal data flows. The following equipment has been identified as interfacing with the A-SMGCS equipment:
• approach (APP) or area control centre (ACC) radar data processing systems[7] (RDPS), providing access to approach secondary surveillance radar (ASR) and/or approach primary surveillance radar (PSR) data,
• airport operational database (AODB), usually comprising a stand & gate (S&G) allocation system,
• departure manager (DMAN),
• approach (APP) or area control centre (ACC) flight plan data processing system (FDPS), potentially including an arrival manager (AMAN), and further connections to the central flow management unit (CFMU) and aeronautical fixed telecommunication network (AFTN),
• aeronautical information system (AIS),
• docking guidance system (DGS),
• airfield lighting system (ALS),
• global navigation satellite system (GNSS) for universal time and vehicle on-board positioning equipment,
• aircraft on-board equipment, connected via the air-ground data link (AGDL), e.g. aircraft communications addressing and reporting system (ACARS) or aeronautical telecommunication network (ATN).
The functional hazard assessment (FHA) part of this report is concerned with the functions, not with the system architecture. Thus, in this document, the external interfaces are represented by generic functions like "External input interface from equipment X" or "External output interface to equipment X". Figure 3 pictures most of the operational data flows; in order not to overload the figure, the time synchronisation, supervision, recording and aerodrome mapping database (AMDB) data flows are not sketched.

[7] Direct connections to approach PSR and SSR could be envisaged. However, this would extend the scope of A-SMGCS without due justification.


Figure 3: A-SMGCS equipment boundaries and main flows. (Diagram not reproduced. Functions drawn inside the A-SMGCS equipment boundary: surveillance (co-operative and non co-operative sensors), fusion, correlation, control, routing, guidance, the controller working position, and the time management, supervision, recording and AMDB functions serving all functions. External equipment drawn outside the boundary: movements (observed by the sensors), DAP, VCS, AGDL, GNSS, RETS, APP RDPS, NMS, DMAN, APP FDPS, AIS, AODB, DGS, ALS and NAVAIDS. Flows labelled in the figure: sensor tracks, system tracks, voice, video, flight plan data, co-ordination, conflicts, taxi routes, aerodrome and meteorological data, flight data, flight plan & co-ordination data, guidance state & status, manual commands, docking guidance commands, aerodrome data, airfield lighting commands, state & status, and system tracks + pilot / driver requests, instructions & clearances.)

In addition, the following equipment interfaces with the A-SMGCS equipment, but is not part of the scope of this safety assessment:
• voice communications system (VCS): until A-SMGCS has matured, VHF radio communication is the main communication means for controlling aircraft and vehicles; dedicated channels are often used to support tower communications with aircraft and vehicles, and multiple channels are usually used for controlling different parts of the airport; the voice communications & control system is assumed to be always available;
• noise monitoring system (NMS).

Clearly, the system boundaries defined above are arbitrary. In particular, the inclusion of the vehicle driver interface and the exclusion of the aircraft pilot interface are disputable. The rationale behind the above-defined system boundaries is system jurisdiction: even though it is difficult to be generic, all functions included inside the above boundaries usually fall under the jurisdiction of the air traffic authority performing air traffic control at the aerodrome[8]. This is key when performing a safety assessment, as each entity is individually responsible towards its regulatory authority for the functions falling under its jurisdiction.

8

One may object that vehicle equipment is more often in the airport authority’s jurisdiction rather than in the air traffic authority’s jurisdiction. However, when considering equipped follow-me cars, vehicle on-board equipment is also important for the safety assessment performed by the air traffic authority.

Save Date: 2006-10-11 File name: D139_FHAvPSSA_V1.0.doc

Public

25 of 241 Version 1.0

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

1.5.3 About procedures

As mentioned in §1.3.1, because A-SMGCS related procedures are not yet mature, this report does not consider the complete system (i.e. people, procedures and equipment), but focuses mainly on A-SMGCS equipment. Initial procedures have been defined by EUROCONTROL in [7], and these have been used in our definition of hazards, but much is yet to be done. A distinction should be made between:
• normal operating procedures, without knowledge of which it is difficult to establish a consistent functional hazard assessment (FHA);
• contingency procedures, which can be derived from the FHA to suppress some hazards due to equipment failures;
• maintenance procedures, some of which may be derived from the system safety assessment (SSA).

Pending the normal operating procedures, some recommendations for the definition of future A-SMGCS procedures have been made (cf. §4). What will be the impact on equipment safety requirements once the full concept of operations is developed? We currently have no answer to this interesting question. All suggestions are welcome.

1.6 Operational scenario

1.6.1 The different meanings behind "A-SMGCS implementation levels"

After a decade of unbridled research and bustling efforts aimed at the standardisation of advanced surface movement, guidance and control systems (A-SMGCS), attention is now focused on its operational use, and the consequences in terms of safety. SMGCS stands for aerodrome surface movement, guidance and control system, as specified in [31]. In the simplest form, it consists of painted guidelines and signs, and in the most advanced and complex forms, employs switched taxiway centre lines and stop bars. An SMGCS provides guidance to aircraft movements on the aerodrome surface, and some guidance to vehicles. However, an SMGCS is not always capable of providing the necessary support to aircraft operations in order to maintain the required capacity and safety levels, especially under low visibility conditions. According to [32] and [31], an advanced SMGCS (i.e. an A-SMGCS) is expected to provide adequate and safe capacity in relation to specific weather conditions, traffic density and aerodrome layout. These objectives are to be reached by making use of modern technologies and a high level of integration between the surveillance, control, routing and guidance functions of the A-SMGCS. The two aforementioned documents provide operational and performance requirements to reach these capacity and safety levels. To help airport operators to decide on the level of automation they need in their particular context, ICAO has defined five levels of implementation for particular aerodromes [32]. All four basic A-SMGCS functions (i.e. surveillance, control, routing and guidance) are provided at all levels, but the part played by automation and avionics increases progressively through the levels. Numbered from I to V by ICAO, the implementation levels have been revisited and renumbered from 0 to 4 by EUROCAE and from 0 to IV⁹ by EUROCONTROL (cf. [31] and [20]).
All of them seem to agree that the lowest level is the strict application of SMGCS, according to [31]. However, for higher levels, the recommended functional implementations tend to vary considerably, even for basic items. For example, EUROCONTROL cannot see any difference in surveillance between the A-SMGCS levels 1 and 2, whereas ICAO recognises an increased automation of the surveillance function between the A-SMGCS levels II and III. Another major difference is that ICAO links the A-SMGCS implementation levels with the visibility conditions, traffic density and airport complexity, whereas EUROCONTROL focuses more on equipment capability, irrespective of the conditions of use.

Current practice in R&D (cf. EMMA proposal) has established yet another terminology, with two groups: A-SMGCS levels 1 & 2, related to surveillance and alerting automation, and A-SMGCS levels 3 & 4, related to planning and guidance automation. EUROCONTROL confirms the grounds for this grouping by recalling that the "main concerns of the levels I and II rely on the improvements of safety, whereas the ground movements efficiency is dealt with in levels III and IV". This grouping has two main advantages. First, the A-SMGCS levels 1 & 2 correspond to the year 2005 state-of-the-art technology, with proven off-the-shelf products from the main ATC industrial companies in Europe. On the other hand, the A-SMGCS levels 3 & 4 reflect more advanced or non-standardised technologies and procedures, appealing more to research laboratories than to airport authorities. Second, the grouping of levels forbids sterile quarrels about which functions are or are not part of each equipment implementation level. The functions related to levels 1 & 2 usually correspond to basic A-SMGCS tenders (years 2003-2005). Between level 1 and level 2, the way airport authorities decide where to draw the line will more often be driven by financial capabilities (what can I afford?), rather than by a fine analysis of weather conditions, traffic density and aerodrome layout.

The point is that the ICAO A-SMGCS implementation levels have been completely assimilated to A-SMGCS functional levels. This is a watershed from which it might be difficult to return. The ICAO document clearly shows that the A-SMGCS functions are progressively automated, shifting from the controller to the equipment. For example, in a level I implementation, surveillance is performed by man; in a level II, surveillance is performed by both man and machine; and in a level III, the surveillance is completely automated. Similarly, EUROCONTROL outlines that in a level II implementation, the control function "will not detect all runway conflicts, but only the more hazardous", whereas in a level III implementation, the control function "will be able to detect any conflict concerning mobiles on the movement area". The allocation of functions to A-SMGCS implementation levels is really a safety issue, where the deal is that "we have to trust the equipment to take over the responsibility over the function". In this respect, it is interesting to note that for ICAO, the control function is never totally transferred to the equipment, but remains shared between the controller and the equipment. The decision to go forward in automation is clearly related to our understanding of the problem to be solved, and of the potential impacts in terms of safety. Safety assessment, as addressed in this document, is one of the keys to this understanding. Growing automation implies a shift of risk, from people to equipment: procedures must be revised, and a safety assessment must be performed to ensure that the required level of safety is still achieved. With this in mind, it is clear that an A-SMGCS implementation level is not reached when a given function is successfully implemented, but when the risk allocated to both man and machine is successfully managed. And the conclusion will be given by Alan Gilbert, from Park Air Systems: "the levels of implementation should be closely related to the safety criticality of the proposed function, i.e. the more safety-critical a function is, the less likely it is to be implemented in the near future and therefore the higher the implementation level."

⁹ At the date of this report, EUROCONTROL notation is not quite stabilised: both levels I, II, III & IV and levels 1, 2, 3 & 4 seem to be used in different documents.


1.6.2 A conservative approach

This functional hazard assessment (FHA) and very preliminary system safety assessment (PSSA) applies to generic advanced surface movement, guidance and control system (A-SMGCS) equipment, as defined by the International Civil Aviation Organisation (ICAO) manual on A-SMGCS [32]. It is therefore impossible to describe the detailed operational scenario or the applicable regulatory framework. However, the reader may refer to [4], which provides a generic operational service and environment description (OSED). In any case, as it concerns safety, the report is conservative, i.e. it relies on the most pessimistic environment assumptions. For example, poor visibility conditions may occur, albeit infrequently, at an airport whose visibility conditions parameter is classified as good. Likewise, saturation might be high on a given day at an airport classified as having a low saturation level. Thus, the hazards are evaluated assuming occurrence in the peak traffic period of the day, in the most crowded day of the year and/or in the worst visibility conditions. The airport complexity level and the A-SMGCS implementation level (between level II and level V) are accounted for in the analysis of the impact of the different hazards. In order not to allocate different severity categories to the same hazard depending on the weather conditions, the complexity of the airport where the A-SMGCS functions will be installed, and the level of automation, we have used the ICAO implementation levels (cf. §1.6.1) as generic implementation scenarios (cf. §1.6.3), and defined a different set of hazards for each implementation scenario. To reflect the conservative, worst credible case approach, we have used the prescriptive method for setting the safety objectives, as described in chapter 3, guidance material G of the SAM [2]. Another driving force that led us to use this method is that it is easier to apply and requires less time, effort and resources, because it doesn't require the calculation of the probabilities of the hazard generating the effects (Pe). Indeed, it is assumed that they are somehow considered when deciding the severity class that will lead to setting the safety objective (i.e. they are already embedded in the risk classification scheme).

1.6.3 ICAO's generic implementation levels applied to EMMA, focusing on the worst credible cases

We recognise that the ICAO implementation levels are only an annex to the ICAO manual on A-SMGCS [32].

[Figure 4 diagram: maximum traffic density by airport layout (basic, simple, complex) and visibility condition (vis 1, vis 2, vis 3), for ICAO implementation levels II and III.]

Figure 4: Maximum traffic density recommended for ICAO implementation levels II and III


However, we feel that these levels represent a good study case to analyse safety in different generic configurations. For example, Figure 4 above provides the maximum traffic density (light, medium, heavy) recommended for ICAO implementation levels II and III depending on airport layout (basic, simple, complex) and visibility conditions (vis 1, vis 2, vis 3). Similar recommendations are provided in [32] for ICAO implementation levels IV and V. The ICAO implementation levels form a building block of this functional hazard assessment. To avoid confusion with the EUROCONTROL A-SMGCS implementation levels, we have decided (during the 1st EMMA FHA workshop) to refer, in this document, to the ICAO implementation levels by the name scenario implementation levels (SIL). Safety analysis will be performed on the four A-SMGCS scenario implementation levels provided in [32]. In particular, the worst credible case, which is very important to determine the severity of a hazard, will be determined using the scenario implementation levels. For example, in a SIL III, when visibility conditions 3 occur, the worst case implies (cf. Figure 4 on page 28) medium traffic density if the layout is basic, but only light traffic if the layout is simple. But, depending on the failure under analysis, one may also consider that the worst case occurs in visibility conditions 2, on a complex layout with light traffic, or on a basic layout with heavy traffic. Figure 4 also shows that a SIL III A-SMGCS is not recommended when visibility 3 conditions occur at an aerodrome with a complex layout, and thus this case is excluded from this safety assessment. Continued use of a SIL III A-SMGCS in these conditions would reflect a hazard of the type abuse of automation.

1.6.4 EMMA scenario implementation levels

The scenario implementation levels (SIL) that have been used for this functional hazard analysis are based on Table 1-1, extracted from Appendix B of the ICAO Advanced Surface Movement Guidance and Control Systems (A-SMGCS) manual. This table is an "example of one means of grouping A-SMGCS implementation into 5 levels that together cover all cases". For each service, it highlights the share of responsibility between the controller, the pilot/vehicle driver and the equipment, i.e. it indicates whether a user can rely on the equipment to provide him / her with given information. The table also gives an indication of the implementation level that would be recommended, depending on the conditions of use of A-SMGCS at a given airport: a basic, simple or complex airport, with low, medium or high traffic density, during visibility conditions 1, 2, 3 or 4. The SIL that have been analysed in this FHA may differ slightly from the ones defined in the ICAO A-SMGCS manual, to take into account some lack of consistency pointed out by the controllers during the EMMA FHA workshops. However, for the needs of the functional hazard analysis, each SIL has always been carefully defined in order to identify the hazards without ambiguity. The following sections present some hypotheses that have been made in order to complete the definition of the SIL.

1.6.4.1 SIL definitions

1.6.4.1.1 SIL I

This level corresponds to a basic (i.e. not advanced) surface movement guidance and control system implementation scenario. Equipment may be provided for assistance only, but the controller does not rely on it to perform control activities. As has been common practice during the last decades, it has been considered that all levels of operations (i.e. basic, simple, and complex airports and low, medium and heavy traffic) can be used in visibility conditions 1.


Table 1-1: Implementation levels table, extracted from Appendix B of the ICAO A-SMGCS manual

1.6.4.1.2 SIL II

In SIL II, surveillance equipment is added. This equipment provides identification and position data for most mobiles on the manoeuvring area. The controller cannot rely on equipment to perform the initial identification of a mobile and has to use outside view or pilot report to do it. Once the latter has been performed, the equipment is assumed sufficiently reliable to ensure correct tracking of identification and position of mobiles. A surface conflict alert (SCA) function performs conflict detection. Using surveillance data, alerts are generated for mobile conflict and intrusion on runways. Following the conclusions of the 2nd workshop, it has been considered that all levels of operations (i.e. basic, simple, and complex airports and low, medium and heavy traffic) can be used up to visibility conditions 2.

1.6.4.1.3 SIL III

In SIL III, it is assumed that the controller can fully rely on surveillance equipment to perform the initial identification of a mobile, i.e. all mobiles are co-operative. A routing function, associated with a planning function (e.g. electronic stripping), allows the controller to inform the system about the clearances that have been issued.


The surface conflict alert (SCA) function performs conflict analysis and route conformance monitoring. Using surveillance, routing and planning data, alerts are generated for mobile conflict and intrusion on the manoeuvring area and for deviation from the assigned route. Automated conflict resolution is currently unrealistic and has been discarded. Following the conclusions of the 2nd workshop, a manual switch of centre line lights may be implemented, but is considered unrealistic on most airports, due to controller overload. For the needs of this functional hazard analysis (FHA), only manual switch of stop bars and, on pilot request, of centreline lights has been considered. Procedures for operations in visibility condition 3, for instance longitudinal separation on ground allowing several mobiles to taxi on the same taxiway in visibility condition 3, are implemented. However, due to the intrinsic limitations of manual switch centreline lights, restrictions on the use of taxiways may apply, thus limiting capacity. In visibility condition 3, the pilot is responsible for runway, taxiway and protected areas intrusion, but not for conflict detection.

1.6.4.1.4 SIL IV

In SIL IV, automatic switch of centre line lights is implemented. Adapted procedures for full use of airport capacity in visibility condition 3 are defined. In visibility condition 3, the pilot is responsible for runway, taxiway and protected areas intrusion, but not for conflict detection.

1.6.4.1.5 SIL V

In SIL V, on-board equipment (e.g. moving map) provides the pilot with information about the airport layout, current self-position, assigned route, surrounding traffic and conflict, intrusion and route deviation alerts. Adapted procedures for full use of airport capacity in visibility condition 4 are defined. In visibility conditions 3 and 4, the pilot is responsible for runway, taxiway and protected areas intrusion, and for conflict detection.

1.6.4.2 Frequently asked questions about scenario implementation levels

Q. In the ICAO A-SMGCS manual table, the pilot is never responsible for the surveillance. However, it is a task of the pilot/vehicle driver to perform surveillance of conflicting aircraft.
A. The surveillance performed by the pilot is not part of A-SMGCS; it is a Communication, Navigation and Surveillance (CNS) task. In the scope of this study, only conflict detection/analysis/resolution by the pilot is assumed to be part of A-SMGCS.

Q. In the ICAO A-SMGCS manual table, operations in visibility condition 3 seem not to be possible for SIL II. However, operations in this visibility condition can be performed using procedural control.
A. In SIL II, it is indeed possible to perform procedural control in visibility conditions 3. However, operations are then the same as for SIL I, and possible equipment failures have no impact on safety. Generally speaking, the simple presence of a piece of equipment is not sufficient to state that an airport has reached a given SIL: the airport shall define procedures to use the equipment in the traffic density and visibility conditions associated with the SIL. An obvious consequence is that the performance of the equipment shall be sufficient to allow a safe use of such procedures.

Q. In the ICAO A-SMGCS manual, the limits between low, medium and high traffic are fixed. However, the situation differs from one airport to the other, e.g. on a complex airport, 30 movements / hour may be considered as "low". Also, the complexity of an airport may depend on more parameters than the number of runways.
A. The split between low, medium and high traffic may be adapted to the complexity of the airport where the safety assessment is performed, to reflect its real traffic density situation. For the needs of this functional hazard analysis, the complexity of the airport mostly reflects whether there are one or several ground control working positions (CWP):
• basic: one CWP for ground and aerodrome control;
• simple: one CWP for ground control, one CWP for aerodrome control;
• complex: more than two CWP, depending on the number of runways and the size and complexity of the manoeuvring area.

1.6.5 Airborne equipment technologies and flight crew role

The on-board airport navigation system, in particular the moving map function, is the main new equipment that is deemed to improve situational awareness at the pilot's station. The various stages of progressive implementation of such aircraft equipment include:
• stage 1: a basic moving map display to show runways, taxiways and other artefacts (e.g. aprons, stands & gates);
• stage 2: the above moving map display to which the aircraft position and orientation are superimposed (for self-situation awareness);
• stage 3: all of the above plus an indication of the route to follow (point A to B, or successive waypoints), as received from ATC;
• stage 4: all of the above plus the position and identification of all other aircraft, vehicles and obstacles, and basic alerting information (i.e. aircraft versus environment);
• stage 5: all of the above plus the capability of detecting runway/taxiway incursions of its own aircraft;
• stage 6: all of the above plus traffic advisories, the capability of detecting potential ground collisions and resolution advice to avoid hazards.

All the functions above provide enhanced situation awareness on-board, but do not provide aircraft control automation. Advanced concepts may be envisioned for aircraft control automation on the ground, but those concepts are for the time being out of the scope of this study, except for steering and braking cues providing visual indication to the crew of the taxi route and braking information. Those cues will not be used for guiding the aircraft but for assisting the crew to follow a taxi route. Note that, as a first step, the airport map is not intended to be used for navigation / taxiing, but to check that the believed position is consistent with the displayed position. Discrepancies should be reported by the flight crew. The detailed allocation of on-board applications to the various existing or envisioned on-board computers remains to be defined, together with adequate cockpit display of traffic information (CDTI) and proper integration of the various aircraft co-operative sensors, e.g. automatic dependent surveillance broadcast (ADS-B), inertial navigation system (INS) / global navigation satellite system (GNSS), very high frequency (VHF) / very high frequency data link (VDL), etc.

1.6.6 Concept of operations and its impact on exposure time

The concept of operations that we foresee for A-SMGCS is as follows:
• In all visibility conditions:
  • A-SMGCS equipment is used to validate positional information and aircraft identification to reduce the overall controller workload and voice communications,
  • A-SMGCS equipment provides a safety net of alerts;
• In normal visibility conditions, A-SMGCS equipment does not interfere with the tower ATC prime responsibility of using normal visual procedures to determine aircraft position, maintain overall situational awareness and ensure spacing between all moving mobiles;
• In low visibility conditions, A-SMGCS equipment is used as the prime means to determine aircraft position, maintain overall situational awareness and ensure spacing between all moving mobiles.


From the above, it is clear that, even when an air traffic control tower is equipped with A-SMGCS equipment, that equipment will be used little, if at all, in normal visibility conditions. Thus, the A-SMGCS exposure time is the duration of low visibility conditions at the considered airport.

1.6.7 Follow-up

This functional hazard assessment (FHA) is performed on a generic system. Because they rest upon design and implementation choices, the preliminary system safety assessment (PSSA) and system safety assessment (SSA) cannot be performed on a generic system. As part of the EMMA-2 project, Thales ATM and DSNA will perform a full safety assessment of the Thales ATM A-SMGCS product, STREAMS, together with the related operational procedures devised by DSNA. The EUROCONTROL safety assessment methodology [2] will once again be followed to perform the preliminary system safety assessment (PSSA) step 2, and the system safety assessment (SSA). The Toulouse-Blagnac platform will be used to verify and validate the equipment and procedures. The equipment will comprise a surface movement radar, mode S multilateration, automatic dependent surveillance broadcast, vehicle localizers and driver moving map displays, surface conflict alerting, routing, taxi route conformance monitoring, electronic strips, interoperability with a departure manager, and controller-pilot data link communications. For a full description of the operational scenario at Toulouse-Blagnac for these two following safety assessment steps, please refer to [11]. With the opportunity to record and analyse up to three years of live traffic data, the EMMA and EMMA-2 projects form a unique opportunity to collect evidence that the progressively growing system (with its related procedures) satisfies the end-user's safety objectives, as defined within this document.

1.7 State of the art

1.7.1 A target level of safety for A-SMGCS

Accident statistics, such as those presented in [34], [29] or [30], support the setting of a target level of safety for A-SMGCS. The latter document applies to worldwide commercial jet airplanes that are heavier than 60,000 pounds maximum gross weight. It can be seen from Figure 5 that the "taxi, load & parked" phase of flight represents 5% of the accidents, and 0% of the fatalities. But should the scope of the A-SMGCS safety assessment be extended to include also takeoff, final approach and landing? In that case, the phases of flight together represent 68% of the accidents, and 26% of the fatalities.


Figure 5: Accidents and on-board fatalities by phase of flight, 1994-2003 (as extracted from [34])

From Figure 6, it can be seen that airports and air traffic control (ATC) are the primary cause of the accidents in only 4% of the cases.

Figure 6: Accidents by primary cause, 1994-2003 (as extracted from [34])


In EMMA, for diverse financial, timing and resource availability reasons, the study of the most recent accident statistics could not be performed. It was therefore decided to work with the ICAO target level of safety for A-SMGCS. The ICAO manual on A-SMGCS [32] states in §4.1.1.2 and §4.1.1.3: "A-SMGCS target level of safety should be 1 x 10⁻⁸ (per operation). The function risk has been estimated as: a) guidance: 3.0 x 10⁻⁹ per operation; b) surveillance: 3.0 x 10⁻⁹ per operation; c) control: 3.0 x 10⁻⁹ per operation; and d) routing: 1.0 x 10⁻⁹ per operation." The manual provides the rationale behind those figures: starting from the generally accepted 10⁻⁷ value as the target level of safety for the entire flight operation, that appendix discusses how a portion (i.e. 10⁻⁸) of this TLS was allocated to the A-SMGCS taxi phase.

1.7.2 The AGATE functional hazard assessment

The Eurocontrol AGATE project was never a formal project and the documents it produced have no official status. However, the AGATE functional hazard assessment report ([21], [2]) is the first significant work in A-SMGCS functional safety assessment. It is therefore interesting to recall here the differences in the scope of the two studies (cf. §1.7.2.1), and the main AGATE conclusions (cf. §1.7.2.2).

1.7.2.1 Synthesis of the AGATE scope

AGATE focused on A-SMGCS equipment only. The following table provides a synthetic view of the functional decomposition of AGATE, as available in Appendix 3 of [21] or chapter 4 of [2].

AGATE function (Level 0 / Level 1 / Level 2):
• Surveillance (AWARE): Tracks data fusion; Surveillance enhancement (Velocity assessment, Association, Key events detection); Surveillance information distribution.
• Control / Monitoring (ALERT): Runway incursion detection; Short term conflict detection; Runway incursion resolution; Short term conflict resolution.
• Guidance (GUIDE): Guidance command & distribution; Guidance acquisition & processing.
• Routing / Planning / Conformance monitoring (SMAN): Key events prediction; Nose-to-nose conflict-free route elaboration or 4D conflict-free route elaboration; Route conformance monitoring.

Functional configurations column, in the row order of the source table: All, All, All, All, All, All, F2/F3/F4, F5, F5, All, F4/F5, All, F4, F5, F5.

Table 1-2: Synthesis of the AGATE functional decomposition

The boundaries of the AGATE system are sketched in Figure 7.


The main differences with the EMMA scope are as follows:
• in EMMA, the sensors and related radar data processing systems (RDPS) are seen as an integral part of the A-SMGCS, the interface being reduced to adjacent (i.e. APP or ACC) radar data processing systems;
• in EMMA, the flight data processing related to ground movement is seen as an integral part of the A-SMGCS, the interface being with external adjacent (i.e. APP or ACC) flight plan data processing systems;
• in EMMA, the A-SMGCS controller working position (CWP) is seen as an integral part of the system.

[Figure 7 diagram: the AGATE system at the centre, with external interfaces to the aircraft operator, airport operator, visual aids, aircraft cockpit, CWP, vehicles, airport management system, FDPS, surveillance sensors / RDPS, AMAN / DMAN and meteorological information.]

Figure 7: Synthesis of the AGATE system boundaries

1.7.2.2 The AGATE conclusions

1. None of the identified AGATE hazards involves a catastrophic severity. In case of degradation or loss of one or several capabilities provided by the AGATE assistance tools, the controller still has the possibility¹⁰ to communicate with pilots by RTF in order to instruct them or to acquire information about their intentions and position. Moreover, unlike air control, ground control allows traffic to be stopped if the criticality of a situation justifies it.

2. Generally, the loss or degradation of functions that results in an early detected loss or degradation of the capabilities provided to users may involve a major severity at most, while the undetected loss or degradation of a function (e.g. corruption of output data), where no means exist to make users aware of the degradation of the capabilities they are using, might involve a hazardous severity as well. A deviation from this rule is observed for failures that result in a failure to provide localisation information (and subsequently runway incursion and conflict alerts) to both controller and traffic components when the airport complexity level is high. In that case it is pessimistically assumed that the controller workload is too high to allow application of contingency separation measures without serious risk of collision.

3. More sophisticated functional configurations, resulting from the need to allow control of high levels of traffic under poor visibility conditions, generally involve a higher dependence of controller and pilots on the capabilities provided by the AGATE assistance tools. In case of failure, on the one hand traffic is much higher than the level allowing a safe air traffic service using classical means and procedures, and on the other hand users are less familiar with these classical means, as they will seldom use them. Moreover, the information needed to support the transfer from the normal to the fallback (classical) mode of operation should be available to the controller. Consequently, more sophisticated functional configurations might involve failure conditions with more serious safety consequences. Meanwhile, the differences are not always significant enough to allocate different severity categories.

4. Unlike the functional configurations, the airport complexity level is not a determinant for the identification of failure conditions. Meanwhile, this parameter plays an important role in the allocation of severity categories to certain types of failure conditions. This is generally the case for those failure conditions that result in a significant increase in controller and/or pilot workload until traffic is reduced or service restored. In addition, it may also be the case for those failure conditions leading to an increase in the probability of controller error when the airport is complex.

¹⁰ Emma team comment: the controller has this possibility only if he knows that there is a failure.

Save Date: 2006-10-11 File name: D139_FHAvPSSA_V1.0.doc

Public

36 of 241 Version 1.0

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

5. As expected, AWARE exhibits the greatest number of severe (Hazardous, Major) failure conditions. As AGATE functions will be used in all conditions of visibility, localisation and identification information is crucial for assuring safe control. Moreover, this information is the basic input for the rest of the AGATE functions.

6. ALERT exhibits a significant number of Hazardous failure conditions. Some of them concern the non-detection (including the late detection) of runway incursions or short-term conflicts, which might result from the corruption of the detection mechanisms or from the unreliability of the detection algorithms. The remaining Hazardous failure conditions concern the most sophisticated functional configuration only (F5), where the corruption of the conflict resolution mechanisms leads to the provision of misleading critical information to GUIDE, which will use it for issuing automatic stop bar commands. Meanwhile, many ALERT failure conditions have a major severity, as this function provides the last "safety net" against collisions.

7. Only a particular type of failure condition in GUIDE is estimated to be hazardous. It concerns the undetected corruption of the functions involved in the acquisition, processing, delivery and distribution of the commands to the visual aids (including stop bars). It is assumed, from a pessimistic perspective, that following an erroneous guidance command, even if the runway incursion or short-term conflict alert is still available, a high risk of collision subsists in some specific situations where time is too short to take that alert into account (e.g. an aircraft cleared to cross a runway using a stop bar while the runway is in use by another aircraft taking off or landing). Meanwhile, GUIDE exhibits a significant number of major hazards, arising in sophisticated functional configurations and/or complex airports, where controllers and pilots rely fully on the automatic guidance based on routes elaborated by SMAN and validated by a controller, and where, additionally, pilots have a moving map in the cockpit. In case of a loss of these capabilities, the ability to maintain a safe air traffic service will be compromised and contingency separation measures will have to be applied.

8. As expected, SMAN is less critical than the other AGATE functions (no Hazardous failure condition). Meanwhile, in the most sophisticated functional configurations and when the airport complexity level is high, SMAN exhibits several major hazards. These hazards address the risk of providing undetected corrupted information (predicted key events, elaborated routes) to GUIDE. If not detected by controllers in the route validation process, this might result in erroneous automatic guidance.

1.7.3 A-SMGCS levels 1 and 2 preliminary safety case by EUROCONTROL

EUROCONTROL has launched a Task Requirements Sheet (EATMP-TRS003/04), whose main objective is to produce a safety case for A-SMGCS levels 1 & 2, proving that the concepts and procedures are safe for implementation throughout the European Civil Aviation Conference states. The final results have been reported in [27] since October 2005. At the time of writing, although the EUROCONTROL document remains a draft, it is version 1.0 and will not change¹¹. Publication is expected to occur after the Safety Regulation Commission (SRC) meeting in February 2006.

1.7.3.1 Executive summary

The following executive summary is copied from [27].

The A-SMGCS preliminary safety case evaluates whether the EUROCONTROL levels 1 and 2 A-SMGCS concept and specifications can be safely implemented. This is to support the EUROCONTROL Airports Programme in the validation of the concept. The A-SMGCS preliminary safety case has been developed based on the generic EUROCONTROL concept and a representative A-SMGCS implementation in Europe (London Heathrow). The safety analysis was performed by applying the EUROCONTROL safety assessment methodology (SAM). Throughout the whole process, stakeholders have participated in a number of workshops to validate the approach, assumptions and results of the analysis.

¹¹ Since EUROCONTROL were not able to demonstrate the feasibility of Level 2 A-SMGCS (at Heathrow), EUROCONTROL will update this aspect later in 2006 (following improvements to the Heathrow Level 2 system), which will result in a version 2.0 of the current document.


Assumptions

The A-SMGCS preliminary safety case has been developed based on a number of assumptions. The results of the A-SMGCS preliminary safety case are only valid if these assumptions are valid. As such, when stakeholders develop their local safety cases then all the assumptions shall be validated. The key assumptions relate to:
• weather (the proportion of time an airport is in visibility condition 1, 2, 3 or 4);
• airport layout (the proportion of time an aircraft is on the taxiway or runway);
• controller performance (the detection rate of an A-SMGCS failure);
• the architecture and performance of a typical A-SMGCS (in this case LHR).
The evidence to support the argument has been developed, in part, based on a ‘case study’. Stakeholders should review all the assumptions regarding LHR evidence to ensure it remains valid for their local implementation.

Conclusions

The A-SMGCS preliminary safety case has shown that the safety requirements for A-SMGCS level 1 can be implemented. The A-SMGCS preliminary safety case has shown that the A-SMGCS level 2 concept safety requirements are currently not achieved at LHR. This does not mean that the concept is unsafe but rather that the implementation has not achieved the required performance. This is recognised by NATS and since the installation of A-SMGCS at Heathrow, NATS have observed that the runway incursion monitoring false alarm rate does not meet their safety requirement for the conflict prediction function. This is primarily due to the way the system handles multipath from the single SMR. For this reason, conflict alerts are not currently presented on the controller display. A project is underway to add two new SMRs, and to upgrade the data fusion system, so that false targets from the sensors do not generate runway incursion monitoring false alerts. It is expected that the safety requirement for conflict prediction will then be met.

1.7.3.2 Commonalities and differences with the EMMA work

The work done in the EATMP-TRS003/04 is very similar to the work done in EMMA. On 15 September 2005, a cross-presentation of the EMMA and EUROCONTROL work was performed in Brussels. The participants of the meeting were Morten Jensen (EC, EMMA project officer), Chris Machin (Helios, main author of the EUROCONTROL safety case), Paul Adamson and Jean-Pierre Lesueur (Eurocontrol), Stéphane Paul (TATM, main author of the EMMA functional hazard assessment), and Jörn Jakobi (DLR, EMMA concept work-package leader). The main discussions of the meeting are reported below.

It was recalled that the EMMA functional hazard assessment (FHA) excludes avionics. The focus is on hazards whose origins are related to ground equipment (i.e. ground equipment failures), but the hazards are expressed at the boundary of the system, which encompasses human and procedure elements. The Eurocontrol FHA includes avionics (at least the transponder), an environmental description of the airport, and the air traffic controllers, but hazards relate only to A-SMGCS equipment and are expressed at the boundary of that equipment. Hazards are mainly “loss” and “corruption”, which are comparable to the EMMA equipment failure modes. Therefore, whilst Eurocontrol will consider the "corruption of the surveillance data" as a hazard and the "misuse of that data by the controller" as one of the effects, EMMA will consider "misuse of corrupted surveillance data by the controller" as a hazard and the consequences on aircraft operations as the effects.

The EMMA FHA is a generic FHA covering all 5 ICAO implementation levels (which are used to describe different scenarios related to levels of automation, visibility, airport complexity and traffic density), concentrating on the possible worst-case scenarios. On the other hand, the Eurocontrol safety case is not only an FHA: it is a preliminary safety case related to Heathrow airport and its level 1&2 system.
Routing, guidance, and onboard services are not included. The EMMA FHA has not identified any hazard in the good visibility scenario implementation level (SIL) 2. The Eurocontrol safety case has identified a severity 3 hazard related to undetected corrupted surveillance for aircraft located on the runway, and a severity 2 hazard related to undetected corrupted conflict prediction for aircraft located on the runway in the same visibility conditions. This is clearly related to different expectations on the procedures that will be used (cf. discussion in §1.5.3).

The main EMMA results are safety objectives related to equipment, and the next steps (PSSA and SSA) will be to make sure that the Thales A-SMGCS equipment is sufficiently safe (in terms of design and implementation) to fulfil these safety objectives. The overall objective of the Eurocontrol work was to prove that the Eurocontrol levels 1 & 2 concept is safe. Eurocontrol included the different visibility conditions and focussed on the sensor and alerting systems (i.e. levels 1 and 2 according to Eurocontrol). The safety case leans on the Heathrow design, implementation and environment for the PSSA and SSA steps.

The Eurocontrol level 2 corresponds very much to the ICAO level II. Both Eurocontrol and EMMA have identified a worst severity hazard rated “hazardous” (or severity 2) for these levels: this is an important point of consistency between the two studies. EMMA has shown a severity increase to “catastrophic” (severity 1) for levels III and IV.

It was pointed out that both EMMA and EUROCONTROL had worked on the risk and severity table. The higher the severity class of an accident, the lower the probability of occurrence must be. Eurocontrol estimates this relation as a factor of 10² per severity level. EMMA has used the same process, but with a different scale. Eurocontrol estimates that 90% of all accidents are related to aerodrome movements. The EMMA FHA uses the ICAO A-SMGCS TLS, but has shown, using a different set of statistics, that only 68% of all accidents are related to aerodrome movements (in a broad sense, including take-off, final approach and landing), of which only 4% have ATC as primary cause.

EUROCONTROL identified 10 hazards and built up event trees with respect to visibility conditions (e.g. 1% of the time in visibility condition 3), aircraft on the different parts of the tarmac (e.g. 8% of the time on runways), and failure detected (e.g. 99%) or not (e.g. 1%) by the ATCO. This processing of exposure time and mitigation means reflects the reduction of the probability of occurrence (Pe) of the hazard effects in different conditions (e.g. 1% × 8% × 1% for an undetected hazard affecting an aircraft on a runway in bad visibility conditions). EMMA has used a different approach, focused on the worst credible case: in EMMA, the probability that an aircraft will be on a runway in bad visibility conditions is 100% on a day with bad visibility conditions, because the flight will not be postponed and because the aircraft has to use the runway to take off. These different approaches may greatly impact the assessment of the safety objectives.

Relating to the EUROCONTROL PSSA, safety requirements were allocated arbitrarily and evenly to the equipment boxes. At Heathrow the surveillance performance was proved to meet all safety requirements, but conflict detection does not. Heathrow is currently in the process of procuring new SMRs to reach the level 2 implementation safety objectives.
The main differences between the EMMA and EUROCONTROL work were summarized as follows:
• EMMA looked only at the worst-case scenarios so that the TLS could be verified for every individual movement; Eurocontrol had a global approach, which satisfies a global TLS (for all movements over one year); thus EMMA will naturally result in much more stringent safety objectives;
• EMMA looked at ICAO implementation levels I to V, Eurocontrol looked at their own implementation levels 1 & 2; thus the scope of EMMA is broader and complements Eurocontrol in this way;
• EMMA has performed an FHA only, versus a complete safety case for Eurocontrol (London-Heathrow case); the EMMA work will be extended to a complete safety case during EMMA-2, using the Toulouse-Blagnac setup and environment;
• EMMA has identified hazards caused by equipment failures but expressed at the boundary of the system (incl. people and equipment); Eurocontrol has identified hazards at the boundary of the equipment;
• Eurocontrol has used a top-down approach; EMMA has used a bottom-up approach;


• Eurocontrol has worked on the computation of the target level of safety (TLS); EMMA has taken the ICAO TLS value for granted;
• EMMA has opened the door for FHAs related to people and procedures (by stressing its focus on equipment-related hazards); the theme is not mentioned by Eurocontrol;
• The primary objective of Eurocontrol was to show that the concept is safe and, secondly, to give a local stakeholder a generic approach to prove that their system is safe; the primary objective of the EMMA FHA shall be similar, but for all levels, once EMMA-2 is complete.

1.7.4 Operational hazard assessment by the C-ATM project

Co-operative Air Traffic Management (C-ATM) is a research project supported by the European Commission Directorate General "Transport and Energy" within the 6th Framework Programme. C-ATM is an Integrated Project addressing improvements in the Air Traffic Management system. It aims at optimising task distribution between actors, improving decision making through Collaborative Decision Making principles and the development of an information network, reducing uncertainty, increasing safety and creating additional capacity.

In [35], based on use-cases describing the sequences of operations between key ATM actors, the entire C-ATM concept has been analysed for hazard potential. Credible hazards have been identified via a range of methods, but principally have relied on the use of subject matter experts and safety assessor expertise. The descriptions therefore remain at a very high level and cannot be directly compared to the analysis in this document. C-ATM hazards have been classified in terms of severity and frequency. These classifications should be seen as preliminary indications, by expert judgement, of the relative risk of the various hazards, their absolute risk requiring further study. However, it is to be noted that the worst severity assigned to hazards is 3 (i.e. major); this contrasts greatly with the severity 1 (i.e. catastrophic) assigned to some hazards herein. C-ATM hazards have been linked to an extended Integrated Risk Picture (IRP) model. The hazards and risk mitigation measures identified give a first picture of the risk of the C-ATM services, and show where more study, and perhaps safety investment, should be considered. According to the authors, the next stage is to gain feedback from the stakeholders on this OHA, in order to refine this ATM system-wide risk picture.

1.7.5 The FHA of Maastricht upper area control centre

The Maastricht upper area control centre (MUAC) functional hazard assessment (FHA) report [25] does not deal with A-SMGCS, but it includes an equivalence study between the ESARR 4 [19] and the NATS hazard severity categorisation schemes. The document recalls that ESARR 4 provides the basis of a risk classification scheme by defining 5 severity levels and a maximum rate for the worst category, the accident, known as a severity class 1 (SC1) event, but:
• it does not currently specify maximum rates for SC2 to SC4 events, although it recognises that such maxima need to be specified;
• although it is intended for a priori analysis, it defines the hazard outcomes (at least in its use of examples) in terms of fully developed events.
The MUAC FHA then argues that it is not always possible to be so categorical about the possible consequences of a hazard; rather, it is often necessary to limit the analysis to undeveloped outcomes (SCU2, SCU3, SCU4), which define merely the effect of the hazard on the ability to maintain separation. The latter approach is the one that has been adopted by NATS Ltd for UK airspace for a number of years, and is the basis for the extension to the ESARR 4 scheme that is proposed. Thus, the comprehensive expression is defined as follows:

Pr SC1 + Pr SCU2 / 100 + Pr SCU3 / 1000 + Pr SCU4 / 100000

A similar approach has been used in the EUROCONTROL A-SMGCS safety case (cf. §1.7.3).
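The two quantitative steps described above, the EUROCONTROL-style event tree of §1.7.3.2 (hazard rate multiplied by visibility, location and ATCO-detection factors, against the EMMA worst-credible-case where every factor is 100%) and the NATS/MUAC weighted expression quoted in this section, can be worked through with the following script. It is an added example written for this excerpt, not code from the EMMA, EUROCONTROL or MUAC documents. The 1% (visibility condition 3), 8% (on runway), 1% (undetected) figures and the 1 : 1/100 : 1/1000 : 1/100000 weights are those quoted in the text; the remaining branch probabilities (VC1, VC2, VC4, taxiway, detected), the TLS value and the per-class rates are constructed placeholders chosen so that each branch set sums to 100%.

```python
"""Event-tree exposure factors and the NATS/MUAC comprehensive risk expression.

Added worked example for this report excerpt; not code from EMMA, EUROCONTROL
or MUAC.  Quoted figures: 1% VC3, 8% of time on runways, 1% of failures not
detected by the ATCO, severity weights 1, 1/100, 1/1000, 1/100000.  Every other
number is a constructed placeholder.
"""
import math
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Branch:
    """One outcome of an event-tree node and its conditional probability."""
    name: str
    probability: float


def check_branch_set(branches, tol=1e-9):
    """Outcomes of a node must be exhaustive and exclusive: they sum to 1."""
    total = sum(b.probability for b in branches)
    if not math.isclose(total, 1.0, abs_tol=tol):
        raise ValueError(f"branch probabilities sum to {total:.6f}, not 1")
    return True


def event_tree(hazard_rate, *nodes):
    """Enumerate all paths through the tree: {(branch names...): probability}.

    hazard_rate is the rate of the hazard itself (per movement or per hour);
    each node is a list of Branch objects (visibility, location, detection).
    A path's probability is hazard_rate times the branch probabilities along it.
    """
    for node in nodes:
        check_branch_set(node)
    paths = {}
    for combo in product(*nodes):
        p = hazard_rate
        for branch in combo:
            p *= branch.probability
        paths[tuple(b.name for b in combo)] = p
    return paths


# Constructed branch sets: only VC3 = 1%, runway = 8% and undetected = 1% are
# quoted in the text; the complements are placeholders summing to 100%.
VISIBILITY = [Branch("VC1", 0.90), Branch("VC2", 0.06),
              Branch("VC3", 0.01), Branch("VC4", 0.03)]
LOCATION = [Branch("runway", 0.08), Branch("taxiway", 0.92)]
DETECTION = [Branch("detected", 0.99), Branch("undetected", 0.01)]


def eurocontrol_exposure(path):
    """Fraction of hazard occurrences producing the effect on `path` under the
    EUROCONTROL-style event tree (hazard rate normalised to 1)."""
    return event_tree(1.0, VISIBILITY, LOCATION, DETECTION)[path]


def emma_worst_case_exposure():
    """EMMA worst-credible-case assumption: on a bad-visibility day the aircraft
    is on the runway with certainty, so no exposure credit is taken."""
    return 1.0


def safety_objective(tls, exposure):
    """Maximum tolerable hazard rate such that hazard_rate * exposure <= TLS."""
    if not 0.0 < exposure <= 1.0:
        raise ValueError("exposure must be in (0, 1]")
    return tls / exposure


# NATS / MUAC extension of ESARR 4:
# Pr SC1 + Pr SCU2 / 100 + Pr SCU3 / 1000 + Pr SCU4 / 100000
SEVERITY_WEIGHTS = {"SC1": 1.0, "SCU2": 1e-2, "SCU3": 1e-3, "SCU4": 1e-5}


def comprehensive_risk(class_rates):
    """Weighted sum of per-class outcome rates (a missing class counts as 0)."""
    unknown = set(class_rates) - set(SEVERITY_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown severity classes: {sorted(unknown)}")
    return sum(class_rates.get(c, 0.0) * w for c, w in SEVERITY_WEIGHTS.items())


if __name__ == "__main__":
    tls = 1e-9                      # placeholder target level of safety per movement
    path = ("VC3", "runway", "undetected")
    e_exp = eurocontrol_exposure(path)
    print(f"EUROCONTROL exposure for {path}: {e_exp:.2e}")
    print(f"  tolerable hazard rate (event tree): {safety_objective(tls, e_exp):.2e}")
    print(f"  tolerable hazard rate (EMMA worst case): "
          f"{safety_objective(tls, emma_worst_case_exposure()):.2e}")
    # Constructed per-class rates: each class contributes 1e-9 to the sum.
    rates = {"SC1": 1e-9, "SCU2": 1e-7, "SCU3": 1e-6, "SCU4": 1e-4}
    print(f"comprehensive risk: {comprehensive_risk(rates):.2e}")
```

Running it shows the point made in §1.7.3.2 in numbers: with the quoted branch values the event tree credits an exposure of 8e-6 to the undetected-runway-VC3 path, so the tolerable hazard rate is 125000 times higher than under the EMMA worst-case assumption for the same TLS. The `check_branch_set` guard catches the most common event-tree modelling error, a node whose outcomes do not cover all cases.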


1.7.6 Safety assessment for on-board equipment

The approach to on-board system safety differs essentially from the approaches taken for air traffic or airline operations in terms of the applicable regulations and industry standards that are used as reference guidelines. A summary of the state-of-the-art approach to safety assessment for on-board equipment can be found in the EMMA general safety concept document [6], and in particular in §4.2 related to the aircraft system domain. Please refer to that document for full details.

The authors would also like to bring the readers' attention to the safety analysis work performed by the Delft University of Technology (TUDelft) as part of the Safe Airport Navigation (SAN) project. Erik Theunissen, G. J. M. Koeners, F. D. Roefs and R. M. Rademaker have designed and evaluated an electronic flight bag (EFB) application for surface navigation, and:
• listed the different errors that may occur during surface navigation, and organized these in a diagram showing how they may lead to an incident or accident;
• explained how a moving map display (with / without routing) decreases the chance of occurrence of these errors, and increases the chance that they are detected in time;
• analyzed the failure modes added by the surface guidance system, and the possible consequences thereof, by means of a fault tree analysis.
The research team concluded that a surface guidance system adds considerably to awareness of position, and possibly of routing, traffic and obstacles as well, thereby increasing safety (i.e. the concept is safe). Conformance monitoring and alerting functions increase safety even further. However, the occurrence of an integrity failure may cause an incident with an aircraft at an un-cleared position on the airport.

With the permission of TUDelft, an extract of a paper presented at the 24th Digital Avionics Systems Conference on 30 October 2005 is given below. The paper by E. Theunissen, G.J.M. Koeners, F.D. Roefs (Delft University of Technology, Delft, The Netherlands), P. Ahl (AVTECH, Sweden) and O. F. Bleeker (Rockwell Collins) is entitled "Evaluation of an electronic flight bag with integrated routing and runway incursion detection functions". The extract focuses on the potential of the electronic flight bag (EFB) to increase safety.

Figure 8 shows three [pilot] errors that can be made during taxiing: a control error (e.g. steering into the grass); a navigation error (e.g. taxiing onto the wrong taxiway); and a clearance violation such as an unauthorized hold crossing. There is an important difference between a navigation error and a clearance violation on the one hand, and a control error on the other. A navigation error can be seen as a spatial deviation from the planned route, while an unauthorized hold crossing results in an un-cleared position on the planned route.

Figure 8: Three kinds of pilot errors during taxiing

The result of either is that the aircraft ends up at an un-cleared position. In contrast, a control error is a deviation from the centreline, with the aircraft still at a cleared part of the planned route. Furthermore, errors can arise during the planning, communication, interpretation, and memorizing of routing instructions. Again, these errors ultimately lead to the aircraft being at an un-cleared position. Figure 9 shows how different types of errors during or prior to taxiing may lead to incidents¹² and subsequently an accident¹³. The diagram is probabilistic; the grey bars attached to the boxes (representing a certain occurrence) and arrows (representing a causal relation) are probability bars. The height of these bars is not based on quantitative data, and should be interpreted on an ordinal scale level. The incidents are indicated with the orange blocks, the accident with the red block. Note that with the control error, the resulting situation is not classified as an incident. Although a control error may cause significant economical damage, it is assumed that the effect of the control error will be noticed long before separation with other vehicles becomes an issue and the pilot stops the aircraft. A navigation error can exist much longer before being noticed.

¹² An occurrence other than an accident, associated with the operation of an aircraft, which affects or could affect the safety of operations [NTSB].
¹³ An occurrence associated with the operation of an aircraft which takes place between the time any person boards the aircraft with the intention of flight and all such persons have disembarked, and in which any person suffers death or serious injury, or in which the aircraft receives substantial damage [NTSB].

Figure 9: From error, to incident, to accident

Figure 10 shows the same diagram with separate probability bars for three situations:
1. current situation;
2. situation with moving map display;
3. situation with moving map display with routing information.
As shown in Figure 10, a moving map display (situation 2) reduces the chance of an incident or accident through its positive influence on position awareness. The impact of a moving map display with routing (situation 3) is larger, since it not only improves position awareness, but route awareness as well. Furthermore, it allows for a route conformance monitoring function and an alerting function, decreasing the chance that a path/route deviation or a clearance violation remains unnoticed. Again, the probability bars are not representative of any quantitative data, but show probabilities on an ordinal scale.


Figure 10: Influence of an electronic map and routing information on safety

In case routing information is available, the basis for alerting is the difference between the actual and the desired position. With a hold crossing, this will only generate an alert after the violation has occurred. By using a predictive warning scheme that estimates whether with the current direction and velocity a violation will take place within a certain time, a warning can be provided that should allow the pilot to prevent the actual violation. The same concept can be applied to control and navigation errors. This additional reduction in likelihood that a potential incident turns into an actual incident is indicated by the blue bars in Figure 10.

1.7.7 ICAO requirements and their impacts on this assessment

Requirements related to safety are disseminated throughout the ICAO manual on advanced surface movement guidance and control systems [32]. We highly recommend that the reader make direct use of the aforementioned document. However, to ease the understanding of our approach to this hazard assessment and to justify some features that we have taken for granted (because already advocated by ICAO), we have collected below a few relevant requirements.


The first set of requirements is extracted from chapter 2, which is dedicated to the A-SMGCS operational requirements.

In §2.6.9 (system failures), the ICAO manual on A-SMGCS reads: “Equipment which shows control data should both be fail-safe¹⁴ and fail-soft¹⁵. In case of a failure of an element of an A-SMGCS, the failure effect should be such that the element status is always in the "safe" condition. All critical elements of the system should be provided with timely audio and visual indication of failure. An A-SMGCS should be self-restartable. The recovery times should be of a few seconds. The restart of an A-SMGCS should include the restoration of pertinent information on actual traffic and system performance.”

In §2.6.11 (pilot considerations), the manual reads: “Pilots should be provided with the following:
a) […]
e) indication of spacing from preceding aircraft, including speed adjustments;
f) indication of spacing from all aircraft, vehicles and obstacles in visibility condition 4;
[…]
h) information to prevent the effects of jet blast and propeller/rotor wash;
i) identification of areas to be avoided;
j) information to prevent collision with other aircraft, vehicles or known obstacles;
k) information on system failures affecting safety;
[…]
m) alert of incursion onto runways and taxiways; and
n) the extent of critical and sensitive areas.
Note.— Most of the foregoing requirements may be satisfied by ground visual aids.”

In §2.6.12.1 (vehicle driver considerations), the manual reads: “Vehicle drivers should be provided with the following:
a) […]
d) information, and control when and where appropriate, to prevent collision with aircraft, vehicles and known obstacles; and
e) alert of incursions into unauthorized areas.”

In §2.6.13 (apron management considerations), the manual reads: “The following information should be available to the apron management services:
a) […]
c) information on the presence of obstacles or other hazards;
d) information on the operational status of elements of the system; and
[…]”

In §2.6.14 (automation), the manual reads: “Where automation is available, the automated systems should demonstrate an acceptable level of HMI efficiency. The design of an A-SMGCS should make it possible to make a distinction between the following system elements and functions: (a) system assistance in the decision-making process; (b) system advice on the decision taken; and (c) system decisions provided directly to the users. Automated guidance should not be used by the system if aircraft control, conflict detection and conflict alert resolution are not available. If the system integrity degrades, it should automatically alert all users and should have the capability to transfer automated functions to the controllers in an easy and safe way. […] Note.— Automation validation processes are expected to encompass all environmental and failure conditions including a reversion to manual control.”

In §2.7.3 (integrity), the manual reads: “The system design should preclude failures that result in erroneous data for operationally significant time periods. The system should have the ability to provide a continuous validation of data and timely alerts to the user when the system must not be used for the intended operation. The validity of data should be assessed by the system in accordance with the assigned priority given to these data. Validation of operationally significant data should be timely and consistent with human perception and/or response time.”

In §2.7.4 (availability and continuity), the manual reads: “The availability of an A-SMGCS should be sufficient to support the safe, orderly and expeditious flow of traffic on the movement area of an aerodrome down to AVOL. An A-SMGCS should provide continuous service for all areas determined by the competent authority. Any unscheduled break in operations should be sufficiently short or rare so as not to affect the safety of aircraft using the system.

¹⁴ The term "fail-safe" in this context means that sufficient redundancy is provided to carry data to the display equipment to permit some components of the equipment to fail without any resultant loss of data displayed.
¹⁵ The term "fail-soft" means that the system is so designed that, even if equipment fails to the extent that loss of some data occur, sufficient data remain on the display to enable the controller to continue operation without assistance of the computer.


[…] Automatic positive indication of the status of the system or any operationally significant failure should be given to any aircraft, vehicle or control facility that might be affected.”

In §2.7.5 (reliability), the manual reads: “An A-SMGCS should be designed with an appropriate level of redundancy and fault tolerance in accordance with the safety requirements. A self-checking system with failure alerts should be in the system design. A failure of equipment should not cause a reduction in safety (fail soft); and the loss of basic functions. The system should allow for a reversion to adequate back-up procedures if failures in excess of the operationally significant period occur. Operationally significant failures in the system should be clearly indicated to the control authority and any affected user.”

It is interesting to see that, even if most safety-related operational requirements apply to the whole system, there is special attention paid to control data. There is also some apprehension towards fully automatic routing (cf. related requirement in Table 5-5 on page 85) and automated guidance (cf. related requirement in Table 5-6 on page 86). In both these cases, a means to revert to manual procedures is recommended.

Chapter 3 provides guidance on the application of the operational and performance requirements. The following requirements have been deemed interesting.

In §3.2 (division of responsibilities and functions), the manual reads: “The consideration of assigning responsibilities within the operation of A-SMGCS will be a major factor in the overall design of such systems. The design of A-SMGCS should not be constrained by existing allocations of responsibility. It should be recognized that changes may be required to make use of new technology and operational concepts. New elements will be introduced as systems become more capable and the correct operation of certain functions will involve the responsibilities of manufacturers and producers of software. A thorough and ongoing review of the present division of responsibility is required to see more clearly how new concepts will affect existing arrangements. The implementation of an A-SMGCS and its associated procedures enables the introduction of a high level of automation. This automation offers the chance of the “system” management of safety-related tasks that are normally performed by humans. Where there is a safety risk associated with the role and responsibility afforded to system functionality, a full risk assessment should be carried out.”

In §3.5.10 (system failures), the manual reads: “The A-SMGCS should have sufficient redundancy, fault tolerance or failure mitigation to enable operations to continue or be downgraded without affecting the required level of safety. This applies to both hardware and software failures that cause an interruption or loss of an A-SMGCS function. In this case, a back-up procedure should be provided for any known potential failure. The possibility of an unpredictable and catastrophic failure should be assumed. In the event of such a failure, a procedure(s) should be provided whereby dependability on the system (which may be the entire A-SMGCS) can be removed.”

In §3.5.13.4 (ATC considerations – Automation in ATC), the manual reads: “Automation should be introduced in a modular form and each element should be independent, capable of operating when other elements have become unserviceable. Interfaces should be provided to enable controllers to take over the operation of failed elements. These interfaces should also make it possible for staff to adjust the functioning of automated elements during normal operation when unplanned events, or inappropriate system function, require amendments to the operation […].”

In §3.5.13.13 (ATC considerations – ATC and HMI), the manual reads: “If human operators are to provide any meaningful contribution to the operation of A-SMGCS, even if only in a monitoring role and providing backup in the event of system failure, they should be involved in the executive functions of the system. Humans are poor monitors and whilst performing such tasks humans may be unable to take over the functions of a system if they have not been involved in its operation.”

Save Date: 2006-10-11 File name: D139_FHAvPSSA_V1.0.doc

Public

45 of 241 Version 1.0


In §3.5.17 (automation), the manual reads: “The use of automation is one of the main differences between SMGCS and A-SMGCS […]. Any automation should undergo a thorough validation process to ensure that the operational requirements are met. The validation process needs to encompass all environmental and failure conditions, including the reversion to manual control.”

In §3.6.2 (integrity), the manual reads: “[…] In the event of any failure, an appropriate alert including the operational significance of the failure should be provided. A safety assessment should be carried out on the level of integrity and should be directly related to the TLS. Other integrity requirements include: a) determination of the integrity risk — the probability of an undetected failure, event or occurrence within a given time interval; b) error identification — an error detection process should be deployed that will maintain the required level of integrity; c) error classification — each detected error should be analysed and a corrective or error processing method should be initiated within a specified time; d) error handling — specifies the number of attempts or retries allowed within a given time period to complete an error free function, transaction or process before a failure is declared; e) data integrity and validation — latent data within an A-SMGCS should be continuously checked for its integrity. This includes data that have a specified life cycle and that are contained within databases; and f) information errors — the propagation of hazardous or misleading information should be prevented.”

Chapter 4 of the manual on advanced surface movement guidance and control systems is dedicated to the A-SMGCS performance requirements.
The ICAO manual on A-SMGCS [32] states in §4.1.1.2 (system requirement - general – safety): “A-SMGCS target level of safety should be 1 x 10^-8 (per operation)” and in §4.1.1.3: “The function risk has been estimated as: a) guidance: 3.0 x 10^-9 per operation; b) surveillance: 3.0 x 10^-9 per operation; c) control: 3.0 x 10^-9 per operation; and d) routing: 1.0 x 10^-9 per operation.”

Chapter 4 of the manual also provides some dependability figures for each of the four main A-SMGCS functions. In §4.2.3 (surveillance requirements), the manual reads: “The actual position of an aircraft, vehicle or obstacle on the surface should be determined within a radius of 7.5 m. Where airborne traffic participates in the A-SMGCS, the level of an aircraft when airborne should be determined to within ±10 m.” In §4.3.1 (routing requirements), the manual reads: “The requirements listed in Table 4-1 should be used in the design of the routing function.”

Table 4-1. Routing maximum failure rate requirements

Visibility condition   Requirement (failures per hour)
1                      1.5E-03
2                      1.5E-04
3                      3.0E-06
4                      1.5E-06

In §4.5.1 (control requirements), the manual reads: “The probability of detection of an alert situation (PDA) should be greater than 99.9 per cent. The probability of false alert (PFA) should be less than 10^-3.”

These dependability figures had no direct implications on this functional hazard assessment and very preliminary system safety assessment. However, they should be accounted for in the following iterations of the preliminary system safety assessments. Finally, §5.5 outlines safety assessment implementation issues.


1.7.8 Safety and safety nets

According to the SRC policy document 2, "Use of safety nets in risk assessment & mitigation in ATM" [22]: “Safety nets are engineered systems which are designed and operated for the purpose of collision avoidance. Any safety benefit, which may be provided by a safety net, shall be considered as an additional overlay to that provided by the ATM system, as safety nets are considered to be in the collision avoidance layer outside the scope of ESARR 4. The ATM system must be able to demonstrate that it satisfies applicable tolerable ATM safety minima without reliance upon the safety benefit expected to be provided by safety nets. As safety nets can themselves induce new hazards to flight operations, they will be subject to specific safety objectives.”

1.7.9 State-of-the-art conclusion

The AGATE study [21], together with the A-SMGCS levels 1 and 2 preliminary safety case [27] and the NUP operational hazard assessment [24], represent major inputs to this functional hazard assessment. This document pushes the analysis one step further with a strong position on the safety assessment of the consequences of automation.


2 Referenced documents

2.1 Applicable documents

[1] European Airport Movement Management by A-SMGCS, contract
[2] EUROCONTROL Air Navigation System Safety Assessment Methodology (SAM), SAF.ET1.ST03.1000MAN-01-00, edition 2.0.

2.2 Other relevant publications

2.2.1 Emma deliverables

All the following EMMA deliverables have a public dissemination level.

[3] D1.2.1: ATM interoperability document.
[4] D1.3.1: Air-ground operational service and environment description (OSED).
[5] D1.3.2: Safety and performance requirements (SPR).
[6] D1.3.3: General safety concept (GSC).
[7] D1.3.5: Operational requirements document (ORD).
[8] D1.3.6: Human factors HMI requirements.
[9] D1.3.8: New A-SMGCS user roles.
[10] D1.4.1: High-level Air-Ground Functional Architecture (AGFA), previously called Interoperability document (INTEROP).
[11] D1.6.1: Test site operations document for Prague-Ruzynĕ, Toulouse-Blagnac and Milan-Malpensa.
[12] D2.1.1: Report on aircraft position issues.

2.2.2 Thales ATM publications

[13] System / segment specification (SSS) for the Airport & Terminal Automation System (ATAS), revision H, Thales ATM, July 2004 (commercial in confidence).
[14] Quality Manual, Thales ATM, QM-03 (commercial in confidence).
[15] Hazard Analysis / Operational safety, Work instruction IPD-315/03, Product Development Baseline (commercial in confidence).
[16] Safety CSCI Folder, Work instruction IPD-315/09, Product Development Baseline (commercial in confidence).
[17] Generic FHAR template, FAJ09, Product Development Baseline (commercial in confidence).
[18] Safety training, Bernard Pauly, 29 April 2004, DT-PLS-SE (commercial in confidence).

2.2.3 Publications from other EMMA consortium partners

[19] EUROCONTROL Safety Regulatory Requirement, ESARR 4, Risk Assessment And Mitigation In ATM, Edition 1.0, 05-04-2001, DGOF/SRU.
[20] EUROCONTROL EATMP, DAP / APT, Definition of A-SMGCS Implementation Levels (internal project document subject to change), version 1.0, September 2003.
[21] High-level business case document for A-SMGCS ground assistance tools for Europe (AGATE), proposed issue, edition 1.0, EUROCONTROL, ODT13/DP13, November 1998.
[22] Use of safety nets in risk assessment & mitigation in ATM, EUROCONTROL Safety Regulation Commission policy document 2, edition 1.0, 28 April 2003.


[23] Review of techniques to support the EATMP Safety Assessment Methodology, EUROCONTROL draft report, Patrick Mana, 11 April 2003.
[24] Operational hazard assessment (OHA) automatic dependant surveillance broadcast (ADS-B) APT, North European ADS-B Network Update Programme (NUP), phase II, Philippe CAISSO, Service Technique de la Navigation Aérienne (STNA), June 2004.
[25] Maastricht Upper Area Control Centre, FHA Report, S.P1237.40.5, Issue 1.1, Brian Orr, Derek Fowler, 30 September 2003 (commercial in confidence).
[26] Maastricht Upper Area Control Centre, Preliminary System Safety Assessment, Interim Report, Ref. C/401/01/501, Issue: 0.1, 6 Feb 04 (commercial in confidence).
[27] A-SMGCS levels 1 and 2 preliminary safety case, release 1.0, October 2005, EUROCONTROL (draft intended for a restricted audience).
[28] EUROCONTROL OATA-P2-D4 2 11-01, Study Report on Avionics.
[29] EUROCONTROL Safety Regulation Commission (SRC) document 2, Aircraft accidents / incidents and ATM contribution, Review and Analysis of Historical Data, Edition 3.0 dated 12 December 2002.
[30] Eurocontrol experimental centre, Review of root causes of accidents due to design, EEC Note No. 14/04, Project Safbuild, Issued: October 2004.

2.2.4 External publications

[31] ICAO manual on Surface Movement, Guidance and Control Systems (SMGCS), doc 9476.
[32] ICAO manual on Advanced Surface Movement, Guidance and Control System (A-SMGCS), doc 9830 AN 452 - 2004.
[33] EUROCAE WG-41, Minimum Aviation System Performance Specification for Advanced Surface Movement Guidance and Control Systems, ED-87A, January 2001.
[34] Statistical Summary of Commercial Jet Airplane Accidents - Worldwide Operations 1959 – 2003, Airplane safety, Boeing, April 2004.
[35] Preliminary Operational Hazard Assessment, deliverable n° D1.3.2, Co-operative Air Traffic Management (C-ATM) - Phase 1, Contract No.: TREN/04/FP6AES/S07.29954/502911, Sixth Framework Programme.


3 Main results of the functional hazard assessment and very preliminary system safety assessment

In agreement with the method described in §1.4, this functional hazard assessment and very preliminary system safety assessment was performed in four steps, whose main results are given below:
• identification of potential equipment failures, cf. §3.1;
• identification of hazards, cf. §3.2;
• assessment of hazard severity, cf. §3.3; and
• specification of safety objectives, cf. §3.4.
The safety recommendations are provided in §4. Full details on all the above can be found in appendices A to F.

3.1 Identification of potential equipment failures

The identification of potential equipment failures has been performed in 3 steps:
• functional decomposition;
• identification of data & control flows;
• posting of fault modes on each data & control flow and analysis of the effects.

3.1.1 Functional decomposition

According to the ICAO manual on A-SMGCS [32], “an A-SMGCS should support the following primary functions: a) surveillance; b) routing; c) guidance; and d) control.” It is noted that “communication is considered to be an integral part of each of the primary functions.” To keep this report simple and generic, the granularity of the functional decomposition has been limited to only one level beneath the level of primary functions.

Surveillance has been decomposed into:
• surveillance via non co-operative sensors,
• surveillance via co-operative sensors,
• data fusion,
• traffic movement characterisation.

Routing has not been decomposed.

Guidance has been decomposed into:
• guidance control,
• guidance aids monitoring,
• vehicle on-board guidance,
• traffic information service – broadcast (TIS-B).

Control has been decomposed into:
• traffic monitoring & alerting,
• planning,
• plan monitoring and alerting.

In addition, the controller working position has been highlighted as a stand-alone function, and the following five technical functions have been retained: time management, technical supervision, legal recording, aerodrome mapping database, and strip printer.


3.1.2 Identification of data & control flows

Fifty-eight (58) data & control flows have been identified, based on the above functional decomposition. The identification was driven by technical considerations. For example, if it is known that different data or control items (e.g. track position, track speed, track heading, etc.) are handled by the same piece of software or hardware, then these data or control items are known to flow as a coherent group, and are thus presented as a unique data or control flow. Each flow has been analysed in terms of content description, system state & mode (i.e. condition when the flow is active), flow type (i.e. external or internal flow), presentation and application protocols (if standardised), redundancy, periodicity, and acceptable outage.

3.1.3 Posting of fault modes on each data & control flow

The “loss of” and “corruption of” fault modes have been systematically posted on each of the 58 identified data & control flows. For each failure, the detected and not detected cases have been distinguished. This leads to some 58 * 2 * 2 = 232 studied equipment failures. The “temporary interruption of” fault mode has been analysed only on a case-by-case basis.

For each equipment failure, the possible operational effects, at equipment level, have been described. The description of operational effects has been slightly formalised in order to maximise their reuse for different equipment fault modes. Thus only 37 significant operational effects were identified, and classified into 4 categories:
• controller false confidence in the equipment (i.e. controller over-reliance on the failed equipment, before equipment failure detection),
• controller workload increase due to manual substitution (after equipment failure detection),
• controller workload increase due to known malfunctioning that cannot be helped (after equipment failure detection),
• operational effects on vehicle drivers and aircraft pilots (independently of equipment failure detection).

The operational effects, at equipment level, that have been identified, are the following:
• OE-01: The controller’s traffic situational awareness is severely compromised (due to undetected loss or undetected corruption of surveillance data as normally provided by the equipment).
• OE-02: The controller’s traffic situational awareness is slightly compromised (due to undetected loss or undetected corruption of some surveillance data, as normally provided by the equipment, e.g. loss of only one source of surveillance, such as raw video, co-operative sensors, non co-operative sensors, etc.). At least one source of co-operative surveillance and one source of non co-operative surveillance remain. Complete loss of one source is covered by OE-01. There is no significant impact on conflict detection.
• OE-03: Detection of surface conflicts & incursions by the controller is severely compromised (due to the undetected loss or undetected corruption of control data as normally provided by the equipment).
• OE-04: The controller’s projected situational awareness is severely compromised (due to the undetected loss or undetected corruption of flight plan data as normally provided by the equipment).
• OE-05: The detection of plan deviations by the controller is severely compromised (due to the undetected loss or undetected corruption of plan conformance monitoring data as normally provided by the equipment).
• OE-06: The controller’s awareness of the traffic situation in adjacent sectors is severely compromised (due to loss or corruption of flight plan and / or surveillance data related to adjacent sectors as normally provided by the equipment).
• OE-07: The controller’s context awareness is slightly compromised (due to loss or corruption of guidance data, e.g. incorrect knowledge of equipment state and status, or due to loss or corruption of aerodrome-mapping data as normally provided by the equipment).
• OE-08: The controller human-machine interface (HMI) is stuck in a display configuration that is improper for normal (safe) control operations.


• OE-09: Equipment response time increases above tolerable values (e.g. due to overload), and the equipment does not detect this slowing down.
• OE-10: The controller has to manually manage the flight plans for the operations (i.e. creations, deletions, updates) that are normally handled by external flight plan data processing systems (FDPS).
• OE-11: The controller has to manually manage the flight plans for the operations (i.e. creations, deletions, updates) that are normally handled by adjacent tower positions.
• OE-12: The controller has to manually manage the flight plans for the operations (i.e. updates only) that are normally handled by automated traffic characterisation, in particular flight plan progress.
• OE-13: The controller has to manually label (some) target reports.
• OE-14: The controller has to assign all taxi routes manually (with or without semi-automatic routing support).
• OE-15: The controller has to manually control the ground guidance aids.
• OE-16: The controller has to manually update the aerodrome-mapping database.
• OE-17: The controller has to mentally maintain the association between the flight plans and the target reports.
• OE-18: The control procedures have to revert to paper strips.
• OE-19: The controller has to revert to RTF co-ordination with the adjacent approach centre.
• OE-20: The controller has to rely (more) on pilots’ RTF reports for mobile positioning & identification data.
• OE-21: The controller has to revert to RTF guidance.
• OE-22: The controller has to monitor plan adherence (and in particular taxi route adherence) without automated plan conformance monitoring support.
• OE-23: The controller has to return to SMGCS working procedures and conditions.
• OE-24: The controller has to use the ground guidance aids own control & monitoring tools to manually control them.
• OE-25: The controller is provided (by the equipment) with missing and/or corrupted traffic data. He knows it, but cannot / does not prevent it. This effect includes OE-20, whose hazards are not repeated here.
• OE-26: The controller is provided (by the equipment) with missing and/or erroneous mobile identification. He knows it, but cannot / does not prevent it. Note: This effect includes OE-17, whose hazards are not repeated here.
• OE-27: The controller is provided (by the equipment) with missing or false traffic alerts. He knows it, but cannot / does not prevent it.
• OE-28: The controller is provided (by the equipment) with missing and/or erroneous plan monitoring alerts. He knows it, but cannot / does not prevent it.
• OE-29: The controller is provided (by the equipment) with missing and/or erroneous co-ordination support. He knows it, but cannot / does not prevent it.
• OE-30: Pilots and/or drivers do not receive any automated guidance from ground guidance aids. Note: This effect may include OE-34.
• OE-31: Pilots and/or drivers do not receive any automated guidance from on-board equipment. Note: This effect includes OE-34.
• OE-32: Pilots and/or drivers are provided with missing or erroneous indications via the ground guidance aids.
• OE-33: Pilots and/or drivers are provided with missing or erroneous guidance indications via the on-board equipment.
• OE-34: Pilots and/or drivers are provided with inconsistent guidance indications (between ground, on-board and RTF). Note: When the failure is detected, this effect includes OE-21.
• OE-35: Pilots and drivers are provided (potentially via TIS-B) with missing and/or erroneous surveillance data (including mobile identification).
• OE-36: Pilots and/or drivers are provided with inconsistent aeronautical information (between the A-SMGCS aerodrome-mapping database, the ATIS, the FIS-B, the RTF). Note: When the failure is detected, this effect includes OE-21.
• OE-37: Supposing that a route deviation is detected based on down linked aircraft parameters (DAP), the information is provided too late to avoid the route deviation.


Depending on the A-SMGCS scenario implementation level, the environmental conditions, the procedures and the controllers, each of the above operational effects, at equipment level, may represent a hazard (at system level).

3.2 Identification of hazards

3.2.1 Hazards originating from equipment

After the identification of possible operational effects, at equipment level, the possible operational effects at system level have been identified, taking into account people (i.e. controllers, pilots, drivers) and procedures. Because equipment and procedures change with the A-SMGCS scenario implementation levels (SIL), hazards have been split per SIL. Some hazards may seem similar between levels; however, since the severity may be different, we have preferred to systematically¹⁶ identify them as separate hazards. For each level, the worst conditions (as indicated by ICAO) have been used in terms of airport layout, visibility conditions and traffic load. For more details, please refer to annex F.

3.2.1.1 Hazards originating from equipment in a scenario implementation level II

The following hazards have been identified for an A-SMGCS scenario implementation level II:
• HZ-01: In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
• HZ-05: In visibility condition 2, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to misuse this corrupted surveillance data.
• HZ-10: In visibility condition 2, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure separation (essentially on or near runways).
• HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.
• HZ-26: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by increased cognitive processing.

3.2.1.2 Hazards originating from equipment in a scenario implementation level III

The following hazards have been identified for an A-SMGCS scenario implementation level III:
• HZ-02: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
• HZ-06: In visibility condition 3, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.
• HZ-11: In visibility condition 3, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure separation.
• HZ-14: In visibility condition 3, the controller needs to recover from an equipment flight data failure by reverting to paper strips and the voice communications system (VCS).
• HZ-17: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure verbal and manual routing.

¹⁶ With very few exceptions.


• HZ-20: In visibility condition 3, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight data), and continues to use this corrupted data to ensure co-ordination.
• HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.
• HZ-26: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by increased cognitive processing.

3.2.1.3 Hazards originating from equipment in a scenario implementation level IV

The following hazards have been identified for an A-SMGCS scenario implementation level IV:
• HZ-03: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
• HZ-07: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.
• HZ-12: In visibility condition 3, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure tactical separation.
• HZ-15: In visibility condition 3, the controller needs to recover from an equipment flight data failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
• HZ-18: In visibility condition 3, the controller does not detect the corruption of equipment flight data, and continues to use this corrupted data to ensure routing and automated ground guidance.
• HZ-21: In visibility condition 3, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.
• HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.
• HZ-26: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by increased cognitive processing.
• HZ-27: Recovery: in visibility condition 3 or worse, the supervisor re-sectorises and the controller has to move from one position to another.

3.2.1.4 Hazards originating from equipment in a scenario implementation level V

The following hazards have been identified for an A-SMGCS scenario implementation level V:
• HZ-04: In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
• HZ-08: In visibility condition 4, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.
• HZ-09: In visibility condition 4, pilots and drivers are provided (potentially via TIS-B) with missing and/or erroneous surveillance data (including mobile identification), but this lack or inconsistency has been detected.
• HZ-13: In visibility condition 4, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure tactical separation.
• HZ-16: In visibility condition 4, the controller needs to recover from an equipment flight data failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.


• HZ-19: In visibility condition 4, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure routing and automated on-board guidance.
• HZ-22: In visibility condition 4, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.
• HZ-23: Recovery in visibility condition 4: the controller needs to recover from an equipment conformance monitoring failure by decreasing the number of aircraft moving simultaneously.
• HZ-24: Misuse of automation in visibility condition 4: due to over-reliance on automation, the controller does not detect the corruption of equipment conformance monitoring, and continues to use this corrupted data to ensure that the traffic is conforming to instructions.
• HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.
• HZ-26: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by increased cognitive processing.
• HZ-27: Recovery: in visibility condition 3 or worse, the supervisor re-sectorises and the controller has to move from one position to another.

3.2.2 Other hazards and share of the target level of safety

Our safety assessment does not consider all A-SMGCS hazards, but only those hazards that originate from equipment. Other hazards exist which originate from people and procedures (cf. Figure 11). It is not in the scope of EMMA to identify all those hazards. Some have been listed in §3.2.2.2, but this list is not to be considered as complete.

[Figure 11 is not reproduced. Its labels are: Aerodrome ATC level; A-SMGCS level; Equipment level; Equipment failure; People / procedure failure; Equipment mitigation; People / procedure mitigation; System mitigation; External mitigation; Operational effects at equipment level; Operational effects at people / procedure level; Hazards = operational effects at A-SMGCS level; Operational effects at aerodrome ATC level (i.e. failure condition).]

Figure 11: Hazards originating from equipment, and other hazards


Focusing on hazards originating from equipment failures represents one of the main weaknesses of this analysis. Indeed, the A-SMGCS target level of safety (i.e. $1 \times 10^{-8}$ per operation) has to be divided between all hazards, not only the former. Some part of the target level of safety should be set aside for other hazards, but to what extent? There is no known SMGCS FHA that could provide us with such an insight. A proposal, to be discussed and agreed at European / international level, has been made in §3.2.2.1 for each A-SMGCS scenario implementation level.

3.2.2.1 Share of the TLS allocated to equipment

Our safety assessment does not consider all A-SMGCS hazards, but only those hazards that originate from equipment failures. It is therefore necessary to assume a share of the total target level of safety (TLS) that will be allocated to the equipment. In [27], annex D, 15% of the total TLS was allocated to equipment for an A-SMGCS implementation level 1 & 2 (according to the EUROCONTROL terminology, corresponding more or less to ICAO level II). We tend to agree with this share, and propose the following allocations for higher scenario implementation levels.

ICAO scenario implementation level (SIL) | Share of the TLS allocated to hazards originating from people & procedure failures | Target level of safety allocated to people & procedure | Share of the TLS allocated to hazards originating from equipment failures | Target level of safety allocated to equipment
I | 100% | 1.0E-08 | 0% | Not applicable (no A-SMGCS equipment)
II | 85% | 8.5E-09 | 15% | 1.5E-09
III | 65% | 6.5E-09 | 35% | 3.5E-09
IV | 55% | 5.5E-09 | 45% | 4.5E-09
V | 45% | 4.5E-09 | 55% | 5.5E-09

Table 3-1: Share of the TLS per scenario implementation level

As automation increases, the share of the A-SMGCS target level of safety (TLS) allocated to hazards originating from equipment failures increases, whilst the share of the TLS allocated to hazards originating from people & procedure failures decreases (cf. Table 3-1). We propose a major step between ICAO A-SMGCS scenario implementation level II and level III (i.e. +20 points) because at level III, on basic and simple airports with light or medium traffic, the A-SMGCS is supposed to support operations in visibility conditions 3. For us, this is a major step that implies very high confidence in the equipment, and new conflict prediction & resolution tools. In our view, later steps up the A-SMGCS scenario implementation levels are less dramatic, and are therefore only assigned +10 points. However, comments and discussions are highly solicited.

[Figure 12 is not reproduced. Its labels are: Safe state; Equipment failure; Hazard; People and procedures; Safety objective.]

Figure 12: People and procedures act as mitigation for hazards originating from equipment failures


As seen in Figure 11, all hazards (including hazards originating from equipment failures) are identified at the boundary of the system. This means that people and procedures act as mitigation to reduce the probability that an equipment failure evolves into a hazard (cf. Figure 12). For a hazard to be raised, an equipment failure must occur and neither the people nor the procedures must correctly mitigate it. Procedures to detect equipment failures and to recover from them need to be safe, and the people need to be adequately trained to cope with such equipment failures. In other terms, part of the target level of safety (TLS) allocated to hazards originating from equipment failures needs to be allocated to equipment failure detection procedures and to training. Even though we would like to stress the importance of training controllers to face equipment failures by allocating a part of the A-SMGCS TLS to this training and these procedures, we are aware that this allocation would dramatically increase the complexity of the computations, with probably minor effects on the resulting figures. We will therefore consider that the part of the target level of safety allocated to this training and these procedures is already covered in the share of the TLS as expressed in Table 3-1. Whatever apportionment between equipment, people and procedures is agreed, it is suggested that for future system safety assessments following implementation, a mechanism is enforced to review the apportionment once safety data from several airports is available.

3.2.2.2 Hazards originating from people and procedures

The preliminary system safety assessment (PSSA) part of this document is focused on hazards originating from equipment failures. For this reason, the proposed list of hazards related to people and procedure failures is not exhaustive, but focuses on abuse of automation. Abuse refers to an inappropriate application of automation by designers and managers or to inappropriate usage of automation by operators. The main causes of abuse of automation may be, for example, that:
• the A-SMGCS implementation is recent and the controller is not used to the new equipment and procedures;
• the A-SMGCS implementation is recent and the new procedures are not adapted to the use of the new equipment or to the known performances of this equipment;
• the controller does not react to changes of airport environment (airport layout, meteorological conditions, traffic density, etc.) and continues to use unsuitable procedures, or set of tools, etc.

Table 3-2 below provides an insight on some hazards that are related to automation, but whose main origin is a people or procedure failure, rather than an equipment failure.

A-SMGCS scenario implementation level | Hazard typology | Hazard description (at system level) | Comments and recommendations
II | Abuse | Even though surveillance equipment is only supposed to be used in visibility conditions 1 or 2, due to work pressure, the controller continues to use the equipment surveillance data in visibility conditions 3 or worse. | Abuse of automation should be prevented: either through adequate training of the supervisor, or through automated equipment alerting (17) when the visibility conditions (automatically entered) imply that the equipment should not be used for operational purposes.
II | Abuse | In any visibility condition (related to SIL II), due to over-reliance on automation, the controller uses surveillance equipment to ensure ground separation. | Abuse of automation should be prevented through adequate training and definition of procedures.
III, IV | Abuse | In visibility conditions 3, due to work pressure, the controller manages more traffic than he will be able to cope with during a failure recovery. | Management of more traffic than the controller will be able to cope with during a failure recovery should be prevented: either through adequate training of the supervisor, or through automated equipment alerting when the traffic conditions imply that recovery in case of equipment failure might be difficult.
V | Abuse | In visibility conditions 4, due to work pressure, the controller manages more traffic than he will be able to cope with during a failure recovery. | Management of more traffic than the controller will be able to cope with during a failure recovery should be prevented: either through adequate training of the supervisor, or through automated equipment alerting when the traffic conditions imply that recovery in case of equipment failure might be difficult.
II, III | Abuse | In any visibility condition, due to over-reliance on automation, the controller uses surveillance equipment to ensure ground guidance, using heading and speed instructions. | We assume that until guidance is automated, it is improper to use the system to ensure speed and heading guidance (open for discussion). Abuse of automation should be prevented through adequate training and definition of procedures.
III, IV, V | Abuse | In visibility condition 3 or worse, due to work pressure, the controller gives responsibility to the pilot for separation with other aircraft. | Abuse of automation should be prevented: either through adequate training of the supervisor, or through automated equipment alerting when the visibility conditions (automatically entered) imply that the equipment should not be used for operational purposes.
V | Abuse | In any visibility condition, the pilot uses surveillance information provided by the on-board surveillance display (e.g. TIS-B) to ensure tactical separation with other aircraft. | The surveillance information provided by TIS-B is not reliable enough to ensure tactical separation and the pilot does not have the responsibility for separation with other aircraft. Abuse of automation should be prevented through adequate training of the pilot and definition of procedures.
V | Abuse | In visibility condition 3 or worse, due to over-reliance on automation, the controller gives responsibility to the pilot for separation with other aircraft, using the on-board surveillance display. | Common sources of mistake can be a misunderstanding of the performances of TIS-B. Abuse of automation should be prevented through adequate training of the pilot and definition of procedures.
II, III, IV, V | Abuse | In any visibility condition, due to over-reliance on automation, the controller relies on the system to detect conflicts. | Abuse of automation should be prevented through adequate training and definition of procedures.
III, IV, V | Abuse | In any visibility condition, due to over-reliance on automation, the controller does not countercheck the conflict alerts provided by the conflict prediction equipment. | Conflict prediction cannot manage all the operational criteria used to determine a conflict alert. For this reason, the controller will always have to check the predicted conflict and validate the alert. Abuse of automation should be prevented through adequate training and definition of procedures.
III, IV, V | Abuse | In any visibility condition, due to over-reliance on automation, the controller does not countercheck the conflict resolution proposed by the conflict prediction equipment. | Conflict prediction cannot manage all the operational criteria used to determine a conflict resolution. For this reason, the controller will always have to check the predicted conflict and validate the proposed conflict resolution. Abuse of automation should be prevented through adequate training and definition of procedures.
III, IV, V | Abuse | In any visibility condition, due to over-reliance on automation, the controller does not verify the routes provided by the routing equipment. | The routing equipment cannot manage all the operational criteria used to define a route. For this reason, the controller will always have to check and validate the route. Abuse of automation should be prevented through adequate training and definition of procedures.
III, IV, V | Abuse | In any visibility condition, due to work pressure, the controller relies on the plan conformance monitoring function to ensure that the traffic is conforming to instructions. | Abuse of automation should be prevented through adequate training of the supervisor and definition of procedures.
III, IV | Abuse | Even though ground guidance equipment is only supposed to be used in visibility conditions 1, 2 or 3, due to work pressure, the controller continues to use it in visibility conditions 4. | It is likely that the pilot will announce that he is not able to taxi. Abuse of automation should be prevented: either through adequate training of the supervisor, or through automated equipment alerting when the visibility conditions (automatically entered) imply that the equipment should not be used for operational purposes.

Table 3-2: Hazards originating from people and procedures

(17) The listed mitigations (e.g. alerting) may introduce additional failure modes and hazards. Since the assessment of hazards originating from people and procedures is not the object of this document, the latter have not been assessed herein. However, it is understood that this would be necessary if a thorough functional hazard assessment including people and procedures were to be made.

3.3 Assessment of hazard severity

For each identified hazard originating from equipment failures, severity indicators (i.e. hazard effects at aerodrome ATC level, exposure, and mitigation means that are external to the system) have been analysed in order to assign a severity. Two hazards were assessed as catastrophic (i.e. severity 1). The two hazards are similar but apply respectively to A-SMGCS scenario implementation level III (HZ-06) and level IV (HZ-07): in visibility condition 3, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure separation. In visibility condition 3, visibility is sufficient for a pilot to taxi, but insufficient for a pilot to avoid collision with other traffic on taxiways and at intersections by visual reference with other traffic, and insufficient for the control authority to exercise control over all traffic on the basis of visual surveillance. To assign a severity 1, two kinds of operational effects were analysed:
• A dangerous situation develops unbeknownst to the controller, e.g. a conflict between aircraft on a taxiway, a runway incursion, a take-off without clearance, a route deviation, etc. (cf. Milano-Linate accident). The equipment provides no alert.
• Due to his lack of situational awareness, a controller himself creates a critical loss of separation by delivering an inadequate clearance (cf. Rhode Island incident on December 6th, 1999, or the Überlingen accident on July 1st, 2002).
The severities 1 were first assigned by DSNA and TATM based on undeveloped hazard outcomes. After the second FHA workshop (cf. appendix H), the severities were confirmed by drafting concrete outcomes (cf. appendix F).

Scenario implementation levels | Hazards | Severity
2 | HZ-05 | 2
2 | HZ-01 | 4
2 | HZ-10 | 5
2 | HZ-25 | 5
2 | HZ-26 | 5
3 | HZ-06 | 1
3 | HZ-02 | 2
3 | HZ-17 | 2
3 | HZ-11 | 3
3 | HZ-20 | 4
3 | HZ-14 | 5
3 | HZ-25 | 5
3 | HZ-26 | 5
4 | HZ-07 | 1
4 | HZ-03 | 3
4 | HZ-12 | 3
4 | HZ-18 | 3
4 | HZ-15 | 4
4 | HZ-21 | 4
4 | HZ-27 | 4
4 | HZ-25 | 5
4 | HZ-26 | 5
5 | HZ-08 | 2
5 | HZ-04 | 3
5 | HZ-19 | 3
5 | HZ-24 | 3
5 | HZ-13 | 4
5 | HZ-16 | 4
5 | HZ-22 | 4
5 | HZ-23 | 4
5 | HZ-27 | 4
5 | HZ-09 | 5
5 | HZ-25 | 5
5 | HZ-26 | 5

Table 3-3: Summary of hazard severities

It is to be noted that for a scenario implementation level V, the similar hazard (HZ-08) has only been rated hazardous (i.e. severity 2) because aircraft and vehicles are supposed to be equipped with ADS-B in and to continuously receive positions and identification of other mobiles. Two other hazards were qualified with a hazardous severity (i.e. severity 2). The first one, HZ-02, is closely related to the aforementioned HZ-06; it is the hazard related to the recovery from the HZ-06 situation. The other one, HZ-17, is again a misuse, but this time related to flight data: “In visibility condition 3 the controller does not detect the corruption of equipment flight data, and continues to use this corrupted data to ensure verbal and manual routing”. Seven hazards were qualified with a major severity (i.e. severity 3). All other hazards were qualified as having a minor or no impact on safety. For full details, please refer to appendix F. Per scenario implementation level, the following results have been obtained:
• SIL II: the most severe hazard is hazardous;
• SIL III: the most severe hazard is catastrophic;
• SIL IV: the most severe hazard is catastrophic;
• SIL V: the most severe hazard is hazardous.
It is to be noted that during the 2nd EMMA FHA workshop, the severities assigned to SIL II and SIL III hazards had a clear tendency to become more dramatic than what had been previously assigned by DSNA and TATM. The hazards related to SIL IV and SIL V were not discussed: it is not to be excluded that further assessment with operational staff may lead to similar evolutions.

3.4 Specification of safety objectives

3.4.1 Introduction

The specification of safety objectives involves three notions:
• the target level of safety (cf. §3.2.2.1),
• the severity (cf. §3.3),
• the safety objectives themselves.

[Figure 13 is not reproduced. Its labels are: Safe condition; Hazard 1 … Hazard N; Failure condition; Each hazard has its own safety objective in order to ensure the global safety objective; Target Level of Safety = probability of an accident during aircraft movement on the aerodrome = $10^{-8}$ per movement; Safety Objective ≡ probabilities at which hazards can be expected to occur; Set of all hazards = potentially unsafe conditions; Severity ≡ probabilities at which hazards can lead to an accident (using NATS mapping for SCU2 to SCU4); Each hazard contributes a little to create an accident; Mitigation can reduce severity.]

Figure 13: Relationship between target level of safety, severities and safety objectives

Figure 13 shows the relationship between (a) a safe condition, (b) a hazard, i.e. a potentially unsafe condition, and (c) a failure condition, i.e. an accident, except for “chance”:
• The target level of safety is the probability that an accident occurs during an aircraft movement on the aerodrome; it has a value set to $10^{-8}$ per movement (cf. §1.7.1). In Figure 13, it is illustrated by a blue arrow between a safe condition and a failure condition (or accident).
• The safety objective of a hazard is a requirement (or constraint) setting the highest tolerable/acceptable probability that this hazard is raised; the set of all hazard safety objectives is noted (as a vector):

$$\text{Global safety objective} = \begin{pmatrix} \text{Safety objective of hazard 1} \\ \vdots \\ \text{Safety objective of hazard } N \end{pmatrix}$$

In Figure 13, a safety objective is illustrated by a black arrow between a safe condition and a hazard. It is assumed that, because we have used the prescriptive approach (cf. [2]) for the setting of safety objectives, the probabilities of the hazard generating the effects (Pe) are somehow already considered when we have decided the severity class of each hazard (cf. §1.6.2 for more details).
• Using the risk classification scheme and NATS’ mapping for SCU2 to SCU4 (§1.7.5), the severity of a hazard can be used to retrieve the probability that this hazard leads to an accident. The severity of each identified hazard has been assigned (cf. §3.3) and is therefore known; the set of all hazard severities is noted (as a vector):

$$\text{Global severity} = \begin{pmatrix} \text{Severity of hazard 1} \\ \vdots \\ \text{Severity of hazard } N \end{pmatrix}$$

In Figure 13, the probability that a hazard leads to a failure condition (based on hazard severity) is illustrated by a red arrow between a hazard and a failure condition (or accident).


Considering that the target level of safety (TLS) and the global severity are known, the global safety objective can be computed from the following scalar product:

$$\text{global TLS} = \text{global safety objective} \cdot \text{global severity} = \sum_{i=1}^{N} SO_i \cdot SV_i$$

The infinite number of solutions to this equation form a hyperplane. To set down ideas, let us suppose that:
• we have identified only 2 hazards: H1, catastrophic, and H2, hazardous;
• we note SO1 and SO2 the safety objectives of H1 and H2, i.e. the probability of occurrence of H1 and H2;
• we note SV1 and SV2 the severities of H1 and H2; given the NATS mapping for severities (18), the probabilities of accident if H1 and H2 occur are respectively 100% and 1%.

Thus, based on the above scalar product, we know that:

$$10^{-8} = SO_1 \cdot SV_1 + SO_2 \cdot SV_2 = SO_1 \cdot 100\% + SO_2 \cdot 1\%$$

[Figure 14 is not reproduced. It shows a Safe state linked to Hazard 1 by SO1 and to Hazard 2 by SO2, and each hazard linked to Accident by its severity: SV1 = catastrophic, i.e. 100%; SV2 = hazardous, i.e. 1%.]

Figure 14: Example of relationship between TLS, severities and SO

The set of solutions for SO1 and SO2 is given by the blue segment in Figure 15, corresponding to the following equation: $SO_1 + 0.01 \cdot SO_2 = 10^{-8}$. Two specific solutions have been highlighted (in red) in Figure 15: one corresponds to the equiprobability of occurrence of the two hazards (i.e. $SO_1 = SO_2$), the second to the equiprobability of occurrence of an accident when these hazards occur (i.e. $SO_1 \cdot 100\% = SO_2 \cdot 1\% \Leftrightarrow SO_1 = SO_2 / 100$). It is to be noted that the extremities of the segment are excluded. Indeed, if $SO_1 = 10^{-8}$, then $SO_2 = 0$, which means H2 cannot occur: this is absurd for a hazard.

[Figure 15 is not reproduced. Its axes are SO1 (tick marks $5 \cdot 10^{-9}$ and $10^{-8}$) and SO2 (tick marks $10^{-8}$, $10^{-7}$, $5 \cdot 10^{-7}$ and $10^{-6}$); the two highlighted points are labelled “Equiprobability of hazard occurrence (SO1 = SO2)” and “Equiprobability of accident occurrence”.]

Figure 15: Set of safety objectives (example with 2 hazards)

[Figure 16 is not reproduced. Its axes are SO1, SO2 and SO3, each with a tick mark at $10^{-8}$.]

Figure 16: Set of safety objectives (example with 3 hazards)

(18) In the absence of a universally recognized method, the NATS mapping for SCU2 to SCU4 has been used, cf. §1.7.5 for more details.


To conclude on the example, if we now add a third (catastrophic) hazard, we introduce a third dimension to the set of solutions, as shown in Figure 16 opposite. The specification of safety objectives usually requires the arbitrary split of the global target level of safety between the different hazards. Unlike what has been performed in the EUROCONTROL A-SMGCS safety case [27] or in the MUAC FHA [25] we do not feel it is acceptable at this stage of the safety assessment to (evenly or unevenly) split the global target level of safety between the different hazards. Indeed, imposing arbitrarily the equiprobability of occurrence of hazards or the equiprobability of occurrence of an accident when these hazards occur may dramatically increase the design and/or development costs. In our view, this assignment should be performed at a more detailed preliminary system safety assessment (PSSA) level, because at this step, the cheapest solution that will satisfy the target level of safety (TLS) can be selected.

3.4.2 Numerical illustration

Even though the scalar product is the only correct result, it remains rather obscure. Below is a numerical illustration of the formula, using the hypothesis of equiprobability of occurrence of hazards. Based on the hypothesis that $\forall i, \forall j,\ SO_i = SO_j$, we can deduce, from the scalar product, a global equipment safety objective for each A-SMGCS scenario implementation level (cf. Table 3-4).

A-SMGCS scenario implementation level (SIL) | Global safety objective per movement allocated to equipment | Hazards ref. | Maximum hazard severity that can occur | Global equipment safety objective (per movement) | i.e. one equipment failure leading to a hazardous (for SIL II and V) or catastrophic (for SIL III & IV) hazard every X movements
I | Not applicable (no A-SMGCS equipment) | Not identified. | n/a | n/a | n/a
II | 1.5E-09 | HZ-01, HZ-05, HZ-10, HZ-25, HZ-26 | Hazardous | 1.50E-07 | 6 673 333
III | 3.5E-09 | HZ-02, HZ-06, HZ-11, HZ-14, HZ-17, HZ-20, HZ-25, HZ-26 | Catastrophic | 3.43E-09 | 291 717 143
IV | 4.5E-09 | HZ-03, HZ-07, HZ-12, HZ-15, HZ-18, HZ-21, HZ-25, HZ-26, HZ-27 | Catastrophic | 4.49E-09 | 222 895 556
V | 5.5E-09 | HZ-04, HZ-08, HZ-09, HZ-13, HZ-16, HZ-19, HZ-22, HZ-23, HZ-24, HZ-25, HZ-26, HZ-27 | Hazardous | 4.21E-07 | 2 372 727

Table 3-4: Safety objectives per scenario implementation level

In this numerical illustration, for an A-SMGCS scenario implementation level II, an equipment failure leading to a hazardous condition may occur every 6 673 333 movements, i.e. more or less every 12 years on large airports such as Amsterdam-Schiphol, London-Heathrow, Fraport or Paris-CDG (assuming an average of 560 000 movements per year). For an A-SMGCS SIL III, an equipment failure leading to a catastrophic hazard may occur every 291 717 143 movements, i.e. more or less every 520 years on the same airports.

3.4.3 Cross-check of numerical illustration The above numerical illustration is only one solution amongst an infinite number of valid solutions, but whatever the final choice (based on design and implementation choices), it should always be checked that it is compatible with our risk classification scheme (cf. Table 3-5).


Probability of occurrence | Quantitative definition (per movement) | Qualitative definition | Severity class
Frequent | $1$ to $10^{-1}$ | | No effect
Reasonably probable | $10^{-2}$ to $10^{-5}$ | May occur once or several times during the system’s operational life. | Minor
Remote | $10^{-6}$ | Unlikely to occur during total operational life of each system but may occur several times when considering several systems of the same type. | Major
Extremely remote | $10^{-7}$ to $10^{-8}$ | Unlikely to occur when considering several systems of the same type, but nevertheless, has to be considered as being possible. | Hazardous
Extremely improbable | $10^{-9}$ | Should virtually never occur. | Catastrophic

Table 3-5: Risk classification scheme

Table 3-5 requires that catastrophic events have a probability of occurrence of the order of $10^{-9}$ (i.e. should virtually never happen) and that hazardous events have a probability of occurrence of the order of $10^{-7}$ to $10^{-9}$ (i.e. should be unlikely to occur even when considering several systems of the same type, but nevertheless have to be considered as being possible). Results provided in Table 3-4 are of the right order of magnitude, and therefore increase the confidence we have in our analysis.
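As an added worked example (not code from the EMMA report or its authors), the following Python script carries the arithmetic of §3.2.2.1, §3.4.1, §3.4.2 and §3.4.3 through with the figures given above: the equipment share of the TLS from Table 3-1, the hazard severities from Table 3-3, the two-hazard scalar product of Figure 15, the equiprobable safety objectives of Table 3-4, and the order-of-magnitude check against Table 3-5. The accident probabilities for severities 1 and 2 (100% and 1%) are the ones stated in §3.4.1; the values used for severities 3, 4 and 5 are an assumption, reconstructed by back-calculating Table 3-4 because the NATS mapping of §1.7.5 is not reproduced on this page. With that assumption the script reproduces all four "every X movements" figures of Table 3-4.

```python
"""Worked example added to this page (not code from the EMMA report): the
safety-objective arithmetic of sections 3.2.2.1, 3.4.1, 3.4.2 and 3.4.3,
using the report's own figures from Tables 3-1, 3-3 and 3-4."""
import math

TLS = 1e-8  # A-SMGCS target level of safety, per movement (section 1.7.1)

# Table 3-1: share of the TLS allocated to hazards originating from equipment failures.
EQUIPMENT_SHARE = {"II": 0.15, "III": 0.35, "IV": 0.45, "V": 0.55}

# Table 3-3: (hazard, severity) per scenario implementation level (SIL).
HAZARDS = {
    "II": [("HZ-05", 2), ("HZ-01", 4), ("HZ-10", 5), ("HZ-25", 5), ("HZ-26", 5)],
    "III": [("HZ-06", 1), ("HZ-02", 2), ("HZ-17", 2), ("HZ-11", 3), ("HZ-20", 4),
            ("HZ-14", 5), ("HZ-25", 5), ("HZ-26", 5)],
    "IV": [("HZ-07", 1), ("HZ-03", 3), ("HZ-12", 3), ("HZ-18", 3), ("HZ-15", 4),
           ("HZ-21", 4), ("HZ-27", 4), ("HZ-25", 5), ("HZ-26", 5)],
    "V": [("HZ-08", 2), ("HZ-04", 3), ("HZ-19", 3), ("HZ-24", 3), ("HZ-13", 4),
          ("HZ-16", 4), ("HZ-22", 4), ("HZ-23", 4), ("HZ-27", 4), ("HZ-09", 5),
          ("HZ-25", 5), ("HZ-26", 5)],
}
SEVERITY_NAME = {1: "Catastrophic", 2: "Hazardous", 3: "Major", 4: "Minor", 5: "No effect"}

# Severity -> probability that a raised hazard leads to an accident (SV_i).
# 100 % for severity 1 and 1 % for severity 2 are stated in section 3.4.1.
# ASSUMPTION: the values for severities 3, 4 and 5 are reconstructed here by
# back-calculating Table 3-4; the report's actual mapping (NATS SCU2-SCU4,
# section 1.7.5) is not reproduced on this page.
ACCIDENT_PROBABILITY = {1: 1.0, 2: 1e-2, 3: 1e-3, 4: 1e-5, 5: 0.0}

# Section 3.4.3 / Table 3-5: largest decimal exponent compatible with the class
# ("of the order of 10^-9" for catastrophic, "10^-7 to 10^-9" for hazardous).
MAX_EXPONENT = {"Catastrophic": -9, "Hazardous": -7}


def equipment_tls(sil):
    """Share of the TLS allocated to equipment (Table 3-1, last column)."""
    return EQUIPMENT_SHARE[sil] * TLS


def global_severity(sil):
    """The vector (SV_1, ..., SV_N) of section 3.4.1 for one SIL."""
    return [ACCIDENT_PROBABILITY[sev] for _, sev in HAZARDS[sil]]


def tls_from_objectives(objectives, severities):
    """Scalar product of section 3.4.1: TLS = sum_i SO_i * SV_i."""
    return sum(so * sv for so, sv in zip(objectives, severities))


def two_hazard_solutions(tls=TLS, sv1=1.0, sv2=1e-2):
    """The two highlighted points of Figure 15 for SO1*SV1 + SO2*SV2 = tls."""
    equal_hazard = tls / (sv1 + sv2)   # SO1 = SO2
    so1 = tls / 2                      # SO1*SV1 = SO2*SV2: each route carries tls/2
    so2 = so1 * sv1 / sv2
    return {"equal_hazard": (equal_hazard, equal_hazard), "equal_accident": (so1, so2)}


def equiprobable_objective(sil):
    """Section 3.4.2: with SO_i = SO for all i, SO = TLS_equipment / sum_i SV_i.
    Returns (SO, movements between two equipment failures leading to a hazard)."""
    so = equipment_tls(sil) / sum(global_severity(sil))
    return so, round(1 / so)


def cross_check(sil):
    """Section 3.4.3: is the equiprobable SO of the right order of magnitude for
    the worst hazard severity of this SIL? Returns (worst class, SO, ok)."""
    worst = SEVERITY_NAME[min(sev for _, sev in HAZARDS[sil])]
    so, _ = equiprobable_objective(sil)
    ok = math.floor(math.log10(so)) <= MAX_EXPONENT[worst]
    return worst, so, ok


if __name__ == "__main__":
    print("SIL  worst         SO/movement  one every N movements  Table 3-5 check")
    for sil in ("II", "III", "IV", "V"):
        worst, so, ok = cross_check(sil)
        every = equiprobable_objective(sil)[1]
        print(f"{sil:<4} {worst:<13} {so:.2E}    {every:>14,}  {ok}")
```

Running the script prints a Table 3-4 style summary. When a non-uniform split of the TLS is chosen at PSSA level, `equiprobable_objective` is the function to replace, and `tls_from_objectives` then serves as the check that the chosen vector of safety objectives still satisfies the scalar product.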

3.4.4 Cross-check with EUROCONTROL A-SMGCS safety case

The mapping of the EUROCONTROL A-SMGCS safety case hazards to the EMMA hazards is not straightforward, so results are difficult to compare. Let us just point out that EMMA really highlights the issue of undetected failures (whatever the function, position or identification) with a very stringent safety objective on misuse. The logic behind this is the assumption that the controller(s) can revert to aerodrome ATC using a "safe" SMGCS if the A-SMGCS is detected as failed. Therefore the main risk of A-SMGCS is misusing corrupted A-SMGCS data, (more or less) whatever the origin and nature of the corrupted data. For more details on the comparison with the EUROCONTROL A-SMGCS safety case, please refer to appendix F.


4 Recommendations

4.1 Recommendations for the specification, design and development

During the functional hazard assessment and the very preliminary system safety assessment a number of features have been identified as being uncommon but critical to safety. They have been gathered together below. The recommendations should be analysed in detail with respect to the system / segment specification and system / segment design documents. If appropriate, they may become safety requirements.
• Choice of input device equipment should allow technical monitoring.
• Choice of input device equipment should allow online replacement.
• Choice of input device equipment should favour independent input devices (e.g. avoid mouse connected to keyboard).
• Upon HMI input failure detection, the HMI should automatically switch to a default configuration set-up, so as to avoid leaving the HMI in a configuration improper for control.
• In case of inconsistent data received by the surveillance data fusion (from the planning with respect to data received from the co-operative sensors) an alert (19) should be raised.
• In case of missing flight plan, manual labelling should be very easy (i.e. simply by typing the call sign) in order not to force the controller to quit automation support.
• When defining the procedure for A-SMGCS clearance delivery, read-back, whether electronic or via voice, should ensure that a clearance downlink corruption does not go undetected in the uplink connection.
• The contingency procedure to be defined for flight plan updates during planning input failure should prescribe minimal updates to keep the system consistent and ease synchronization.
• The loss of the planning function should automatically disable guidance.
• In case of aerodrome mapping database (AMDB) failure, the controller, pilots & drivers should be able to manually update the dynamic status of operational parts of the aerodrome on their display systems (display impact only for the CWP).
• When a specific co-operative sensor is known to provide corrupted data, the control authority should be able to selectively disconnect it.
• Fused sensor data is currently seen as the sole input to the traffic monitoring and alerting function. Reconfiguration to a single sensor input in case of sensor fusion failure may represent an interesting back-up solution.
• Fused sensor data is currently seen as the sole input to the TIS-B function. Re-configuration to a single sensor input in case of sensor fusion failure may represent an interesting back-up solution.
• Automated guidance should not depend only upon surveillance data. Guidance should depend on clearance inputs by the controller.
• The guidance function should send & apply positive command instructions (e.g. turn it on / off), independently from the guidance means’ current state (e.g. not set inverse of current state).
• The supervisor should be able to disconnect external flight plan data processing system (FDPS) inputs.
• Automation requires the introduction of new procedures for recovery from fault modes, as well as training and practice.
• Abuse of automation (i.e. managing more traffic than the controller will be able to cope with during a failure recovery) should be prevented, either through adequate training of the supervisor, or through automated equipment alerting when the traffic conditions imply that recovery in case of equipment failure might be difficult.

(19) This is not related to the "conformance monitoring" function, but deals with integrity monitoring.
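The positive-command recommendation above (send "on" / "off", never "invert the current state") is the kind of design choice whose value only shows under link faults. The following Python simulation is an added example, not code from the EMMA report or from any A-SMGCS product; the light segment model, the message names and the drop/duplicate link faults are constructed for the illustration. It drives one guidance means through the same intended sequence of states under both encodings and reports whether the state the controller believes in still matches the field state after one lost or one duplicated message.

```python
"""Worked example added to this page (not code from the EMMA report): the
section 4.1 recommendation that the guidance function send positive command
instructions (set on / set off) rather than relative ones (invert the current
state), shown on a constructed model of one guidance means."""


class LightSegment:
    """Constructed model of a guidance means, e.g. a taxiway centreline light
    segment; the name and the starting state are assumptions for the example."""

    def __init__(self, name, lit=False):
        self.name = name
        self.lit = lit
        self.log = []

    def apply_toggle(self):
        """Relative command: the new state is the inverse of the current one."""
        self.lit = not self.lit
        self.log.append(("TOGGLE", self.lit))

    def apply_set(self, lit):
        """Positive command: the new state is the commanded one, whatever the current one."""
        self.lit = lit
        self.log.append(("SET", lit))


def encode(intended, encoding):
    """Turn the sequence of states the controller wants into link messages.
    Both ends assume the segment starts unlit."""
    msgs, assumed = [], False
    for want in intended:
        if encoding == "set":
            msgs.append(("SET", want))
        elif want != assumed:        # a toggle is sent only when a change is wanted
            msgs.append(("TOGGLE", None))
        assumed = want
    return msgs


def deliver(msgs, drop=(), duplicate=()):
    """Constructed link fault model: messages whose index is in `drop` are lost,
    messages whose index is in `duplicate` are received twice (e.g. a retry)."""
    received = []
    for i, msg in enumerate(msgs):
        if i in drop:
            continue
        received.append(msg)
        if i in duplicate:
            received.append(msg)
    return received


def run_sequence(encoding, intended, drop=(), duplicate=()):
    """Replay the delivered messages on the field equipment and compare the
    state the controller believes in with the state actually reached.
    Returns (intended final state, actual final state)."""
    segment = LightSegment("TWY-A centreline segment 3 (constructed)")
    for kind, arg in deliver(encode(intended, encoding), drop, duplicate):
        if kind == "SET":
            segment.apply_set(arg)
        else:
            segment.apply_toggle()
    return intended[-1], segment.lit


def diverges(encoding, intended, drop=(), duplicate=()):
    """True when the controller's belief and the field state differ at the end."""
    want, got = run_sequence(encoding, intended, drop, duplicate)
    return want != got


if __name__ == "__main__":
    route = [True, False, True]   # light the segment, clear it, light it again
    for enc in ("toggle", "set"):
        print(enc, "one message lost:", run_sequence(enc, route, drop={1}),
              "one message duplicated:", run_sequence(enc, route, duplicate={1}))
```

With the toggle encoding a single lost or repeated message leaves the field equipment in the opposite state from the one the controller believes in, and nothing in the message stream reveals it; with the positive encoding the next command re-synchronises the two, so the fault is bounded to one command interval. The same reasoning applies to any guidance means whose state the controller cannot see directly.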

4.2 Recommendations to the ICAO manual on A-SMGCS

Analysis of the ICAO manual on advanced surface movement guidance and control systems [32] has led us to provide the following recommendations with respect to the contents of the manual.
• The terms system and equipment should be used with more discernment.
• In the ICAO implementation level table, the “X” in conflict prediction and/or detection means that a conflict is detected but not solvable in visibility 3. How can that be used? ICAO should clarify what is meant here.
• The conclusions of this functional hazard assessment (FHA) appear to be paradoxical in the sense that, as the A-SMGCS SIL (scenario implementation level) increases, the most worrying hazard severity classification decreases. Some consideration ought to be given to the introduction of on-board functions in lower levels to act as internal mitigation of catastrophic severity risks.

Some typos were also noted, in particular:
• In §4.5.1 (control requirements), the manual reads: “The probability of false alert (PFA) should be less than $10^{3}$.” This should be corrected to: “The probability of false alert (PFA) should be less than $10^{-3}$.”

4.3 Recommendations for the adaptation of the functional hazard assessment and very preliminary system safety assessment to a specific environment

The work presented in this document is generic. It is not directly applicable and should not be directly applied to any aerodrome. It provides a good insight into what a site-specific functional hazard assessment (FHA) may look like, and it provides an approximate value for the expected safety objectives. For a site-specific study, we recommend that the preliminary system safety assessment (PSSA) part be pushed a bit further than what has been performed in this document. In particular, we recommend that the following topics be addressed:

• Object of the evolution (compared to the pre-existing system, and compared to the current level of safety);
• System scope and interfaces (including environment description);
• Organisation (including authority jurisdictions, and system deployment steps);
• Commissioning (including related risks, commissioning procedures, training);
• Risk classification scheme (RCS), which should be approved or adapted;
• Safety objectives and safety requirements, including:
  • Applicable standards and documents;
  • Site-specific hazard identification, severity allocation, safety objective determination;
• Safety evaluation (e.g. based on a fault tree analysis, with the mean time to failure (MTTF) and mean time to repair (MTTR) provided by the A-SMGCS supplier), including the list of actions to undertake in order to ensure the target level of safety; such actions may be the design of new control procedures, a specific set of tests, or requirements for more system redundancy;
• Study of the transition phase, including system implementation steps and civil works, system configuration and on-site optimisation, and the list of actions to undertake until commissioning.
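The safety evaluation step listed above (a fault tree analysis fed with the supplier's MTTF and MTTR figures) can be prototyped in a few lines. The following Python snippet is an added example, not code from the report or from any EMMA deliverable: it builds a small fault tree for a constructed hazard, "loss of surveillance data at the CWP without detection", from basic events described by MTTF and MTTR, propagates probabilities through AND/OR gates, and compares the top-event probability with a numeric safety objective. It assumes independent basic events, repairable equipment whose steady-state unavailability is MTTR / (MTTF + MTTR), and that the hazard probability per movement equals the unavailability of the supporting function while the movement takes place; the component names, the MTTF/MTTR values and the 10^-7 per movement objective are all constructed for the illustration.

```python
"""Fault-tree evaluation for a site-specific PSSA (added example, constructed data).

Assumptions, not statements of the report: basic events are independent,
repairable items with exponential failure/repair times, so their steady-state
unavailability is q = MTTR / (MTTF + MTTR); the probability of the hazard per
movement is taken as the unavailability of the supporting function while the
movement takes place. All names and figures below are constructed.
"""
from dataclasses import dataclass
from typing import List, Union


@dataclass
class BasicEvent:
    """Leaf of the tree: one piece of equipment with supplier MTTF/MTTR (hours)."""
    name: str
    mttf_h: float
    mttr_h: float

    def probability(self) -> float:
        if self.mttf_h <= 0 or self.mttr_h < 0:
            raise ValueError(f"{self.name}: MTTF must be > 0 and MTTR >= 0")
        return self.mttr_h / (self.mttf_h + self.mttr_h)


@dataclass
class Gate:
    """AND gate: all inputs must fail; OR gate: any input failing is enough."""
    name: str
    kind: str                      # "AND" or "OR"
    inputs: List["Node"]

    def probability(self) -> float:
        ps = [node.probability() for node in self.inputs]
        if self.kind == "AND":
            result = 1.0
            for p in ps:
                result *= p
            return result
        if self.kind == "OR":
            none_fail = 1.0
            for p in ps:
                none_fail *= (1.0 - p)
            return 1.0 - none_fail
        raise ValueError(f"{self.name}: unknown gate kind {self.kind!r}")


Node = Union[BasicEvent, Gate]


def build_example_tree() -> Gate:
    """Constructed tree: loss of surveillance data at the CWP, without detection."""
    smr = BasicEvent("SMR channel", mttf_h=2000.0, mttr_h=4.0)
    mlat = BasicEvent("MLAT channel", mttf_h=3000.0, mttr_h=8.0)
    sdf = BasicEvent("Sensor data fusion server", mttf_h=5000.0, mttr_h=2.0)
    supervision = BasicEvent("Technical supervision (detects the loss)",
                             mttf_h=10000.0, mttr_h=1.0)
    both_sensors = Gate("Both sensor channels lost", "AND", [smr, mlat])
    loss = Gate("Loss of surveillance data (with detection)", "OR", [both_sensors, sdf])
    # "Without detection" additionally requires the supervision function to be
    # down: this is the with/without detection split the FHA analyses separately.
    return Gate("Loss of surveillance data without detection", "AND", [loss, supervision])


def evaluate(top: Node, safety_objective: float) -> dict:
    """Compare the top-event probability with a numeric safety objective."""
    p = top.probability()
    return {
        "event": top.name,
        "probability_per_movement": p,
        "safety_objective": safety_objective,
        "objective_met": p <= safety_objective,
        "margin_factor": safety_objective / p if p > 0 else float("inf"),
    }


if __name__ == "__main__":
    tree = build_example_tree()
    # Constructed objective: 1e-7 per movement, applied to both events only to
    # show how much the detection function changes the figure.
    for node in (tree.inputs[0], tree):
        r = evaluate(node, 1e-7)
        print(f"{r['event']}: p={r['probability_per_movement']:.2e}, "
              f"objective {'met' if r['objective_met'] else 'NOT met'}")
```

With the constructed figures the detected loss comes out near 4e-4 per movement and the undetected loss near 4e-8: the supervision function, not the sensor redundancy, is what carries the four orders of magnitude. In a real assessment the "with detection" case would normally receive its own, less severe classification and hence its own objective; the snippet applies one objective to both only to make the contribution of detection visible.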


5 Notes

5.1 Acronyms

The following abbreviations are used in this document. Their meanings are as shown below.

Acronym | Meaning
ACARS | Aircraft Communication(s) Addressing and Reporting System
ADEXP | ATS Data Exchange Presentation
ADS-B | Automatic Dependent Surveillance - Broadcast
AENA | ente público Aeropuertos Españoles y Navegación Aérea
AFTN | Aeronautical Fixed Telecommunication Network
AGDL | Air-Ground Data Link
AGFA | Air-Ground Functional Architecture
AHA | Aviation Hazard Analysis
AI | Airbus
AIDC | ATS Inter-facility Data Communications
AIS | Aeronautical Information System
ALS | Airfield Lighting System
AMAN | Arrival Manager
AMDB | Aerodrome Mapping Database
ANS | Air Navigation System
ANS_CR | Air Navigation Systems of the Czech Republic
AODB | Airport Operational Database
APATSI | Airport / Air Traffic Systems Interface
ASM | Air Space Management
A-SMGCS | Advanced-SMGCS
ASTERIX | All purpose STructured Eurocontrol Radar Information eXchange
ATAS | Airport & Terminal Automation System
ATC | Air Traffic Control
ATCO | Air Traffic Controller
ATFM | Air Traffic Flow Management
ATIS | Automatic Terminal Information Service
ATM | Air Traffic Management
ATS | Air Traffic Management Services
AUEB | Athens University of Economics and Business
AVISO | Aide à la VIsualisation au SOl
AVOL | Aerodrome Visibility Operational Level
BAES | BAE Systems Avionics Limited
C-ATM | Co-operative Air Traffic Management
CDG | Charles-de-Gaulle
CDTI | Cockpit Display of Traffic Information
CFMU | Central Flow Management Unit
CNS | Communication, Navigation And Surveillance
CPDLC | Controller Pilot Data Link Communication
CSA | Czech Airlines
CSCI | Computer Software Configuration Item
CSL | Česká správa letišť, s.p.; Czech Airports Authority
CWP | Controller Working Position
DAP | Download Aircraft Parameter(s)
DAV | Diehl Avionik
DFS | Deutsche Flugsicherung GmbH
DGPS | Differential GPS
DGS | Docking Guidance System
DLR | Deutsches Zentrum für Luft und Raumfahrt
DMAN | Departure Manager
DSNA | Direction des Services de la Navigation Aérienne
EATMP | European Air Traffic Management Programme
EEC | EUROCONTROL Experimental Centre
EFB | Electronic Flight Bag
EFS | Electronic Flight Strip
ENAV | Ente Nazionale Assistenza al Volo
ESARR | EUROCONTROL Safety Regulatory Requirement
ETG | EuroTelematik AG
EU | European Union
EUROCAE | European Organisation for Civil Aviation Equipment
EUROCONTROL | EUROpean organisation for the safety of air navigation
EVS | Enhanced Vision System
FDPS | Flight Plan Data Processing System
FHA | Functional Hazard Assessment
FHAR | FHA Report
FIS-B | Flight Information Service - Broadcast
FMEA | Fault Mode and Effect Analysis (previously Failure Modes and Effects Analysis)
GBAS | Ground Based Augmentation System
GNSS | Global Navigation Satellite System
GPS | Global Positioning System
GSC | General Safety Concept
HUD | Head Up Display
HZ | Hazard
ICAO | International Civil Aviation Organisation
IFATCA | International Federation of Air Traffic Controllers Association
IFSA | Institut Français de la Sécurité aérienne
INS | Inertial Navigation System
IRP | Integrated Risk Picture
IRS | Inertial Reference System
KOM | Kick Off Meeting
LHR | London-Heathrow
LVC | Low Visibility Condition
MASPS | Minimum Aviation System Performance Standards
MD | Messier Dowty Ltd.
MLAT | Multilateration
MTCD | Medium Term Conflict Alert
MUAC | Maastricht Upper Area Control Centre
NATS | National Air Traffic Services (UK)
NEAN | North European ADS-B Network
NESS | Noise Monitoring System
NLR | Nationaal Lucht - en Ruimtevaart Laboratorium
NMS | Noise Monitoring System
NOTAM | NOTice to AirMen
NTP | Network Time Protocol
NUP | NEAN Update Programme
OE | Operational Effect
OHA | Operational Hazard Assessment
OLDI | On-Line Data Interchange
ORD | Operational Requirements Document
OSED | Operational Service And Environment Description
OSI | Open System Interconnection
PAS | Park Air Systems AS
Pe | Probability of generating the effects (of a hazard)
PFA | Probability of False Alert
PLS | Product Line Strategy
POC | Point of Contact
Pr | Probability
PSR | Primary Surveillance Radar
PSSA | Preliminary SSA
RDPS | Radar Data Processing System
REC | Record
RVR | Runway Visual Range
RWY | Runway
S&G | Stand & Gate
SBAS | Space Based Augmentation System
SC | Severity Classification
SCA | Surface Conflict Alert
SCU | Severity Classification Undeveloped
SDF | Sensor Data Fusion
SICTA | Sistemi Innovativi per il Controllo del Traffico Aereo
SIL | Scenario Implementation Level (other name for ICAO A-SMGCS implementation level)
SMAN | Surface Manager
SMGCS | Surface Movement, Guidance And Control System
SMR | Surface Movement Radar
SO | Safety Objective
SP | Sub-Project
SPR | Safety And Performance Requirements
SRC | Safety Regulation Commission
SSA | System Safety Assessment
SSR | Secondary Surveillance Radar
SSS | System / Segment Specification
STAR | Star Alliance
STCA | Short Term Conflict Alert
STNA | Service Technique de la Navigation Aérienne
TATM | Thales Air Traffic Management
TCAS | Traffic Alert And Collision Avoidance System
THAV | Thales Avionics
TIS-B | Traffic Information Service - Broadcast
TMA | Terminal Manoeuvring Area
TREN | Transport & Energy
TRS | Task Requirements Sheet
TUD | Technische Universität Darmstadt
TWR | Tower
UAT | Universal Access Transceiver
UTA | Union de Transports Aériens
VCS | Voice Communication System
VDL | VHF Data Link
VHF | Very High Frequency
WG | Working Group
WP | Work-Package

5.2 Term definitions

ASMGCS-DEF-001 Abuse of Automation
Abuse refers to an inappropriate application of automation by designers and managers, or to inappropriate usage of automation by operators. [2] See also use, misuse, and disuse of automation.

ASMGCS-DEF-002 Accident
An accident is an occurrence associated with the operation of an aircraft, which takes place between the time any person boards the aircraft with the intention of flight until such time as all such persons have disembarked, in which:
• a person is fatally or seriously injured as a result of:
  • being in the aircraft, or
  • direct contact with any part of the aircraft, including parts which have become detached from the aircraft, or
  • direct exposure to jet blast,
  except when the injuries are from natural causes, self-inflicted or inflicted by other persons, or when the injuries are to stowaways hiding outside the areas normally available to the passengers and crew; or
• the aircraft sustains damage or structural failure which:
  • adversely affects the structural strength, performance or flight characteristics of the aircraft, and
  • would normally require major repair or replacement of the affected component,
  except for engine failure or damage, when the damage is limited to the engine, its cowlings or accessories; or for damage limited to propellers, wing tips, antennas, tires, brakes, fairings, small dents or puncture holes in the aircraft skin; or
• the aircraft is missing or is completely inaccessible.
Note 1. For statistical uniformity only, an injury resulting in death within thirty days of the date of the accident is classified as a fatal injury by ICAO.
Note 2. An aircraft is considered to be missing when the official search has been terminated and the wreckage has not been located.
This definition, together with the notes, is extracted from [19], and is consistent with ICAO Appendix 13.

ASMGCS-DEF-003 Aerodrome Layout
An aerodrome layout is said to be basic when it has one runway with one taxiway to one apron area. An aerodrome layout is said to be simple when it has one runway and more than one taxiway to one or more apron areas. An aerodrome layout is said to be complex when it has more than one runway and many taxiways to one or more apron areas.


ASMGCS-DEF-004 Aircraft Equipment
The aircraft equipment co-operating with the ground A-SMGCS equipment in performing its related functions includes:
1) communication equipment such as voice / radio telephony and data link; such equipment establishes point-to-point communication;
2) surveillance equipment implementing automatic dependent surveillance broadcast (ADS-B) such as:
  • mode S transponder through extended squitter,
  • universal access transceiver (UAT) - in development,
  • VDL mode 4 - in development;
3) airport navigation equipment such as a "moving map" that provides an accurate representation of the airport configuration to the pilots, including unambiguous identification of airport objects (gates, taxiways, etc.).

ASMGCS-DEF-005 Air Navigation System
An air navigation system is an aggregate of organisations, people, infrastructure, equipment, procedures, rules and information used to provide the airspace users with air navigation services in order to ensure the safety, regularity and efficiency of international air navigation. [2]

ASMGCS-DEF-006 Air Traffic Management Service
An air traffic management service is a service for the purpose of air traffic management. [19]

ASMGCS-DEF-007 Air Traffic Management System
An air traffic management system is a part of an air navigation system, composed of a ground-based air traffic management (ATM) component and an airborne ATM component.
Notes:
a. The ATM system includes the three constituent elements: human, procedures and equipment (hardware and software).
b. The ATM system assumes the existence of a supporting communication, navigation and surveillance system. [19]

ASMGCS-DEF-008 Air Traffic Management
The aggregation of ground-based (comprising variously ATS, ASM, ATFM) and airborne functions required to ensure the safe and efficient movement of aircraft during all appropriate phases of operations. [19]

ASMGCS-DEF-009 Alert
An alert is a report of an existing or pending situation during aerodrome operations (i.e. traffic alert situation, planning alert), or an indication of abnormal A-SMGCS operation, that requires attention and / or action.
Note. Priority levels of alerts are dependent upon the specific application. In this document, the term alert covers 3 levels, which are, from least to most important: information (messages), warnings and alarms.


ASMGCS-DEF-010 Assessment
An assessment is an evaluation based on engineering, operational judgement and/or analysis methods. [2]

ASMGCS-DEF-011 Assurance
All planned and systematic actions necessary to provide adequate confidence that a product or service satisfies given requirements. [ARP 4754] [2]

ASMGCS-DEF-012 Automation
Automation is the replacement of a human function, either manual or cognitive, with a machine function (usually a computer). [2] The SAM guidance material B on automation issues [2] defines ten levels of automation:
1. The computer offers no assistance: the human must take all decisions and actions.
2. The computer offers a complete set of decision/action alternatives.
3. The computer narrows the selection of decision/action alternatives down to a few.
4. The computer suggests one decision/action alternative.
5. The computer executes the suggested decision/action if the human approves it.
6. The computer allows the human a restricted time to veto before automatic execution of a decision/action.
7. The computer executes the decision/action automatically, and then necessarily informs the human.
8. The computer executes the decision/action automatically, and informs the human only if asked.
9. The computer executes the decision/action automatically, and informs the human only if it decides to.
10. The computer decides everything and acts autonomously, ignoring the human.
See also use, misuse, disuse and abuse of automation.

ASMGCS-DEF-013 Communication, Navigation and Surveillance System
A communication, navigation and surveillance (CNS) system is all the hardware and software that make up a function, tool or application that is used to provide one or more air traffic management services. The CNS system is an enabler to the provision of ATM services. [19]

ASMGCS-DEF-014 Credible Case
Credible implies that it is not unreasonable to expect to experience this combination of extreme conditions within the operational lifetime of the system, so that such a scenario leading to such an effect has to be considered. The word "credible" could lead to difficulties of interpretation, as what is meant is: a combination being "a believable scenario" or "being reasonably pessimistic". So it obviously includes a subjective part (which should be reduced as much as possible by provision of rationale, field experience data, etc.) and requires expert judgement. So other words such as "realistic" or "reasonable" could have been chosen instead of "credible". [2]


ASMGCS-DEF-015 Criticality
Criticality is synonymous with severity. Its use within this document should be avoided.

ASMGCS-DEF-016 Disuse of Automation
Disuse refers to under-utilisation of automation. [2] See also use, misuse and abuse of automation.

ASMGCS-DEF-017 External Event
An external event is an occurrence that has its origin distinct from the considered system. [2]

ASMGCS-DEF-018 Failure
A failure is the inability of an air navigation system to perform its intended function or to perform it correctly within specified limits. [2] The causes of a function failure are numerous and often irrelevant in a functional hazard assessment, but the ways in which a failure reveals itself (at the function's output) can be modelled, in order to analyse the effects on the air navigation system. The former are called fault modes, the latter hazards. Note that some fault modes may not have any effect for the operators, and so are not related to any hazard.
Note: CEI 60050-191 (2002) additionally specifies that a failure is an event, as distinguished from a fault, which is a state. A failure is the transition from a safe state to an abnormal state called "fault".

ASMGCS-DEF-019 Fault Mode (previously Failure Mode)
A failure of a particular function may manifest itself in a number of different ways. The fault mode is the manner in which the function failure reveals itself. In this document, referring to equipment failure only, the following models are used to designate fault modes:
• "Loss of…", when referring to the total loss of the function, as normally provided by the equipment;
• "Temporary interruption of…", when referring to a certain duration during which the function is not provided by the equipment, but below the duration above which it is declared lost;
• "Corruption of…" in all the other cases, including receipt of unexpected data, partial losses, and overflows; where and when applicable (i.e. mainly for periodic data flows), this fault mode is declared only when the time to alert (i.e. the time during which corruption is allowed) is exceeded.
Further, for all fault modes, the two cases "without detection" and "with detection" are analysed separately.

ASMGCS-DEF-020 Hazard
A hazard is any condition, event, or circumstance that could induce an accident [2][19]. A hazard is anything that might negatively influence safety. A hazard is an event/state that may lead to a dangerous situation, or hamper resolution of such a situation, possibly in combination with other hazards or under certain conditions. It is important to note that the notion of hazard is defined in relation to safety. This makes it a much more general notion than "something going wrong", which is rather related to reliability [2]. However, it is the feeling of the authors that this definition is improper, because it is much too vague. For more details on what is considered as a hazard in this document, please refer to appendix E.

ASMGCS-DEF-021 Incident
An occurrence, other than an accident, associated with the operation of an aircraft, which affects or could affect the safety of operation.

ASMGCS-DEF-022 Layout Complexity
Please refer to the Aerodrome Layout definition.

ASMGCS-DEF-023 Misuse of Automation
Misuse refers to over-reliance on automation and inadequate monitoring of automated systems. [2] Monitoring studies indicate that automation failures are difficult to detect if the operator's attention is engaged elsewhere. See also use, disuse and abuse of automation.

ASMGCS-DEF-024 Mitigation (or Risk Mitigation)
Risk mitigation is the steps taken to control or prevent a hazard from causing damage, and to reduce risk to a tolerable or acceptable level. [19]

ASMGCS-DEF-025 Probability of Occurrence (of a Hazard)
The probability of occurrence of a hazard is defined in both qualitative and quantitative terms in the table below. In certain applications numerical analysis may not be practical, e.g. the rate of failure of a human cannot be expressed numerically with confidence. Also, qualitative assessment may be sufficient for hazards whose severity is classified as minor or major.


Probability of occurrence | Qualitative definition
Frequent | (no qualitative definition given)
Reasonably probable | May occur once or several times during the system's operational life.
Remote | Unlikely to occur during the total operational life of each system, but may occur several times when considering several systems of the same type.
Extremely remote | Unlikely to occur when considering several systems of the same type, but nevertheless has to be considered as being possible.
Extremely improbable | Should virtually never occur.

Quantitative definition (per movement): in the source table the five classes are banded against a logarithmic scale of probabilities per movement running 1, 10^-1, 10^-2, ... down to 10^-9, from Frequent at the top of the scale to Extremely improbable at 10^-9; the exact band boundaries are not legible in this version of the table.

Table 5-1: Definition of the probability of occurrence

Note: Some risks are dependent on the number of hours that an aircraft is exposed to risk. For aerodrome operations it is usually more appropriate to use "per operation" (instead of "per flight hour"), as system functionality is not normally time-dependent.

ASMGCS-DEF-026 Procedure
Procedures are written procedures and instructions used by air traffic control (ATC) personnel in the pursuance of their duties directly in connection with the provision of the air traffic management services.
Note: ATC procedures include the control and handling of traffic including transfer of control, the application of separation criteria, resolution of conflicts, methodologies for maximising traffic flows and general communication between controllers and between pilots and controllers. Procedures also include how particular ATC tasks are executed using available equipment, and action in the event of equipment failure so as to mitigate their effects. [19]
Other procedures, e.g. maintenance procedures directly related to the objective of maintaining system integrity, availability or continuity, are not within the scope of this document.

ASMGCS-DEF-027 Recovery
Failure recovery, in an automation perspective, is the operator's ability, in case of automation failure:
• to manage unexpected failures of the automation,
• to continue the operation manually [2].

ASMGCS-DEF-028 Residual Risk
Residual risk is the risk which risk reduction by design (i.e. prevention or reduction of hazards by proper choice of some design characteristics, and limitation of users' exposure to hazards) and safeguarding (i.e. use of specific technical means in order to protect users against hazards) do not cover, or only partially cover.


ASMGCS-DEF-029 Risk
A risk is the combination of the probability or frequency of occurrence²⁰ of a defined hazard and the magnitude of the consequences (i.e. severity) of the occurrence [2]. A risk classification scheme is a means of classifying risk by combining pre-defined categories for consequence severity and probability of occurrence. The following risk classification scheme (or risk tolerability matrix) is defined for this document.

Severity class | Probability of occurrence
No effect | Frequent
Minor | Reasonably probable
Major | Remote
Hazardous | Extremely remote
Catastrophic | Extremely improbable

Table 5-2: Risk classification scheme
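As an added illustration of how the risk classification scheme is used in an assessment (not code from the report or from the EMMA project), the following Python snippet turns Table 5-2 into a tolerability check: it derives a numeric safety objective from a hazard's severity class, classifies an estimated probability of occurrence per movement into the qualitative classes of Table 5-1, and applies the one-order-of-magnitude gap between tolerable and acceptable risk described in this definition. It assumes that the pairing in Table 5-2 gives the maximum tolerable probability class for each severity class, and, since only the 10^-9 per movement value for "Extremely improbable" is explicitly legible in Table 5-1, it uses the customary 10^-3 / 10^-5 / 10^-7 band boundaries as labelled placeholders that a site-specific study would replace with its approved RCS.

```python
"""Tolerability check against the A-SMGCS risk classification scheme.

Added example, not code from the EMMA project. Numeric band boundaries other
than 1e-9 are ASSUMED placeholders: the site-specific RCS must be approved or
adapted before any real figure is judged against it.
"""

# Qualitative probability classes, most to least likely, with the upper bound
# of each band as a probability per movement (inclusive).
PROBABILITY_BANDS = [
    ("Frequent", 1.0),
    ("Reasonably probable", 1e-3),   # assumed boundary
    ("Remote", 1e-5),                # assumed boundary
    ("Extremely remote", 1e-7),      # assumed boundary
    ("Extremely improbable", 1e-9),  # the one value legible in Table 5-1
]

# Table 5-2: severity class -> probability class paired with it, read here as
# the maximum tolerable probability class for a hazard of that severity.
RISK_CLASSIFICATION_SCHEME = {
    "No effect": "Frequent",
    "Minor": "Reasonably probable",
    "Major": "Remote",
    "Hazardous": "Extremely remote",
    "Catastrophic": "Extremely improbable",
}

# "As good practice, an order of magnitude will separate the acceptable from
# the tolerable risk."
ACCEPTABLE_TO_TOLERABLE_RATIO = 10.0


def classify_probability(p_per_movement: float) -> str:
    """Map a probability per movement to the qualitative class of Table 5-1."""
    if not 0.0 <= p_per_movement <= 1.0:
        raise ValueError("probability per movement must lie in [0, 1]")
    # Walk from the least likely band upwards; the first band whose upper
    # bound is not exceeded is the hazard's class.
    for name, upper in reversed(PROBABILITY_BANDS):
        if p_per_movement <= upper:
            return name
    return PROBABILITY_BANDS[0][0]   # not reached: Frequent's bound is 1.0


def band_upper_bound(probability_class: str) -> float:
    """Numeric upper bound (per movement) of a qualitative probability class."""
    for name, upper in PROBABILITY_BANDS:
        if name == probability_class:
            return upper
    raise KeyError(probability_class)


def safety_objective(severity_class: str, acceptable: bool = False) -> float:
    """Maximum probability per movement for a hazard of the given severity.

    The tolerable objective (regulator's limit) is the upper bound of the
    probability class that Table 5-2 pairs with the severity; the acceptable
    objective (service provider's target) is one order of magnitude lower.
    """
    tolerable = band_upper_bound(RISK_CLASSIFICATION_SCHEME[severity_class])
    return tolerable / ACCEPTABLE_TO_TOLERABLE_RATIO if acceptable else tolerable


def assess_hazard(severity_class: str, p_per_movement: float) -> dict:
    """Classify one hazard and report whether its risk is tolerable / acceptable."""
    tolerable_limit = safety_objective(severity_class)
    acceptable_limit = safety_objective(severity_class, acceptable=True)
    return {
        "severity": severity_class,
        "probability_class": classify_probability(p_per_movement),
        "tolerable_limit": tolerable_limit,
        "acceptable_limit": acceptable_limit,
        "tolerable": p_per_movement <= tolerable_limit,
        "acceptable": p_per_movement <= acceptable_limit,
    }


if __name__ == "__main__":
    # Constructed figures: the same estimate judged under three severity classes.
    for severity, p in [("Hazardous", 4e-8), ("Catastrophic", 4e-8), ("Minor", 2e-3)]:
        v = assess_hazard(severity, p)
        print(f"{severity:13s} p={p:.1e} -> {v['probability_class']:21s} "
              f"tolerable={v['tolerable']} acceptable={v['acceptable']}")
```

The same estimate of 4e-8 per movement is tolerable for a hazardous-class hazard but not for a catastrophic one, which is the practical content of Table 5-2: severity allocation, not the probability figure alone, decides the verdict, and the acceptable target sits one band-tenth below the tolerable limit.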

Risk assessment is an assessment to establish that the achieved or perceived risk is acceptable or tolerable. An acceptable or tolerable risk is a willingness to live with a risk so as to secure certain benefits and in the confidence that it is being properly controlled. To accept or tolerate a risk means that it is not regarded as negligible or something that might be ignored, but rather as something that needs to be monitored and reduced if possible. Acceptable and tolerable can be seen as synonyms; however, in practice, the tolerable risk will be defined by the regulator, whilst the acceptable risk will be defined by the air navigation service provider (and will of course comply with the regulator's request). As good practice, an order of magnitude will separate the acceptable from the tolerable risk.

ASMGCS-DEF-030 Risk Mitigation
Cf. mitigation.

ASMGCS-DEF-031 Safety
Safety is freedom from unacceptable risk. [2] In other words, safety is the expectation that a system does not, under defined conditions, lead to an accident. We can distinguish between three safety contexts:
• occupational health & safety,
• personnel & environment safety,
• operational safety.
Occupational health & safety involves the identification and mitigation of hazards in the workplace that are, or may be, directly injurious to human health.
Personnel & environment safety is known as "product safety" in the industry. By requirement of criminal law, personnel & environmental safety is the expectation that throughout its lifecycle a system, or any constituent part, does not have unreasonable harmful effects on those who interact with it, e.g. user, maintainer, property, or the wider environment. This applies in manufacture, installation, operation, maintenance, modification and disposal.

²⁰ In our formula, exposure time is assumed to be incorporated in the probability or frequency of occurrence.


Operational safety is concerned with the overall effects of the system. The scope is wider than personnel & environmental safety in that the application of the system shall be safe. Thus operational safety encompasses all those who are affected by the use of the system, not just the users and maintainers.

ASMGCS-DEF-032 Safety Assurance
Safety assurance is all planned and systematic actions necessary to provide adequate confidence that a product, a service, an organisation or a system achieves acceptable or tolerable safety. [19]

ASMGCS-DEF-033 Safety Objective
A safety objective is a qualitative or quantitative statement that defines the maximum frequency or probability at which a hazard can be expected to occur. [19]

ASMGCS-DEF-034 Safety Requirement
A safety requirement is a risk mitigation means, defined from the risk mitigation strategy, which achieves a particular safety objective. Safety requirements may take various forms, including organisational, operational, procedural, functional, performance, and interoperability requirements or environment characteristics. [19]

ASMGCS-DEF-035 Severity
Severity is the level of effect/consequences of hazards on the safety of flight operations (i.e. combining the level of loss of separation and the degree of ability to recover from the hazardous situation). [19]
Note: Severity applies to hazard effects, not to hazards.

ASMGCS-DEF-036 Severity Class (or Category)
Severity class is a gradation, ranging from 1 (most severe) to 5 (least severe), as an expression of the magnitude of the effects of hazards on flight operations. [19]


Severity class | Qualitative definition | Effect on operations | Examples
5 | No impact | No immediate effect on safety | 
4 | Minor | Significant incidents | Nuisance. Operating limitations: emergency procedures.
3 | Major | Major incidents | A significant reduction in safety margins. A reduction in the ability of the flight crew to cope with adverse operating conditions as a result of an increase in workload or as a result of conditions impairing their efficiency. Injury to occupants.
2 | Hazardous | Serious incidents | A large reduction in safety margins. Physical distress or a workload such that the flight crew cannot be relied upon to perform their tasks accurately or completely. Serious injury or death of a relatively small proportion of the occupants.
1 | Catastrophic | Accidents | The loss of an aircraft. Multiple fatalities.

Table 5-3: Severity classification scheme

For this document, it is measured on the reference scale given in Table 5-2.

ASMGCS-DEF-037 System
A combination of physical components, procedures and human resources organised to perform a function. [19]

ASMGCS-DEF-038 Target Level of Safety
The target level of safety is the probability of an accident (fatal or hull loss) during aircraft movement on the aerodrome. [32]

ASMGCS-DEF-039 Traffic Density
Traffic density is said to be light when there are no more than 15 take-off or landing operations per runway, or typically less than 20 total aerodrome movements per hour. Traffic density is said to be medium when there are 16 to 25 take-off or landing operations per runway, or typically between 20 and 35 total aerodrome movements per hour. Traffic density is said to be heavy when there are 26 or more take-off or landing operations per runway, or typically more than 35 total aerodrome movements per hour.

ASMGCS-DEF-040 Use of Automation
Use refers to the voluntary activation or disengagement of automation by human operators. [2] See also misuse, disuse and abuse of automation.


ASMGCS-DEF-041 Verification
Verification is confirmation by examination and provision of objective evidence that the requirements have been fulfilled. [ISO 8402]

ASMGCS-DEF-042 Validation
Validation is confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled. [ISO 8402]

ASMGCS-DEF-043 Visibility Condition
Visibility condition 1 is defined as a visibility sufficient for a pilot to taxi and to avoid collision with other traffic on taxiways and at intersections by visual reference, and for the control authority to exercise control over all traffic on the basis of visual surveillance.
Visibility condition 2 is defined as a visibility sufficient for a pilot to taxi and to avoid collision with other traffic on taxiways and at intersections by visual reference, but insufficient for the control authority to exercise control over all traffic on the basis of visual surveillance.
Visibility condition 3 is defined as a visibility sufficient for a pilot to taxi, but insufficient for a pilot to avoid collision with other traffic on taxiways and at intersections by visual reference, and insufficient for the control authority to exercise control over all traffic on the basis of visual surveillance. For taxiing, this is normally taken as a visibility equivalent to an RVR of less than 400 m but more than 75 m.
Visibility condition 4 is defined as a visibility insufficient for the pilot to taxi by visual guidance only. This is normally taken as an RVR of 75 m or less.

ASMGCS-DEF-044 Worst Case
Worst means the most unfavourable conditions, e.g. extremely high levels of traffic or extreme weather disruption. [2]


(End of main document)


Appendices to the FUNCTIONAL HAZARD ASSESSMENT AND VERY PRELIMINARY SYSTEM SAFETY ASSESSMENT REPORT Ref. number: D1.3.9


Appendix A Functional decomposition Ref. number: D1.3.9


Objectives

According to the ICAO manual on A-SMGCS [32], “an A-SMGCS should support the following primary functions: a) surveillance; b) routing; c) guidance; and d) control.” It is noted that “communication is considered to be an integral part of each of the primary functions.” To keep this report simple and generic, the granularity of the functional decomposition has been limited to only one level beneath the level of primary functions. In addition, the controller working position has been highlighted as a stand-alone function, and the following three technical functions have been retained: time management, technical supervision and recording. The complete high-level view is given in Figure 3, page 25.

Justifications

Since the objective of this document is not to perform a functional analysis but a functional hazard assessment, the complete analysis process leading to the A-SMGCS functional decomposition is not described herein. Only the result is given in the following tables. It should however be explained that the decomposition is driven by technical considerations. Thus, if it is known that different functions (e.g. track maintenance, velocity assessment, track / flight plan association, etc.) are handled by the same piece of software or hardware, then these functions are known to work or fail as a coherent group, and are thus presented here as a single function. Breakdown has also been limited to keep it simple and comprehensive.

| Function ref. | Primary function name | Secondary function name | Brief description | Comment |
|---|---|---|---|---|
| S0 | Surveillance | | According to §2.5.1 of the ICAO manual on A-SMGCS [32]: “The surveillance function of an A-SMGCS should: • provide accurate position information on all movements within the movement area; • provide identification and labelling of authorized movements; • cope with moving and static aircraft and vehicles within the coverage area of the surveillance function; • be capable of updating data needed for the guidance and control requirements both in time and position along the route; and • be unaffected by operationally significant effects such as adverse weather and topographical conditions.” | Where possible the surveillance should extend to the aerodrome boundary. Within the areas specified above, surveillance shall be provided up to an altitude sufficient to cover missed approaches and low level operations. |
| S1 | Surveillance | Non co-operative sensors | Within the movement area, the non co-operative sensors sub-function shall: • provide accurate positional information of all movements; • cope with moving and static aircraft/vehicles. | Covers surface movement radar (SMR), normal and infrared cameras. |
| S2 | Surveillance | Co-operative sensors | Within the movement area, the co-operative sensors sub-function shall: • provide accurate positional information of co-operative movements; • provide identification on authorised co-operative movements; • cope with moving and static aircraft/vehicles. | Covers automatic dependent surveillance broadcast (ADS-B) and mode S multilateration. Includes vehicle & aircraft on-board equipment. |
| S3 | Surveillance | Fusion | Within the movement area, the fusion sub-function shall: • be capable of updating accurate surveillance data required for the alerting, guidance and control requirements both in time and distance; • be unaffected by operationally significant effects of weather and topographical features. | |
| S4 | Surveillance | Traffic movement characterisation | Within the movement area, the traffic movement characterisation sub-function shall “understand” what the mobiles are doing. | This sub-function provides events such as aircraft entering/exiting apron or runway, aircraft pushing back, aircraft landing, etc. |

Table 5-4: A-SMGCS functional decomposition – Surveillance function

Surveillance is decomposed in four sub-functions:
• non co-operative sensors,
• co-operative sensors,
• fusion,
• traffic movement characterisation.

All non co-operative sensors and all co-operative sensors are grouped, because the loss of only part of each type of sensor can be modelled as a loss on certain areas (e.g. on an airport with a main SMR, which covers the manoeuvring area, and a gap filler, which covers the apron area, the loss of the SMR gap filler can be modelled as the loss of the non co-operative sensors on the apron area). The co-operative sensors sub-function covers (in a single black box) a wide range of equipment, including on-board and ground components. Thus, failures in the data link transmissions between the on-board and ground components have to be modelled as a global failure of the co-operative sensors. The fusion function is assumed to fuse the information coming from all sensor types, and to perform a single flight plan to track association.

| Function ref. | Primary function name | Secondary function name | Brief description | Comment |
|---|---|---|---|---|
| R0 | Routing | | According to §2.5.2 of the ICAO manual on A-SMGCS [32]: “Either manually or automatically, the routing function should: • be able to designate a route for each mobile within the movement area; • allow for a change of destination at any time; • allow for a change of a route to the same destination; • be capable of meeting the needs of dense traffic patterns at complex aerodromes; and • not constrain the pilot's choice of a runway exit following the landing.” | According to §2.5.2.3 of the ICAO manual on A-SMGCS [32]: “In an automatic mode, the routing function should also: a) assign routes; and b) provide adequate information to enable manual intervention in the event of a failure or at the discretion of the control authority.” |

Table 5-5: A-SMGCS functional decomposition – Routing function


Routing is a simple function, which is not decomposed. Routing essentially performs itinerary search. The itinerary search is a purely computational sub-function. It can compute a route from any point to any other point on the aerodrome tarmac. It takes into account the mobile’s heading. It does not store the route.

| Function ref. | Primary function name | Secondary function name | Brief description | Comment |
|---|---|---|---|---|
| G0 | Guidance | | When visibility conditions are insufficient for the pilot to taxi by visual guidance only, and when the competent authorities permit operations in these visibility conditions, according to §2.5.3 of the ICAO manual on A-SMGCS [27]: “The guidance function of an A-SMGCS should: • provide guidance necessary for any authorized movement and be available for all possible route selections; • provide clear indications to pilots and vehicle drivers to allow them to follow their assigned route; • enable all pilots and vehicle drivers to maintain situational awareness of their position on the assigned route; • be capable of accepting a change of route at any time; • be capable of indicating routes and areas either restricted or not available for use; • allow monitoring of the operational status of all guidance aids; and • provide on-line monitoring with alerts where guidance aids are selectively switched in response to routing and control requirements.” | According to §2.6.14.3 of the ICAO manual on A-SMGCS [32]: “Automated guidance should not be used by the system if aircraft control, conflict detection and conflict alert resolution are not available.” |
| G1 | Guidance | Guidance control | Decodes instructions and/or clearances provided through the planning sub-function or directly via the controller working position to effectively guide the pilots and/or vehicle drivers, using any available guidance means. | |
| G2 | Guidance | Guidance aids monitoring | Monitors the serviceability of all guidance aids. Also provides feedback for the controls performed by the “Guidance control” sub-function. | |
| G3 | Guidance | Vehicle onboard guidance | Provides clear indication to drivers to allow them to follow their assigned route & enables all drivers to maintain situational awareness of their position on the assigned route. Can be capable of indicating, to the driver, routes and areas either restricted or not available for use. | |
| G4 | Guidance | Traffic information service – broadcast (TIS-B) | Provides a means to combine ground (e.g. radar) and on-board (e.g. ADS-B) surveillance data and a means of redistributing these data to controllers, pilots and drivers. | |

Table 5-6: A-SMGCS functional decomposition – Guidance function

Guidance is decomposed in four sub-functions:
• guidance control;
• guidance aids monitoring;
• vehicle on-board guidance;
• traffic information service – broadcast (TIS-B).


| Function ref. | Primary function name | Secondary function name | Brief description | Comment |
|---|---|---|---|---|
| C0 | Control | | Keeping pilots/vehicle drivers and controllers in the decision loop, the control function shall support the application of measures and allocate priorities: • to detect conflicts and incursions, and provide resolutions; • to ensure safe, expeditious and efficient aerodrome movement; • to prevent conflicts and incursions. | According to §2.6.9 of the ICAO manual on A-SMGCS [32]: “Equipment which shows control data should both be fail-safe and fail-soft.” |
| C1 | Control | Traffic monitoring & alerting | Keeping pilots/vehicle drivers and controllers in the decision loop, the traffic monitoring & alerting sub-function shall support the application of measures and allocate priorities: • to detect conflicts and incursions, and provide resolutions. | This function is similar to the short term conflict alert (STCA) of APP/ACC centres. It must not be used for control, but as a safety net only. |
| C2 | Control | Planning | Keeping pilots/vehicle drivers and controllers in the decision loop, the planning sub-function shall support the application of measures and allocate priorities: • to ensure safe, expeditious and efficient aerodrome movement. | |
| C3 | Control | Plan monitoring and alerting | Keeping pilots/vehicle drivers and controllers in the decision loop, the plan monitoring and alerting sub-function shall support the application of measures and allocate priorities: • to prevent conflicts and incursions. | This function is similar to the medium term conflict detection (MTCD) of APP/ACC centres. It supports control. |

Table 5-7: A-SMGCS functional decomposition – Control function

Control is decomposed in only three sub-functions:
• traffic monitoring & alerting,
• planning,
• plan monitoring and alerting.

The traffic monitoring & alerting sub-function uses only kinematic and topographic data to detect conflicts and incursions, and provide resolutions. It is totally independent from planning data. The planning sub-function is totally independent from surveillance data (i.e. planning has no surveillance inputs). The plan monitoring and alerting sub-function performs the link between the two former sub-functions.

| Function ref. | Primary function name | Secondary function name | Brief description | Comment |
|---|---|---|---|---|
| O0 | Other | Controller working position | The human-machine interface (HMI) between the controller and the system. | For scenario implementation levels II and III, the controller working position is supposed to be in the tower, where there is usually no space for redundancy (21). For higher levels, head-down controller working positions and redundancy are assumed. |
| O1 | Other | Time management | The time management function is in charge of the acquisition of the time provided by an external clock, and of its dispatching within the A-SMGCS. | Time accuracy and the tolerable drifts are key issues that are not addressed in the ICAO manual on A-SMGCS [32]. |
| O2 | Other | Technical supervision | This supervision is merely technical (i.e. operational alerts are managed through the control function). Technical supervision is generally twofold: • it supervises the system; • it sends controls / commands to the subsystems. | According to §2.7.4.3 and §2.7.4.4 of the ICAO manual on A-SMGCS [32]: “Monitoring of the performance of an A-SMGCS should be provided such that operationally significant failures are detected and appropriate remedial action is initiated to restore the service or provide a reduced level of service. Automatic positive indication of the status of the system or any operationally significant failure should be given to any aircraft, vehicle or control facility that might be affected.” |
| O3 | Other | Legal recording | According to §2.6.8 of the ICAO manual on A-SMGCS [32]: “Selected data on communications control activity and display information should be recorded for accident and incident investigation. There should be a function to provide direct replay of recorded data within the operational system, as part of the requirement for immediate checking of suspect equipment and initial incident investigation.” | |
| O4 | Other | Aerodrome mapping database | The aerodrome mapping database provides static and dynamic information on the topology, topography and toponymy (e.g. taxiway closure, runway configuration, etc.). | |
| O5 | Other | Strip printer (22) | | |

Table 5-8: A-SMGCS functional decomposition – Other services

Note: The “other” services are a set of sundries. Therefore, the taxonomy does not follow the same hierarchical classification as the other main A-SMGCS functions.

21 Lack of space is linked to the importance of the controller's outside view: each given controller role usually needs a specific outside view.

22 The strip printer could have been an external function, a part of the controller working position or a part of the control function. The choice to place it in the “Other” functions is arbitrary and disputable. However, this choice has no impact on the analysis, and the reader may re-locate the printer as he wishes.


Appendix B Data and control flows Ref. number: D1.3.9


Objectives

The objective of this appendix is to describe in a clear and non-ambiguous way the interface specifications between:
• any two functions of the A-SMGCS equipment itself (internal data or control flows),
• the A-SMGCS equipment and all the adjacent equipment (external data or control flows).

This specification is intended to be used as a baseline for the future system design and as a reference for integration and validation.

Identification of data flows

Since the objective of this document is not to perform a data & control flow analysis but a hazard assessment, the complete analysis process leading to the A-SMGCS data flow is not described herein. Only the result is given in Table 5-9. It should however be explained that the data & control flows identified herein are induced by the functional decomposition (proposed in Appendix A), which in itself was driven by technical considerations. Thus, if it is known that different data or control items (e.g. track position, track speed, track heading, etc.) are handled by the same piece of software or hardware, then these data or control items are known to flow as a coherent group, and are thus presented as a single data or control flow. This approach represents a major difference with the AGATE approach (cf. §1.7.2), which should greatly reduce the number of identified hazards.

Interface profile

The interface profile is based on the OSI (Open System Interconnection) seven layers model. Information is provided only when the layer specification is standardised (because design issues will be examined later in the preliminary system safety assessment). Descriptions of restrictions or deviations are documented in the comments column.

Equipment state & mode

Some flows are strictly related to specific equipment states & modes. The system shall have the following six operating states:
• system stop state,
• system initialisation state,
• system maintenance state,
• system operational state,
• system playback state,
• system failed state.

The system stop state is the state in which at least one equipment essential for operation is powered off. In the system stop state, the system can only be in the system stop mode. In the system stop state, the system does not deliver any data to the control authority. The system initialisation state is the state in which at least one equipment essential for operation performs its startup or test sequence. In the system initialisation state, the system can only be in the system initialisation mode. In the system initialisation state, the system does not deliver any data. The system maintenance state is the state in which at least one equipment essential for operation is in the maintenance state. In the system maintenance state, the system can only be in the system maintenance mode. In the system maintenance state, the system does not deliver any data to the control authority.


The system operational state is the state in which the minimal functions required to perform the essential missions are available for use by the control authority. In the system operational state, the system can be in one of the following two modes: system fully functional mode, system reduced functional mode. The system fully functional mode is the mode in which all functions and items of equipment are in use, and actively processing data. The system reduced functional mode represents a broad spectrum of situations between system fully functional mode and system failed state. In essence, the loss of any function or item of equipment, or a significant overload condition (causing increased response times), causes the configuration to degrade to reduced functional mode. The system playback state is the state in which recorded data is being used to replace the normal operational inputs. In the system playback state, the system can be in one of the following two modes: system fully functional mode, system reduced functional mode. The system failed state is the state in which the minimal set of functions necessary for the continuation of the air traffic control (ATC) services is not available. In the system failed state, the system can only be in the system failed mode. In the system failed state, the system does not deliver any data to the control authority. This functional hazard assessment is performed only for the system operational state. The “system mode” column specifies if the flow is mandatory to support the control authority in performing its essential missions. When this column specifies “Fully functional”, it means that the data flow can be omitted in the system reduced functional mode. When this column specifies “All”, it means that the loss of the data flow renders the system inadequate to perform its essential missions.

Redundancy

Information is provided only when the redundancy specification is standardised or intrinsic to the function itself. Design issues will be examined in the preliminary system safety assessment.

Acceptable outage

The acceptable outage value should be filled for all data flows for which some kind of redundancy is foreseen. It defines the maximum time within which a (data or control) flow problem should be detected and the flow restored, usually through a switchover. The acceptable outage value is the flow interruption duration above which a “temporary interruption of…” fault mode may be studied.

Figure 17: Acceptable outage (timeline: T0 (expected data delivery time); T0 + acceptable outage; technical switchover time; an interruption beyond the acceptable outage is a “temporary interruption of…”, beyond the technical switchover time a “loss of…”)

With the current technology, the technical switchover times for the communication parts (23) are approximately 2 seconds when on the same physical network, and up to 6 seconds for multi-cast connections (24) over a router (i.e. between different physical networks). When machines and/or processes have to switch over (i.e. switchover from master to slave server), additional durations of up to 30 seconds are possible, depending on the design and implementation of the hardware, the middleware and the applications concerned. For (data & control) flow outage durations above the aforementioned technical switchover times, the flows are either restored (in case of successful switchover) or modelled as a “loss of…” fault mode.

23 In this hypothesis, the servers and/or clients at each end of the communication line are unaware of the communication line switchover.

24 For ATC systems, broadcast connections are not considered.


When applicable, the provision of the acceptable outage (in Table 5-9) and the study of the corresponding “temporary interruption of…” fault modes (in appendices C and D) lead to safety recommendations related to the technology to be used for the detection of the flow loss and for the switchover management. For critical flows, the objective is to design and implement a switchover mechanism whose duration is as close as possible to the acceptable (operationally defined) outage. This must be studied carefully, as design and implementation costs may rise dramatically due to these requirements. Note: if the acceptable outage value is greater than the (worst foreseeable) technical switchover time, then it is not needed to study the “temporary interruption of…” fault mode.

Key to the reading of the figures

In Figure 18 to Figure 23 below, the main data & control flows have been represented between the functions identified in Appendix A. The latter are represented by a rectangle when they are an integral part of an A-SMGCS, and by an oval when they are external. Data & control flows are named by bracketing the names of the source and sink (destination) functions; the use of a sequence number after the compound flow name allows for the definition of multiple flows between the same function pair.
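The acceptable-outage reasoning of this appendix (Figure 17 and the switchover times quoted above) and the flow naming convention just described, as an added example that is not part of the report. It assumes Python, a function lookup built from the Appendix A tables, and a handful of Table 5-9 rows as constructed input (“6s or more” taken as 6 s); the function names are mine.

```python
"""Added example (not part of the EMMA D1.3.9 report): a small model of the
acceptable-outage reasoning of Appendix B and of the flow naming convention
used in Figures 18 to 23 and Table 5-9. The lookup table of function names is
built from Appendix A; the sample flows carry the outage values quoted in
Table 5-9; the switchover figures are the ones stated in the appendix."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Function references of Appendix A (constructed lookup; "Ex" denotes an
# external equipment and "Xx" any function, as in flow XxO2_01).
FUNCTIONS = {
    "S0": "Surveillance", "S1": "Non co-operative sensors",
    "S2": "Co-operative sensors", "S3": "Fusion",
    "S4": "Traffic movement characterisation", "R0": "Routing",
    "G0": "Guidance", "G1": "Guidance control", "G2": "Guidance aids monitoring",
    "G3": "Vehicle onboard guidance", "G4": "Traffic information service - broadcast",
    "C0": "Control", "C1": "Traffic monitoring & alerting", "C2": "Planning",
    "C3": "Plan monitoring and alerting", "O0": "Controller working position",
    "O1": "Time management", "O2": "Technical supervision", "O3": "Legal recording",
    "O4": "Aerodrome mapping database", "O5": "Strip printer",
    "Ex": "external equipment", "Xx": "any function",
}

# <source><sink>_<sequence>, e.g. S2G3_01: source S2, sink G3, flow number 1.
FLOW_REF = re.compile(r"^([A-Z][0-9x])([A-Z][0-9x])_(\d{2})$")


def parse_flow_ref(ref: str) -> tuple[str, str, int]:
    """Split a flow name into (source, sink, sequence number) and check that
    both ends are known functions."""
    m = FLOW_REF.match(ref)
    if m is None:
        raise ValueError(f"not a flow reference: {ref!r}")
    src, dst, seq = m.groups()
    for end in (src, dst):
        if end not in FUNCTIONS:
            raise ValueError(f"unknown function {end!r} in {ref!r}")
    return src, dst, int(seq)


# Technical switchover times quoted in Appendix B (seconds).
SWITCHOVER_SAME_NETWORK = 2.0      # communication part, same physical network
SWITCHOVER_ROUTED_MULTICAST = 6.0  # multi-cast connection across a router
SWITCHOVER_PROCESS = 30.0          # extra time when master/slave servers switch


def worst_switchover(routed: bool, process_switch: bool) -> float:
    """Worst foreseeable technical switchover time for a given design."""
    base = SWITCHOVER_ROUTED_MULTICAST if routed else SWITCHOVER_SAME_NETWORK
    return base + (SWITCHOVER_PROCESS if process_switch else 0.0)


@dataclass(frozen=True)
class Flow:
    ref: str
    mode: str                  # "system mode" column: "All" or "Fully functional"
    acceptable_outage: float   # operationally acceptable outage, seconds


# Constructed sample: a few rows of Table 5-9 ("6s or more" taken as 6 s).
SAMPLE_FLOWS = [
    Flow("C1O0_01", "Fully functional", 1.0),
    Flow("C2G1_01", "Fully functional", 2.0),
    Flow("C2C3_01", "Fully functional", 6.0),
    Flow("O0Ex_01", "All", 1.0),
    Flow("ExO0_01", "All", 0.5),
    Flow("O0G1_01", "Fully functional", 2.0),
]


def classify_outage(flow: Flow, duration: float, switchover: float) -> str:
    """Place an observed interruption on the Figure 17 timeline: within the
    acceptable outage it is tolerated; up to the technical switchover time it
    is a 'temporary interruption of...' fault mode; beyond that, a 'loss of...'."""
    if duration <= flow.acceptable_outage:
        return "tolerated"
    if duration <= switchover:
        return "temporary interruption"
    return "loss"


def flows_needing_interruption_study(flows, switchover: float) -> list[str]:
    """The 'temporary interruption of...' fault mode is studied only when the
    worst foreseeable switchover time exceeds the acceptable outage."""
    return [f.ref for f in flows if switchover > f.acceptable_outage]


def system_mode(flows, lost_refs) -> str:
    """Resulting mode once the given flows are lost: a lost 'All' flow leaves
    the system unable to perform its essential missions (failed state); a lost
    'Fully functional' flow only degrades it to reduced functional mode."""
    lost = [f for f in flows if f.ref in set(lost_refs)]
    if any(f.mode == "All" for f in lost):
        return "system failed state"
    if lost:
        return "system reduced functional mode"
    return "system fully functional mode"


if __name__ == "__main__":
    t = worst_switchover(routed=True, process_switch=True)  # 36 s
    print("worst switchover:", t, "s")
    print("to study:", flows_needing_interruption_study(SAMPLE_FLOWS, t))
    for ref in ("S2G3_01", "XxO2_01", "ExS3_02"):
        print(ref, "->", parse_flow_ref(ref))
    print(system_mode(SAMPLE_FLOWS, {"ExO0_01"}))
```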

Figure 18: Main “surveillance” data & control flows (diagram; the flows drawn are those listed in Table 5-9)


Figure 19: Main “control” data & control flows (diagram; the flows drawn are those listed in Table 5-9)

Figure 20: Main “routing” data & control flows (diagram; the flows drawn are those listed in Table 5-9)


Figure 21: Main “guidance” data & control flows (diagram; the flows drawn are those listed in Table 5-9)

It is important to note that the guidance function is not controlled by any direct input from the surveillance function: the controller is always in the control loop, either via the planning function (i.e. movement clearances) or directly via guidance commands entered on the controller working position (CWP). This excludes the "running rabbit" guidance function, which would require a specific safety assessment.


Figure 22: Main “controller working position” data & control flows (diagram; the flows drawn are those listed in Table 5-9)

Figure 23: Main “aerodrome mapping database” data & control flows (diagram: AIS feeds the aerodrome mapping database (O4) via ExO4_01, guidance aids monitoring (G2) via G2O4_01, and O4 serves any level 0 function, i.e. Surveillance, Control, Routing, Guidance, CWP, via O4X0_01)




Flow ref.

From

To

Data flow type (content description)

System mode (of operational system state)

Flow type (e.g. external or internal flow)

Presentation and application protocols (if standardised)

Redundancy

Periodicity

Operationally acceptable outage

Comments (usually related to assignment of operationally acceptable outage)

1

C1O0_01

Traffic monitoring & alerting

Controller working position

Fully functional

I

-

-

-

1s

No temporary delay fault mode acceptable.

2

C2C3_01

Planning

Plan monitoring and alerting

Alerts on conflicts and incursions, resolutions Flight plan data

Fully functional

I

-

-

6s or more

3

C2Ex_01

Planning

Flight plan data

Fully functional

X

-

-

6s or more

4

C2Ex_02

Planning

AODB, APP FDPS or AMAN/DMAN APP FDPS or AMAN/DMAN

ICAO ATS or ADEXP ICAO ATS or ADEXP

Co-ordination data

Fully functional

X

-

-

6s or more

5

C2G1_01

Planning

Guidance control

Instructions & clearances

Fully functional

I

ICAO AIDC or ADEXP OLDI -

-

-

2s

6

C2O0_01

Planning

Controller working position

Flight plan data

Fully functional

I

-

-

6s or more

7 8

C2O5_01 C2R0_01

Planning Planning

Strip printer Routing

Flight plan data Taxi route request

I I

-

-

6s or more 6s or more

9

C2S3_01

Planning

Flight plan data

I

ASTERIX-62

-

-

6s or more

10

C3C2_01

Plan monitoring and alerting

Surveillance fusion Planning

All Fully functional Fully functional All

ICAO ATS or ADEXP -

I

-

-

-

2s

11

ExC2_01

Planning

Flight plan data

Fully functional

X

ICAO ATS or ADEXP

-

-

6s or more

12

ExC2_02

AODB, APP FDPS or AMAN/DMAN APP FDPS or AMAN/DMAN

Planning

Co-ordination data

Fully functional

X

-

-

6s or more

13

ExG1_01

Aircraft on-board guidance

Guidance control

Clearance requests and read-back

Fully functional

X

ICAO AIDC or ADEXP OLDI ACARS, ARINC 623 or other

-

-

6s or more

Save Date: 2006-10-11 File name: D139_FHAvPSSA_V1.0.doc

Alerts on plan deviations & automated flight progress based on surveillance

Public

No temporary delay fault mode acceptable.

Below 2s, an immediate route correction is still possible. Above, a new route must be assigned and/or a nose-to-nose situation may occur.

96 of 241 Version 1.0

Functional Hazard Assessment and very Preliminary System Safety Assessment Report



Flow ref.

From

To

Data flow type (content description)

System mode (of operational system state)

Flow type (e.g. external or internal flow)

Presentation and application protocols (if standardised)

Redundancy

Periodicity

Operationally acceptable outage

14

ExG2_01

-

-

-

6s

All

X

-

-

-

2s

16

ExO0_01

All

X

-

Yes

-

0.5s

17

ExO4_01

AIS

Fully functional

X

-

-

-

6s or more

18

ExS2_01

GNSS

Aerodrome database management Surveillance cooperative sensors

Guidance aids status Guidance aids state & status Keyboard, mouse, touch screen or other similar inputs Aerodrome & meteorological data

X

ExG2_02

Guidance aids monitoring Guidance aids monitoring Controller working position

All

15

Non-controllable guidance aids Controllable guidance aids Controller

19

ExS3_01

External RDPS

20

ExS3_02

21

All

X

-

?

?

?

Surveillance fusion

Almanac and ephemeris data Differential corrections and integrity monitor signals External system tracks

Fully functional

X

-

4s

6s or more

External RDPS

Surveillance fusion

External RDPS live status

Fully functional

X

-

4s

18s

G1C2_01

Guidance control

Planning

-

-

6s or more

G1G3_01

Guidance control

Vehicle on-board guidance

Fully functional Fully functional

I

22

Clearance requests and read-back Instructions & clearances

I

ASTERIX-1 or ASTERIX-30 ASTERIX-2 or ASTERIX-255 ARINC 623 or other -

-

-

6s

23

G1Ex_01

Guidance control

Controllable ground guidance aids

Ground guidance aids commands

Fully functional

I

-

-

2s

24

G1Ex_02

Guidance control

Aircraft on-board guidance

Instructions & clearances

Fully functional

X

?

Guidance aids usually have their own control & monitoring system -

-

2s

25

G2O4_01

Guidance aids state & status Guidance aids state & status

I

-

-

-

6s

G2G1_01

Aerodrome mapping database Guidance control

All

26

Guidance aids monitoring Guidance aids monitoring

Fully functional

I

-

-

-

6s

Save Date: 2006-10-11 File name: D139_FHAvPSSA_V1.0.doc

Public

Comments (usually related to assignment of operationally acceptable outage)

No temporary delay fault mode acceptable.

The GNSS time information is used by aircraft equipment to provide Time Of Applicability (TOA) for ADS-B parameters.

In case of conflict or incursion, RTF will be used instead. No temporary delay fault mode acceptable.

No temporary delay fault mode acceptable.

97 of 241 Version 1.0

Functional Hazard Assessment and very Preliminary System Safety Assessment Report



Columns of Table 5-9: Flow ref.; From; To; Data flow type (content description); System mode (of operational system state); Flow type (e.g. external or internal flow); Presentation and application protocols (if standardised); Redundancy; Periodicity; Operationally acceptable outage; Comments (usually related to assignment of operationally acceptable outage).

Flow 27, G4Ex_01: from Traffic information service broadcast to Aircraft on-board guidance. Data: System tracks. System mode: Fully functional. Flow type: X. Protocol: ASTERIX-21. Redundancy: All ADS-B primary sources. Periodicity: 1s. Operationally acceptable outage: 6s. Comments: The TIS-B characteristics are not fully known at the moment. No control delegation to pilots based on TIS-B data.

Flow 28, G4G3_01: from Traffic information service broadcast to Vehicle on-board guidance. Data: System tracks. System mode: Fully functional. Flow type: I. Protocol: ASTERIX-21. Redundancy: All ADS-B primary sources. Periodicity: 1s. Operationally acceptable outage: 6s. Comments: The TIS-B characteristics are not fully known at the moment.

Flow 29, O0C2_01: from Controller working position to Planning. Data: Flight plan data. System mode: Fully functional. Flow type: I. Protocol: ICAO ATS or ADEXP. Redundancy: -. Periodicity: -. Operationally acceptable outage: 6s.

Flow 30, O0C2_02: from Controller working position to Planning. Data: Co-ordination data. System mode: Fully functional. Flow type: I. Protocol: OLDI AIDC. Redundancy: -. Periodicity: -. Operationally acceptable outage: 6s.

Flow 31, O0Ex_01: from Controller working position to Controller. Data: Any multimedia data on any output device for the attention of the controller. System mode: All. Flow type: X. Protocol: -. Redundancy: -. Periodicity: -. Operationally acceptable outage: 1s. Comments: No temporary delay fault mode acceptable.

Flow 32, O0G1_01: from Controller working position to Guidance control. Data: Guidance manual commands. System mode: Fully functional. Flow type: I. Protocol: -. Redundancy: -. Periodicity: -. Operationally acceptable outage: 2s. Comments: Below 2s, an immediate route correction is still possible. Above, a new route must be assigned and/or a nose-to-nose situation may occur.

Flow 33, O0S3_01: from Controller working position to Surveillance fusion. Data: Manual association / de-association. System mode: Fully functional. Flow type: I. Protocol: ASTERIX-62. Redundancy: -. Periodicity: -. Operationally acceptable outage: 6s.

Flow 34, O0R0_01: from Controller working position to Routing. Data: Taxi route constraints. System mode: Fully functional. Flow type: I. Protocol: -. Redundancy: -. Periodicity: -. Operationally acceptable outage: 6s.

Flow 35, O1Xx_01: from Time management to Any. Data: Time and resynchronisation data. System mode: All. Flow type: I. Protocol: NTP. Redundancy: Yes. Periodicity: -. Operationally acceptable outage: Several hours of GPS service interruption. Comments: In order not to overload the data & control flow figures above, the time data flows are never represented.

Flow 36, O2O0_01: from Technical supervision to Controller working position. Data: System status (ok, fault, etc.). System mode: All. Flow type: I. Protocol: SNMP. Redundancy: -. Periodicity: -. Operationally acceptable outage: No limit, but can be very uncomfortable for the controller. Half an hour to one hour could be acceptable.

Flow 37, O2Xx_01: from Technical supervision to Any. Data: Controls (switchover, shutdown, enter maintenance mode, etc.). System mode: All. Flow type: I. Protocol: SNMP. Redundancy: -. Periodicity: -. Operationally acceptable outage: None. Comments: A technical supervision outage is not critical for the A-SMGCS operation if the BITE (that ensures the continuity of the services) is independent of the technical supervision.

Flow 38, O4X0_01: from Aerodrome mapping database to Any level 0 function (i.e. Surveillance, Control, Routing, Guidance, CWP). Data: Topology, topography, toponymy. System mode: Fully functional. Flow type: I. Protocol: -. Redundancy: -. Operationally acceptable outage: ?. Comments: Outage is concerned only by dynamic data. Guidance aids usually have their own dynamic status management.

Flow 39, R0C2_01: from Routing to Planning. Data: Taxi route proposal (i.e. before assignment to mobile). System mode: Fully functional. Flow type: I. Protocol: -. Redundancy: -. Periodicity: -. Operationally acceptable outage: 6s.

Flow 40, R0O0_01: from Routing to Controller working position. Data: Taxi route. System mode: Fully functional. Flow type: I. Protocol: -. Redundancy: -. Periodicity: -. Operationally acceptable outage: 6s.

Flow 41, S1O0_01: from Non co-operative sensors to Controller working position. Data: Raw or pseudoanalogue video. System mode: All. Flow type: I. Protocol: -. Redundancy: -. Periodicity: 1s. Operationally acceptable outage: 6s. Comments: Outage configurable per area type? Co-operative sensors are still available.

Flow 42, S1O2_01: from Non co-operative sensors to Technical supervision. Data: Non co-operative sensors live status. System mode: All. Flow type: I. Protocol: ASTERIX-10. Redundancy: -. Periodicity: 1s. Operationally acceptable outage: 6s. Comments: The sensor live status flow is modelled towards the technical supervision only, but it is really present each time the sensor track data flow exists.

Flow 43, S1S3_01: from Non co-operative sensors to Surveillance fusion. Data: Sensor tracks. System mode: Fully functional. Flow type: I. Protocol: ASTERIX-10. Redundancy: -. Periodicity: -. Operationally acceptable outage: 6s. Comments: Co-operative sensors are still available.

Flow 44, S2Ex_01: from Surveillance co-operative sensors to Aircraft on-board guidance. Data: Sensor tracks. System mode: Fully functional. Flow type: I. Protocol: -. Redundancy: -. Periodicity: -. Operationally acceptable outage: 6s. Comments: Non co-operative sensors are still available.

Flow 45, S2G3_01: from Surveillance co-operative sensors to Vehicle on-board guidance. Data: Sensor tracks. System mode: Fully functional. Flow type: I. Protocol: -. Redundancy: -. Periodicity: -. Operationally acceptable outage: 6s.




Flow 46, S2O2_01: from Surveillance co-operative sensors to Technical supervision. Data: Co-operative sensors live status. System mode: All. Flow type: I. Protocol: ASTERIX-10. Redundancy: -. Periodicity: 1s. Operationally acceptable outage: 2s. Comments: The sensor live status flow is modelled towards the technical supervision only, but it is really present each time the sensor track data flow exists.

Flow 47, S2S3_01: from Surveillance co-operative sensors to Surveillance fusion. Data: Sensor tracks (note: the ADS-B parameters are provided with an integrity and accuracy information). System mode: Fully functional. Flow type: I. Protocols: ASTERIX-10, ASTERIX-21. Redundancy: -. Periodicity: -. Operationally acceptable outage: 6s. Comments: Non co-operative sensors are still available.

Flow 48, S3C1_01: from Surveillance fusion to Traffic monitoring & alerting. Data: System tracks. System mode: Fully functional. Flow type: I. Protocol: ASTERIX-62. Redundancy: -. Periodicity: 1s. Operationally acceptable outage: 1s. Comments: No temporary delay fault mode acceptable.

Flow 49, S3Ex_01: from Surveillance fusion to External RDPS. Data: System tracks. System mode: Fully functional. Flow type: X. Protocol: ASTERIX-62. Redundancy: -. Periodicity: 1s. Operationally acceptable outage: 6s.

Flow 50, S3Ex_02: from Surveillance fusion to External RDPS. Data: Surveillance subsystem live status. System mode: Fully functional. Flow type: X. Protocol: ASTERIX-63. Redundancy: -. Periodicity: 1s. Operationally acceptable outage: 6s.

Flow 51, S3O0_01: from Surveillance fusion to Controller working position. Data: System tracks. System mode: Fully functional. Flow type: I. Protocol: ASTERIX-62. Redundancy: -. Periodicity: 1s. Operationally acceptable outage: 2s. Comments: Outage configurable per area type? All tracks are delayed: this can lead to more critical situations than when only a single sensor is unavailable.

Flow 52, S3O2_01: from Surveillance fusion to Technical supervision. Data: Surveillance subsystem live status. System mode: All. Flow type: I. Protocol: ASTERIX-63. Redundancy: -. Periodicity: 1s. Operationally acceptable outage: 2s. Comments: The sensor live status flow is modelled towards the technical supervision only, but it is really present each time the system track data flow exists.

Flow 53, S3S4_01: from Surveillance fusion to Surveillance traffic movement characterisation. Data: System tracks. System mode: Fully functional. Flow type: I. Protocol: ASTERIX-62. Redundancy: -. Periodicity: 1s. Operationally acceptable outage: 6s.




Flow 54, S3G4_01: from Surveillance fusion to Traffic information service broadcast. Data: System tracks. System mode: Fully functional. Flow type: I. Protocol: ASTERIX-62. Redundancy: -. Periodicity: 1s. Operationally acceptable outage: 6s. Comments: The TIS-B characteristics are not fully known at the moment. No control delegation to pilots based on TIS-B data.

Flow 55, S4C3_01: from Surveillance traffic movement characterisation to Plan monitoring and alerting. Data: Traffic characterisation events. System mode: Fully functional. Flow type: I. Protocol: -. Redundancy: -. Periodicity: -. Operationally acceptable outage: 6s.

Flow 56, XxO2_01: from Any to Technical supervision. Data: Sub-system status (ok, fault, etc.). System mode: All. Flow type: I. Protocol: SNMP. Redundancy: -. Periodicity: -. Operationally acceptable outage: ?. Comments: Cf. O2O0_01.

Flow 57, XxO3_01: from Any to Recording. Data: Sub-system status (ok, fault, etc.). System mode: Fully functional. Flow type: I. Protocol: SNMP. Redundancy: -. Periodicity: -. Operationally acceptable outage: ?. Comments: In order not to overload the data & control flow figures above, the recording flows are never represented.

Flow 58, XxO3_02: from Any to Recording. Data: Sub-system specific data. System mode: Fully functional. Flow type: I. Protocol: n/a. Redundancy: n/a. Periodicity: n/a. Operationally acceptable outage: 2s. Comments: In order not to overload the data & control flow figures above, the recording flows are never represented.

Table 5-9: A-SMGCS data and control flows


Appendix C External fault modes and effects analysis Ref. number: D1.3.9


Objectives

Robustness analysis enables the assessment of the impact of external interface problems on the A-SMGCS equipment. This analysis does not take into account the mitigations external to the A-SMGCS equipment that could provide additional safety on site. However, these external mitigations will be part of the identification of hazards (cf. appendix E). Robustness deals with external input data. External output data is addressed in the internal fault modes part (because they are generated by the equipment).

Structure of the analysis tables

The robustness analysis is presented in a table that is composed of the following data:
• column 1, “external flow references”: this column indicates references to identify external data or control flows, as labelled in appendix B;
• columns 2 and 3, “fault modes”: these columns provide a description of the fault modes; when both “no” and “yes” are mentioned in column 3, it means that this criterion is irrelevant (see below);
• column 4, “equipment failure effects”: this column presents a synthesis of the direct effects of the equipment fault mode for the end-users, on their working position;
• column 5, “existing equipment mitigation features”: this column describes the various safety barriers that already exist at equipment specification level [32], and that provide either prevention, or surveillance/warning of the fault mode, or mitigation of its consequences;
• column 6, “existing equipment escalation features”: even though this functional hazard assessment assumes a single point of failure, this column highlights things that are likely to go wrong simultaneously (due to the design architecture, e.g. when many flows are supported by the same physical interface), or fault modes that are likely to be induced by the considered fault mode (due to functional dependencies);
• column 7, “operational effects references”: to avoid repeating the operational effects description many times, this column provides unique identifiers of operational effects; the list of operational effects sorted by reference number can be found in appendix E;
• column 8, “operational effects”: this column presents a synthesis of the effects of the equipment fault mode on the air traffic control operations; these operational effects may have some consequences in terms of safety, and therefore need further assessment (cf. appendix E); note that to avoid repetitions of text related to an OE, the full text is given (normally) at the 1st occurrence of an OE, and the ref. is provided in the dedicated (previous) column; for later occurrences, only the reference is provided in the “Operational effects of equipment fault mode” column;
• column 9, “comments / recommendations”: self-explanatory.

To detect or not to detect

Except when unrealistic, both the detection and the non-detection cases of a fault mode are detailed in the tables below. Depending on the result of the analysis, recommendations will be made so that the fault mode is, or is not, detected by the system.

Internal equipment mitigation features: hot switchover

Hot switchover is commonly mentioned in the equipment mitigation features, without any details. Indeed, when a flow is lost, it can be due to the source of the flow (i.e. the server), its destination (i.e. the client) or the link (i.e. the network). Depending on the exact cause of a fault mode, the appropriate switchover is assumed.
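As an added example (not code from the EMMA project), the following Python watchdog shows how the detection case described above can be implemented for a few of the flows of Table 5-9: a flow is declared lost when it stays silent beyond its operationally acceptable outage, or immediately when its source's live-status flow (ExS3_02 for ExS3_01) reports a fault. The flow references and timing values are taken from the table; the alert text mapping and the message log are constructed assumptions.

```python
"""Flow-loss watchdog over a subset of the A-SMGCS data flows of Table 5-9.

This is an added example and not code from the EMMA project. Each monitored
flow is classified as OK, DELAYED (silent for longer than its periodicity) or
LOST (silent for longer than its operationally acceptable outage, or flagged
by the source's live-status flow). That is the "loss of..." detection case
that appendix C asks the equipment to surface as a CWP alert, including the
immediate detection through the ExS3_02 live-status flow recommended for
ExS3_01. Periodicity and outage values come from Table 5-9; the alert
mapping and the message log below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

OK, DELAYED, LOST = "OK", "DELAYED", "LOST"


@dataclass(frozen=True)
class FlowSpec:
    ref: str                     # flow reference, as in Table 5-9
    periodicity_s: float         # expected message period
    acceptable_outage_s: float   # operationally acceptable outage
    live_status_ref: Optional[str] = None  # flow carrying the source's live status


# Subset of Table 5-9: periodicity / operationally acceptable outage
FLOWS: Dict[str, FlowSpec] = {
    "ExS3_01": FlowSpec("ExS3_01", 4.0, 6.0, live_status_ref="ExS3_02"),  # external RDPS tracks
    "ExS3_02": FlowSpec("ExS3_02", 4.0, 18.0),  # external RDPS live status
    "S3O0_01": FlowSpec("S3O0_01", 1.0, 2.0, live_status_ref="S3O2_01"),  # system tracks to CWP
    "S3O2_01": FlowSpec("S3O2_01", 1.0, 2.0),   # surveillance subsystem live status
}

# CWP alert text as worded in the fault mode tables (hypothetical mapping)
ALERTS = {"ExS3_01": "Loss of external surveillance input"}


@dataclass(frozen=True)
class Message:
    t: float            # reception time in seconds
    flow: str           # flow reference
    status: str = "ok"  # meaningful for live-status flows: "ok" or "fault"


def classify_flows(messages: Iterable[Message], now: float,
                   flows: Dict[str, FlowSpec] = FLOWS) -> Dict[str, str]:
    """Return {flow_ref: OK | DELAYED | LOST} for every flow in `flows` at `now`."""
    last_seen: Dict[str, float] = {}
    live_status: Dict[str, str] = {}
    for m in sorted(messages, key=lambda m: m.t):
        if m.t > now:
            continue                    # not received yet
        last_seen[m.flow] = m.t
        live_status[m.flow] = m.status  # latest reported status wins
    states: Dict[str, str] = {}
    for ref, spec in flows.items():
        silence = now - last_seen.get(ref, float("-inf"))  # never seen -> infinite silence
        if spec.live_status_ref and live_status.get(spec.live_status_ref) == "fault":
            states[ref] = LOST          # immediate detection through the live-status flow
        elif silence > spec.acceptable_outage_s:
            states[ref] = LOST          # silence exceeds the operationally acceptable outage
        elif silence > spec.periodicity_s:
            states[ref] = DELAYED       # temporary delay: a message is overdue
        else:
            states[ref] = OK
    return states


def cwp_alerts(states: Dict[str, str]) -> List[str]:
    """Alerts to display on the CWP for flows declared lost."""
    return [ALERTS[ref] for ref, s in states.items() if s == LOST and ref in ALERTS]


def demo_scenario() -> List[Message]:
    """Constructed log: the external RDPS stops sending tracks after t=20 s and
    its live-status flow reports a fault at t=24 s; internal flows keep running."""
    log: List[Message] = []
    for t in (4, 8, 12, 16, 20):
        log.append(Message(float(t), "ExS3_01"))
        log.append(Message(float(t), "ExS3_02"))
    log.append(Message(24.0, "ExS3_02", status="fault"))
    log += [Message(float(t), "S3O0_01") for t in range(1, 24)]  # last at t=23
    log += [Message(float(t), "S3O2_01") for t in range(1, 26)]  # last at t=25
    return log


if __name__ == "__main__":
    states = classify_flows(demo_scenario(), now=25.0)
    for ref, state in states.items():
        print(f"{ref}: {state}")
    print("CWP alerts:", cwp_alerts(states))
```

At t=25 s the ExS3_01 silence (5 s) is still within its 6 s outage, so without the live-status fault report the flow would only be DELAYED; the ExS3_02 fault turns it into an immediate LOST.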


Internal equipment escalation features

Internal equipment escalation features have been classified in three groups:
• induced effects: these are fault modes which are functionally induced by the considered fault mode, whatever the selected architecture and implementation (e.g. failure of surveillance induces the failure of traffic monitoring and alerting);
• simultaneous effects: these are fault modes which are likely to occur simultaneously to the considered fault mode if no specific care is taken during the design and implementation phases to prevent them;
• other effects.

Operational effects

Many operational effects are highly dependent on the procedures that will be used. However, the description of operational effects has been slightly formalised in order to maximise their reuse for different fault modes (cf. Figure 24). When the fault mode is not detected, the operational effects are an increased risk due to false confidence in (or over-reliance on) the equipment [25].

Figure 24: Classification of operational effects (operational effects of a fault mode: fault mode not detected → (a) increased risk due to false confidence; fault mode detected → (b) manually substitute for the system, or (c) knowingly suffer from the failure)

When the fault mode is detected, the operational effects can be a workload increase only, if the controller wants (and can) manually substitute for the system, thus preventing any escalation. Alternatively, the complete substitution may be technically impossible, or the controller may decide to live with (all or part of) the failure, thus knowingly suffering from all the equipment failure effects, and having to separate the wheat from the chaff. The study of the operational effects of each of the possible choices should influence the equipment design and implementation, but also the procedures, so that the controller is not faced with the choice between the alternatives (b) and (c) when the failure occurs.

Note: in the tables below, the greyed-out lines have no particular significance. They just help to identify packs of fault modes related to the same data or control flow.

[25] The hypothesis that the controller may subconsciously substitute himself for the system, limiting the risk but seamlessly increasing his workload, has not been retained.


Columns of the external fault modes and effects analysis tables: N°; External flow ref.; Fault modes; Fault mode detection (footnote 26: by the equipment itself); Equipment failure effects (at equipment level but visible by end-users); Internal equipment mitigation features; Internal equipment escalation features; Operational effects ref.; Operational effects of equipment fault mode; Recommendations & comments with respect to ICAO A-SMGCS manual.

Fault mode 1: ExC2_01, loss of…, not detected.
• Equipment failure effects: Planning data is not provided anymore from external systems (e.g. APP FDPS, AMAN, DMAN, etc.) or external end-users. Stand & gate allocations are not provided any more by the AODB.
• Internal equipment mitigation features: Flight plan data continue to arrive through the surveillance data flow (ExS3_01 and S2S3_01).
• Internal equipment escalation features: The failure induces the corruption of C2O0_01, C2C3_01, C2G1_01, C2R0_01, C2S3_01, C2Ex_01 and C2Ex_02.
• Operational effects (OE-04): Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected: controller situational awareness is severely compromised due to loss of, or corruption of, flight plan data.

Fault mode 2: ExC2_01, loss of…, detected.
• Equipment failure effects: As above, plus display on the CWP of a “Loss of external flight plan input” alert.
• Internal equipment mitigation features: As above, plus: controllers can locally create, modify, and delete flight plans (data will be synchronised with the external systems when the service is restored); flight plan data exchange between TWR controllers is unaffected; hot switchover.
• Internal equipment escalation features: None.
• Operational effects (OE-10): Until service is restored: controller workload increase: the controller has to manually manage the flight plans for the operations (i.e. creations, deletions, updates) that are normally handled by external flight plan data processing systems (FDPS).

Fault mode 3: ExC2_01, corruption of…, not detected.
• Equipment failure effects: Possible corruptions are: at least one (but not all) flight plan sent by an external FDPS was never received; at least one flight plan sent by an external FDPS has missing or erroneous data; at least one flight plan sent by an external FDPS is sent at an inappropriate time (e.g. too early); a large amount of flight plans are received, which creates a system overload.
• Internal equipment mitigation features: Flight plan data continue to arrive through the surveillance data flow (ExS3_01 and S2S3_01).
• Internal equipment escalation features: The failure induces the corruption of C2O0_01, C2C3_01, C2G1_01, C2R0_01, C2S3_01, C2Ex_01 and C2Ex_02.
• Operational effects: Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected: OE-04.
• Recommendations & comments: Concerning a system overload, it is not to be excluded that it could be a voluntary “attack” (cf. §1.3.6).


Fault mode 4: ExC2_01, corruption of…, detected.
• Equipment failure effects: As above, plus display on the CWP of a “Corruption of external flight plan input” alert.
• Internal equipment mitigation features: As above, plus: controllers can locally create, modify, and delete flight plans (data will be synchronised with the external systems when the service is restored); flight plan data exchange between TWR controllers is unaffected; the supervisor can disconnect external FDPS inputs; hot switchover.
• Internal equipment escalation features: None.
• Operational effects (OE-18): Until service is restored: OE-10, or control procedures revert to paper strips (because electronic strips are considered unreliable).

Fault mode 5: ExC2_02, loss of…, not detected.
• Equipment failure effects: All automated co-ordination from the adjacent APP to the TWR is stopped.
• Internal equipment mitigation features: Surveillance data (ExS3_01 and S3Ex_01) continue to support co-ordination.
• Internal equipment escalation features: Failure is likely to be simultaneous with loss of C2Ex_02.
• Operational effects: Until service is restored or failure is detected: OE-06.
• Recommendations & comments: The TWR and APP controllers are likely to detect the failure at the 1st co-ordination mishap.

Fault mode 6: ExC2_02, loss of…, detected.
• Equipment failure effects: As above, plus display on the CWP of a “Loss of APP co-ordination” alert.
• Internal equipment mitigation features: As above, plus hot switchover.
• Internal equipment escalation features: As above.
• Operational effects: Until service is restored: OE-19.

Fault mode 7: ExC2_02, corruption of…, not detected.
• Equipment failure effects: Possible corruptions are: at least one automated co-ordination message sent from the adjacent APP to the TWR was never received; at least one automated co-ordination message from the adjacent APP to the TWR has missing or erroneous data; at least one automated co-ordination message from the adjacent APP to the TWR is sent at an inappropriate time (e.g. too early).
• Internal equipment mitigation features: Surveillance data (ExS3_01 and S3Ex_01) continue to support co-ordination.
• Operational effects: Until service is restored or failure is detected: OE-06.
• Recommendations & comments: Unlike the “loss of ExC2_02” fault mode, the erratic behaviour of the system in this fault mode makes it unlikely that the TWR and APP controllers detect the failure very quickly.

Fault mode 8: ExC2_02, corruption of…, detected.
• Equipment failure effects: As above, plus display on the CWP of a “Corruption of APP co-ordination” alert.
• Internal equipment mitigation features: As above, plus hot switchover.
• Operational effects: Until service is restored: OE-19.


Fault mode 9: ExG1_01, loss of…, not detected.
• Equipment failure effects: Down link (i.e. from aircraft to ground)clearance requests and/or read-backs are not provided anymore.
• Internal equipment mitigation features: Due to compulsory logical acknowledgement messages, it is impossible not to notice this failure, so non-detection of failure is not realistic.
• Internal equipment escalation features: Not applicable.
• Operational effects: Not applicable.

Fault mode 10: ExG1_01, loss of…, detected.
• Equipment failure effects: As above, plus display on the CWP of a “Loss of downlink communications with aircraft” alert.
• Internal equipment mitigation features: None.
• Internal equipment escalation features: The failure induces the loss of G1C2_01.
• Operational effects: Until service is restored or failure is detected: OE-31.

Fault mode 11: ExG1_01, corruption of…, not detected.
• Equipment failure effects: Down link (i.e. from aircraft to ground) clearance requests and/or read-backs are corrupted.
• Internal equipment mitigation features: Clearance delivery should be consistent with clearance request and clearance read-back, so non-detection of failure is not realistic.
• Internal equipment escalation features: Not applicable.
• Operational effects: Not applicable.

Fault mode 12: ExG1_01, corruption of…, detected.
• Equipment failure effects: Corruption will automatically and instantaneously be considered as a loss. Please refer to fault mode 10 (two lines above in the table).
• Internal equipment mitigation features: None.
• Internal equipment escalation features: The failure induces the loss of G1C2_01.
• Operational effects: Until service is restored or failure is detected: OE-31.

Fault mode 13: ExG2_01, loss of…, not detected.
• Equipment failure effects: Loss of status information on non-controllable ground guidance aids.
• Internal equipment mitigation features: Ground guidance aids usually have their own monitoring tools.
• Internal equipment escalation features: The failure induces the corruption of G2O4_01 and G2G1_01. The failure is likely to be simultaneous with the loss of ExG2_02.
• Operational effects: Until traffic is reduced, visibility conditions become acceptable, failure is detected or service is restored: OE-07.

Fault mode 14: ExG2_01, loss of…, detected.
• Equipment failure effects: As above, plus display on the CWP of a “Loss of guidance monitor” alert.
• Internal equipment mitigation features: As above, plus hot switchover.
• Internal equipment escalation features: As above.
• Operational effects: Until service is restored: OE-21.


Fault mode 15: ExG2_01, corruption of…, not detected.
• Equipment failure effects: Possible corruptions are: at least one non-controllable ground guidance aid does not provide its status; at least one non-controllable ground guidance aid provides an erroneous status.
• Internal equipment mitigation features: Ground guidance aids usually have their own monitoring tools.
• Internal equipment escalation features: The failure induces the corruption of G2O4_01 and G2G1_01. The failure is likely to be simultaneous with the corruption of ExG2_02.
• Operational effects: Until traffic is reduced, visibility conditions become acceptable, failure is detected or service is restored: OE-07.

Fault mode 16: ExG2_01, corruption of…, detected.
• Equipment failure effects: As above, plus display on the CWP of a “Corruption of guidance monitor” alert.
• Internal equipment mitigation features: As above, plus hot switchover.
• Internal equipment escalation features: As above.
• Operational effects: Until service is restored: OE-21.

Fault mode 17: ExG2_02, loss of…, not detected.
• Equipment failure effects: Loss of state and status information on controllable ground guidance aids.
• Internal equipment mitigation features: Ground guidance aids usually have their own monitoring tools.
• Internal equipment escalation features: The failure induces the corruption of G2O4_01 and G2G1_01. The failure is likely to be simultaneous with the corruption of ExG2_01.
• Operational effects: Until traffic is reduced, visibility conditions become acceptable, failure is detected or service is restored: OE-07.

Fault mode 18: ExG2_02, loss of…, detected.
• Equipment failure effects: As above, plus display on the CWP of a “Loss of guidance monitor” alert.
• Internal equipment mitigation features: As above, plus hot switchover.
• Internal equipment escalation features: As above.
• Operational effects: Until service is restored: OE-21.

Fault mode 19: ExG2_02, corruption of…, not detected.
• Equipment failure effects: Possible corruptions are: at least one controllable ground guidance aid does not provide its state or status; at least one controllable ground guidance aid provides an erroneous state or status.
• Internal equipment mitigation features: Ground guidance aids usually have their own monitoring tools.
• Internal equipment escalation features: The failure induces the corruption of G2O4_01 and G2G1_01. The failure is likely to be simultaneous with the corruption of ExG2_01.
• Operational effects: Until traffic is reduced, visibility conditions become acceptable, failure is detected or service is restored: OE-07.


Fault mode 20: ExG2_02, corruption of…, detected.
• Equipment failure effects: As above, plus display on the CWP of a “Corruption of guidance monitor” alert.
• Internal equipment mitigation features: As above, plus hot switchover.
• Internal equipment escalation features: None.
• Operational effects: Until service is restored: OE-21.

Fault mode 21: ExO0_01, loss of…, not detected.
• Equipment failure effects: All input devices inoperative. Note: it is not realistic to imagine that a controller will lose one or several input means without knowing it. In most cases (e.g. coffee spilled on keyboard and mouse) failure detection will be obvious. However, by non-detection we mean not detected before use is required.
• Internal equipment mitigation features: None.
• Internal equipment escalation features: The failure induces (or equals to) the simultaneous loss of O0C2_01, O0C2_02, O0G1_01, O0S3_01 and O0R0_01.
• Operational effects (OE-08): Until service is restored or failure is detected: controller discomfort: at the time of the failure detection, the HMI may be in an improper display set-up (e.g. some parts of the airport are not visible).

Fault mode 22: ExO0_01, loss of…, detected.
• Equipment failure effects: As above, plus display on the CWP of a “Loss of input devices” alert.
• Internal equipment mitigation features: The controller may use a redundant HMI, or may share an HMI with another active controller.
• Internal equipment escalation features: As above, plus: depending on equipment, restart of CWP may be necessary, even if all the other functions are performing well; supervisor may need to perform a re-sectorisation.
• Operational effects: As above, plus, until service is restored: OE-18.
• Recommendations & comments: Choice of input device equipment should allow monitoring. Choice of input device equipment should allow online replacement. Choice of input device equipment should favour independent input devices (e.g. avoid mouse connected to keyboard). Spare input devices should be available nearby. Upon failure detection, the HMI could automatically switch to a default configuration set-up, so as to avoid leaving the HMI in a configuration improper for control.


Fault mode 23: ExO0_01, corruption of…, not detected.
• Equipment failure effects: Possible corruptions are: at least one (but not all) input device is totally or partially inoperative; at least one (but not all) input device generates erratic inputs (e.g. a stuck key on the keyboard produces a continuous input flow).
• Internal equipment mitigation features: The CWP possesses at least 2 input devices, and all the important commands can be entered by any of the input devices.
• Internal equipment escalation features: The failure induces the corruption of O0C2_01, O0C2_02, O0G1_01, O0S3_01 and O0R0_01.
• Operational effects: In case of overflow, alerting will be performed at operating system level, so the fault mode is not realistic: not applicable. In all the other cases, an input device remains operative, so: none.

Fault mode 24: ExO0_01, corruption of…, detected.
• Equipment failure effects: As above, plus display on the CWP of a “Corruption of input devices” alert.
• Internal equipment mitigation features: As above, plus: the controller may use a redundant HMI, or may share an HMI with another active controller.
• Internal equipment escalation features: As above, plus: depending on equipment, restart of CWP may be necessary, even if all the other functions are performing well; supervisor may need to perform a re-sectorisation; input overflow may generate system aural alerts that may hide an operational aural alert.
• Operational effects: In case of input overflow, until service is restored: OE-18. Otherwise: none.

Fault mode 25: ExO4_01, loss of… / corruption of…, not detected / detected.
• Equipment failure effects: Data concerning local weather conditions and airport configuration are not provided anymore, are delayed or are corrupted: cf. O4X0_01.
• Internal equipment mitigation features: Cf. O4X0_01.
• Internal equipment escalation features: Failure induces loss of, temporary interruption of, and/or corruption of O4X0_01.
• Operational effects: Cf. O4X0_01.

Fault mode 26: ExS2_01, loss of…, not detected.
• Equipment failure effects: All GNSS signals lost for all ADS-B mobiles.
• Internal equipment mitigation features: On-board odometers and goniometers may allow on-board computed positions to be reliably extrapolated for a significant time. All non ADS-B surveillance systems are unaffected.
• Internal equipment escalation features: None.
• Operational effects (OE-35): Until service is restored or failure is detected: OE-02; reliability decrease or even complete loss of on-board surveillance information for part of the mobiles.


Fault mode 27: ExS2_01, loss of…, detected.
• Equipment failure effects: As above, plus: within vehicles, built-in test alert, resulting in an alarm light emitting diode (LED) being switched on; within aircraft?; for the controller, display on the CWP of a “Corruption of ADS-B surveillance data” alert.
• Internal equipment mitigation features: As above.
• Internal equipment escalation features: None.
• Operational effects: Until service is restored: OE-23, OE-35.
• Recommendations & comments: The ADS-B standard allows sending operational status ADS-B messages from the ADS-B source. This is sufficient.

Fault mode 28: ExS2_01, corruption of…, not detected.
• Equipment failure effects: Possible corruptions are: at least one mobile with ADS-B capability stops receiving GNSS signals; use of GNSS signals results in erroneous positioning for all ADS-B mobiles; site monitor inoperative; differential corrections inoperative.
• Internal equipment mitigation features: All non ADS-B surveillance systems are unaffected.
• Internal equipment escalation features: None.
• Operational effects: Until service is restored or failure is detected: OE-01, OE-35.

Fault mode 29: ExS2_01, corruption of…, detected.
• Equipment failure effects: ?
• Internal equipment mitigation features: All non ADS-B surveillance systems are unaffected.
• Internal equipment escalation features: None.
• Operational effects: Until service is restored: OE-25, OE-35.

Fault mode 30: ExS3_01, loss of…, not detected.
• Equipment failure effects: Tracks for arriving traffic are no more provided by the external RDPS (thus surveillance coverage is reduced and early automatic association of arriving aircraft may be lost). Outbound traffic is not confirmed by the external RDPS as being departed (e.g. to set actual time of departure).
• Internal equipment mitigation features: Ground co-operative sensors should perform identification of arriving traffic before aircraft landing.
• Internal equipment escalation features: The failure induces the corruption of C1O0_01 (i.e. missing target reports may lead to missing alerts). Note: failure may be due to the RDPS itself, in which case APP is simultaneously facing an equipment failure (with impacts on AMAN). This is not A-SMGCS, but may impact co-ordination between APP and tower.
• Operational effects: Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected: OE-06, OE-03.
• Recommendations & comments: Failure detection should be immediate using the ExS3_02 flow.


N° External flow ref.

Fault modes

Fault mode 26 detection

Row 31, ExS3_01, Loss of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Loss of external surveillance input” alert.
Internal equipment mitigation features: As above +
• Actual time of departure can be entered manually.
• Hot switchover
Internal equipment escalation features:
• As above.
Operational effects ref.:
• OE-20
Operational effects of equipment fault mode: Until traffic is reduced, visibility conditions become acceptable, or service is restored:
• OE-25
• OE-20
• OE-27
• OE-19

Row 32, ExS3_01, Corruption of…, fault mode detection: No
Equipment failure effects: Possible corruptions are:
• At least one (but not all) target located in the coverage of the external RDPS is not reported.
• At least one target located in the coverage of the external RDPS is reported with missing or erroneous attributes (position, speed, call sign, etc.).
• The external RDPS provides at least one false target report.
Internal equipment mitigation features:
• Internal sensor tracks remain reliable (but then we need to validate the priority given to the internal sensors if there is also a status for them).
Internal equipment escalation features: The failure induces the corruption of:
• C1O0_01 (i.e. false target reports may generate false alerts).
Note: Failure may be due to the RDPS itself, in which case APP is simultaneously facing an equipment failure (with impacts on AMAN). This is not A-SMGCS, but may impact coordination between APP and tower.
Operational effects of equipment fault mode: Until service is restored or failure is detected:
• OE-06
• OE-03
Recommendations & comments with respect to ICAO A-SMGCS manual: Failure detection should be immediate using the ExS3_02 flow.

Row 33, ExS3_01, Corruption of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Corruption of external surveillance input” alert.
Internal equipment mitigation features: As above +
• In case of inconsistent target reports between the external RDPS and the internal sensors, priority is given to internal target reports.
• Hot switchover
Internal equipment escalation features:
• As above.
Operational effects of equipment fault mode: Until service is restored:
• OE-25
• Controller workload increase & RTF congestion: the controller’s trust in the surveillance display is reduced, so the controller needs to rely (more) on pilots’ RTF reports.
• OE-27
• OE-19
Recommendations & comments with respect to ICAO A-SMGCS manual: Priority given to internal target reports may be dangerous: should it be a safety requirement?


Row 34, ExS3_02, Loss of… / Temporary interruption of… / Corruption of…, fault mode detection: No
Equipment failure effects:
• N/a
Internal equipment mitigation features:
• N/a
Internal equipment escalation features:
• N/a
Operational effects of equipment fault mode:
• None

Row 35, ExS3_02, Loss of… / Temporary interruption of… / Corruption of…, fault mode detection: Yes
Equipment failure effects:
• Same as detected loss of, temporary interruption of, or corruption of ExS3_01.
Internal equipment mitigation features:
• Same as detected loss of, temporary interruption of, or corruption of ExS3_01.
Internal equipment escalation features:
• Same as detected loss of, temporary interruption of, or corruption of ExS3_01.
Operational effects of equipment fault mode:
• None

Table 5-10: External fault modes and effects analysis table


Appendix D Internal fault modes and effects analysis


Objectives

Similar to the robustness analysis, the following tables analyse the internal flows: Table 5-11 lists all the flows between two internal A-SMGCS functions, whilst Table 5-12 lists all the flows between one internal function and one external function (output flow).

Structure of the analysis tables

Please refer to the introduction of appendix C.

Additional note

All data and control flows are analysed separately, even when they seem completely dependent. For example, if the traffic monitoring & alerting function does not receive surveillance inputs (i.e. S3C1_01), then it surely cannot detect conflicts and send alerts to the controller working positions (i.e. C1O0_01). Thus the operational effects of a fault mode on S3C1_01 may be identical to the operational effects of the corresponding fault mode on C1O0_01. However, the analysis shows that the mitigation and escalation features are different, leading to different effects, safety objectives and recommendations.
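The chaining of “The failure induces the corruption of …” entries across the rows of the internal analysis can be checked mechanically. The following is an added example written for this edition, not part of the EMMA deliverable: it transcribes a subset of the escalation and operational-effect cells of the undetected fault-mode rows into a small propagation model, computes the transitive closure of one fault mode, and reports which reached flows have no transcribed row. The flow identifiers and OE-xx references are the document’s own; the dictionaries and function names are assumptions of this example.

```python
"""Fault propagation over the A-SMGCS flow identifiers used in Tables 5-10/5-11.

Added example, not part of the EMMA D1.3.9 deliverable. The edges and effect
references below are transcribed from a subset of the "Internal equipment
escalation features" and "Operational effects ref." cells of the undetected
fault-mode rows; the flow identifiers (C2C3_01, C3C2_01, ...) and OE-xx
references are the document's own. Flows whose rows are not transcribed here
are reported as unassessed rather than assumed harmless.
"""
from collections import deque

Node = tuple[str, str]  # (flow reference, fault mode)

# "The failure induces the corruption of: ..." entries (subset, transcribed).
INDUCES: dict[Node, list[Node]] = {
    ("C2C3_01", "loss"): [("C3C2_01", "corruption")],
    ("C2C3_01", "corruption"): [("C3C2_01", "corruption")],
    ("C2R0_01", "loss"): [
        ("C2C3_01", "corruption"), ("C2G1_01", "corruption"),
        ("C2Ex_01", "corruption"), ("C2Ex_02", "corruption"),
        ("C2O0_01", "corruption"), ("R0C2_01", "loss"),
    ],
    ("C2S3_01", "loss"): [
        ("S3O0_01", "corruption"), ("S3C1_01", "corruption"),
        ("S3S4_01", "corruption"), ("S3G4_01", "corruption"),
    ],
    ("C3C2_01", "loss"): [("C2O0_01", "corruption"), ("C2Ex_01", "corruption")],
    ("C3C2_01", "corruption"): [("C2O0_01", "corruption"), ("C2Ex_01", "corruption")],
    ("ExS3_01", "loss"): [("C1O0_01", "corruption")],
    ("ExS3_01", "corruption"): [("C1O0_01", "corruption")],
}

# Operational effect references of the *undetected* rows (subset, transcribed).
# An empty set means the row records no effect of its own (e.g. "cf. C3C2_01").
OPS_EFFECTS: dict[Node, set[str]] = {
    ("C1O0_01", "corruption"): {"OE-27"},
    ("C2C3_01", "loss"): set(),
    ("C2C3_01", "corruption"): set(),
    ("C2G1_01", "corruption"): {"OE-33"},
    ("C2O0_01", "corruption"): {"OE-04", "OE-05"},
    ("C2R0_01", "loss"): set(),
    ("C2S3_01", "loss"): {"OE-01", "OE-03", "OE-35"},
    ("C3C2_01", "loss"): {"OE-04", "OE-05"},
    ("C3C2_01", "corruption"): {"OE-04", "OE-05"},
    ("ExS3_01", "loss"): {"OE-03", "OE-06"},
    ("ExS3_01", "corruption"): {"OE-03", "OE-06"},
}


def propagate(start: Node) -> set[Node]:
    """Return every (flow, fault mode) transitively induced by `start`.

    Breadth-first walk over INDUCES; the start node itself is not included.
    """
    seen: set[Node] = set()
    queue = deque(INDUCES.get(start, []))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(INDUCES.get(node, []))
    return seen


def aggregate_effects(start: Node) -> tuple[list[str], list[Node]]:
    """Union the OE references of `start` and everything it induces.

    Returns (sorted OE references, sorted nodes with no transcribed row), so a
    reviewer sees both the combined effect and where the closure leaves the
    transcribed part of the tables.
    """
    effects: set[str] = set()
    unassessed: list[Node] = []
    for node in {start} | propagate(start):
        if node in OPS_EFFECTS:
            effects |= OPS_EFFECTS[node]
        else:
            unassessed.append(node)
    return sorted(effects), sorted(unassessed)


if __name__ == "__main__":
    for origin in (("C2C3_01", "loss"), ("C2R0_01", "loss")):
        oe, gaps = aggregate_effects(origin)
        print(origin, "->", sorted(propagate(origin)))
        print("  combined effects:", oe, "| not transcribed:", gaps)
```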


Note 27 (fault mode detection): By the equipment itself.

Row 1, C1O0_01, Loss of…, fault mode detection: No
Equipment failure effects:
• On the CWP, loss of all traffic monitoring alerts.
Internal equipment mitigation features:
• The plan monitoring function continues to provide the controller with reliable plan deviation alerts.
• On-board traffic monitoring & alerting continues to provide reliable alerts to pilots and drivers.
Internal equipment escalation features:
• None
Operational effects ref.:
• OE-03
Operational effects of equipment fault mode: Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected:
• Detection of surface conflicts & incursions by the controller is severely compromised.
Recommendations & comments with respect to ICAO A-SMGCS manual: The controller, pilots and drivers need to increase their vigilance and contingency separation procedures may be applied.
Note: AGATE ranks this failure with a “major” severity.

Row 2, C1O0_01, Loss of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Loss of traffic monitoring” alert.
Internal equipment mitigation features: As above +
• Hot switchover.
Internal equipment escalation features:
• None

Row 3, C1O0_01, Corruption of…, fault mode detection: No
Equipment failure effects: Possible corruptions are:
• At least one (but not all) alert is not reported (to the controller in charge); missing alerts may concern a sub-set of mobiles (e.g. faulty secondary surveillance) or a part of the aerodrome.
• At least one alert is provided with erroneous attributes (e.g. foreseen accident location, resolution advice, mobiles involved).
• At least one false alert is provided (due to corruption of S3C1_01).
Internal equipment mitigation features:
• Same as loss of C1O0_01
Internal equipment escalation features:
• None
Operational effects ref.:
• OE-27
Operational effects of equipment fault mode: Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected:
• OE-03
Until service is restored:
• Controller workload increase: the controller is provided with missing or false traffic alerts.


Row 4, C1O0_01, Corruption of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Corruption of traffic monitoring” alert.
Internal equipment mitigation features: As above +
• Hot switchover (except if corruption is due to corrupted surveillance data).
Internal equipment escalation features:
• None
Operational effects of equipment fault mode: Until service is restored:
• OE-27

Row 5, C2C3_01, Loss of…, fault mode detection: No / Yes
Equipment failure effects:
• Flight plans are not provided any more to the plan conformance monitoring function.
Internal equipment mitigation features:
• Hot switchover in case of failure detection, none otherwise.
Internal equipment escalation features: The failure induces the corruption of:
• C3C2_01
The failure is likely to be simultaneous with the loss of:
• C2O0_01
• C2G1_01
• C2Ex_01
• C2Ex_02
• C2S3_01
• C2R0_01
Operational effects of equipment fault mode:
• Cf. undetected / detected corruption of C3C2_01.

Row 6, C2C3_01, Corruption of…, fault mode detection: No / Yes
Equipment failure effects: Possible corruptions are:
• At least one flight plan to be monitored is provided with false or missing data (e.g. no taxi route assignment).
• At least one flight plan is missing.
Internal equipment mitigation features:
• Hot switchover in case of failure detection, none otherwise.
Internal equipment escalation features: The failure induces the corruption of:
• C3C2_01
The failure is likely to be simultaneous with the corruption of:
• C2O0_01
• C2G1_01
• C2Ex_01
• C2Ex_02
• C2S3_01
• C2R0_01
Operational effects of equipment fault mode:
• Cf. undetected / detected corruption of C3C2_01.


Row 7, C2G1_01, Loss of…, fault mode detection: No
Equipment failure effects:
• Clearances given by the controller are not provided any more to the guidance function in order to be transformed into guidance indications, neither on ground guidance aids (cf. G1Ex_01), nor on vehicle / aircraft on-board equipment (cf. G1G3_01 & G1Ex_02).
Internal equipment mitigation features:
• Ground guidance aids possess their own control & monitoring tools.
• The controller, pilots and drivers are likely to identify the failure immediately due to the complete lack of guidance indications (e.g. initial instructions) and/or acknowledgement (e.g. instruction update).
Internal equipment escalation features: The failure induces the loss or corruption of:
• G1Ex_01
• G1G3_01
• G1Ex_02
The failure is likely to be simultaneous with the loss of:
• C2O0_01
• C2C3_01
• C2Ex_01
• C2Ex_02
• C2S3_01
• C2R0_01
Operational effects ref.:
• OE-31
Operational effects of equipment fault mode: Until service is restored or failure is detected:
• OE-30
• Pilots and/or drivers do not receive any automated guidance from on-board equipment.
• OE-34

Row 8, C2G1_01, Loss of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Loss of guidance control” alert.
Internal equipment mitigation features: As above +
• Ground guidance aids can still be manually controlled via the CWP (via O0G1_01 and G1Ex_01).
• Hot switchover.
Internal equipment escalation features: As above +
• Considering the fault mode, it is unlikely that failure indication can be transmitted on board (pilot / driver).
Operational effects of equipment fault mode: Until service is restored:
• OE-15
• OE-31
• OE-34
Alternatively, until traffic is reduced, visibility conditions become acceptable or service is restored, the controller may wish to forget about automation, leading to the following operational effects:
• OE-21
• OE-30
• OE-31
• OE-34


Row 9, C2G1_01, Corruption of…, fault mode detection: No
Equipment failure effects: Possible corruptions are:
• At least one clearance provided to the guidance function has false or missing data (e.g. wrong taxi route assignment).
• At least one (but not all) clearance is not provided to its addressee.
Internal equipment mitigation features:
• Guidance via RTF remains unaffected.
Internal equipment escalation features: If the clearance is provided with corrupted data, on-board (cf. G1G3_01 & G1Ex_02) and ground (cf. G1Ex_01) guidance indications will be consistent (but wrong!).
The failure is likely to be simultaneous with the corruption of:
• C2C3_01
• C2O0_01
• C2Ex_01
• C2Ex_02
• C2S3_01
• C2R0_01
Operational effects ref.:
• OE-33
Operational effects of equipment fault mode: Until service is restored or failure is detected:
• OE-32
• Pilots and/or drivers are provided with missing or erroneous indications via the on-board equipment.
• OE-34

Row 10, C2G1_01, Corruption of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Corruption of guidance control” alert.
Internal equipment mitigation features:
• A-SMGCS control of ground guidance aids can be disconnected.
• Pilots & drivers can be told to ignore on-board guidance indications.
• Guidance aids possess their own control & monitoring tools, which override all A-SMGCS commands.
• Hot switchover.
Operational effects of equipment fault mode: Until traffic is reduced or service is restored:
• OE-21
• OE-30
• OE-31


Row 11, C2O0_01, Loss of…, fault mode detection: No
Equipment failure effects:
• Flight plan updates (including plan monitoring alerts & creation of new flight plans) are not provided any more to the controller.
Internal equipment mitigation features:
• Each CWP holds its own flight plan data base, which can be modified locally and which will be synchronised with the system flight plan data processing system when the service is restored.
• A safety net is still ensured by the traffic monitoring & alerting function.
Internal equipment escalation features: The failure is likely to be simultaneous with the loss of:
• C2C3_01
• C2G1_01
• C2Ex_01
• C2Ex_02
• C2O5_01
• C2S3_01
• C2R0_03
• O0C2_01
Operational effects ref.:
• OE-05
Operational effects of equipment fault mode: Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected:
• OE-04
• The detection of plan deviations by the controller is severely compromised.

Row 12, C2O0_01, Loss of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Loss of planning” alert.
Internal equipment mitigation features: As above +
• Local CWP planning data, live surveillance data, and RTF reports by pilots & drivers provide sufficient data to the controller to allow him to perform efficient plan conformance monitoring.
• Hot switchover.
Internal equipment escalation features:
• As above
Operational effects ref.:
• OE-11
Operational effects of equipment fault mode: Until service is restored:
• OE-10
• Controller workload increase: in case of multiple A-SMGCS controller working positions, the controller has to manually manage the flight plans for the operations (creations, deletions, updates) that are normally handled by adjacent tower positions.
• OE-12
• OE-22
Alternatively, due to lack of confidence in the electronic stripping system, the controller may wish to forget about automation:
• OE-18
• OE-30
• OE-31
Recommendations & comments with respect to ICAO A-SMGCS manual: When the service is restored, the controller may also have to deal with inconsistent updates made on different controller working positions or in external systems.


Row 13, C2O0_01, Corruption of…, fault mode detection: No
Equipment failure effects: On the CWP, possible corruptions are:
• At least one missing flight plan.
• At least one flight plan with missing or corrupted data (e.g. no taxi route, wrong gate, wrong flight state, etc.).
• At least one flight plan received at an inappropriate time (i.e. too late or too early).
• Overflow.
Internal equipment mitigation features:
• None
Internal equipment escalation features: The failure is likely to be simultaneous with the corruption of:
• C2C3_01
• C2G1_01
• C2Ex_01
• C2Ex_02
• C2O5_01
• C2S3_01
• C2R0_03
• O0C2_01
Operational effects of equipment fault mode: Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected:
• OE-04
• OE-05

Row 14, C2O0_01, Corruption of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Corruption of planning” alert.
Internal equipment mitigation features: As above +
• Hot switchover.
Internal equipment escalation features:
• As above
Operational effects of equipment fault mode: Until service is restored:
• OE-18

Row 15, C2O5_01, Loss of… / Temporary interruption of… / Corruption of…, fault mode detection: No / Yes
Equipment failure effects:
• Strip printer inoperative.
Internal equipment mitigation features:
• There is usually more than one strip printer, each capable of printing all strips in multiple copies.
Internal equipment escalation features:
• None
Operational effects of equipment fault mode:
• None
Recommendations & comments with respect to ICAO A-SMGCS manual: The strip printer is seen as the backup solution in case of a planning failure. Thus, the analysis of the strip printer failure in addition to a planning failure exceeds the scope of this functional hazard assessment (because of the single point of failure hypothesis). On the other hand, if the planning function is in service, the failure of the strip printer has no operational effects.


Row 16, C2R0_01, Loss of…, fault mode detection: No
Equipment failure effects:
• Default taxi routes are not assigned any more to mobile movement plans.
Internal equipment mitigation features:
• Route assignment is a process that is dissociated from taxi clearance. Before the taxi route is used by the system, the controller is bound to check and validate the route (e.g. to deliver the taxi clearance, which initiates the automatic guidance and conformance monitoring). Therefore, this non-detected fault mode is not a plausible hypothesis.
Internal equipment escalation features: The failure induces the corruption of:
• C2C3_01
• C2G1_01
• C2Ex_01
• C2Ex_02
• C2O0_01
The failure induces the loss of:
• R0C2_01
The failure is likely to be simultaneous with the loss of:
• C2C3_01
• C2G1_01
• C2Ex_01
• C2Ex_02
• C2O5_01
• C2S3_01
• C2O0_01
• O0R0_01
Operational effects of equipment fault mode:
• None


Row 17, C2R0_01, Loss of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Loss of routing” alert.
Internal equipment mitigation features:
• Semi-automatic routing may remain possible, and manual route assignment should remain possible (cf. O0R0_01) – by ICAO requirement.
• Hot switchover.
Internal equipment escalation features:
• As above
Operational effects ref.:
• OE-14
• OE-22
Operational effects of equipment fault mode: Until service is restored:
• Controller workload increase: the controller assigns all taxi routes manually (with or without semi-automatic routing support).
Alternatively, until traffic is reduced, visibility conditions become acceptable or service is restored, the controller may wish to forget about automation, leading to the following operational effects:
• OE-21
• OE-30
• OE-31
• Controller workload increase: the controller needs to monitor plan adherence (and in particular taxi route adherence) without automated plan conformance monitoring support.


Row 18, C2R0_01, Corruption of…, fault mode detection: No
Equipment failure effects: Possible corruptions are:
• At least one mobile (but not all mobiles) is not assigned a default taxi route.
• At least one mobile is assigned an erroneous route.
Internal equipment mitigation features:
• None
Internal equipment escalation features: The failure induces the corruption of:
• C2C3_01
• C2G1_01
• C2Ex_01
• C2Ex_02
• C2O0_01
• R0C2_01
The failure is likely to be simultaneous with the corruption of:
• C2C3_01
• C2G1_01
• C2Ex_01
• C2Ex_02
• C2O5_01
• C2S3_01
• C2O0_01
• O0R0_01
Operational effects of equipment fault mode:
• None
Recommendations & comments with respect to ICAO A-SMGCS manual: Route assignment is a process that is dissociated from taxi clearance. Before the taxi route is used by the system, the controller is bound to check and validate the route (e.g. to deliver the taxi clearance, which initiates the automatic guidance). Therefore, this non-detected fault mode is not a plausible hypothesis.

Row 19, C2R0_01, Corruption of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Corruption of routing” alert.
Internal equipment mitigation features:
• Semi-automatic routing may remain possible, and manual route assignment should remain possible (cf. O0R0_01) – by ICAO requirement.
• Hot switchover.
Internal equipment escalation features:
• As above
Operational effects of equipment fault mode: Until service is restored:
• OE-14
Alternatively, until traffic is reduced, visibility conditions become acceptable or service is restored, the controller may wish to forget about automation, leading to the following operational effects:
• OE-21
• OE-32
• OE-33
• OE-22


Row 20, C2S3_01, Loss of…, fault mode detection: No
Equipment failure effects:
• Flight plan updates (including creation of new flight plans) are not provided any more to the surveillance fusion function: this is prejudicial to target identification.
Internal equipment mitigation features:
• The surveillance fusion function holds its own flight plan data base, which can be modified locally (based on flight plan data coming from the co-operative sensors) and which will be synchronised with the system flight plan data processing system when the service is restored.
Internal equipment escalation features: The failure induces the corruption of:
• S3O0_01
• S3C1_01
• S3S4_01
• S3G4_01
The failure is likely to be simultaneous with the loss of:
• C2O0_01
• C2C3_01
• C2Ex_01
• C2Ex_02
• C2G1_01
Operational effects of equipment fault mode: Until service is restored or failure is detected:
• OE-01
• OE-03
• OE-35


Row 21, C2S3_01, Loss of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Loss of planning input to fusion” alert.
Internal equipment mitigation features: As above +
• Manual labelling is still operative.
• Hot switchover.
Internal equipment escalation features:
• As above
Operational effects ref.:
• OE-13
• OE-26
• OE-17
• OE-35
• OE-28
Operational effects of equipment fault mode: Until service is restored:
• Controller workload increase: the controller has to manually label (some) target reports.
Alternatively, until traffic is reduced, visibility conditions become acceptable or service is restored, the controller may wish to forget about automation, leading to the following operational effects:
• The controller is provided with missing and/or erroneous mobile identification.
• Controller workload increase: the controller has to mentally maintain the association between the flight plans and the target reports.
• Through the TIS-B service, pilots and drivers are provided with missing and/or corrupted surveillance data (including mobile identification).
• OE-27
• The controller is provided with missing and/or erroneous plan monitoring alerts.
Recommendations & comments with respect to ICAO A-SMGCS manual: Considering the long list of adverse effects in the alternative, and considering the small additional workload related to manual labelling, the alternative should be rejected (unreasonable hypothesis).


Row 22, C2S3_01, Corruption of…, fault mode detection: No
Equipment failure effects: Possible corruptions are:
• At least one (but not all) flight plan is not provided to the surveillance data fusion.
• At least one flight plan is provided to the surveillance data fusion with missing or corrupted data.
• At least one flight plan is provided to the surveillance data fusion at an inappropriate time (e.g. too early).
• Flight plan overflow.
Internal equipment mitigation features:
• The surveillance fusion function holds its own flight plan data base, which can be modified locally (based on flight plan data coming from the co-operative sensors) and which will be synchronised with the system flight plan data processing system when the service is restored.
• In case of inconsistent data received by the surveillance data fusion (from the planning with respect to data received from the co-operative sensors) an alert is raised.
Internal equipment escalation features: The failure induces the corruption of:
• S3O0_01
• S3C1_01
• S3S4_01
• S3G4_01
The failure is likely to be simultaneous with the corruption of:
• C2O0_01
• C2C3_01
• C2Ex_01
• C2Ex_02
• C2G1_01
Operational effects of equipment fault mode: Until service is restored or failure is detected:
• OE-01
• OE-03
• OE-35

Row 23, C2S3_01, Corruption of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Corruption of planning input to fusion” alert.
Internal equipment mitigation features: As above +
• Manual labelling is still operative (to cope with missing identification).
• Manual labelling overrides any erroneous automatic identification.
• Hot switchover.
Internal equipment escalation features:
• As above
Operational effects of equipment fault mode: Until service is restored:
• OE-13
Recommendations & comments with respect to ICAO A-SMGCS manual: See also detected loss of C2S3_01. In case of missing flight plan, manual labelling should be very easy (i.e. simply by typing the call sign) in order not to force the controller to quit automation support.

Row 24, C3C2_01, Loss of…, fault mode detection: No
Equipment failure effects:
• Flight plans are not updated any more with plan monitoring alerts (i.e. plan deviations), so the latter are not conveyed to the CWP any more.
• Flight progress based on surveillance data is not updated automatically any more (e.g. support to silent hand-over is lost, entering of actual take-off time into the flight plan upon aircraft take-off is not performed any more), so the latter is not conveyed to the CWP any more.
Internal equipment mitigation features:
• A safety net is still ensured by the traffic monitoring & alerting function.
Internal equipment escalation features: The failure induces the corruption of:
• C2O0_01
• C2Ex_01
The failure is likely to be simultaneous with the loss of:
• C2C3_01
Operational effects of equipment fault mode: Until service is restored or failure is detected:
• OE-04
• OE-05


Row 25, C3C2_01, Loss of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Loss of plan monitoring & alerting” alert.
Internal equipment mitigation features: As above +
• The controller can manually enter the flight progress (in order to keep the flight plans up to date). Manual flight plan management helps maintain consistent coordination support (based on flight plan progress).
• Hot switchover.
Internal equipment escalation features:
• As above
Operational effects ref.:
• OE-12
Operational effects of equipment fault mode: Until service is restored:
• Controller workload increase: the controller has to manually manage the flight plans for the operations (i.e. updates only) that are normally handled by automated traffic characterisation, in particular flight plan progress.
• OE-28

Row 26, C3C2_01, Temporary delay of…, fault mode detection: No / Yes
Equipment failure effects:
• Flight plan monitoring alerts are provided with more than 2 s delay (but less than 6 s).
Internal equipment mitigation features:
• A safety net is still ensured by the traffic monitoring & alerting function.
Internal equipment escalation features: The failure induces the temporary delay of:
• C2O0_01
Operational effects ref.:
• OE-37
Recommendations & comments with respect to ICAO A-SMGCS manual: Supposing that a route deviation is detected based on down-linked aircraft parameters (DAP), the information is provided too late to avoid the route deviation.


Row 27, C3C2_01, Corruption of…, fault mode detection: No
Equipment failure effects: Possible corruptions are:
• At least one (but not all) flight plan is incorrectly updated (e.g. erroneous actual time of departure / arrival, inconsistent flight plan progress, wrong route assignment, etc.).
• Co-ordination between controller positions is messed up (e.g. aircraft not reported in the responsibility zone of the controller who has assumed the plan).
Internal equipment mitigation features:
• A safety net is still ensured by the traffic monitoring & alerting function.
Internal equipment escalation features: The failure induces the corruption of:
• C2O0_01
• C2Ex_01
The failure is likely to be simultaneous with the corruption of:
• C2C3_01
Operational effects of equipment fault mode: Until service is restored or failure is detected:
• OE-04
• OE-05
Recommendations & comments with respect to ICAO A-SMGCS manual: Note: Corrupted alerts are based on (partial) loss or corruption of traffic movement characterisation events (cf. S3S4_01 and S4C3_01) or loss or corruption of routing (cf. R0C2_01, O0R0_01 and R0O0_01).

Row 28, C3C2_01, Corruption of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Corruption of plan monitoring” alert.
Internal equipment mitigation features: As above +
• The controller can manually enter / correct the flight progress (in order to keep the flight plans up to date).
• Hot switchover.
Internal equipment escalation features:
• As above
Operational effects ref.:
• OE-29
Operational effects of equipment fault mode: Until service is restored:
• OE-12
• OE-28
Alternatively, until service is restored, the controller may wish to forget about automation, leading to the following operational effects:
• OE-28
• The controller is provided with missing and/or erroneous co-ordination support, but he knows it.


Row 29, G1C2_01, Loss of…, fault mode detection: No
Equipment failure effects:
• Down-link (i.e. from aircraft to ground) clearance requests and/or read-backs are not provided any more.
Internal equipment mitigation features:
• Due to compulsory logical acknowledgement messages, it is impossible not to notice this failure, so non-detection of failure is not realistic.
Internal equipment escalation features:
• None
Operational effects of equipment fault mode: Not applicable.

Row 30, G1C2_01, Loss of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP of a “Loss of downlink communications with aircraft” alert.
Internal equipment escalation features: The failure induces the corruption of:
• C2O0_01
Operational effects of equipment fault mode: Until service is restored or failure is detected:
• OE-31

Row 31, G1C2_01, Corruption of…, fault mode detection: No
Equipment failure effects:
• Down-link (i.e. from aircraft to ground) clearance requests and/or read-backs are corrupted.
Internal equipment mitigation features:
• Clearance delivery should be consistent with clearance request and clearance read-back, so non-detection of failure is not realistic.
Internal equipment escalation features:
• None
Operational effects of equipment fault mode: Not applicable.

Row 32, G1C2_01, Corruption of…, fault mode detection: Yes
Equipment failure effects:
• Corruption will automatically and instantaneously be considered as a loss. Please refer to the fault mode two lines above.
Internal equipment escalation features: The failure induces the corruption of:
• C2O0_01
Operational effects of equipment fault mode: Until service is restored or failure is detected:
• OE-31

Row 33, G1G3_01, Loss of…, fault mode detection: No
Equipment failure effects:
• The taxi routes are not translated onto the vehicle moving-map.
• None of the clearances are up-linked to the vehicles.
Internal equipment mitigation features:
• Ground guidance aids are unaffected (and they confirm RTF instructions).
This fault mode is likely to be detected immediately by the vehicle drivers, so this case is not a reasonable hypothesis.
Internal equipment escalation features: The failure is likely to be simultaneous with the loss of:
• G1Ex_02
Operational effects of equipment fault mode: Until service is restored or failure is detected:
• OE-31

Row 34, G1G3_01, Loss of…, fault mode detection: Yes
Equipment failure effects: As above +
• Display on the CWP and on the driver HMI of a “Loss of AGDL guidance” alert.
Internal equipment mitigation features: As above +
• Hot switchover.
Internal equipment escalation features:
• As above
Operational effects of equipment fault mode: Until service is restored:
• OE-21

130 of 241 Version 1.0

Recommendations & comments (corruption of G1C2_01): When defining the procedure for A-SMGCS clearance delivery, read-back, whether electronic or via voice, should ensure that a clearance downlink corruption does not go undetected in the uplink connection.

Row 35: G1G3_01, Corruption of… (detected: No)
Equipment failure effects: Possible corruptions are: • At least one taxi route is not translated onto the vehicle moving-map. • At least one (but not all) clearance is not up-linked to a vehicle. • At least one false clearance is up-linked to a vehicle (i.e. incorrect instruction to intended vehicle or correct instruction sent to unintended vehicle).
Mitigation features: • Ground guidance aids are unaffected. • Read-back. With the above mitigation means, this fault mode is likely to be detected immediately by the vehicle drivers, so this case is not a reasonable hypothesis. However, this is strongly dependent on the procedure (undefined to date).
Escalation effects: The failure is likely to be simultaneous with the corruption of: • G1Ex_02
Operational effects: Until service is restored or failure is detected: • OE-33 • OE-34

Row 36: G1G3_01, Corruption of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP and on the driver HMI of a “Corruption of AGDL guidance” alert.
Mitigation features: As above + • Hot switchover.
Escalation effects: • As above
Operational effects: Until service is restored: • OE-21 • OE-34
Recommendations & comments: Contrary to the detected loss of G1G3_01 and G1Ex_02, the use of RTF might be reduced since the ground guidance aids are assumed to be correctly working (single point of failure hypothesis).

Row 37: G2G1_01, Loss of… (detected: No)
Equipment failure effects: • Loss of feedback information (i.e. acknowledgement) on controllable ground guidance aids state and status (after a guidance control command).
Mitigation features: • Except for the acknowledgement, ground guidance continues to correctly actuate equipment as requested. • Feedback is redundant via the aerodrome-mapping database (cf. G2O4_01).
Escalation effects: The failure is likely to be simultaneous with the loss of: • G2O4_01.
Operational effects: • Not applicable: this flow is the confirmation of the actuation of a ground guidance aid after a guidance command. It is not reasonable to assume that its loss is undetected.

Row 38: G2G1_01, Loss of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of ground guidance acknowledgement” alert.
Mitigation features: As above + • Ground guidance aids possess their own control & monitoring tools. • Hot switchover
Escalation effects: • As above
Operational effects: Until service is restored: • OE-21

Row 39: G2G1_01, Corruption of… (detected: No)
Equipment failure effects: Possible corruptions are: • At least one (but not all) ground guidance aid command acknowledgement is not received. • At least one erroneous ground guidance aid command acknowledgement is received.
Mitigation features: • Feedback is redundant via the aerodrome-mapping database (cf. G2O4_01).
Escalation effects: The failure is likely to be simultaneous with the corruption of: • G2O4_01.
Operational effects: Until traffic is reduced, visibility conditions become acceptable or service is restored: • The controller’s context awareness is (slightly) compromised due to loss or corruption of guidance data. • OE-07

Row 40: G2G1_01, Corruption of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of ground guidance acknowledgement” alert.
Mitigation features: As above + • Ground guidance aids possess their own control & monitoring tools. • Hot switchover
Escalation effects: • As above
Operational effects: Until service is restored: • OE-21

Row 41: G2O4_01, Loss of… (detected: No)
Equipment failure effects: • Loss of ground guidance aids state and status updates to the aerodrome-mapping database.
Mitigation features: • Ground guidance aids continue to correctly actuate equipment as requested, providing a correct actuation acknowledgement.
Escalation effects: The failure is likely to be simultaneous with the loss of: • G2G1_01.
Operational effects: Until traffic is reduced, visibility conditions become acceptable, failure is detected or service is restored: • OE-07

Row 42: G2O4_01, Loss of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of AMDB update” alert.
Mitigation features: As above + • Ground guidance aids possess their own control & monitoring tools. • Hot switchover
Escalation effects: • As above
Operational effects: • As above

Row 43: G2O4_01, Corruption of… (detected: No)
Equipment failure effects: Possible corruptions are: • At least one (but not all) ground guidance aids state or status is not updated to the aerodrome-mapping database. • At least one ground guidance aids state or status is erroneously updated to the aerodrome-mapping database.
Mitigation features: • Ground guidance aids continue to correctly actuate equipment as requested, providing a correct actuation acknowledgement.
Escalation effects: The failure is likely to be simultaneous with the corruption of: • G2G1_01.
Operational effects: Until traffic is reduced, visibility conditions become acceptable or service is restored: • OE-07

Row 44: G2O4_01, Corruption of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of AMDB update” alert.
Mitigation features: As above + • Ground guidance aids possess their own control & monitoring tools. • Hot switchover.
Escalation effects: • As above
Operational effects: • As above

Row 45: G4G3_01, Loss of… (detected: No)
Equipment failure effects: • The traffic situation, as seen and fused by the ground systems, is not sent anymore to the vehicle tracking equipment.
Mitigation features: • Vehicles equipped with ADS-B in capability continue to benefit from some direct mobile-to-mobile cooperative surveillance data.
Escalation effects: The failure is likely to be simultaneous with the loss of: • G4Ex_01
Operational effects: Until service is restored or failure is detected: • OE-35 (but the drivers do not know it)

Row 46: G4G3_01, Loss of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of TIS-B” alert.
Mitigation features: As above + • Hot switchover.
Escalation effects: • As above
Operational effects: Until service is restored: • OE-35 (but the drivers know it)

Row 47: G4G3_01, Corruption of… (detected: No)
Equipment failure effects: Possible corruptions are: • At least one (but not all) ground system track is not reported to the vehicle tracking equipment. • At least one part of the aerodrome (but not all) is not covered by the traffic information service broadcast (TIS-B). • At least one false ground system track is reported to the vehicle tracking equipment.
Mitigation features: • Vehicles equipped with ADS-B in capability continue to benefit from some direct mobile-to-mobile cooperative surveillance data, and this may show some inconsistencies with the TIS-B data.
Escalation effects: The failure is likely to be simultaneous with the corruption of: • G4Ex_01
Operational effects: Until service is restored or failure is detected: • OE-35 (but the drivers do not know it)

Row 48: G4G3_01, Corruption of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of TIS-B” alert.
Mitigation features: As above + • Hot switchover.
Escalation effects: • As above
Operational effects: Until service is restored: • OE-35 (but the drivers know it)

Row 49: O0C2_01, Loss of… (detected: No)
Equipment failure effects: • Controller flight plan management (i.e. creations, updates – including route assignment, deletions) is restricted to local HMI impacts (i.e. other TWR controllers and other systems are not notified of the controller actions).
Mitigation features: • Each CWP holds its own flight plan data base which can be modified locally, and which will be synchronised with the system flight plan data processing system when the service is restored.
Escalation effects: The failure induces the corruption of: • C2C3_01 • C2G1_01 • C2Ex_01 • C2Ex_02 • C2O5_01 • C2S3_01 • C2R0_03 • C2O0_01. The failure is likely to be simultaneous with the loss of: • O0C2_02 • C2O0_01
Operational effects: Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected (on a long term perspective): • OE-01 • OE-03 • OE-04 • OE-05 • OE-06 • OE-07
Recommendations & comments: The impact is not as dramatic as the list of operational effects might suggest: the operational effects appear only very slowly as time goes by.

Row 50: O0C2_01, Loss of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of planning input” alert.
Mitigation features: As above + • Hot switchover.
Escalation effects: • As above
Operational effects: Until service is restored, as above +: • OE-10 • OE-11 • OE-12. Alternatively, due to lack of confidence in the electronic stripping system, the controller may wish to forget about automation, and thus, until service is restored, as above +: • OE-18 • OE-30 • OE-31. However, in that case, system update upon recovery may not be obvious (i.e. flight plan data inconsistent with traffic).
Recommendations & comments: The fault mode induces many other fault modes. The controller acting as specified above reduces the effects of a corrupted C2O0_01, so this is the recommended practice. When the service is restored, the controller may have to deal with some inconsistent updates made on different controller working positions or in external systems. The contingency procedure to be defined for flight plan updates during this fault mode should prescribe minimal updates to keep the system consistent. The loss of the planning function should automatically disable guidance.

Row 51: O0C2_01, Corruption of… (detected: No)
Equipment failure effects: Possible corruptions are: • At least one (but not all) flight plan creation, update (including manual route input) and/or deletion input is not recorded in the central flight plan data processing system (FDPS). • At least one flight plan creation, update and/or deletion input is improperly processed by the central FDPS, leading to corrupted data. • At least one request to display a flight plan does not reach the central FDPS (thus resulting in a corrupted C2O0_01).
Mitigation features: • Even though the controller is allowed to input nearly anything, the central FDPS performs some consistency checks and will warn in case of inappropriate inputs.
Escalation effects: The failure induces the corruption of: • C2C3_01 • C2G1_01 • C2Ex_01 • C2Ex_02 • C2O5_01 • C2S3_01 • C2R0_03 • C2O0_01. The failure is likely to be simultaneous with the corruption of: • O0C2_02
Operational effects: Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected (on a long term perspective): • OE-01 • OE-03 • OE-04 • OE-05 • OE-06 • OE-07
Recommendations & comments: The impact is not as dramatic as the list of operational effects might suggest: the operational effects appear only very slowly as time goes by.

Row 52: O0C2_01, Corruption of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of planning input” alert.
Mitigation features: As above + • Hot switchover.
Escalation effects: • As above
Operational effects: Until traffic service is restored: • OE-18

Row 53: O0C2_02, Loss of… (detected: No)
Equipment failure effects: • All automated co-ordination from the TWR to the adjacent APP is lost.
Mitigation features: • Surveillance data (ExS3_01 and S3Ex_01) continue to support co-ordination.
Escalation effects: The failure is likely to be simultaneous with the loss of: • O0C2_01 • C2O0_02
Operational effects: Until service is restored or failure is detected: • OE-06
Recommendations & comments: Fault mode very similar to loss of C2Ex_02. Please refer to the latter for more details.

Row 54: O0C2_02, Loss of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of APP co-ordination output” alert.
Mitigation features: As above + • Hot switchover
Escalation effects: • As above
Operational effects: Until service is restored: • OE-19

Row 55: O0C2_02, Corruption of… (detected: No)
Equipment failure effects: Possible corruptions are: • At least one (but not all) automated co-ordination message sent from the TWR to the adjacent APP was never received. • At least one automated co-ordination message from the TWR to the adjacent APP has missing or erroneous data.
Mitigation features: • Surveillance data (ExS3_01 and S3Ex_01) continue to support co-ordination.
Escalation effects: The failure is likely to be simultaneous with the corruption of: • O0C2_01 • C2O0_02
Operational effects: Until service is restored or failure is detected: • OE-06
Recommendations & comments: Fault mode very similar to corruption of C2Ex_02. Please refer to the latter for more details.

Row 56: O0C2_02, Corruption of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of APP coordination output” alert.
Mitigation features: As above + • Hot switchover
Escalation effects: • As above
Operational effects: Until service is restored: • OE-19

Row 57: O0G1_01, Loss of… (detected: No)
Equipment failure effects: • Ground guidance aids cannot be manually controlled via the CWP.
Mitigation features: • Automated guidance (through C2G1_01 and G1Ex_01) should still function properly. • If automated guidance is not used, to avoid guidance aids remaining in an unsafe configuration, all stop bars automatically switch to the “closed” state after a predefined duration. • Vehicle (cf. G1G3_01) and aircraft (cf. G1Ex_02) on-board guidance is unaffected.
Escalation effects: The failure induces the corruption of: • G1Ex_01
Operational effects: Until service is restored or failure is detected: • OE-30
Recommendations & comments: Pilots and drivers are likely to detect and signal failure to the controller very quickly.

Row 58: O0G1_01, Loss of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of external guidance control” alert.
Mitigation features: As above + • Ground guidance aids possess their own control & monitoring tools, allowing for manual control. • Hot switchover
Escalation effects: • As above
Operational effects: • None
Recommendations & comments: Manual guidance being seen as a fallback solution to automated guidance and the FHA being performed with the single point of failure hypothesis, the operational effects consider that automated guidance is operative. Alternatively, the ground guidance aids’ own control and monitoring tools can be used.

Row 59: O0G1_01, Corruption of… (detected: No)
Equipment failure effects: Possible corruptions are: • At least one (but not all) manual command to a ground guidance aid does not effect correctly on the intended equipment. • At least one (but not all) manual command to a ground guidance aid effects as intended, but on an equipment which is not the intended equipment.
Mitigation features: • Automated guidance (through C2G1_01 and G1Ex_01) should still function properly. • If automated guidance is not used, to avoid guidance aids remaining in an unsafe configuration, all stop bars automatically switch to the “closed” state after a predefined duration. • Vehicle (cf. G1G3_01) and aircraft (cf. G1Ex_02) on-board guidance is unaffected.
Escalation effects: The failure induces the corruption of: • G1Ex_01
Operational effects: Until service is restored or failure is detected: • OE-32
Recommendations & comments: See comment in detected loss of O0G1_01.

Row 60: O0G1_01, Corruption of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of external guidance control” alert.
Mitigation features: As above + • Ground guidance aids possess their own control & monitoring tools, allowing for manual control, which override all A-SMGCS commands. • Hot switchover.
Escalation effects: • As above
Operational effects: • None

Row 61: O0R0_01, Loss of… (detected: No)
Equipment failure effects: • The controller is not able to set taxi route constraints in order to modify the default route proposed by the system.
Mitigation features: • None
Escalation effects: • None
Operational effects: • Not applicable.
Recommendations & comments: Route assignment is a process that is dissociated from taxi clearance. Before the taxi route is used by the system, the controller is bound to check and validate the route (e.g. to deliver the taxi clearance, which initiates the automatic guidance and conformance monitoring). Therefore, this non-detected fault mode is not a plausible hypothesis.

Row 62: O0R0_01, Loss of… (detected: Yes)
Equipment failure effects: As above + • Display of “Loss of route customisation” alarm.
Mitigation features: As above + • The controller can enter the complete routes manually, without semi-automatic routing support (cf. O0C2_01). • Hot switchover
Escalation effects: • None
Operational effects: Until service is restored, and for the (few) mobiles for which the default route is not applicable: • OE-14 (without semi-automatic routing support.)
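The mitigation listed for loss and corruption of O0G1_01 (rows 57 to 60) relies on a fail-safe default: a stop bar that is not refreshed reverts to “closed” on its own after a predefined duration, so a lost or corrupted manual command cannot leave a guidance aid in an unsafe configuration. The following model is an added illustration of that timeout behaviour and is not code from the EMMA project; the class layout, the 90 s timeout and the command sequence are assumptions made for the example, not design data from the report.

```python
"""Fail-safe stop-bar model: an "open" state that is not refreshed within a
predefined duration reverts to "closed" by itself (added example; the timeout
value and the command sequence below are constructed, not from the report)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class StopBar:
    """One controllable stop bar with an automatic close-on-timeout."""
    name: str
    auto_close_after_s: float = 90.0          # assumed example timeout
    _opened_at: Optional[float] = None         # time of the last "open" command
    _log: List[Tuple[float, str]] = field(default_factory=list)

    def command(self, open_requested: bool, now: float) -> None:
        """Apply a controller command received at time `now` (seconds)."""
        self._opened_at = now if open_requested else None
        self._log.append((now, "open" if open_requested else "closed"))

    def state_at(self, now: float) -> str:
        """Effective state at `now`: open only while the most recent open
        command is younger than the timeout; otherwise fail-safe closed."""
        if self._opened_at is None:
            return "closed"                    # explicitly closed or never opened
        if now - self._opened_at >= self.auto_close_after_s:
            return "closed"                    # timeout elapsed without a refresh
        return "open"

    def history(self) -> List[Tuple[float, str]]:
        return list(self._log)


def replay(commands: List[Tuple[float, bool]], probe_times: List[float],
           timeout_s: float = 90.0) -> List[str]:
    """Replay a time-ordered list of (time, open?) commands and report the
    effective state at each probe time.  Commands later than a probe time
    are ignored for that probe, which makes a lost command observable as a
    bar that closes by itself instead of staying open."""
    bar = StopBar("A1-hold", auto_close_after_s=timeout_s)
    states = []
    for t in probe_times:
        bar = StopBar("A1-hold", auto_close_after_s=timeout_s)
        for when, open_requested in commands:
            if when <= t:
                bar.command(open_requested, when)
        states.append(bar.state_at(t))
    return states


if __name__ == "__main__":
    # Constructed scenario: the bar is opened at t=0 and the refresh command
    # that should have followed is lost (O0G1_01 loss), so nothing arrives
    # until an explicit close at t=200.
    scenario = [(0.0, True), (200.0, False)]
    for t, s in zip([30.0, 89.0, 90.0, 150.0, 250.0],
                    replay(scenario, [30.0, 89.0, 90.0, 150.0, 250.0])):
        print(f"t={t:5.0f}s  state={s}")
```

Without the timeout, the lost refresh would leave the bar open indefinitely; with it, the bar is closed from t = 90 s onward whether or not the controller ever notices the lost command, which is exactly the property the mitigation depends on.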

Row 63: O0R0_01, Corruption of… (detected: No)
Equipment failure effects: Possible corruptions are: • At least one (but not all) taxi route customisation request does not provide the expected result (i.e. no result or erroneous result.)
Mitigation features: • None
Escalation effects: • None
Operational effects: • Not applicable.
Recommendations & comments: Route assignment is a process that is dissociated from taxi clearance. Before the taxi route is used by the system, the controller is bound to check and validate the route (e.g. to deliver the taxi clearance, which initiates the automatic guidance). Therefore, this non-detected fault mode is not a plausible hypothesis.

Row 64: O0R0_01, Corruption of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of route customisation” alert.
Mitigation features: As above + • Hot switchover.
Escalation effects: • None
Operational effects: Until service is restored, and for the (few) mobiles for which the default route is not applicable: • OE-14 (without semi-automatic routing support.)

Row 65: O0S3_01, Loss of… (detected: No)
Equipment failure effects: • Loss of controller capability to manually associate / dissociate a flight plan ID to a target.
Mitigation features: • None
Escalation effects: • None
Operational effects: • Not applicable.
Recommendations & comments: Since this is a manual command of the controller, it is impossible for this failure to go undetected.

Row 66: O0S3_01, Loss of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of manual association” alert.
Mitigation features: As above + • Hot switchover.
Escalation effects: • None
Operational effects: Until service is restored, and for the (few) mobiles for which automatic correlation is missing or erroneous: • OE-26 • OE-27 • OE-28 • OE-29 • OE-17

Row 67: O0S3_01, Corruption of… (detected: No)
Equipment failure effects: Possible corruptions are: • Erratic results to manual associations / dissociations of flight plan IDs to targets.
Mitigation features: • None
Escalation effects: • None
Operational effects: • Not applicable.
Recommendations & comments: Since this is a manual command of the controller, it is impossible for this failure to go undetected.

Row 68: O0S3_01, Corruption of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of manual association” alert.
Mitigation features: As above + • Hot switchover.
Escalation effects: • None
Operational effects: Until service is restored, and for the (few) mobiles for which automatic correlation is missing or erroneous: • OE-26 • OE-27 • OE-28 • OE-29 • OE-17

Row 69: O1Xx_01, Loss of… (detected: No)
Equipment failure effects: • Time distribution (and therefore synchronisation) is lost.
Mitigation features: There is no ICAO requirement on this topic. However, most systems have their own clock: • The ADS-B ground stations each carry their own GPS receiver to adjust the internal real time clock of the ground station's processor board. If GPS fails (i.e. the time source fails) the subsystem has the capability to support the correct time stamping for up to 4 hours using the internal real time clock. • For MLAT, there are 2 issues: synchronisation of receivers and time stamping of the output. The inter-ground station time synchronisation is done relative to the internal oscillator of the calibration ground station. This function is redundant. The ASTERIX time stamping is done within the central processing station based on the system clock of that computer, which is adjusted periodically using an external NTP server. If that NTP source fails, the MLAT can support correct time stamping for at least 4 hours as well. • Other A-SMGCS subsystems have performances similar to the ADS-B or the MLAT regarding correct time stamping and management.
Escalation effects: • None
Operational effects: Until service is restored or failure is detected: • OE-01 • OE-03 • OE-35
Recommendations & comments: A drift of 500ms can account for a 7m error on the position of an aircraft taxiing at 30 knots, and up to a 20m error on the position of an aircraft taxiing at 80 knots on a rapid exit taxiway. In case of reference time failure, the impact of the internal drifts on the mobile positions should be assessed. Should it become unacceptable for operation, additional recovery means could be added in the system.

Row 70: O1Xx_01, Loss of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of reference time” alert.
Mitigation features: As above + • Recovery via some form of redundancy.
Escalation effects: • None
Operational effects: Until service is restored: • OE-25 • OE-27 • OE-35
Recommendations & comments: Corrupted surveillance data should not be broadcast (via TIS-B).
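The relation behind the figures quoted for O1Xx_01 (a 500 ms time-stamp error on a mobile at 30 kt or 80 kt) is along-track error = time error × ground speed, and the mitigation text frames the question as one of holdover: how long a subsystem can keep time-stamping correctly on its own clock once the GPS or NTP reference is gone. The following calculator is an added example, not a tool from the EMMA project; it reproduces the report's speed-to-error relation and, going beyond the table, inverts it to give the largest tolerable time error for a position budget and checks a holdover period against an oscillator drift rate. The 20 ppm oscillator and the 7.5 m budget used in the demonstration are assumed values, not figures from the report.

```python
"""Time-drift to position-error estimates for A-SMGCS surveillance time stamps.
Added example (not part of the EMMA report).  The oscillator drift rate and
the error budget in the demonstration are assumed values."""

KNOT_TO_M_PER_S = 1852.0 / 3600.0   # one nautical mile per hour, in m/s


def position_error_m(drift_s: float, ground_speed_kt: float) -> float:
    """Along-track position error (m) caused by a time-stamp error of
    `drift_s` seconds on a mobile moving at `ground_speed_kt` knots."""
    return abs(drift_s) * ground_speed_kt * KNOT_TO_M_PER_S


def max_tolerable_drift_s(error_budget_m: float, ground_speed_kt: float) -> float:
    """Largest time-stamp error (s) that keeps the along-track error within
    `error_budget_m` at the given ground speed (inverse of position_error_m)."""
    if ground_speed_kt <= 0:
        raise ValueError("ground speed must be positive")
    return error_budget_m / (ground_speed_kt * KNOT_TO_M_PER_S)


def holdover_drift_s(holdover_h: float, oscillator_ppm: float) -> float:
    """Clock error (s) accumulated after `holdover_h` hours of free-running on
    an oscillator whose fractional frequency error is `oscillator_ppm` parts
    per million (an assumed characteristic, to be taken from equipment data)."""
    return holdover_h * 3600.0 * oscillator_ppm * 1e-6


def holdover_is_acceptable(holdover_h: float, oscillator_ppm: float,
                           error_budget_m: float, ground_speed_kt: float) -> bool:
    """True when the drift accumulated over the holdover period keeps the
    position error of the fastest expected mobile within the budget."""
    return (holdover_drift_s(holdover_h, oscillator_ppm)
            <= max_tolerable_drift_s(error_budget_m, ground_speed_kt))


if __name__ == "__main__":
    # The two cases quoted in the table: 500 ms drift at 30 kt and at 80 kt.
    for speed in (30.0, 80.0):
        print(f"500 ms drift at {speed:.0f} kt -> {position_error_m(0.5, speed):.1f} m")
    # Assumed example: a 20 ppm crystal free-running for the 4 h holdover
    # mentioned in the mitigation text, judged against an assumed 7.5 m budget.
    print(f"4 h holdover on a 20 ppm clock -> {holdover_drift_s(4.0, 20.0):.3f} s")
    print("7.5 m budget at 80 kt still met:",
          holdover_is_acceptable(4.0, 20.0, 7.5, 80.0))
```

The two quoted cases come out at about 7.7 m and 20.6 m, consistent with the 7 m and 20 m order of magnitude in the table. The holdover check is where the assessment the recommendation asks for would start: with the assumed 20 ppm clock, 4 hours accumulate 0.288 s of drift, which exceeds the 0.18 s that an 80 kt mobile can absorb within 7.5 m, so either the budget, the holdover duration or the oscillator quality would have to change.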

Row 71: O1Xx_01, Corruption of… (detected: No)
Equipment failure effects: Possible corruptions are: • Different A-SMGCS subsystems are out of synch. • Synch is performed too seldom and/or the configured allowed drift is too high. • The MLAT ground stations are out of synch, leading to false positioning.
Mitigation features: • Cf. undetected loss of O1Xx_01.
Escalation effects: • None
Operational effects: Until service is restored or failure is detected: • OE-01 • OE-03 • OE-35
Recommendations & comments: • Cf. undetected loss of O1Xx_01.

Row 72: O1Xx_01, Corruption of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of time” alert.
Mitigation features: As above + • Recovery via some form of redundancy.
Escalation effects: • None
Operational effects: Until service is restored: • OE-25 • OE-27 • OE-35
Recommendations & comments: Corrupted surveillance data should not be broadcast (via TIS-B).

Row 73: O2O0_01, Loss of… (detected: No)
Equipment failure effects: • System status (ok, fault, etc.) is not updated anymore on the CWP.
Mitigation features: • None
Escalation effects: The failure is likely to be simultaneous with the loss of: • XxO2_01
Operational effects: • None
Recommendations & comments: This case is not applicable: a loss of system status can always be detected. Moreover, with the single point of failure hypothesis, all other functions are nominal, so there is no operational effect.

Row 74: O2O0_01, Loss of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of technical supervision” alert.
Mitigation features: • None
Escalation effects: • As above.
Operational effects: • None
Recommendations & comments: The controller working position should monitor by itself the correct reception of the system status. Alternatively, a human operator (controller or technical supervisor) may detect the loss. In any case, with the single point of failure hypothesis, all other functions are nominal, so there is no operational effect.

Row 75: O2O0_01, Corruption of… (detected: No)
Equipment failure effects: Possible corruptions are: • The controller is provided with erroneous system status.
Mitigation features: • None
Escalation effects: The failure is likely to be simultaneous with the corruption of: • XxO2_01
Operational effects: Until service is restored or failure is detected: • Efficiency loss: even if the equipment is (obviously) working, the controller’s trust in the system will fall and he will revert to fallback or manual procedures, i.e. OE-23.
Recommendations & comments: With the single point of failure hypothesis, all other functions are nominal, so the erroneous system status concerns working equipment that is declared faulty.

Row 76: O2O0_01, Corruption of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of technical supervision” alert.
Mitigation features: As above + • Hot switchover.
Escalation effects: • As above
Operational effects: Until service is restored: As above.
Recommendations & comments: • Can a controller trust equipment that says it is corrupted? Logically yes, because if it is working, then what it says is true, i.e. it is corrupted; else, it is corrupted; in both cases, it is corrupted! However, we can make the same assumption as above, i.e. OE-23.

Row 77: O2Xx_01, Loss of… (detected: No)
Equipment failure effects: Technical control commands (e.g. switchover, shutdown, enter maintenance mode, etc…) are not executed, and this non-execution is not detected.
Comment: • This case is likely to be impossible.

Row 78: O2Xx_01, Loss of… (detected: Yes)
Equipment failure effects: Technical control commands (e.g. switchover, shutdown, enter maintenance mode, etc…) are not executed, and this is reflected by the technical supervision system.
Comment: • With the single point of failure hypothesis, all other functions are nominal, so the control commands are assumed to be related to non-operational requirements (e.g. maintenance). Therefore no operational effect is considered.

Row 79: O2Xx_01, Corruption of… (detected: No)
Equipment failure effects: Technical control commands (e.g. switchover, shutdown, enter maintenance mode, etc…) are not executed correctly, and this incorrect execution is not detected.
Comment: • This case is likely to be impossible.

Row 80: O2Xx_01, Corruption of… (detected: Yes)
Equipment failure effects: Technical control commands (e.g. switchover, shutdown, enter maintenance mode, etc…) are not executed correctly, and this is reflected by the technical supervision system.
Comment: • With the single point of failure hypothesis, all other functions are nominal, so the control commands are assumed to be related to non-operational requirements (e.g. maintenance). Therefore no operational effect is considered.

Row 81: O4X0_01, Loss of… (detected: No)
Equipment failure effects: The loss may concern one or a combination of the following: • Updates of rules (e.g. one-way taxiways, maximal capacity of a taxiway, allowed types of aircraft, taxiing and separation rules, etc.) & dynamic status of operational parts of the aerodrome are no more displayed to the controller nor provided to the concerned tools. • The different aerodrome mapping databases (ground system, on-board vehicle or aircraft systems) are not synchronised anymore. • Loss of local weather conditions for all stakeholders.
Mitigation features: • Guidance aids possess their own control & monitoring tools, which provide the status of ground guidance aids. • Until the service is restored, the CWP and the concerned tools maintain locally the last known dynamic status of operational parts of the aerodrome and the local weather conditions. • The flight information service – broadcast (FIS-B) provides some redundant information.
Escalation effects: The failure induces the corruption of: • R0C2_01 (i.e. taxi route elaboration makes use of obsolete rules, dynamic status & weather conditions) • Mobile on-board databases.
Operational effects: Until service is restored: • OE-03 • OE-07 • OE-36
Recommendations & comments: The aeronautical information system (AIS) also provides redundant information, which may be distributed through a separate digital automatic terminal information service (DATIS).

Row 82: O4X0_01, Loss of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of aerodrome database” alert.
Mitigation features: As above + • Until the service is restored, the controller, pilots & drivers can manually update the dynamic status of operational parts of the aerodrome on their display systems (display impact only for the CWP). • Hot switchover.
Escalation effects: • As above
Operational effects: Until service is restored, and for the (few) mobiles for which the default route is not applicable: • OE-27 • OE-14 • OE-16 • OE-36

Row 83: O4X0_01, Corruption of… (detected: No)
Equipment failure effects: Possible corruptions are: • Erratic updates of dynamic status of operational parts of the aerodrome. • The aerodrome-mapping databases maintained locally by the different sub-systems get out of synch. • Partial loss or corruption of local weather conditions.
Mitigation features: • Guidance aids possess their own control & monitoring tools, which provide the status of ground guidance aids. • The flight information service – broadcast (FIS-B) provides some redundant information.
Escalation effects: The failure induces the corruption of: • R0C2_01 (i.e. taxi route elaboration makes use of obsolete rules, dynamic status & weather conditions) • Mobile on-board databases.
Operational effects: Until traffic service is restored: • OE-03 • OE-07 • OE-36
Recommendations & comments: See comment in undetected loss of O4X0_01.

Row 84: O4X0_01, Corruption of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of aerodrome database” alert.
Mitigation features: As above + • Hot switchover.
Escalation effects: • As above
Operational effects: Until service is restored, and for the (few) mobiles for which the default route is not applicable: • OE-27 • OE-14 • OE-16 • OE-36

Row 85: R0C2_01, - (detected: -)
Equipment failure effects: • Cf. C2R0_01
Mitigation features: • Cf. C2R0_01
Escalation effects: • Cf. C2R0_01
Operational effects: • Cf. C2R0_01
Recommendations & comments: Cf. C2R0_01

Row 86: R0O0_01, - (detected: -)
Equipment failure effects: • Cf. O0R0_01
Mitigation features: • Cf. O0R0_01
Escalation effects: • Cf. O0R0_01
Operational effects: • Cf. O0R0_01
Recommendations & comments: Cf. O0R0_01

Row 87: S1O0_01, Loss of… (detected: No)
Equipment failure effects: • Loss of the raw or pseudo-analogue video on the controller working position
Mitigation features: • Synthetic traffic is unaffected. It is impossible not to notice this failure, so this case is not realistic.
Escalation effects: • Not applicable
Operational effects: • Not applicable

Row 88: S1O0_01, Loss of… (detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of raw video” alert.
Mitigation features: As above + • Hot switchover.
Escalation effects: • None
Operational effects: Until traffic service is restored: • The controller is less aware of the size or nature of the traffic. • OE-02

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

89 S1O0_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: Possible corruptions are: • Part (but not all) of the aerodrome is not covered by the primary surveillance.
Internal equipment mitigation features: • Synthetic traffic is unaffected.
Internal equipment escalation features: • None
Operational effects ref.: • None

90 S1O0_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of raw video” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • None
Operational effects ref.: • None

91 S1O2_01 (fault mode: Loss of…; detected: No)
Equipment failure effects: • Loss of the live status of the primary surveillance messages sent to the technical supervision.
Internal equipment mitigation features: • Supervision is also performed via the XxO2_01 flow.
Internal equipment escalation features: • None
Operational effects ref.: • Not applicable.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: This is a control flow: non-detection of its loss is a non-realistic hypothesis.

92 S1O2_01 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of SMR live status” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • None
Operational effects ref.: • None

93 S1O2_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: Possible corruptions are: • At least one (but not all) live status message is lost.
Internal equipment mitigation features: • Supervision is also performed via the XxO2_01 flow.
Internal equipment escalation features: • None
Operational effects ref.: • Not applicable.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: This is a control flow: non-detection of its corruption is a non-realistic hypothesis.

94 S1O2_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of SMR live status” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • None
Operational effects ref.: • None

95 S1S3_01 (fault mode: Loss of…; detected: No)
Equipment failure effects: • Loss of all non co-operative sensor track inputs to the sensor data fusion.
Internal equipment mitigation features: • Raw or pseudo-analogue video is unaffected (cf. S1O0_01).
Internal equipment escalation features: • None
Operational effects ref.: • Not applicable.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Considering the related live status control flow (S1O2_01), the non-detection of this fault mode is highly improbable.

96 S1S3_01 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of SMR tracks” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • None
Operational effects ref.: Until traffic service is restored: • OE-25 • OE-27

97 S1S3_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: Possible corruptions are: • Same as loss of S1S3_01 but restricted to a subset of non co-operative sensors and/or to a defined part of the aerodrome. • False target reports. • Loss in target report accuracy and/or resolution, which would render fusion difficult.
Internal equipment mitigation features: • Raw or pseudo-analogue video is unaffected (cf. S1O0_01).
Internal equipment escalation features: • None
Operational effects ref.: Until service is restored or failure is detected: • OE-01 • OE-03

98 S1S3_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of SMR tracks” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • None
Operational effects ref.: Until traffic service is restored: • OE-25 • OE-27

99 S2G3_01 (fault mode: Loss of…; detected: No)
Equipment failure effects: • Loss of all automatic dependent surveillance between ADS-B out mobiles in ADS-B in equipped vehicles.
Internal equipment mitigation features: • Not applicable.
Internal equipment escalation features: • Not applicable.
Operational effects ref.: • Not applicable.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: This is a distributed function between all ADS-B in and out equipped mobiles. The complete and simultaneous loss of all those flows is not within the scope of this FHA.

100 S2G3_01 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP & on the vehicle HMI of a “Loss of ADS-B” alert.
Internal equipment mitigation features: • As above.
Internal equipment escalation features: • As above.
Operational effects ref.: • As above.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: As above.

101 S2G3_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: Possible corruptions are: • At least one vehicle (but not all) does not emit its self-determined ADS-B data anymore. • At least one vehicle (but not all) does not receive ADS-B data anymore. • At least one vehicle emits erroneous ADS-B data.
Internal equipment mitigation features: • Even with in & out corruption, self-positioning data may be used on-board the vehicle for self-situation awareness.
Internal equipment escalation features: The failure is likely to be simultaneous with the corruption of: • G4G3_01
Operational effects ref.: Until service is restored or failure is detected: • OE-35

102 S2G3_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP & on the vehicle HMI of a “Corruption of ADS-B” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • As above.
Operational effects ref.: Until service is restored or failure is detected: • OE-35



103 S2O2_01 (fault mode: Loss of…; detected: No)
Equipment failure effects: • Loss of the live status of the co-operative surveillance sent to the technical supervision.
Internal equipment mitigation features: • Supervision is also performed via the XxO2_01 flow.
Internal equipment escalation features: • None
Operational effects ref.: • Not applicable.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: This is a control flow: non-detection of its loss is a non-realistic hypothesis.

104 S2O2_01 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of co-operative live status” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • None
Operational effects ref.: • None

105 S2O2_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: Possible corruptions are: • At least one (but not all) live status message is lost.
Internal equipment mitigation features: • Supervision is also performed via the XxO2_01 flow.
Internal equipment escalation features: • None
Operational effects ref.: • Not applicable.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: This is a control flow: non-detection of its corruption is a non-realistic hypothesis.

106 S2O2_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of co-operative live status” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • None
Operational effects ref.: • None

107 S2S3_01 (fault mode: Loss of…; detected: No)
Equipment failure effects: • Loss of surveillance data from co-operative sensors, including mobile self-established position, identification, heading, intentions, etc. Considering the related live status control flow (S2O2_01), the non-detection of this fault mode is highly improbable.
Internal equipment mitigation features: • Non co-operative sensors continue to provide reliable surveillance data. • Mobiles equipped with ADS-B in capability continue to benefit from some direct mobile-to-mobile co-operative surveillance data (cf. S2G3_01 and S2Ex_01).
Internal equipment escalation features: The failure induces the corruption of: • S3C1_01 • S3O0_01 • S3S4_01 • S3G4_01
Operational effects ref.: • Not applicable.

108 S2S3_01 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of all co-operative sensors” alert.
Internal equipment mitigation features: As above + • Hot switchover to redundant surveillance should be possible.
Internal equipment escalation features: • As above
Operational effects ref.: Until traffic is reduced, visibility conditions become acceptable, or service is restored: • OE-25 • OE-26 • OE-27 • OE-28 Additionally: • OE-13 Alternatively: • OE-17 • OE-20 • OE-22



109 S2S3_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: Possible corruptions are: • Partial loss of surveillance data from co-operative sensors, related to a subset of mobiles or to a part of the surveillance coverage area. • False co-operative reports (in terms of position and/or identification). • Overflow of secondary surveillance data. Concerning a system overload, it is not to be excluded that it could be a voluntary “attack” (cf. §1.3.6).
Internal equipment mitigation features: • Non co-operative sensors continue to provide reliable surveillance data. • If the corruption originates from a failure of ADS-B on-board equipment (aircraft or vehicle), then the non ADS-B co-operative sensors (e.g. MLAT) continue to provide reliable surveillance data.
Internal equipment escalation features: The failure induces the corruption of: • S3C1_01 • S3O0_01 • S3S4_01 • S3G4_01
Operational effects ref.: Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected: • OE-01 • OE-03
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Unlike the loss of S2S3_01, the detection of the corruption might not be obvious.

110 S2S3_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of co-operative sensors” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: As above + • In case of discrepancy between co-operative and non co-operative sensors, priority might (erroneously) be given to co-operative target reports.
Operational effects ref.: • Same as loss of S2S3_01.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: When a specific co-operative sensor is known to provide corrupted data, should the control authority be able to selectively disconnect it? This may seem surprising, but is it very different from disconnecting surface conflict alerts due to too many false alerts?

111 S3C1_01 (fault mode: Loss of…; detected: No)
Equipment failure effects: • Traffic data is not provided anymore to the traffic monitoring & alerting. Considering the related live status control flow (S3O2_01), the non-detection of this fault mode is highly improbable.
Internal equipment mitigation features: • The plan monitoring function continues to provide the controller with reliable plan deviation alerts. • On-board traffic monitoring & alerting continues to provide reliable alerts to pilots and drivers.
Internal equipment escalation features: The failure induces the loss of: • C1O0_01 The failure is likely to be simultaneous with the loss of: • S3O0_01 • S3S4_01 • S3G4_01
Operational effects ref.: • Not applicable.



112 S3C1_01 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of traffic monitoring” alert.
Internal equipment mitigation features: As above + • Hot switchover. • Fused sensor data is currently seen as the sole input to the traffic monitoring and alerting function. Re-configuration to a single sensor input in case of sensor fusion failure may represent an interesting back-up solution.
Internal equipment escalation features: • As above
Operational effects ref.: Until service is restored: • OE-27
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Even though the failure origin is on the surveillance, the technical alert will probably be on the traffic alerting failure.

113 S3C1_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: Possible corruptions are: • Same as undetected loss of S3C1_01. • Partial loss of surveillance data, related to a subset of mobiles (e.g. faulty secondary surveillance) or to a part of the surveillance coverage area. • The target report continuity is not ensured for (at least) one target. • One target report (at least) is provided with missing cinematic, missing identification or missing classification data. • One target report (at least) is provided with false position, false cinematic, false identification or false classification data. • Overflow of data.
Internal equipment escalation features: The failure induces the corruption of: • C1O0_01 For induced corruptions, see undetected corruption of C1O0_01. The failure is likely to be simultaneous with the corruption of: • S3O0_01 • S3S4_01 • S3G4_01
Operational effects ref.: Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected: • OE-03

114 S3C1_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of traffic monitoring” alert.
Internal equipment mitigation features: • Same as detected loss of S3C1_01.
Internal equipment escalation features: • As above
Operational effects ref.: Until service is restored: • OE-27
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Even though the failure origin is on the surveillance, the technical alert will probably be on the traffic alerting failure.



115 S3G4_01 (fault mode: Loss of…; detected: No)
Equipment failure effects: • The traffic situation, as seen and fused by the ground systems, is not provided anymore to the guidance function (for pilot & driver situation awareness).
Internal equipment mitigation features: • Mobiles equipped with ADS-B in capability continue to benefit from some direct mobile-to-mobile co-operative surveillance data.
Internal equipment escalation features: The failure induces the loss of: • G4G3_01 • G4Ex_01 The failure is likely to be simultaneous with the loss of: • S3O0_01 • S3S4_01 • S3C1_01
Operational effects ref.: • Not applicable.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Considering the related live status control flow (S3O2_01), the non-detection of this fault mode is highly improbable.

116 S3G4_01 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of TIS-B” alert.
Internal equipment mitigation features: As above + • Hot switchover. • Fused sensor data is currently seen as the sole input to the TIS-B function. Re-configuration to a single sensor input in case of sensor fusion failure may represent an interesting back-up solution.
Internal equipment escalation features: • As above
Operational effects ref.: Until service is restored: • OE-35 (but the pilots & drivers know it)
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Even though the failure origin is on the surveillance, the technical alert will probably be on the TIS-B failure.

117 S3G4_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: Possible corruptions are: • Same as undetected loss of S3G4_01. • Partial loss of surveillance data, related to a subset of mobiles (e.g. faulty secondary surveillance) or to a part of the surveillance coverage area. • The target report continuity is not ensured for (at least) one target. • One target report (at least) is provided with missing cinematic, missing identification or missing classification data. • One target report (at least) is provided with false position, false cinematic, false identification or false classification data. • Overflow of data.
Internal equipment escalation features: The failure induces the corruption of: • G4G3_01 • G4Ex_01 The failure is likely to be simultaneous with the corruption of: • S3O0_01 • S3S4_01 • S3C1_01
Operational effects ref.: Until service is restored or failure is detected: • OE-35 (but the pilots & drivers do not know it)



118 S3G4_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of TIS-B” alert.
Internal equipment mitigation features: • Same as detected loss of S3G4_01.
Internal equipment escalation features: • As above
Operational effects ref.: Until service is restored: • OE-35 (but the pilots & drivers know it)
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Even though the failure origin is on the surveillance, the technical alert will probably be on the TIS-B failure.

119 S3O0_01 (fault mode: Loss of…; detected: No)
Equipment failure effects: Synthetic track reports are not provided anymore to the controller working positions, and so: • Synthetic track symbols stop moving on the CWP. • Synthetic & pseudo-analogue target reports become inconsistent on the CWP.
Internal equipment mitigation features: • Raw or pseudo-analogue video should continue to provide reliable target localisation to the controller (cf. S1O0_01). • Co-operative sensors should continue to provide reliable target localisation to pilots and drivers (cf. S2G3_01 & S2Ex_01).
Internal equipment escalation features: The failure is likely to be simultaneous with the loss of: • S3C1_01 • S3S4_01 • S3G4_01
Operational effects ref.: • Not applicable.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Considering the related live status control flow (S3O2_01), the non-detection of this fault mode by the system is highly improbable. Moreover, due to the stopping of all synthetic tracks and due to the inconsistencies between synthetic & pseudo-analogue target reports, failure detection by the controller is also immediate.

120 S3O0_01 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of synthetic surveillance” alert.
Internal equipment mitigation features: As above + • Hot switchover. • The controller working position (CWP) can proceed locally with some short-term system track extrapolation.
Internal equipment escalation features: • As above
Operational effects ref.: Until traffic is reduced, visibility conditions become acceptable, or service is restored: • OE-25 • OE-17 • OE-20
Recommendations & comments w.r.t. ICAO A-SMGCS manual: The synthetic track symbols should remain displayed (afterglow) at the position at which they were last received for an offline configurable duration, and they should retain all their cinematic, identification, and classification attributes. This duration should not be too long: in case of SDF failure, the primary raw video is the better information.

121 S3O0_01 (fault mode: Temporary interruption of…; detected: No)
Equipment failure effects: Same as undetected loss of S3O0_01.
Internal equipment mitigation features: • Same as undetected loss of S3O0_01.
Operational effects ref.: Not applicable.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Considering the related live status control flow (S3O2_01), the non-detection of this fault mode by the system is highly improbable.

122 S3O0_01 (fault mode: Temporary interruption of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of synthetic surveillance” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Operational effects ref.: Until traffic is reduced, visibility conditions become acceptable, or service is restored: • OE-25



123 S3O0_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: Possible corruptions are: • Partial loss of surveillance data, related to a subset of mobiles (e.g. faulty secondary surveillance) or to a part of the surveillance coverage area. • The target report continuity is not ensured for (at least) one target. • One target report (at least) is provided with missing cinematic, missing identification or missing classification data. • One target report (at least) is provided with false position, false cinematic, false identification or false classification data. • Overflow of surveillance data to the CWP.
Internal equipment mitigation features: • The synthetic track symbol whose position continuity is not ensured should remain displayed (afterglow) at the position at which it was last received for an offline configurable duration, and it should retain all its cinematic, identification, and classification attributes. • The synthetic track symbol whose identification continuity is not ensured should maintain its last received identification. • Pseudo-analogue target reports should continue to provide reliable target localisation to the controller (cf. S1O0_01). • Co-operative sensors should continue to provide reliable target localisation to pilots and drivers (cf. S2G3_01 & S2Ex_01).
Internal equipment escalation features: The failure is likely to be simultaneous with the corruption of: • S3C1_01 • S3S4_01 • S3G4_01
Operational effects ref.: Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected: • OE-01
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Unlike the loss of S3O0_01, the detection of the corruption by the system or by the controller might not be obvious.

124 S3O0_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corrupted synthetic surveillance” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • As above
Operational effects ref.: Until traffic is reduced, visibility conditions become acceptable, or service is restored: • OE-25 • OE-17 • OE-20
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Even though pilots and drivers are provided with reliable target localisation (and alerting), pilots or drivers might choose to trust controller instructions rather than their own position display and/or alerting.

125 S3O2_01 (fault mode: Loss of…; detected: No)
Equipment failure effects: • Loss of the live status of the surveillance sent to the technical supervision.
Internal equipment mitigation features: • Supervision is also performed via the XxO2_01 flow.
Internal equipment escalation features: • None
Operational effects ref.: • Not applicable.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: This is a control flow: non-detection of its loss is a non-realistic hypothesis.

126 S3O2_01 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of surveillance live status” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • None
Operational effects ref.: • None

127 S3O2_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: Possible corruptions are: • At least one (but not all) live status message is lost.
Internal equipment mitigation features: • Supervision is also performed via the XxO2_01 flow.
Internal equipment escalation features: • None
Operational effects ref.: • Not applicable.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: This is a control flow: non-detection of its corruption is a non-realistic hypothesis.



128 S3O2_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of surveillance live status” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • None
Operational effects ref.: • None

129 S3S4_01 (fault mode: Loss of…; detected: No)
Equipment failure effects: • The traffic situation, as seen and fused by the ground systems, is not provided anymore to the traffic movement characterisation function. For induced equipment effects, cf. undetected loss of S4C3_01.
Internal equipment mitigation features: • None
Internal equipment escalation features: The failure induces the loss of: • S4C3_01 The failure is likely to be simultaneous with the loss of: • S3O0_01 • S3C1_01 • S3G4_01
Operational effects ref.: Not applicable.
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Considering the related live status control flow (S3O2_01), the non-detection of this fault mode by the system is highly improbable.

130 S3S4_01 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of synthetic surveillance” alert.
Internal equipment mitigation features: • Cf. detected loss of S4C3_01
Internal equipment escalation features: • As above.
Operational effects ref.: • Cf. detected loss of S4C3_01

131 S3S4_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: • Cf. undetected corruption of S4C3_01
Internal equipment mitigation features: • Cf. undetected corruption of S4C3_01
Internal equipment escalation features: The failure induces the corruption of: • S4C3_01 The failure is likely to be simultaneous with the corruption of: • S3O0_01 • S3C1_01 • S3G4_01
Operational effects ref.: • Cf. undetected corruption of S4C3_01.

132 S3S4_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: • Cf. detected corruption of S4C3_01
Internal equipment mitigation features: • Cf. detected corruption of S4C3_01
Internal equipment escalation features: • As above
Operational effects ref.: • Cf. detected corruption of S4C3_01



133 S4C3_01 (fault mode: Loss of…; detected: No)
Equipment failure effects: Traffic characterisation events are not sent anymore to the plan monitoring and alerting function, so: • Flight plans are not updated anymore with plan monitoring alerts (i.e. plan deviations), so the latter are not conveyed to the CWP anymore. • Flight progress based on surveillance data is not updated automatically anymore (e.g. support to silent hand-over is lost, entering of actual take-off time into the flight plan upon aircraft take-off is not performed anymore), so the latter is not conveyed to the CWP anymore.
Internal equipment mitigation features: • A safety net is still ensured by the traffic monitoring & alerting function.
Internal equipment escalation features: The failure induces the corruption of: • C3C2_01
Operational effects ref.: Until service is restored or failure is detected: • OE-04 • OE-05

134 S4C3_01 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of plan monitoring & alerting” alert.
Internal equipment mitigation features: As above + • The controller can manually enter the flight progress (in order to keep the flight plans up to date). • Hot switchover.
Internal equipment escalation features: • As above
Operational effects ref.: Until service is restored: • OE-12 • OE-28 Alternatively, until service is restored, the controller may wish to forget about part of the automation, leading to the following operational effects: • OE-28 • OE-29
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Even though the failure origin is on the surveillance, the technical alert will probably be on the plan monitoring & alerting failure. Also, even though an alternative set of operational effects has been given, the manual flight plan management (i.e. OE-12) is highly recommended because it has both an impact on plan conformance monitoring and on co-ordination support.



135 S4C3_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: Possible corruptions are: • At least one (but not all) traffic characterisation event is missing. • The plan monitoring and alerting function is provided with at least one false traffic characterisation event. • Overflow of events.
Internal equipment mitigation features: • A safety net is still ensured by the traffic monitoring & alerting function.
Internal equipment escalation features: The failure induces the corruption of: • C3C2_01
Operational effects ref.: Until service is restored or failure is detected: • OE-04 • OE-05
Recommendations & comments w.r.t. ICAO A-SMGCS manual: The possible corruptions mentioned opposite lead to equipment effects similar to those listed in the undetected loss of S4C3_01, but the extent of the effects is limited. Thus the operational effects are also similar, but restricted to a subset of mobiles and/or part of the aerodrome.

136 S4C3_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of plan monitoring & alerting” alert.
Internal equipment mitigation features: As above + • The controller can manually enter the flight progress (in order to keep the flight plans up to date). • Hot switchover.
Internal equipment escalation features: • As above
Operational effects ref.: Until service is restored: • OE-12 • OE-28
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Even though the failure origin is on the surveillance, the technical alert will probably be on the plan monitoring & alerting failure.

137 XxO2_01 (fault mode: Loss of…; detected: No)
Equipment failure effects: • Sub-system status monitoring is lost for all internal sub-systems. This case can only happen with the hypothesis that it is the central technical supervision that fails.
Internal equipment mitigation features: • Each sub-system has its own built-in test.
Internal equipment escalation features: The failure is likely to be simultaneous with the loss of: • S1O2_01 • S2O2_01 • S3O2_01
Operational effects ref.: • ???

138 XxO2_01 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: • -
Internal equipment mitigation features: • -
Internal equipment escalation features: • -
Operational effects ref.: • -
Recommendations & comments w.r.t. ICAO A-SMGCS manual: This case is not applicable.

139 XxO2_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: • ???
Internal equipment mitigation features: • ???
Internal equipment escalation features: • ???
Operational effects ref.: • ???

140 XxO2_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: • -
Internal equipment mitigation features: • -
Internal equipment escalation features: • -
Operational effects ref.: • -
Recommendations & comments w.r.t. ICAO A-SMGCS manual: This case is not applicable.

141 XxO3_01 (fault mode: Loss of…; detected: No)
Equipment failure effects: • Sub-system status recording is lost for all internal sub-systems.
Internal equipment mitigation features: • None
Internal equipment escalation features: • None
Operational effects ref.: • None

142 XxO3_01 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of recording” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • None
Operational effects ref.: • None



143 XxO3_01 (fault mode: Corruption of…; detected: No)
Equipment failure effects: Possible corruptions are: • Sub-system status recording is lost for at least one, but not all internal sub-systems.
Internal equipment mitigation features: • None
Internal equipment escalation features: • None
Operational effects ref.: • None

144 XxO3_01 (fault mode: Corruption of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Corruption of recording” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • None
Operational effects ref.: • None

145 XxO3_02 (fault mode: Loss of…; detected: No)
Equipment failure effects: • Proprietary data recording is lost for all internal sub-systems.
Internal equipment mitigation features: • None
Internal equipment escalation features: • None
Operational effects ref.: • None
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Reporting of operational alerts shall be carried out in a controlled manner to ensure that the recipient of the alert does not receive a cascade of messages from the recording, which may cause the operator to overlook alerts raised by other runtime applications that may have an impact on system safety.

146 XxO3_02 (fault mode: Loss of…; detected: Yes)
Equipment failure effects: As above + • Display on the CWP of a “Loss of recording” alert.
Internal equipment mitigation features: As above + • Hot switchover.
Internal equipment escalation features: • None
Operational effects ref.: • None
Recommendations & comments w.r.t. ICAO A-SMGCS manual: Failure of the REC runtime application on the central recording servers in the Operational State due to software malfunction shall not degrade the operation of any other runtime application running in the system.



Columns: Internal flow ref. | Fault modes | Fault mode detection | Equipment failure effects [27] (at equipment level but visible by end-users) | Internal equipment mitigation features | Internal equipment escalation features | Operational effects ref. | Operational effects of equipment fault mode | Recommendations & comments with respect to ICAO A-SMGCS manual

Row 147 (XxO3_02, Corruption of…, fault mode detection: No)
  Equipment failure effects: Possible corruptions are: • CPU overload. • LAN overflow. • Proprietary data recording is lost for at least one, but not all, internal subsystems.
  Internal equipment mitigation features: • None
  Internal equipment escalation features: • None
  Operational effects ref.: • OE-09
  Operational effects of equipment fault mode: Until service is restored or failure is detected: • System response time increases above tolerable values.

Row 148 (XxO3_02, Corruption of…, fault mode detection: Yes)
  Equipment failure effects: As above + • Display on the CWP of a “Corruption of recording” alert.
  Internal equipment mitigation features: • None
  Internal equipment escalation features: As above + • Hot switchover. • Recording interruption.
  Operational effects ref.: • As above.
  Recommendations & comments: Recording CPU load shall be limited to 50%. The quantity of recorded data transmitted on the LAN when transferring data from remote nodes to the central recording server shall not exceed a load of 350 kilobytes/s. Failure of local recording running on a remote node shall not degrade the operation of the central runtime application that is carrying out the recording, nor the operation of any other runtime application on that node.

Table 5-11: Internal fault modes and effects analysis table (part 1)



Columns: External flow ref. | Fault modes | Fault mode detection | Equipment failure effects (at equipment level but visible by end-users) | Internal equipment mitigation features | Internal equipment escalation features | Operational effects ref. | Operational effects of equipment fault mode | Recommendations & comments with respect to ICAO A-SMGCS manual

Row 149 (C2Ex_01, Loss of…, fault mode detection: No)
  Equipment failure effects: • Planning data is not provided anymore to external systems (e.g. external FDPS, AODB, FIDS, etc.) or to external end-users. If the adjacent APP does not receive the expected data, the controller is likely to detect the failure very quickly. The crisis management, if any, will be on the APP side, not in the tower.
  Internal equipment mitigation features: • None
  Internal equipment escalation features: The failure is likely to be simultaneous with the loss of: • C2C3_01 • C2G1_01 • C2O0_01 • C2S3_01 • C2Ex_02 • ExC2_01
  Operational effects of equipment fault mode: • Not applicable.

Save Date: 2006-10-11 File name: D139_FHAvPSSA_V1.0.doc



Row 150 (C2Ex_01, Loss of…, fault mode detection: Yes)
  Equipment failure effects: As above + • Display on the CWP of a “Loss of external flight plan output” alert.
  Internal equipment mitigation features: As above + • Hot switchover
  Internal equipment escalation features: • As above
  Operational effects ref.: Until service is restored: • OE-19

Row 151 (C2Ex_01, Corruption of…, fault mode detection: No)
  Equipment failure effects: Possible corruptions are: • Planning data provided to external systems / users are incomplete and / or incorrect. • The external systems suffer from overload. If the adjacent APP receives corrupted data, the controller is less likely to detect the failure than in case of loss. However, the crisis management, if any, will be on the APP side, not in the tower.
  Internal equipment mitigation features: • None
  Internal equipment escalation features: The failure is likely to be simultaneous with the corruption of: • C2C3_01 • C2G1_01 • C2O0_01 • C2S3_01 • C2Ex_02 • ExC2_01

Row 152 (C2Ex_01, Corruption of…, fault mode detection: Yes)
  Equipment failure effects: As above + • Display on the CWP of a “Corruption of external flight plan output” alert.
  Internal equipment mitigation features: • Hot switchover
  Internal equipment escalation features: • As above
  Operational effects ref.: Until service is restored: • OE-19

Row 153 (C2Ex_02, Loss of…, fault mode detection: No)
  Equipment failure effects: • All automated co-ordination from the TWR to the adjacent APP is stopped.
  Internal equipment mitigation features: • Surveillance data (ExS3_01 and S3Ex_01) continue to support co-ordination.
  Internal equipment escalation features: The failure is likely to be simultaneous with the loss of: • C2C3_01 • C2G1_01 • C2O0_01 • C2S3_01 • C2Ex_01 • ExC2_02
  Operational effects ref.: • OE-06
  Operational effects of equipment fault mode: Until service is restored or failure is detected: • The controller’s awareness of the traffic situation in adjacent sectors is severely compromised.
  Recommendations & comments: The operational effect concerns mainly the APP controller. However, if the APP is unable to accept a flight during a hand-over process, the TWR controller must handle the crisis. The TWR and APP controllers are likely to detect the failure at the 1st co-ordination mishap.

Row 154 (C2Ex_02, Loss of…, fault mode detection: Yes)
  Equipment failure effects: As above + • Display on the CWP of a “Loss of APP coordination” alert.
  Internal equipment mitigation features: As above + • Hot switchover
  Operational effects ref.: • As above. • OE-19
  Operational effects of equipment fault mode: Until service is restored: • Controller workload increase: need to revert to RTF co-ordination with adjacent APP.



Row 155 (C2Ex_02, Corruption of…, fault mode detection: No)
  Equipment failure effects: Possible corruptions are: • At least one automated co-ordination message sent from the TWR to the adjacent APP was never received. • At least one automated co-ordination message from the TWR to the adjacent APP has missing or erroneous data. • At least one automated co-ordination message from the TWR to the adjacent APP is sent at an inappropriate time (e.g. too early).
  Internal equipment mitigation features: • Surveillance data (ExS3_01 and S3Ex_01) continue to support co-ordination.
  Internal equipment escalation features: The failure is likely to be simultaneous with the corruption of: • C2C3_01 • C2G1_01 • C2O0_01 • C2S3_01 • C2Ex_01 • ExC2_02
  Operational effects ref.: Until service is restored or failure is detected: • OE-06
  Recommendations & comments: Unlike the “loss of C2Ex_02” fault mode, the erratic behaviour of the system in this fault mode makes it unlikely that the TWR and APP controllers detect the failure very quickly.

Row 156 (C2Ex_02, Corruption of…, fault mode detection: Yes)
  Equipment failure effects: As above + • Display on the CWP of a “Corruption of APP coordination” alert.
  Internal equipment mitigation features: As above + • Hot switchover
  Internal equipment escalation features: • As above
  Operational effects ref.: Until service is restored: • OE-19

Row 157 (G1Ex_01, Loss of…, fault mode detection: No)
  Equipment failure effects: • The commands for the ground guidance aids are not provided anymore. • Both automatic (cf. C2G1_01) and manual (cf. O0G1_01) commands are concerned.
  Internal equipment mitigation features: • Vehicle (cf. G1G3_01) and aircraft (cf. G1Ex_02) on-board guidance is unaffected.
  Operational effects ref.: • OE-30
  Operational effects of equipment fault mode: Until service is restored or failure is detected: • Pilots and/or drivers do not receive any automated guidance from ground guidance aids.
  Recommendations & comments: To avoid guidance aids remaining in an unsafe configuration, all stop bars should automatically switch to the “closed” state after a predefined duration.



Row 158 (G1Ex_01, Loss of…, fault mode detection: Yes)
  Equipment failure effects: As above + • Display on the CWP of a “Loss of external guidance control” alert.
  Internal equipment mitigation features: As above + • Ground guidance aids possess their own control & monitoring tools. • Hot switchover
  Internal equipment escalation features: • None
  Operational effects ref.: • OE-21 • OE-24
  Operational effects of equipment fault mode: Until traffic is reduced or service is restored: • OE-30 • Controller workload increase & frequency congestion: the controller reverts to RTF guidance (optionally supported by on-board guidance). Or • Controller workload increase: the controller uses the guidance aids’ own control & monitoring tools to control them manually.

Row 159 (G1Ex_01, Corruption of…, fault mode detection: No)
  Equipment failure effects: Possible corruptions are: • At least one (but not all) ground guidance command does not actuate the intended guidance aid. • At least one ground guidance command actuates a guidance aid different from the intended one. • At least one ground guidance command actuates a guidance aid differently from the expected actuation.
  Internal equipment mitigation features: • Vehicle (cf. G1G3_01) and aircraft (cf. G1Ex_02) on-board guidance is unaffected.
  Internal equipment escalation features: • None
  Operational effects ref.: • OE-32 • OE-34
  Operational effects of equipment fault mode: Until service is restored or failure is detected: • Pilots and/or drivers are provided with missing or erroneous indications via the ground guidance aids (e.g. opened stop bar). • Pilots and/or drivers are provided with inconsistent guidance indications (between ground, on-board and RTF).
  Recommendations & comments: A guidance command modifies the state of at least one guidance aid. Assuming a single point of failure, the guidance aids monitoring (cf. G2G1_01) is supposed to be operational. It therefore ensures that the expected actuation really occurs, and so failure detection should be immediate.
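Two design points from the G1Ex_01 rows are worth seeing together in code: the recommendation in row 157 that a stop bar left open should re-close by itself after a predefined duration (so a lost commanding flow fails safe), and the comment in row 159 that comparing the commanded state with the state seen by the guidance-aid monitoring (G2G1_01) makes a mis-actuation immediately detectable. The following is an added example written for this edition, not code from the EMMA project; the lease length, stop-bar identifiers and monitoring reports are assumptions.

```python
"""Added example (not part of the EMMA report): a fail-safe stop-bar command
handler illustrating two points made in the table above.

1. Loss of G1Ex_01: an "open" command is only valid for a lease; a watchdog
   reverts any stop bar whose lease has expired to "closed", so a loss of
   the commanding flow cannot leave a bar open indefinitely.
2. Corruption of G1Ex_01: the state reported by the guidance-aid monitoring
   (G2G1_01 in the report) is compared against the commanded state, so a
   command that does not actuate, actuates the wrong aid, or actuates it the
   wrong way is flagged on the next monitoring cycle.

Lease length, stop-bar identifiers and monitoring reports are assumptions
made for this example; the report does not specify them.
"""
from dataclasses import dataclass
from typing import Optional

CLOSED, OPEN = "closed", "open"
OPEN_LEASE_S = 90.0   # assumed "predefined duration" after which an open bar re-closes


@dataclass
class StopBar:
    commanded: str = CLOSED                 # last state commanded by the A-SMGCS
    lease_expires: Optional[float] = None   # set only while commanded OPEN


class StopBarController:
    def __init__(self, bar_ids, lease_s: float = OPEN_LEASE_S) -> None:
        self.bars = {bid: StopBar() for bid in bar_ids}
        self.lease_s = lease_s

    def command(self, t: float, bar_id: str, state: str) -> None:
        """Record a command; an OPEN command carries an expiry, CLOSED never does."""
        if state not in (OPEN, CLOSED):
            raise ValueError(f"unknown stop-bar state {state!r}")
        bar = self.bars[bar_id]
        bar.commanded = state
        bar.lease_expires = t + self.lease_s if state == OPEN else None

    def refresh(self, t: float, bar_id: str) -> None:
        """A live commanding flow keeps an open bar open by extending its lease."""
        bar = self.bars[bar_id]
        if bar.commanded == OPEN:
            bar.lease_expires = t + self.lease_s

    def watchdog(self, t: float) -> list[str]:
        """Fail-safe tick: close every bar whose open lease has run out.

        If the commanding flow is lost, no refresh arrives and every open bar
        falls back to CLOSED within one lease period.
        """
        reverted = []
        for bid, bar in self.bars.items():
            if bar.commanded == OPEN and bar.lease_expires is not None and t >= bar.lease_expires:
                bar.commanded, bar.lease_expires = CLOSED, None
                reverted.append(bid)
        return sorted(reverted)

    def expected_states(self) -> dict[str, str]:
        return {bid: bar.commanded for bid, bar in self.bars.items()}


def verify_actuation(expected: dict[str, str], observed: dict[str, str]) -> list[str]:
    """Compare commanded states with the states reported by aid monitoring.

    One finding per discrepancy; an empty list means every command took effect
    as intended and nothing moved that was not commanded.
    """
    findings = []
    for bid, want in sorted(expected.items()):
        got = observed.get(bid)
        if got is None:
            findings.append(f"{bid}: no monitoring report")
        elif got != want:
            findings.append(f"{bid}: commanded {want}, observed {got}")
    for bid in sorted(set(observed) - set(expected)):
        findings.append(f"{bid}: reported by monitoring but unknown to the controller")
    return findings


def demo() -> dict:
    """Constructed scenario: one bar opened, a mis-actuated neighbour, then loss of commands."""
    ctl = StopBarController(["SB-A1", "SB-A2", "SB-B1"])
    ctl.command(0.0, "SB-A1", OPEN)

    # Corruption case: monitoring shows SB-A2 open although only SB-A1 was commanded.
    corrupted = verify_actuation(ctl.expected_states(),
                                 {"SB-A1": OPEN, "SB-A2": OPEN, "SB-B1": CLOSED})
    # Healthy case on the same commands.
    healthy = verify_actuation(ctl.expected_states(),
                               {"SB-A1": OPEN, "SB-A2": CLOSED, "SB-B1": CLOSED})

    # Loss case: last refresh at t=30 s, then the commanding flow disappears.
    ctl.refresh(30.0, "SB-A1")
    early = ctl.watchdog(100.0)   # lease runs to 120 s: nothing reverts yet
    late = ctl.watchdog(120.0)    # lease expired: SB-A1 re-closes
    return {"corrupted": corrupted, "healthy": healthy, "early": early, "late": late,
            "final": ctl.expected_states()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lease turns "loss of G1Ex_01" from a latent unsafe state into a bounded one: the worst case is a stop bar open for one lease period beyond the last valid command. The actuation check covers all three corruption cases listed in row 159, because each of them leaves at least one aid whose observed state differs from its commanded state.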



Row 160 (G1Ex_01, Corruption of…, fault mode detection: Yes)
  Equipment failure effects: As above + • Display on the CWP of a “Corruption of external guidance control” alert.
  Internal equipment mitigation features: As above + • A-SMGCS control of ground guidance aids can be disconnected. • Ground guidance aids possess their own control & monitoring tools, allowing for manual control, which overrides all A-SMGCS commands. • Hot switchover
  Internal equipment escalation features: • None
  Operational effects of equipment fault mode: Until traffic is reduced, visibility conditions become better or service is restored: • OE-21 (optionally supported by on-board guidance).

Row 161 (G1Ex_02, Loss of…, fault mode detection: No)
  Equipment failure effects: • The taxi routes are not translated onto the pilot CDTI. • None of the clearances (e.g. push, start-up, take-off, etc.) are up-linked.
  Internal equipment mitigation features: • Ground guidance aids are unaffected (and they confirm RTF instructions). • Read-back.
  Internal equipment escalation features: The failure is likely to be simultaneous with the loss of: • G1G3_01
  Operational effects ref.: Until service is restored or failure is detected: • OE-31 • OE-33
  Recommendations & comments: How is the read-back to be implemented? Obviously, the loss may occur when an aircraft has already been cleared for a taxi route. In this case, the loss of the route update is comparable to a corruption, and detection is far from obvious.

Row 162 (G1Ex_02, Loss of…, fault mode detection: Yes)
  Equipment failure effects: As above + • Display on the CWP and on the pilot CDTI of a “Loss of AGDL guidance” alert.
  Internal equipment mitigation features: As above + • Hot switchover.
  Internal equipment escalation features: • As above
  Operational effects ref.: Until service is restored: • OE-21



Row 163 (G1Ex_02, Corruption of…, fault mode detection: No)
  Equipment failure effects: Possible corruptions are: • At least one taxi route is not translated onto the pilot CDTI. • At least one (but not all) clearance is not up-linked to the aircraft. • At least one false clearance is up-linked to an aircraft (i.e. incorrect instruction to the intended aircraft, or correct instruction sent to an unintended aircraft).
  Internal equipment mitigation features: • Ground guidance aids are unaffected. • Read-back.
  Internal equipment escalation features: The failure is likely to be simultaneous with the corruption of: • G1G3_01
  Operational effects ref.: Until service is restored or failure is detected: • OE-33 • OE-34
  Recommendations & comments: How is the read-back to be implemented? This fault mode is likely to be detected immediately by the aircraft pilots (cf. operational effects), so this case is not a reasonable hypothesis.

Row 164 (G1Ex_02, Corruption of…, fault mode detection: Yes)
  Equipment failure effects: As above + • Display on the CWP and on the pilot CDTI of a “Corruption of AGDL guidance” alert.
  Internal equipment mitigation features: As above + • Hot switchover.
  Internal equipment escalation features: • As above
  Operational effects ref.: Until service is restored: • OE-21 • OE-34

Row 165 (G4Ex_01, Loss of…, fault mode detection: No)
  Equipment failure effects: • The traffic situation, as seen and fused by the ground systems, is not sent anymore to the pilot CDTI.
  Internal equipment mitigation features: • Aircraft equipped with ADS-B in capability continue to benefit from some direct mobile-to-mobile co-operative surveillance data.
  Internal equipment escalation features: The failure is likely to be simultaneous with the loss of: • G4G3_01
  Operational effects ref.: Until service is restored or failure is detected: • OE-35 (but the pilots do not know it)

Row 166 (G4Ex_01, Loss of…, fault mode detection: Yes)
  Equipment failure effects: As above + • Display on the CWP of a “Loss of TIS-B” alert.
  Internal equipment mitigation features: As above + • Hot switchover.
  Internal equipment escalation features: • As above
  Operational effects ref.: Until service is restored: • OE-35 (but the pilots know it)

Row 167 (G4Ex_01, Corruption of…, fault mode detection: No)
  Equipment failure effects: Possible corruptions are: • At least one (but not all) ground system track is not reported to the CDTI. • At least one part of the aerodrome (but not all) is not covered by the traffic information service broadcast (TIS-B). • At least one false ground system track is reported to the CDTI.
  Internal equipment mitigation features: • Aircraft equipped with ADS-B in capability continue to benefit from some direct mobile-to-mobile co-operative surveillance data, and this may show some inconsistencies with the TIS-B data.
  Internal equipment escalation features: The failure is likely to be simultaneous with the corruption of: • G4G3_01
  Operational effects ref.: Until service is restored or failure is detected: • OE-35 (but the pilots do not know it)
  Recommendations & comments: False tracks may generate false alarms on-board the aircraft.



Row 168 (G4Ex_01, Corruption of…, fault mode detection: Yes)
  Equipment failure effects: As above + • Display on the CWP of a “Corruption of TIS-B” alert.
  Internal equipment mitigation features: As above + • Hot switchover.
  Internal equipment escalation features: • As above
  Operational effects ref.: Until service is restored: • OE-35 (but the pilots know it)

Row 169 (O0Ex_01, Loss of…, fault mode detection: No / Yes)
  Equipment failure effects: • Failure of all output devices: screen(s), loudspeakers, diodes, etc.
  Internal equipment mitigation features: • The controller may use a redundant HMI, or may share an HMI with another controller. • The strip printer can rapidly provide a paper copy of all electronic strips. • The supervisor may need to perform a re-sectorisation.
  Internal equipment escalation features: • As a side effect, all input devices become unserviceable (cf. ExO0_01). • The level of service provided by the equipment to pilots and drivers is initially unchanged; however, the lack of controller inputs will progressively and rapidly degrade the level of service to all users.
  Operational effects ref.: • OE-23
  Operational effects of equipment fault mode: Until service is restored: • The controller returns to SMGCS (or worse?) working procedures and conditions.

Row 170 (O0Ex_01, Corruption of…, fault mode detection: No / Yes)
  Equipment failure effects: Possible corruptions are: • At least one output device fails partially (e.g. screen output is blurred) or totally. • At least one output device provides erroneous data (e.g. loudspeakers beep continuously).
  Internal equipment mitigation features: Same as loss of O0Ex_01 + • CWP is fail-soft (i.e. all strips & tracks remain on the screen in case of failure). • Supervisor may need to perform a re-sectorisation.
  Operational effects ref.: • A wide range of effects, from slight controller discomfort to OE-23.

Row 171 (S2Ex_01, Loss of…, fault mode detection: No)
  Equipment failure effects: • Loss of all automatic dependent surveillance between ADS-B out mobiles and ADS-B in equipped aircraft.
  Internal equipment mitigation features: • Not applicable.
  Internal equipment escalation features: • Not applicable.
  Operational effects ref.: • Not applicable.
  Recommendations & comments: This is a distributed function between all ADS-B in and out equipped mobiles. The complete and simultaneous loss of all those flows is not within the scope of this FHA.

Row 172 (S2Ex_01, Loss of…, fault mode detection: Yes)
  Equipment failure effects: As above + • Display on the CWP & on the CDTI of a “Loss of ADS-B” alert.
  Internal equipment mitigation features: • As above.
  Internal equipment escalation features: • As above.
  Operational effects ref.: • As above.
  Recommendations & comments: As above.



Row 173 (S2Ex_01, Corruption of…, fault mode detection: No)
  Equipment failure effects: Possible corruptions are: • At least one aircraft (but not all) does not emit its self-determined ADS-B data anymore. • At least one aircraft (but not all) does not receive ADS-B in data anymore. • At least one aircraft emits erroneous ADS-B data.
  Internal equipment mitigation features: • Even with in & out corruption, self-positioning data may be used on-board the aircraft for self-situation awareness.
  Internal equipment escalation features: The failure is likely to be simultaneous with the corruption of: • G4Ex_01
  Operational effects ref.: Until service is restored or failure is detected: • OE-35

Row 174 (S2Ex_01, Corruption of…, fault mode detection: Yes)
  Equipment failure effects: As above + • Display on the CWP & on the CDTI of a “Corruption of ADS-B” alert.
  Internal equipment mitigation features: As above + • Hot switchover.
  Internal equipment escalation features: • As above.
  Operational effects ref.: Until service is restored or failure is detected: • OE-35

Table 5-12: Internal fault modes and effects analysis table (part 2)

Appendix E  Identification of hazards
Ref. number: D1.3.9

Objectives

When identifying hazards, different levels of hazards can be considered, as a hazard is a potentially unsafe condition at the boundary of the scope of the system under assessment. Ideally, hazards should be identified at the level of the air navigation system or service (cf. SAM v2.0, FHA, guidance material B1, §4). However, since the scope of an A-SMGCS is reduced to a sub-level of this air navigation system, the hazards herein are identified at the boundary of the A-SMGCS, but they encompass all elements of that sub-system, i.e. people (controllers, pilots and drivers), procedures and equipment.

Discussion

The different system safety assessment steps performed up to now (cf. appendixes A to D) have been performed independently of the A-SMGCS implementation levels (cf. §1.6.1), because the focus was only on equipment. From now on (i.e. appendix E), the A-SMGCS is considered as a whole, and therefore the level of automation is relevant. How the system is used, in what environment it is used, and all the contingency procedures defined to mitigate system failures will have a dramatic impact on what can be considered the worst credible hazard.

Considerations for hazard identification in relationship to aircraft equipment, with respect to surveillance

Surveillance is the function in A-SMGCS that provides the position and identification of all mobiles (aircraft, vehicles & obstacles). Surveillance data is needed both by controllers and to feed the guidance & control functions. In many airports, the surveillance function is currently implemented by direct visual acquisition, with the help of surface movement radar (SMR) and extensive use of pilot reports via radiotelephony (R/T). Automation of the ground surveillance function can be achieved using multilateration (MLAT) of Mode S transmissions and automatic dependent surveillance broadcast (ADS-B). Data fusion from multiple non co-operative and co-operative sensors leads to a serious improvement in safety, as the identification and position of all mobiles are known with appropriate completeness and accuracy. In addition, hazards potentially introduced by on-board co-operative equipment remain properly mitigated by primary means. On-board situation awareness is based on the airport map display, with possible use of the data link to receive traffic information via the traffic information service broadcast (TIS-B). Accuracy, reliability and integrity of ADS-B, TIS-B & position information from the global positioning system (GPS) and inertial reference system (IRS) have been assessed in the EMMA report on aircraft position issues (cf. D2.1.1, ref. [12]). The main outcomes are as follows: the performance required for A-SMGCS surveillance can be achieved using GPS / global navigation satellite system (GNSS) with a ground based augmentation system (GBAS), and to a lesser extent by GPS / GNSS with a satellite based augmentation system (SBAS), should the functional hazard assessment (FHA) results show that lower accuracy and integrity performance is acceptable. This will be even more safely achieved in the future by using the Galileo services. Indeed, GPS by itself, notwithstanding certification issues, is not sufficient to meet the performance and safety requirements.

Surveillance means (ADS-B and / or MLAT combined with SMR data) contribute to mitigating hazards that may arise from erratic target tracking in the ground surveillance system. Although not mandated by the International Civil Aviation Organisation (ICAO), more advanced automation could be implemented on board via pseudo-fusion of data received from the ground (e.g. via TIS-B) and on-board generated data (e.g. via ADS-B in). This would allow better coverage of the various airport zones and / or cater for the limitations of each single system. In addition, the on-board system could detect misleading surveillance data using various means, such as integrity reports from ADS-B and comparisons between ADS-B and TIS-B, at least for ADS-B equipped aircraft. But this remains out of the current scope of the study.
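The cross-check suggested in the last paragraph (comparing, for each ADS-B equipped target, the ADS-B in report against the TIS-B track, and using the ADS-B integrity report to decide whether the report is usable) can be made concrete. The following is an added example written for this edition, not code from the EMMA project or from D2.1.1. It assumes an aerodrome-local east/north frame in metres, a single 95% position uncertainty value per report in place of the NIC/NACp indicators, an assumed TIS-B uncertainty, and constructed sample tracks.

```python
"""Added example (not part of the EMMA report): an on-board consistency check
between ADS-B in reports and TIS-B tracks for the same identified target, as
the paragraph above suggests for detecting misleading surveillance data.

Simplifications that are assumptions of this example, not of the report:
positions are metres in an aerodrome-local east/north frame; each report
carries a 95% position uncertainty in metres (standing in for the ADS-B
NIC/NACp integrity and accuracy indicators); the TIS-B uncertainty is a single
assumed value; identifiers match by string. Sample tracks are constructed.
"""
import math
from dataclasses import dataclass

TISB_EPU_M = 7.5         # assumed 95% uncertainty of the ground-fused TIS-B position
K_SIGMA = 2.0            # assumed: a gap above 2 x (sum of bounds) is a mismatch
MAX_USABLE_EPU_M = 30.0  # assumed: ADS-B reports looser than this are not used on the surface


@dataclass(frozen=True)
class Track:
    ident: str    # aircraft/vehicle identification (e.g. 24-bit address or callsign)
    x: float      # east, metres
    y: float      # north, metres
    epu: float    # reported 95% position uncertainty, metres


def cross_check(adsb: list[Track], tisb: list[Track],
                k: float = K_SIGMA, max_epu: float = MAX_USABLE_EPU_M) -> dict:
    """Classify every identified target seen by either source.

    consistent : same ident in both sources, positions agree within tolerance
    mismatch   : same ident in both sources, positions disagree (one source is misleading)
    low_quality: ADS-B report whose own integrity bound is too loose to use
    tisb_only  : ground track with no ADS-B counterpart (non-equipped mobile,
                 ADS-B out failure, or a false ground track)
    adsb_only  : ADS-B target absent from TIS-B (coverage gap or dropped track)
    """
    a = {t.ident: t for t in adsb}
    b = {t.ident: t for t in tisb}
    out = {"consistent": [], "mismatch": [], "low_quality": [], "tisb_only": [], "adsb_only": []}
    for ident in sorted(a):
        ta = a[ident]
        if ta.epu > max_epu:
            out["low_quality"].append(ident)
            continue
        tb = b.get(ident)
        if tb is None:
            out["adsb_only"].append(ident)
            continue
        gap = math.hypot(ta.x - tb.x, ta.y - tb.y)
        tol = k * (ta.epu + tb.epu)
        (out["consistent"] if gap <= tol else out["mismatch"]).append(ident)
    out["tisb_only"] = sorted(set(b) - set(a))
    return out


def usable_for_display(check: dict) -> list[str]:
    """Targets the CDTI may present as confirmed: agreed by both sources."""
    return list(check["consistent"])


# Constructed sample: ADS-B in reports received on board, and the TIS-B picture.
ADSB_SAMPLE = [
    Track("ABC123", 1200.0, 340.0, 5.0),
    Track("DEF456", 2050.0, 410.0, 5.0),   # TIS-B shows this one 150 m away
    Track("GHI789", 300.0, 900.0, 45.0),   # loose integrity bound
    Track("JKL012", 1500.0, 100.0, 5.0),   # no TIS-B track at all
]
TISB_SAMPLE = [
    Track("ABC123", 1206.0, 338.0, TISB_EPU_M),
    Track("DEF456", 2200.0, 410.0, TISB_EPU_M),
    Track("GHI789", 305.0, 902.0, TISB_EPU_M),
    Track("VEH77", 800.0, 120.0, TISB_EPU_M),  # vehicle without ADS-B out, or a false track
]

if __name__ == "__main__":
    for cls, idents in cross_check(ADSB_SAMPLE, TISB_SAMPLE).items():
        print(f"{cls:12s} {idents}")
```

The check cannot say which source is wrong for a mismatched target; what it gives the on-board system is the ability to withhold the "confirmed" status from a target the two sources disagree on, which is the corruption case of G4Ex_01 (false or missing TIS-B track) and of S2Ex_01 (erroneous ADS-B data) in the tables above. A tighter k or a lower max_epu trades missed detections for false inconsistencies in the same way the control function trades missed conflicts for false alerts.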

Routing is an A-SMGCS function that is used to enhance the efficiency of ground traffic by providing the designation of routes for aircraft, and allows a change of destination for any reason (controller or pilot choice). It is currently implemented via information provided by the controllers via radiotelephony prior to taxi. Automation of route planning mainly includes automated prediction of events and resource allocation. Automation on board the aircraft is limited to the reception of the ground taxi route from the air traffic control (ATC) authority. Route definition and description remain an ATC responsibility. Responsibility for the A-SMGCS routing function is never allocated to pilots in any level of ICAO A-SMGCS implementation. However, advanced on-board automation may consist in the preparation of ground routes and waypoints to be displayed over the moving map. These functions are similar to those provided by a flight management system (FMS) on board the aircraft. An on-board “ground path plan” function could then be sought. Note that the routes as displayed should be checked for consistency with the airport configuration and with the routes as determined by the ATC controller, to avoid any induced hazard. Navigation planning performance may require additional requirements beyond basic positioning information. Such performance requirements have not been reviewed as part of the EMMA work.

Considerations for hazard identification in relationship to aircraft equipment, with respect to guidance

Guidance is the A-SMGCS function that provides indications to pilots on the route to follow. This includes the activation of ground visual aids by controllers and the use of airport signs to follow the ground path. At most airports, it is currently implemented via ground visual aids (lighting, marking and signage) and clearances given to aircraft pilots via radiotelephony. For an A-SMGCS level V implementation under visibility condition 4, an on-board guidance function clearly plays a role in meeting the most demanding requirements. Guidance currently uses visual cues only. Steering cues and braking cues, possibly complemented by a head-up display (HUD), to help follow an assigned route, have been proposed. More automation may be achieved via a cockpit display. An on-board moving map may include a representation of airport artefacts taken from an on-board database and possibly a pertinent replication of ground visual aids and clearances. The aircraft's own position and orientation, derived from aircraft sensors and ADS-B or TIS-B, may also be visible. Automated ground path computations (routing) can be transmitted via data link to the flight crew after the controller’s acceptance. With reference to EMMA D2.1.1 [12], guidance requires more stringent performance than surveillance. Those requirements remain within the scope of the future Galileo performance (GBAS) but are not fully achievable by current GPS-based equipment (mainly for accuracy and continuity reasons). Nevertheless, areas of improvement of GPS-based equipment may help meet the requirements, in particular:
• hybrid GPS-IRS equipment, to improve the continuity of the position (+ velocity) measurements and to provide the additional heading & kinematics data needed for high-rate guidance;
• differential GPS (D-GPS) carrier phase measurements, to improve the standard GPS position accuracy by one order of magnitude.

The most critical situation that must be considered for the on-board automated guidance function is under visibility condition 4 for an A-SMGCS implementation level V. In this case, pilots can only rely upon automated on-board guidance. Hence any loss or corruption of guidance data may induce major effects, as additional significant workload is required from the flight crew. More advanced airborne equipment may include the use of head-up displays (HUD), possibly fitted with enhanced (synthetic) vision systems (EVS) and guidance symbology, to help support airport surface movements.

Considerations for hazard identification in relationship to aircraft equipment, with respect to control

Control is a critical function to enhance safety by detecting potential conflicts and providing alerts and resolutions. It operates by determining appropriate spacing and sequencing of aircraft and by alerting aircraft of any incursion into runways, taxiways or other areas. It is implemented using data provided by the surveillance function and algorithms to detect intrusions. Radiotelephony is also used to communicate potential conflicts to aircraft. The control activity is under the responsibility of ATC (taxi route to follow up to the next clearance). However, spacing between aircraft is under the responsibility of the pilot (taxi execution along the cleared taxi route).

Automation is achieved based on the definition of safety volumes, around aircraft in particular, and the implementation of surface conflict alert systems. The most difficult compromise is that only hazardous situations should raise conflict alerts, and there must not be too many false alerts. Control is highly dependent on surveillance, hence the integrity and reliability of the surveillance function is a prerequisite. If too many false alerts are generated, the controller will no longer trust the automation. It is very difficult to identify all conflict cases and cater for all procedures to avoid false alarms. In A-SMGCS, responsibility for the control function is not allocated to pilots under visibility conditions 3 and 4. However, automation could be achieved by transmission of surface conflict alerts via data link and by displaying such artefacts over the on-board airport moving map. In addition, on-board algorithms may provide advance alerts based on the representation of different protection areas or safety nets. Performance requirements for an on-board A-SMGCS control function may include additional computation for traffic analysis and advisory, conflict prediction and detection, and conflict analysis and resolution.

Intermediate conclusion for hazard identification in relationship to aircraft equipment
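The trade-off stated above (only hazardous situations should alert, yet false alerts must stay rare, and a corrupted surveillance input is the usual source of a false alert) is usually handled by confirming a geometric conflict over several surveillance cycles before raising it and by clearing it with hysteresis. The following is an added example written for this edition, not the EMMA project's or any fielded conflict-alert algorithm; the circular safety volumes, cycle counts and sample trajectory are assumptions.

```python
"""Added example (not part of the EMMA report): a surface conflict detector
built on circular safety volumes, with alert confirmation and clearing
hysteresis to address the false-alert trade-off described above.

An alert is raised only when two volumes overlap on `confirm_cycles`
consecutive surveillance cycles, so a single jittery or corrupted position
report does not trigger it, and it is cleared only after `clear_cycles`
consecutive cycles without overlap, so it does not flicker. Radii, cycle
counts and the sample trajectory are assumptions made for this example.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Mobile:
    ident: str
    x: float        # east, metres (aerodrome-local frame, assumed)
    y: float        # north, metres
    radius: float   # safety volume radius, metres


class ConflictDetector:
    def __init__(self, confirm_cycles: int = 3, clear_cycles: int = 2) -> None:
        self.confirm_cycles = confirm_cycles
        self.clear_cycles = clear_cycles
        self._hits: dict[tuple[str, str], int] = {}    # consecutive overlapping cycles
        self._misses: dict[tuple[str, str], int] = {}  # consecutive clear cycles
        self.active: set[tuple[str, str]] = set()

    @staticmethod
    def overlapping_pairs(mobiles: list[Mobile]) -> set[tuple[str, str]]:
        """Pairs whose safety volumes intersect on this cycle."""
        pairs = set()
        for i, a in enumerate(mobiles):
            for b in mobiles[i + 1:]:
                if math.hypot(a.x - b.x, a.y - b.y) < a.radius + b.radius:
                    pairs.add(tuple(sorted((a.ident, b.ident))))
        return pairs

    def update(self, mobiles: list[Mobile]) -> set[tuple[str, str]]:
        """Feed one surveillance cycle; return the pairs currently alerted."""
        now = self.overlapping_pairs(mobiles)
        for pair in now:
            self._hits[pair] = self._hits.get(pair, 0) + 1
            self._misses[pair] = 0
            if self._hits[pair] >= self.confirm_cycles:
                self.active.add(pair)
        for pair in list(self._hits):
            if pair not in now:
                self._hits[pair] = 0
                self._misses[pair] = self._misses.get(pair, 0) + 1
                if pair in self.active and self._misses[pair] >= self.clear_cycles:
                    self.active.discard(pair)
        return set(self.active)


def run_scenario(xs: list[float], confirm: int = 3, clear: int = 2) -> list[bool]:
    """Constructed scenario: aircraft A holds at the origin (radius 30 m) while
    vehicle V (radius 30 m) takes the given east positions, one per cycle;
    returns, per cycle, whether the pair is alerted."""
    det = ConflictDetector(confirm, clear)
    holding = Mobile("A", 0.0, 0.0, 30.0)
    return [("A", "V") in det.update([holding, Mobile("V", x, 0.0, 30.0)]) for x in xs]


if __name__ == "__main__":
    # A one-cycle jump to 55 m (e.g. a corrupted report) must not alert;
    # three sustained cycles inside 60 m must; two clear cycles must end it.
    print(run_scenario([200, 100, 55, 200, 55, 55, 55, 200, 200]))
```

In the scenario the volumes (combined radius 60 m) overlap once at cycle 3 and the alert stays silent; it is raised at cycle 7 after three consecutive overlaps and cleared at cycle 9 after two clear cycles. Raising confirm_cycles lowers the false-alert rate at the cost of detection latency, which is exactly the compromise the paragraph above describes; the detector does not help when the surveillance feed is consistently wrong, which is why the text makes surveillance integrity a prerequisite.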

The automated functions on board the aircraft will contribute to providing better situational awareness of the airport configuration and traffic, and possibly advance warning of potential hazards. The purpose is not full on-board automation of any of the surveillance, routing, guidance or control functions of the A-SMGCS, but an improved ability to communicate useful information to airport users while increasing their understanding of the airport and traffic conditions. On-board guidance is the equipment recommended by ICAO to automate, to a certain extent, the A-SMGCS guidance function under visibility condition 4. The severity of hazards associated with that equipment is assessed as "major" (severity 3), due to the significant workload in case of failure.

Structure of the analysis table

The identification of hazards analysis is presented in a table composed of the following data:
• columns 1 and 2, “operational effects references” & “operational effects description”: these columns give the references and descriptions of operational effects, as identified in appendixes C and D; the operational effects are sorted according to the classification presented on page 104;
• column 3, “A-SMGCS scenario implementation level”: this column sub-divides the previous ones for each step in the automation of the advanced surface movement, guidance and control system; it can be expected that, unless contingency procedures are correctly set up, the higher the automation, the more severe the effects of an equipment failure will be;
• column 4, “operational mitigation”: this column describes the various safety barriers that already exist at A-SMGCS procedure (or people) level, and that provide either prevention, surveillance/warning of the fault mode, or mitigation of its consequences;
• columns 5 and 6, “hazards references” & “hazards description”: these columns give the references and descriptions of hazards at the boundary of the A-SMGCS;
• column 7, “comments / recommendations”: self-explanatory.


ICAO A-SMGCS implementation levels

Below, the main A-SMGCS implementation levels, as defined by ICAO, are recalled. A possible mapping with the EUROCONTROL levels is also suggested. For each level, the differences with the previous level are highlighted. Opposite are also recalled the 36 types of aerodromes and the visibility conditions, traffic density and aerodrome layout conditions in which ICAO recommends to use each A-SMGCS implementation level. Thus it can be seen that an A-SMGCS implementation level V is required only in visibility condition 4, but that an A-SMGCS implementation level IV may be required even in visibility condition 1 if the layout is complex and the traffic heavy. Note: this page should be printed in colour; some readability issues may occur with black & white printouts.

Figure legend: 1* Painted centre line and taxiway guidance signs; 2* Fixed centre line lights; 3* Manual switched centre line lights; 4* Automatic switched centre line lights. Note 1): Does not apply in visibility condition 3.

Figure 25: ICAO A-SMGCS implementation levels

Operational effects ref. OE-01

Operational effects ref.: (continued from the previous page)
Operational effects description of equipment fault mode: The controller's traffic situational awareness is severely compromised (due to undetected loss or undetected corruption of surveillance data as normally provided by the equipment).

A-SMGCS scenario implementation level II
At this implementation level, the surveillance function is shared between controller and system. This is only possible in visibility conditions 1 and 2. In other cases, the airport is to be closed or the system not used. Reminder: at this level, guidance is static.

Operational mitigation (other than equipment), i.e. people and procedures:
According to the EMMA operational requirement document [7], the standard A-SMGCS surveillance identification procedure currently proposed by EUROCONTROL is direct recognition of aircraft/vehicle ID through the surveillance label. When that is no longer possible, i.e. in case of surveillance loss, the procedures already established by ICAO in Doc 4444 should be applied. The EMMA operational requirement document also adds that, "as a contingency measure, the procedural control using the flight strips should always be kept updated". The planning function therefore acts as a backup system.
Loss of surveillance data (as normally provided by the equipment) is evident to the controller. In visibility conditions 1 or 2, the controller should also be able to detect the corruption of surveillance data that has gone undetected by the equipment.

Hazards (at system level):
HZ-01: In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-05: In visibility condition 2, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to misuse this corrupted surveillance data to ensure (limited) tactical separation (essentially on or near runways).

Comments and recommendations (related to the system under assessment):
HZ-01: Automation requires the introduction of new procedures for recovery from fault modes, as well as training and practice. Remark: HZ-01 and HZ-05 are mutually exclusive.
HZ-05: An aircraft/vehicle identification may be confirmed by correlating a particular target report with:
• an aircraft/vehicle position reported by the pilot/driver.
Even though the identification procedure proposed by EUROCONTROL is direct recognition of aircraft/vehicle ID through the surveillance label, to prevent misuse of automation, we recommend that the identification is confirmed before first use. Remark: HZ-01 and HZ-05 are mutually exclusive.
General: Automation assists the operator in maintaining situational awareness and hence the operator's ability to manage higher traffic capacity, density and complexity. If automation fails, it is reasonable to anticipate that manual take-over will be less efficient, with a safety impact on on-going operations.

Save Date: 2006-10-11 File name: D139_FHAvPSSA_V1.0.doc

Public

171 of 241 Version 1.0

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

A-SMGCS scenario implementation level III
At this implementation level, the surveillance function is completely automated; guidance is dynamic but manually controlled.

Operational mitigation (other than equipment), i.e. people and procedures:
According to the EMMA operational requirement document (D135), the standard A-SMGCS surveillance identification procedure currently proposed by EUROCONTROL is direct recognition of aircraft/vehicle ID through the surveillance label. When that is no longer possible, the procedures already established by ICAO in Doc 4444 should be applied. The EMMA operational requirement document also adds that, "as a contingency measure, the procedural control using the flight strips should always be kept updated". The planning function therefore acts as a backup system.
Loss of surveillance data (as normally provided by the equipment) is evident to the controller in any visibility conditions. In visibility conditions 1 or 2, the controller should also be able to detect the corruption of surveillance data that has gone undetected by the equipment. In visibility condition 3, immediate detection of corruption by the controller is not a realistic hypothesis.

Hazards (at system level):
HZ-02: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-06: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.

Comments and recommendations (related to the system under assessment):
HZ-02: Automation will require the introduction of new procedures for recovery from this fault mode, as well as training and practice. Abuse of automation (i.e. managing more traffic than the controller will be able to cope with during a failure recovery) should be prevented:
• either through adequate training of the supervisor,
• or through automated equipment alerting when the traffic conditions imply that recovery in case of equipment failure might be difficult.
Remark: HZ-01, HZ-05, HZ-02, HZ-08 are mutually exclusive.
HZ-06: An aircraft/vehicle identification may be confirmed by correlating a particular target report with:
• an aircraft/vehicle position reported by the pilot/driver.
Even though the identification procedure proposed by EUROCONTROL is direct recognition of aircraft/vehicle ID through the surveillance label, to prevent misuse of automation, we recommend that the identification is confirmed before first use. Remark: HZ-02, HZ-08 are mutually exclusive.

A-SMGCS scenario implementation level IV
At this implementation level, ground guidance is automated.

Operational mitigation (other than equipment), i.e. people and procedures: Same as above.

Hazards (at system level):
HZ-03: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-07: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.

Comments and recommendations (related to the system under assessment):
HZ-03: Automated guidance should not depend only upon surveillance data. Guidance should depend on clearance inputs by the controller.

A-SMGCS scenario implementation level V
At this implementation level, pilots and drivers are provided with automated on-board guidance. At this level, all aircraft and vehicles are capable of assessing their own position independently from the ground system, so a surveillance inconsistency is assumed to be immediately detected by at least one pilot or driver.

Operational mitigation (other than equipment), i.e. people and procedures: Same as above + OE-35.

Hazards (at system level):
HZ-04: In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports based on data coming from on-board equipment). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-08: In visibility condition 4, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.
HZ-09: In visibility conditions 1 to 4, pilots and drivers are provided (potentially via TIS-B) with missing and/or erroneous surveillance data (including mobile identification), but this lack or inconsistency has been detected.

Comments and recommendations (related to the system under assessment):
At this implementation level, pilots and drivers are denied the responsibility of conflict prediction or detection, analysis and resolution. On-board guidance is provided for navigation purposes only.
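The recommendation attached to HZ-05 and HZ-06 above (confirm an identification by correlating the target report with a position reported by the pilot or driver before the label is used, and do not keep using a label once its data is no longer plausible) can be expressed as a small gate in front of the surveillance label. The Python below is an added illustration written for this edit; it is not EMMA project code and not part of the deliverable. The report format (label, x/y position on an aerodrome-local grid in metres, timestamp), the reference-point table, the `IdentityGate` class and all tolerances are assumptions chosen for the example, and the sample reports are constructed.

```python
"""Confirm surveillance labels against independent pilot/driver position
reports before a controller relies on them (added example, not EMMA code).

Assumptions (not from the report): target reports carry a label, an x/y
position in metres on an aerodrome-local grid and a timestamp; a pilot
position report names a reference point whose coordinates are known from
the aerodrome map. Thresholds are illustrative.
"""
from dataclasses import dataclass, field
import math

# Constructed aerodrome map: reference points a pilot or driver might report.
REFERENCE_POINTS = {
    "HOLDING_POINT_A1": (1200.0, 340.0),
    "STAND_12": (250.0, 980.0),
    "RWY27_VACATED_B3": (2100.0, 300.0),
}


@dataclass(frozen=True)
class TargetReport:
    label: str      # ID shown on the surveillance label
    x: float        # metres, aerodrome-local grid (assumed)
    y: float
    t: float        # seconds


@dataclass(frozen=True)
class PositionReport:
    callsign: str
    ref_point: str  # key in REFERENCE_POINTS
    t: float


def distance(ax, ay, bx, by):
    return math.hypot(ax - bx, ay - by)


@dataclass
class IdentityGate:
    """Tracks which labels have been confirmed and revokes ones that drift."""
    match_radius_m: float = 60.0    # assumed correlation tolerance
    max_report_age_s: float = 15.0  # assumed max gap between the two reports
    max_speed_mps: float = 30.0     # assumed plausible taxi speed ceiling
    confirmed: dict = field(default_factory=dict)  # label -> last TargetReport

    def confirm(self, target: TargetReport, report: PositionReport) -> bool:
        """Confirm a label only if the target sits where the pilot says it is."""
        if target.label != report.callsign:
            return False
        if abs(target.t - report.t) > self.max_report_age_s:
            return False
        rx, ry = REFERENCE_POINTS[report.ref_point]
        if distance(target.x, target.y, rx, ry) > self.match_radius_m:
            return False
        self.confirmed[target.label] = target
        return True

    def usable(self, target: TargetReport) -> bool:
        """A label is usable only after confirmation and while its motion stays
        plausible. An implausible jump revokes the confirmation, so the
        controller is not left using corrupted data (the HZ-05/HZ-06 case)."""
        last = self.confirmed.get(target.label)
        if last is None:
            return False
        dt = target.t - last.t
        if dt <= 0:
            return False   # out-of-order or replayed report
        if distance(target.x, target.y, last.x, last.y) / dt > self.max_speed_mps:
            del self.confirmed[target.label]
            return False
        self.confirmed[target.label] = target
        return True


def demo():
    gate = IdentityGate()
    # Constructed data: DLH123 reports holding at A1 and its label is near A1.
    ok = gate.confirm(TargetReport("DLH123", 1185.0, 352.0, 100.0),
                      PositionReport("DLH123", "HOLDING_POINT_A1", 102.0))
    # Normal taxi: 55 m in 5 s is plausible.
    moving = gate.usable(TargetReport("DLH123", 1240.0, 352.0, 105.0))
    # Corrupted report: the label jumps 900 m in 2 s, so trust is revoked.
    jumped = gate.usable(TargetReport("DLH123", 2140.0, 352.0, 107.0))
    after = gate.usable(TargetReport("DLH123", 2141.0, 352.0, 108.0))
    return ok, moving, jumped, after


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

The point of the `usable` check is the second half of the recommendation: confirmation before first use is not enough if the label is then trusted indefinitely, so a label whose track can no longer be physically consistent with its last accepted report drops back to unconfirmed and has to be re-correlated with the pilot or driver.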

Operational effects ref.: OE-02
Operational effects description of equipment fault mode: The controller's traffic situational awareness is slightly compromised (due to undetected loss or undetected corruption of some surveillance data, as normally provided by the equipment, e.g. loss of only one source of surveillance, such as raw video, co-operative sensors, non-co-operative sensors, etc.). At least one source of co-operative surveillance and one source of non-co-operative surveillance remain. Complete loss of one source is covered by OE-01. There is no significant impact on conflict detection.

A-SMGCS scenario implementation level II

Operational mitigation (other than equipment), i.e. people and procedures:
According to the EMMA operational requirement document [7], the standard A-SMGCS surveillance identification procedure currently proposed by EUROCONTROL is direct recognition of aircraft/vehicle ID through the surveillance label. When that is no longer possible, i.e. in case of surveillance loss, the procedures already established by ICAO in Doc 4444 should be applied. The EMMA operational requirement document also adds that, "as a contingency measure, the procedural control using the flight strips should always be kept updated". The planning function therefore acts as a backup system.
Loss of surveillance data (as normally provided by the equipment) is evident to the controller. In visibility conditions 1 or 2, the controller should also be able to detect the corruption of surveillance data that has gone undetected by the equipment.

Hazards (at system level):
HZ-10: In visibility condition 2, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure (limited) tactical separation (essentially on or near runways).

Comments and recommendations (related to the system under assessment):
HZ-10: Procedures based on good A-SMGCS surveillance performance are not yet defined. However, it is expected that separation margins will be defined based on knowledge of the precise size and position of the mobile (e.g. to assess that an aircraft has effectively vacated a runway). Pilots may provide position reports, but those reports lack the position accuracy of automated surveillance. The loss of precision or integrity may mean that these procedures can no longer be safely used if this loss is not detected.
General: Automation assists the operator in maintaining situational awareness and hence the operator's ability to manage higher traffic capacity, density and complexity. If automation fails, it is reasonable to anticipate that manual take-over will be less efficient, with a safety impact on on-going operations.

A-SMGCS scenario implementation level III

Operational mitigation (other than equipment), i.e. people and procedures:
According to the EMMA operational requirement document (D135), the standard A-SMGCS surveillance identification procedure currently proposed by EUROCONTROL is direct recognition of aircraft/vehicle ID through the surveillance label.
Loss of surveillance data (as normally provided by the equipment) is evident to the controller in any visibility conditions. In visibility conditions 1 or 2, the controller should also be able to detect the corruption of surveillance data that has gone undetected by the equipment. In visibility condition 3, immediate detection of corruption by the controller is not a realistic hypothesis.

Hazards (at system level):
HZ-11: In visibility condition 3, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure tactical separation.

Comments and recommendations (related to the system under assessment):
HZ-11: Same comment as HZ-10.

A-SMGCS scenario implementation level IV

Operational mitigation (other than equipment), i.e. people and procedures: Same as above.

Hazards (at system level):
HZ-12: In visibility condition 3, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure tactical separation.

Comments and recommendations (related to the system under assessment):
HZ-12: Same comment as HZ-10.

A-SMGCS scenario implementation level V

Operational mitigation (other than equipment), i.e. people and procedures:
Same as above + OE-35. When that is no longer possible, the procedures already established by ICAO in Doc 4444 should be applied. The EMMA operational requirement document also adds that, "as a contingency measure, the procedural control using the flight strips should always be kept updated". The planning function therefore acts as a backup system.

Hazards (at system level):
HZ-09: In visibility conditions 1 to 4, pilots and drivers are provided (potentially via TIS-B) with missing and/or erroneous surveillance data (including mobile identification), but this lack or inconsistency has been detected.
HZ-13: In visibility condition 4, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure tactical separation.

Comments and recommendations (related to the system under assessment):
HZ-13: Same comment as HZ-10.

Operational effects ref.: OE-03
Operational effects description of equipment fault mode: Detection of surface conflicts and incursions by the controller is severely compromised (due to the undetected loss or undetected corruption of control data as normally provided by the equipment).

A-SMGCS scenario implementation levels II, III, IV and V
At these implementation levels, the equipment supports the controller in the task of conflict prediction and/or detection.

Operational mitigation (other than equipment), i.e. people and procedures:
Level II: None.
Levels III to V: In visibility conditions 3 and 4, procedures related to the use of automated surface conflict alert data in an A-SMGCS are still undefined. However, surface conflict detection is a safety net and its non-functioning does not create additional hazards.

Hazards (at system level): -

Comments and recommendations (related to the system under assessment):
Controllers should not rely on SCA to ensure that the traffic is well separated and/or does not enter a restricted area. Automation will require training with simulated conflicts to ensure controller conflict detection capability at all times.

Operational effects ref.: OE-04
Operational effects description of equipment fault mode: The controller's projected situational awareness is severely compromised (due to the undetected loss or undetected corruption of flight plan data as normally provided by the equipment).

A-SMGCS scenario implementation level II: Not applicable.

A-SMGCS scenario implementation level III
At this implementation level, routing is automated, but guidance is manual.

Operational mitigation (other than equipment), i.e. people and procedures:
Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used for controller display only. For more details, please refer to §1.7.8.

Hazards (at system level):
HZ-14: In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips.
HZ-17: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure verbal and manual routing.

Comments and recommendations (related to the system under assessment):
HZ-14: Automation will require the introduction of new procedures for recovery from this fault mode, as well as training and practice. Remark: HZ-14 and HZ-17 are mutually exclusive.
HZ-17: The main flight plan data related to routing are the allocated stand and the runway data, plus the taxi route between the two. Undetected corruption of runway data does not seem to be a realistic hypothesis. Since the pilot has an independent source of plan data, he should be able to detect the corruption of stand data. What remains is the undetected corruption of taxi route data, e.g. the route passes via a restricted area and the controller and pilot have forgotten about this restriction (as normally published in a NOTAM). At this level, guidance is dynamic but manual, which gives the controller an additional chance to notice the corruption. Moreover, the surface conflict alert function should detect conflicts and incursions. Remark: HZ-14 and HZ-17 are mutually exclusive.

A-SMGCS scenario implementation level IV

Operational mitigation (other than equipment), i.e. people and procedures:
Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used to automatically control centre line lights and potentially stop bars.

Hazards (at system level):
HZ-15: In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-18: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure routing and automated ground guidance.

Comments and recommendations (related to the system under assessment):
HZ-15: Remark: HZ-15 and HZ-18 are mutually exclusive.
HZ-18: The main flight plan data related to routing are the allocated stand and the runway data, plus the taxi route between the two. Undetected corruption of runway data does not seem to be a realistic hypothesis. Since the pilot has an independent source of plan data, he should be able to detect the corruption of stand data. What remains is the undetected corruption of taxi route data, e.g. the route passes via a restricted area and the controller and pilot have forgotten about this restriction (as normally published in a NOTAM). At this level, guidance is dynamic and automated, which gives the controller no additional chance to notice the corruption. However, the surface conflict alert function should detect conflicts and incursions. Remark: HZ-15 and HZ-18 are mutually exclusive.

A-SMGCS scenario implementation level V

Operational mitigation (other than equipment), i.e. people and procedures:
Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used to automatically control centre line lights and stop bars. The route is also up-linked to the aircraft and/or vehicles.

Hazards (at system level):
HZ-16: In visibility condition 4, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-19: In visibility condition 4, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure routing and automated on-board guidance.

Comments and recommendations (related to the system under assessment):
HZ-16: Remark: HZ-16 and HZ-19 are mutually exclusive.
HZ-19: The pilot relies entirely on on-board guidance for his navigation. Remark: HZ-16 and HZ-19 are mutually exclusive.

Operational effects ref.: OE-05
Operational effects description of equipment fault mode: The detection of plan deviations by the controller is severely compromised (due to the undetected loss or undetected corruption of plan conformance monitoring data as normally provided by the equipment).

A-SMGCS scenario implementation level II: Not applicable.

A-SMGCS scenario implementation level III

Operational mitigation (other than equipment), i.e. people and procedures:
Procedures related to the use of plan conformance monitoring data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used for controller display and conformance monitoring.

Hazards (at system level): -

A-SMGCS scenario implementation level IV

Operational mitigation (other than equipment), i.e. people and procedures:
In visibility condition 3, conformance monitoring is seen as non-compulsory. Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used for controller display, conformance monitoring, and to automatically control centre line lights and potentially stop bars.

Hazards (at system level): -

A-SMGCS scenario implementation level V

Operational mitigation (other than equipment), i.e. people and procedures:
In visibility condition 3, conformance monitoring is seen as non-compulsory. In visibility condition 4, conformance monitoring is seen as mandatory. Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used for controller display, conformance monitoring, and to automatically control centre line lights and potentially stop bars. The route is also up-linked to the aircraft and/or vehicles.

Hazards (at system level):
HZ-23: Recovery in visibility condition 4: the controller needs to recover from an equipment conformance monitoring failure by decreasing the number of aircraft moving simultaneously.
HZ-24: Misuse of automation in visibility condition 4: due to over-reliance on automation, the controller does not detect the corruption of equipment conformance monitoring, and continues to use this corrupted data to ensure that the traffic is conforming to instructions.

Comments and recommendations (related to the system under assessment):
Remark: HZ-23 and HZ-24 are mutually exclusive.

Operational effects ref.: OE-06
Operational effects description of equipment fault mode: The controller's awareness of the traffic situation in adjacent sectors is severely compromised (due to loss or corruption of flight plan and/or surveillance data related to adjacent sectors as normally provided by the equipment).

A-SMGCS scenario implementation level II: Not applicable.

A-SMGCS scenario implementation level III

Operational mitigation (other than equipment), i.e. people and procedures:
Procedures related to the use of system co-ordination between APP and tower are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution; co-ordination is still done by voice, with the support of surveillance displays, which allow relevant traffic in adjacent sectors to be viewed.

Hazards (at system level):
HZ-20: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.

A-SMGCS scenario implementation level IV

Operational mitigation (other than equipment), i.e. people and procedures:
Procedures related to the use of system co-ordination between APP and tower are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution; a standardised protocol (AIDC or OLDI) allows silent co-ordination with the approach centre; the surveillance displays allow relevant traffic in adjacent sectors to be viewed.

Hazards (at system level):
HZ-21: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.
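The OE-04 comments above single out one case the people-and-procedures mitigation does not catch well: a corrupted taxi route that passes through a restricted area whose NOTAM the controller and pilot have forgotten, with the surface conflict alert (OE-03) and conformance monitoring (OE-05) as the remaining safety nets. The Python below is an added illustration written for this edit, not EMMA project code, of what an independent check on the plan data and a conformance monitor over it can look like. The segment graph, the NOTAM list, the track positions and the functions `validate_route` and `conformance` are all constructed for the example and are not taken from the deliverable.

```python
"""Independent checks on a computed taxi route and on conformance to it
(added example, not EMMA code).

Assumptions (not from the report): a route is an ordered list of taxiway
segment names; the aerodrome map is a dict of segment -> (x, y) centre
point in metres plus an adjacency table; restricted segments come from a
NOTAM-like list; track positions are (x, y). All sample data is constructed.
"""
import math

# Constructed aerodrome map: segment name -> centre point of that segment.
SEGMENT_CENTRES = {
    "STAND_12": (250.0, 980.0), "A": (400.0, 900.0), "B": (700.0, 700.0),
    "C": (1000.0, 500.0), "D": (1300.0, 400.0), "HP_A1": (1200.0, 340.0),
    "E": (900.0, 300.0),   # alternative link, closed by the NOTAM below
}
ADJACENT = {  # which segments connect (constructed)
    "STAND_12": {"A"}, "A": {"STAND_12", "B"}, "B": {"A", "C", "E"},
    "C": {"B", "D"}, "D": {"C", "HP_A1"}, "HP_A1": {"D", "E"}, "E": {"B", "HP_A1"},
}
NOTAM_CLOSED = {"E"}   # constructed restriction, the kind a controller may forget


def validate_route(route, closed=NOTAM_CLOSED):
    """Return a list of problems with a computed route; an empty list means valid.
    This runs on the plan data itself, before it is used for routing or
    guidance, so a corrupted route (OE-04) is caught without relying on
    surveillance or on the controller remembering the restriction."""
    problems = []
    for seg in route:
        if seg not in SEGMENT_CENTRES:
            problems.append(f"unknown segment {seg}")
        if seg in closed:
            problems.append(f"route enters restricted segment {seg}")
    for a, b in zip(route, route[1:]):
        if b not in ADJACENT.get(a, set()):
            problems.append(f"segments {a} and {b} are not connected")
    return problems


def nearest_segment(x, y):
    return min(SEGMENT_CENTRES, key=lambda s: math.dist((x, y), SEGMENT_CENTRES[s]))


def conformance(route, track, closed=NOTAM_CLOSED):
    """Conformance monitoring (OE-05) plus an incursion safety net (OE-03).
    For each track position, report DEVIATION if the mobile is on a segment
    that is not part of its cleared route, and INCURSION if that segment is
    restricted. Returns a list of (index, segment, verdict)."""
    cleared = set(route)
    events = []
    for i, (x, y) in enumerate(track):
        seg = nearest_segment(x, y)
        if seg in closed:
            events.append((i, seg, "INCURSION"))
        elif seg not in cleared:
            events.append((i, seg, "DEVIATION"))
    return events


def demo():
    good_route = ["STAND_12", "A", "B", "C", "D", "HP_A1"]
    bad_route = ["STAND_12", "A", "B", "E", "HP_A1"]  # corrupted: via closed E
    # Constructed track: follows the cleared route, then strays onto E.
    track = [(255.0, 975.0), (405.0, 895.0), (705.0, 695.0), (905.0, 305.0)]
    return (validate_route(good_route), validate_route(bad_route),
            conformance(good_route, track))


if __name__ == "__main__":
    print(demo())
```

Note that `validate_route` and `conformance` use different inputs: the first looks only at the plan and the published restrictions, the second only at the plan and the track. That is what makes them independent of each other and of the flight plan function whose corruption is the fault mode under assessment.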

Operational effects ref.: OE-06 (continued)

A-SMGCS scenario implementation level V

Operational mitigation (other than equipment), i.e. people and procedures:
Procedures related to the use of system co-ordination between APP and tower are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution; a standardised protocol (AIDC or OLDI) allows silent co-ordination with the approach centre; the surveillance displays allow relevant traffic in adjacent sectors to be viewed.

Hazards (at system level):
HZ-22: In visibility condition 4, due to over-reliance on automation, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.

Operational effects ref.: OE-07
Operational effects description of equipment fault mode: The controller's context awareness is slightly compromised (due to loss or corruption of guidance data, e.g. incorrect knowledge of equipment state and status, or due to loss or corruption of aerodrome-mapping data as normally provided by the equipment).

A-SMGCS scenario implementation level II

Operational mitigation (other than equipment), i.e. people and procedures:
Procedures related to the use of aerodrome-mapping data in an A-SMGCS are still undefined. However, the following has been assumed. Aerodrome-mapping data is manually entered by the controller or by the supervisor. The aerodrome-mapping data is displayed on the controller HMI and used for conflict detection (cf. OE-03).

Hazards (at system level): None.

Comments and recommendations (related to the system under assessment):
For each aircraft, the guidance function should send and apply the adequate command instructions (e.g. turn a light on/off) independently of the current state.

A-SMGCS scenario implementation level III

Operational mitigation (other than equipment), i.e. people and procedures:
Procedures related to the use of guidance and procedures related to the use of aerodrome-mapping data in an A-SMGCS are still undefined. However, the following has been assumed. Aerodrome-mapping data is manually entered by the controller or by the supervisor. The aerodrome-mapping data is displayed on the controller HMI and used for conflict detection (cf. OE-03) and routing. Guidance is performed through manually switched centre line lights, as a support to verbal instructions. In visibility condition 3, an A-SMGCS level III should only be used on basic or simple airport layouts; therefore the pilot should be able to detect an inconsistency between the verbal and the ground guidance.

A-SMGCS scenario implementation level IV

Operational mitigation (other than equipment), i.e. people and procedures:
Procedures related to the use of guidance and procedures related to the use of aerodrome-mapping data in an A-SMGCS are still undefined. However, the following has been assumed. Aerodrome-mapping data is manually entered by the controller or by the supervisor. The aerodrome-mapping data is displayed on the controller HMI and used for conflict detection (cf. OE-03), routing and guidance. Guidance is performed through automatically switched centre line lights, as a support to verbal instructions. If the guidance function checks the state and status of the equipment before sending an on/off command, it might leave one or many taxiway centre line lights in an undesired state, incorrectly routing the aircraft. Any deviation from the assigned route is assumed to be detected by the conformance monitoring function. Any dangerous situation is assumed to be detected by the surface conflict alert function.

A-SMGCS scenario implementation level V

Operational mitigation (other than equipment), i.e. people and procedures:
At level V, there is no more ground guidance. Procedures related to the use of aerodrome-mapping data in an A-SMGCS are still undefined. However, the following has been assumed. Aerodrome-mapping data is synchronised between ground and on-board databases. The aerodrome-mapping data is displayed on the controller HMI and used for conflict detection (cf. OE-03), routing and guidance.
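The OE-07 recommendation that the guidance function send the adequate command for every light independently of the current state, and the level IV explanation of why a state-checking variant can leave centre line lights wrong, is easiest to see side by side. The Python below is an added illustration written for this edit; it is not EMMA project code. The `LightField` model (a "real" state of the lights next to the state the system believes, which may be corrupt), the segment names and the two guidance variants are constructed for the example.

```python
"""Why guidance commands should not be conditional on the equipment state the
system believes it knows (added example, not EMMA code; OE-07, level IV).

Assumptions (not from the report): centre line lights are addressed by
segment name and accept an idempotent ON/OFF command; the field's real
state and the system's stored state/status are modelled as two dicts.
All data is constructed.
"""


class LightField:
    """Models the real lights (the truth) and the control system's belief."""

    def __init__(self, real, believed):
        self.real = dict(real)          # what is actually lit
        self.believed = dict(believed)  # what the system thinks (may be corrupt)
        self.commands = []              # commands actually sent to the field

    def send(self, seg, on):
        self.commands.append((seg, on))
        self.real[seg] = on
        self.believed[seg] = on


def guide_checking_state(field, route):
    """Questionable variant: only commands a light when the stored state differs
    from the target. A corrupted stored state silently leaves a light wrong,
    which is the fault mode described for level IV."""
    wanted = {seg: (seg in route) for seg in field.real}
    for seg, on in wanted.items():
        if field.believed.get(seg) != on:
            field.send(seg, on)
    return field.real


def guide_unconditionally(field, route):
    """Recommended variant: sends the adequate command for every light on every
    guidance update, independently of the current (believed) state. Commands
    are idempotent, so repeating them is harmless."""
    wanted = {seg: (seg in route) for seg in field.real}
    for seg, on in wanted.items():
        field.send(seg, on)
    return field.real


def lit(field):
    """Segments whose lights are really on, in a stable order."""
    return sorted(seg for seg, on in field.real.items() if on)


def demo():
    route = ["A", "B", "C"]
    # Constructed corruption: light D is really ON but the system believes it
    # OFF; light C is really OFF but the system believes it ON.
    real = {"A": False, "B": False, "C": False, "D": True}
    believed = {"A": False, "B": False, "C": True, "D": False}

    checked = LightField(real, believed)
    guide_checking_state(checked, route)

    unconditional = LightField(real, believed)
    guide_unconditionally(unconditional, route)
    return lit(checked), lit(unconditional)


if __name__ == "__main__":
    print(demo())   # (['A', 'B', 'D'], ['A', 'B', 'C'])
```

With the state-checking variant the aircraft is guided along A and B and then offered D instead of C, exactly the misrouting the assessment describes; the unconditional variant converges to the cleared route on the first update regardless of how wrong the stored state was.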

Operational effects ref.: OE-08
Operational effects description of equipment fault mode: The controller HMI is stuck in a display configuration that is improper for normal (safe) control operations.

A-SMGCS scenario implementation level II

Operational mitigation (other than equipment), i.e. people and procedures:
According to the EMMA operational requirement document [7], the standard A-SMGCS surveillance identification procedure currently proposed by EUROCONTROL is direct recognition of aircraft/vehicle ID through the surveillance label. When that is no longer possible, i.e. in case of display corruption or loss, the procedures already established by ICAO in Doc 4444 should be applied. The EMMA operational requirement document also adds that, "as a contingency measure, the procedural control using the flight strips should always be kept updated". The planning function therefore acts as a backup system.

Hazards (at system level):
HZ-01: In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

A-SMGCS scenario implementation level III
Electronic flight strips and routing are introduced.

Hazards (at system level):
HZ-02: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-14: In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips.

Comments and recommendations (related to the system under assessment):
Guidance will probably also be unusable due to the combined loss of surveillance and planning. Remark: hazard HZ-27 and the combined hazards HZ-02 and HZ-14 are mutually exclusive.

A-SMGCS scenario implementation level IV

Hazards (at system level):
HZ-03: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-15: In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-27: In visibility conditions 3 or worse, the supervisor re-sectorises and the controller has to move from one controller working position to another.

Comments and recommendations (related to the system under assessment):
Guidance will probably also be unusable due to the combined loss of surveillance and planning. Remark: hazard HZ-27 and the combined hazards HZ-02 and HZ-14 are mutually exclusive.

A-SMGCS scenario implementation level V

Hazards (at system level):
HZ-04: In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports based on data coming from on-board equipment). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-16: In visibility condition 4, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-27: In visibility conditions 3 or worse, the supervisor re-sectorises and the controller has to move from one controller working position to another.

Comments and recommendations (related to the system under assessment):
Remark: hazard HZ-27 and the combined hazards HZ-02 and HZ-14 are mutually exclusive.

OE-09
Operational effects description of equipment fault mode: Equipment response time increases above tolerable values (e.g. due to overload of recording), and the equipment does not detect this slowing down.

Level II: hazards: HZ-01, HZ-05.
Level III: hazards: HZ-02, HZ-06, HZ-14.

Hazards description (at system level):
HZ-01: In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-05: In visibility condition 2, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to misuse this corrupted surveillance data to ensure (limited) tactical separation (essentially on or near runways).
HZ-02: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-06: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.
HZ-14: In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips.

OE-09 (continued)
Level IV: hazards: HZ-17, HZ-03, HZ-07, HZ-15, HZ-18.

Hazards description (at system level):
HZ-17: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure verbal and manual routing.
HZ-03: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-07: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.
HZ-15: In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-18: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure routing and automated ground guidance.

OE-09 (continued)
Level V: hazards: HZ-04, HZ-08, HZ-16, HZ-19, HZ-09 (no description is given for HZ-09).

Hazards description (at system level):
HZ-04: In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports based on data coming from on-board equipment). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-08: In visibility condition 4, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.
HZ-16: In visibility condition 4, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-19: In visibility condition 4, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure routing and automated on-board guidance.

Comments and recommendations (related to the system under assessment): The pilot relies entirely on on-board guidance for his navigation. Remark: HZ-16 and HZ-19 are mutually exclusive.

OE-10
Operational effects description of equipment fault mode: The controller has to manually manage the flight plans for the operations (i.e. creations, deletions, updates) that are normally handled by external flight plan data processing systems (FDPS).

Level II: mitigation: Not applicable.
Level III: mitigation: Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used for controller display only; hazards: HZ-25.
Level IV: mitigation: Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used to automatically control centre line lights and potentially stop bars; hazards: HZ-25.
Level V: mitigation: Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used to automatically control centre line lights and stop bars. The route is also up-linked to the aircraft and/or vehicles; hazards: HZ-25.

OE-11
Operational effects description of equipment fault mode: The controller has to manually manage the flight plans for the operations (i.e. creations, deletions, updates) that are normally handled by adjacent tower positions.

Level II: mitigation: Not applicable.
Level III: mitigation: Standard verbal co-ordination procedures; hazards: HZ-25.

Hazards description (at system level):
HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-11 (continued)
Level IV: mitigation: Standard verbal co-ordination procedures; hazards: HZ-25.
Level V: mitigation: Standard verbal co-ordination procedures; hazards: HZ-25.

OE-12
Operational effects description of equipment fault mode: The controller has to manually manage the flight plans for the operations (i.e. updates only) that are normally handled by automated traffic characterisation, in particular flight plan progress.

Level II: mitigation: Not applicable.
Level III: mitigation: ?; hazards: HZ-25.
Level IV: mitigation: ?; hazards: HZ-25.
Level V: mitigation: ?; hazards: HZ-25.

Hazards description (at system level):
HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-13
Operational effects description of equipment fault mode: The controller has to manually label (some) target reports.

Level II: mitigation: None; hazards: HZ-25.
Level III: mitigation: ?; hazards: HZ-25.
Level IV: mitigation: ?; hazards: HZ-25.
Level V: mitigation: ?; hazards: HZ-25.

OE-14
Operational effects description of equipment fault mode: The controller has to assign all taxi routes manually (with or without semi-automatic routing support).

Level II: mitigation: None; hazards: HZ-25.

Hazards description (at system level):
HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-14 (continued)
Level III: mitigation: ?; hazards: HZ-25.
Level IV: mitigation: ?; hazards: HZ-25.
Level V: mitigation: ?; hazards: HZ-25.

OE-15
Operational effects description of equipment fault mode: The controller has to manually control the ground guidance aids.

Level II: mitigation: None; hazards: HZ-25.
Level III: mitigation: ?; hazards: HZ-25.

Hazards description (at system level):
HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-15 (continued)
Level IV: mitigation: ?; hazards: HZ-25.
Level V: mitigation: ?; hazards: HZ-25.

OE-16
Operational effects description of equipment fault mode: The controller has to manually update the aerodrome-mapping database.

Level II: mitigation: None; hazards: HZ-25.
Level III: mitigation: ?; hazards: HZ-25.
Level IV: mitigation: ?; hazards: HZ-25.

Hazards description (at system level):
HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-16 (continued)
Level V: mitigation: ?; hazards: HZ-25.

OE-17
Operational effects description of equipment fault mode: The controller has to mentally maintain the association between the flight plans and the target reports.

Level II: mitigation: None; hazards: HZ-01.
Level III: mitigation: ?; hazards: HZ-02.
Level IV: mitigation: ?; hazards: HZ-03.

Hazards description (at system level):
HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.
HZ-01: In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-02: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-03: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.

OE-17 (continued)
Level V: mitigation: ?; hazards: HZ-04.

OE-18
Operational effects description of equipment fault mode: The control procedures have to revert to paper strips.

Level II: mitigation: Not applicable.
Level III: mitigation: ?; hazards: HZ-14.
Level IV: mitigation: ?; hazards: HZ-15.
Level V: mitigation: ?; hazards: HZ-16.

OE-19
Operational effects description of equipment fault mode: The controller has to revert to RTF coordination with the adjacent approach centre.

Level II: mitigation: Not applicable.
Level III: mitigation: ?; hazards: HZ-25.

Hazards description (at system level):
HZ-04: In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports based on data coming from on-board equipment). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-14: In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips.
HZ-15: In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-16: In visibility condition 4, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-19 (continued)
Level IV: mitigation: ?; hazards: HZ-25.
Level V: mitigation: ?; hazards: HZ-25.

OE-20
Operational effects description of equipment fault mode: The controller has to rely (more) on pilots’ RTF reports for mobile positioning and identification data.

Level II: mitigation: None; hazards: HZ-01.
Level III: mitigation: ?; hazards: HZ-02.

Hazards description (at system level):
HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.
HZ-01: In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-02: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.

OE-20 (continued)
Level IV: mitigation: ?; hazards: HZ-03.
Level V: mitigation: ?; hazards: HZ-04.

OE-21
Operational effects description of equipment fault mode: The controller has to revert to RTF guidance.

Level II: mitigation: Not applicable.
Level III: mitigation: ?; hazards: HZ-25.
Level IV: mitigation: ?; hazards: HZ-25.

Hazards description (at system level):
HZ-03: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-04: In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports based on data coming from on-board equipment). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-21 (continued)
Level V: mitigation: ?; hazards: HZ-25.

OE-22
Operational effects description of equipment fault mode: The controller has to monitor plan adherence (and in particular taxi route adherence) without automated plan conformance monitoring support.

Level II: mitigation: Not applicable.
Level III: mitigation: ?; hazards: HZ-26.
Level IV: mitigation: ?; hazards: HZ-26.
Level V: mitigation: ?; hazards: HZ-26.

OE-23
Operational effects description of equipment fault mode: The controller has to return to SMGCS working procedures and conditions.

Level II: mitigation: None; hazards: HZ-01.

Hazards description (at system level):
HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.
HZ-26: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by increased cognitive processing.
HZ-01: In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

OE-23 (continued)
Level III: mitigation: ?; hazards: HZ-02, HZ-14.
Level IV: mitigation: ?; hazards: HZ-03, HZ-15.
Level V: mitigation: ?; hazards: HZ-04.

Hazards description (at system level):
HZ-02: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-14: In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips.
HZ-03: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-15: In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-04: In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports based on data coming from on-board equipment). The controller may need to simultaneously reduce the traffic density and/or complexity.

OE-23 (continued)
Level V: hazards (continued): HZ-16.

OE-24
Operational effects description of equipment fault mode: The controller has to use the ground guidance aids’ own control and monitoring tools to manually control them.

Level II: mitigation: Not applicable.
Level III: mitigation: Not applicable.
Level IV: mitigation: None; hazards: HZ-25.
Level V: mitigation: None; hazards: HZ-25.

OE-25
Operational effects description of equipment fault mode: The controller is provided (by the equipment) with missing and/or corrupted traffic data. He knows it, but cannot / does not prevent it. Note: this effect includes OE-20, whose hazards are not repeated here.

Level II: mitigation: None; hazards: HZ-26.
Level III: mitigation: ?; hazards: HZ-26.

Hazards description (at system level):
HZ-16: In visibility condition 4, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.
HZ-26: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by increased cognitive processing.

OE-25 (continued)
Level IV: mitigation: ?; hazards: HZ-26.
Level V: mitigation: ?; hazards: HZ-26.

OE-26
Operational effects description of equipment fault mode: The controller is provided (by the equipment) with missing and/or erroneous mobile identification. He knows it, but cannot / does not prevent it. Note: this effect includes OE-17, whose hazards are not repeated here.

Level II: mitigation: None; hazards: HZ-26.
Level III: mitigation: ?; hazards: HZ-26.
Level IV: mitigation: ?; hazards: HZ-26.
Level V: mitigation: ?; hazards: HZ-26.

OE-27
Operational effects description of equipment fault mode: The controller is provided (by the equipment) with missing or false traffic alerts. He knows it, but cannot / does not prevent it.

Level II: mitigation: None; hazards: HZ-26.
Level III: mitigation: ?; hazards: HZ-26.
Level IV: mitigation: ?; hazards: HZ-26.
Level V: mitigation: ?; hazards: HZ-26.

Comments and recommendations (related to the system under assessment): The safety impact of nuisance alerts is that controllers become desensitised to alerts, and therefore do not react adequately when real conflicts occur. In the extreme case, the surface conflict alerts are totally ignored, which brings us back to a complete loss of the function.

OE-28
Operational effects description of equipment fault mode: The controller is provided (by the equipment) with missing and/or erroneous plan monitoring alerts. He knows it, but cannot / does not prevent it.

Level II: mitigation: Not applicable; hazards: HZ-26.
Level III: mitigation: ?; hazards: HZ-26.
Level IV: mitigation: ?; hazards: HZ-26.
Level V: mitigation: ?; hazards: HZ-26.

Hazards description (at system level):
HZ-26: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by increased cognitive processing.

OE-29
  Operational effects description of equipment fault mode: The controller is provided (by the equipment) with missing and/or erroneous co-ordination support. He knows it, but cannot / does not prevent it.
  Operational mitigation (other than equipment), i.e. people and procedures, by A-SMGCS scenario implementation level:
    II: Not applicable.
    III: ?  Hazards ref.: HZ-26
    IV: ?  Hazards ref.: HZ-26
    V: ?  Hazards ref.: HZ-26
  Hazards description (at system level), HZ-26: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by increased cognitive processing.
  Comments and recommendations (related to the system under assessment): Significant increase of controller's workload.

OE-30
  Operational effects description of equipment fault mode: Pilots and/or drivers do not receive any automated guidance from ground guidance aids. Note: this effect includes OE-34.
  Operational mitigation (other than equipment), i.e. people and procedures, by A-SMGCS scenario implementation level:
    II: Not applicable.
    III: Not applicable.
    IV: ?
    V: ?

OE-31
  Operational effects description of equipment fault mode: Pilots and/or drivers do not receive any automated guidance from on-board equipment. Note: this effect includes OE-34.
  Operational mitigation (other than equipment), i.e. people and procedures, by A-SMGCS scenario implementation level:
    II: Not applicable.
    III: Not applicable.
    IV: Not applicable.
    V: Procedures related to the use of routing instructions are still undefined. While the failure to receive an initial clearance may be easily detectable by the pilot or driver, this is not the case for a re-clearance. The integrity of the latter should therefore be improved compared to the initial clearance.
  Comments and recommendations (OE-30 and OE-31): Significant increase of pilot and controller's workload.

OE-32
  Operational effects description of equipment fault mode: Pilots and/or drivers are provided with missing or erroneous indications via the ground guidance aids.
  Operational mitigation (other than equipment), i.e. people and procedures, by A-SMGCS scenario implementation level:
    II: Not applicable.
    III: ?
    IV: ?
    V: ?

OE-33
  Operational effects description of equipment fault mode: Pilots and/or drivers are provided with missing or erroneous guidance indications via the on-board equipment.
  Operational mitigation (other than equipment), i.e. people and procedures, by A-SMGCS scenario implementation level:
    II: Not applicable.
    III: Not applicable.
    IV: Not applicable.
    V: Not applicable.

OE-34
  Operational effects description of equipment fault mode: Pilots and/or drivers are provided with inconsistent guidance indications (between ground, on-board and RTF). Note: when the failure is detected, this effect includes OE-21.
  Operational mitigation (other than equipment), i.e. people and procedures, by A-SMGCS scenario implementation level:
    II: Not applicable.
    III: Not applicable.
    IV: Not applicable.
    V: ?

OE-35
  Operational effects description of equipment fault mode: Pilots and drivers are provided (potentially via TIS-B) with missing and/or erroneous surveillance data (including mobile identification).
  Operational mitigation (other than equipment), i.e. people and procedures, by A-SMGCS scenario implementation level:
    II: Not applicable.
    III: Not applicable.
    IV: Not applicable.
    V: Procedures related to the use of spacing delegation in an A-SMGCS are still undefined.

OE-36
  Operational effects description of equipment fault mode: Pilots and/or drivers are provided with inconsistent aeronautical information (between the A-SMGCS aerodrome mapping database, the ATIS, the FIS-B and the RTF). Note: when the failure is detected, this effect includes OE-21.
  Operational mitigation (other than equipment), i.e. people and procedures, by A-SMGCS scenario implementation level:
    II: Not applicable.
    III: Not applicable.
    IV: Not applicable.
    V: ?

OE-37
  Operational effects description of equipment fault mode: Supposing that a route deviation is detected based on downlinked aircraft parameters (DAP), the information is provided too late to avoid the route deviation.
  Operational mitigation (other than equipment), i.e. people and procedures, by A-SMGCS scenario implementation level:
    V: ?

Table 5-13: Operational effects and hazards

Appendix F  Assessment of hazard severity and probability of occurrence
Ref. number: D1.3.9

Objectives

This annex is the core of the functional hazard assessment: it assigns a severity to each hazard (cf. Table 5-14) and derives a possible set of safety objectives (cf. Table 5-15).

Severity allocation

The severity classification scheme specified by the Safety Regulation Commission in ESARR4 provides only the "effect on operations". The example effects on operations given in the ESARR4 severity classification scheme are not directly applicable to every system under assessment: they generally refer to hazards at overall ATM level, not to lower-level hazards such as those at sub-system level. Therefore, as requested by ESARR4 (appendix A-2, page 17, 2nd note a)), the approach is to customise the severity classification scheme so that it adequately reflects the operational environment and is meaningful in the context of the A-SMGCS under assessment. Please refer to §5.2 (Term definitions) for more details.

A complementary approach to severity classification has been used by NATS Ltd. Because it is not always possible to be categorical about the possible consequences of a hazard, it is often necessary to limit the analysis to undeveloped outcomes (noted SCUx, for severity classification undeveloped), which define merely the effect of the hazard on the ability to maintain separation. A formula is then used to map undeveloped outcomes onto a probability of accident; cf. §1.7.5 for more details.

In the previous annex, a set of hazards has been identified. By assigning a severity to each of these hazards, we are in fact defining the probability that an accident occurs if one of these hazards occurs (i.e. the global severity); cf. §3.4.1 for more details. Considering that the target level of safety (TLS) is defined by the ICAO manual on A-SMGCS [32], the global safety objective (i.e. the maximum tolerable frequency of occurrence of the hazard) is related to the TLS by the following product:

  global TLS = global safety objective × global severity

Unlike what has been performed in [27] or [25], we do not feel it is acceptable at this stage of the safety assessment to split the global target level of safety (evenly or unevenly) between the different hazards. This assignment can be performed at a more detailed preliminary system safety assessment (PSSA) level, when more analysis of each of the fault trees and of the available mitigation means has been performed.

  A-SMGCS scenario implementation level                                                I      II     III    IV     V
  Share of the TLS allocated to hazards originating from equipment failures            0%     15%    35%    45%    55%
  Share of the TLS allocated to hazards originating from people & procedure failures   100%   85%    65%    55%    45%

Figure 26: Share of the TLS allocated to equipment

Similar to the EUROCONTROL A-SMGCS safety case (cf. §1.7.3), our safety assessment does not consider all A-SMGCS hazards, but only those hazards that originate from equipment. It is therefore necessary to assume the share of the total target level of safety (TLS) that is allocated to the equipment. In [27], 15% of the total TLS was allocated to equipment for an A-SMGCS implementation level 1 & 2 (in EUROCONTROL terminology, corresponding more or less to ICAO level II). We tend to agree with this share, and propose the allocations shown in Figure 26 for the higher scenario implementation levels (to be discussed and agreed at European / international level). We propose a major step between A-SMGCS scenario implementation level II and level III (i.e. +20 points) because at level III, on basic and simple airports with light or medium traffic, the A-SMGCS is supposed to support operations in visibility condition 3, i.e. a visibility sufficient for a pilot to taxi, but insufficient for a pilot to avoid collision with other traffic on taxiways and at intersections by visual reference, and insufficient for the control authority to exercise control over all traffic on the basis of visual surveillance. For us, this is a major step that implies very high confidence in the equipment and new conflict prediction & resolution tools. In our view, later steps up the A-SMGCS scenario implementation levels are less dramatic, and are therefore only assigned +10 points each. As automation increases, the share of the TLS allocated to hazards originating from equipment failures increases, whilst the share allocated to hazards originating from people & procedure failures decreases. This implies that, for similar risks, the safety objectives set on equipment will increase with the A-SMGCS scenario implementation level.

Structure of the severity analysis table

The hazard severities are presented in a table composed of the following data:
• columns 1 and 4, "hazard reference" & "hazard description": these columns give the references and descriptions of the hazards identified in appendix E; here, the hazards are basically described through their negative safety effects on the air navigation service;
• column 2, "A-SMGCS scenario implementation level (SIL)": this column recalls the ICAO A-SMGCS implementation level to which the hazard relates; this is very important, as the same fault mode may have different effects depending on the A-SMGCS scenario implementation level;
• column 3, "hazard typology": hazards are derived from the operational effects at system level (as undeveloped outcomes), taking into account people and procedures; when the operational effects of a fault mode are not detected, the corresponding hazard is classified as a misuse; when they are detected, the corresponding hazard is classified as a recovery;
• columns 5 to 7 ("severity indicators") are descriptions that help assess the severity given in column 8; the focus is on the hazard effects at aerodrome ATC level, the exposure, and the mitigation means that are external to the system;
• column 8, "severity": this column gives the severity of the hazard effects; in theory, different severities could be considered in different weather conditions or traffic load conditions; however, since different hazards have been defined for the different SIL, the worst case is always considered for each level;
• column 9, "probability to lead to an accident": based on the severity, the probability that such a hazard, if raised, leads to an accident (according to the NATS mapping);
• column 10, "comments / recommendations": self-explanatory;
• description of the worst-case credible scenario supporting the severity assessment: these descriptions are provided only for hazards related to scenario implementation levels (SIL) I and II; they were elaborated during an FHA workshop held in June 2005, with the help of four controllers from ANS-CZ, one controller from DFS, one ex-controller from DSNA, one controller from ENAV, one ex-controller from NATS and one safety expert from ANS-CZ.
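Worked example, added by the editor and not part of the EMMA deliverable: the relation "global TLS = global safety objective × global severity" stated above, combined with the equipment share of the TLS from Figure 26 and the NATS mapping from severity class to probability of accident (the column 9 values used in the severity table that follows: 100%, 1%, 0.1%, 10^-3 %, 0%), written out in Python. The global TLS value and the hazard frequencies are constructed for illustration only; the ICAO value referenced as [32] is not reproduced on this page, and, as stated above, the project did not split the TLS between hazards at this stage, so the per-hazard bound computed here is the upper bound for a hazard considered alone.

```python
"""Equipment safety-objective arithmetic for A-SMGCS hazards.

Editor's added example (not code from the EMMA deliverable). It implements
the relation used in this annex,

    global TLS = global safety objective * global severity,

where the "global severity" is the probability that a hazard, once raised,
leads to an accident (NATS mapping, column 9 of the severity table) and the
"safety objective" is the maximum tolerable frequency of the hazard.
"""
import math

# Figure 26 of the report: share of the TLS allocated to hazards originating
# from equipment failures, per A-SMGCS scenario implementation level (SIL).
EQUIPMENT_SHARE = {"I": 0.00, "II": 0.15, "III": 0.35, "IV": 0.45, "V": 0.55}

# Column 9 of the severity table (NATS mapping), indexed by severity class.
P_ACCIDENT_GIVEN_HAZARD = {
    1: 1.0,    # Catastrophic: 100 %
    2: 1e-2,   # Hazardous: 1 %
    3: 1e-3,   # Major: 0.1 %
    4: 1e-5,   # Minor: 10^-3 %
    5: 0.0,    # No effect: 0 %
}

# ASSUMPTION for illustration only: a global TLS of 1e-8 accidents per
# aerodrome movement. The value from the ICAO manual [32] is not given here.
ASSUMED_GLOBAL_TLS = 1e-8


def equipment_tls(global_tls: float, sil: str) -> float:
    """Part of the global TLS that equipment-originated hazards may consume."""
    return global_tls * EQUIPMENT_SHARE[sil]


def hazard_safety_objective(global_tls: float, sil: str, severity: int) -> float:
    """Maximum tolerable frequency of ONE hazard (same unit as global_tls),
    assuming it is the only equipment hazard at this SIL, i.e. the upper
    bound that holds before any splitting of the TLS between hazards.
    """
    p_accident = P_ACCIDENT_GIVEN_HAZARD[severity]
    if p_accident == 0.0:
        # Severity 5 "No effect": the hazard cannot lead to an accident, so
        # no frequency bound follows from the TLS.
        return math.inf
    return equipment_tls(global_tls, sil) / p_accident


def equipment_accident_rate(hazards: list[tuple[str, int, float]]) -> float:
    """Expected accident rate contributed by a set of equipment hazards,
    each given as (hazard ref, severity class, assessed frequency).
    """
    return sum(freq * P_ACCIDENT_GIVEN_HAZARD[sev] for _, sev, freq in hazards)


def within_equipment_budget(global_tls: float, sil: str,
                            hazards: list[tuple[str, int, float]]) -> bool:
    """PSSA-style check: do the assessed hazard frequencies, weighted by
    their probability of leading to an accident, stay within the equipment
    share of the TLS at this SIL?
    """
    return equipment_accident_rate(hazards) <= equipment_tls(global_tls, sil)


# Constructed illustration: the two SIL III surveillance hazards of this
# annex with HYPOTHETICAL frequencies (per movement), not report values.
SIL_III_EXAMPLE = [
    ("HZ-02", 2, 1e-7),   # Hazardous: recovery from surveillance failure
    ("HZ-06", 1, 1e-9),   # Catastrophic: undetected corrupted surveillance
]

if __name__ == "__main__":
    for ref, sev, _ in SIL_III_EXAMPLE:
        bound = hazard_safety_objective(ASSUMED_GLOBAL_TLS, "III", sev)
        print(f"{ref}: max tolerable frequency {bound:.1e} per movement")
    print("within equipment budget:",
          within_equipment_budget(ASSUMED_GLOBAL_TLS, "III", SIL_III_EXAMPLE))
```

With the assumed TLS, a Catastrophic hazard at SIL III may occur no more often than 3.5e-9 per movement, a Hazardous one no more often than 3.5e-7; the budget check is the aggregation a PSSA would perform once fault-tree frequencies are available, and it fails as soon as the weighted sum of hazard frequencies exceeds the equipment share.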


HZ-01
  A-SMGCS scenario implementation level (SIL): II
  Hazard typology: Recovery (from a total or partial equipment surveillance failure, e.g. loss of primary sensor, loss of time synchronisation, loss of labelling, etc.)
  Hazard description (at system level): In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or flow complexity.
  Hazard effects at aerodrome ATC level (i.e. failure condition): Situational awareness may be slightly impaired during the recovery phase. Once the mental picture is re-established and traffic reduced, no more effects are expected.
  Exposure (duration, number of exposed):
    • Duration: may persist for a short period of time [note 28].
    • Number: medium traffic if layout is basic, light traffic if layout is simple.
  Recovery (announcement information, availability of external contingency measures, rate of development):
    • Announcement information: none.
    • Contingency measures: visibility is sufficient for pilots and drivers to taxi and to avoid collision with other traffic on taxiways and at intersections, by visual reference [note 29].
    • Rate of development: sudden.
  Severity: 4 Minor
  Probability to lead to an accident (with NATS' mapping): 10^-3 %
  Comments and recommendations (related to items external to the system under assessment): Comments: it is irrelevant to know the exact nature of the failure; in fact the surveillance may still seem to work; the simple fact that the surveillance equipment is declaring a malfunction, or that the controller suspects a malfunction, is sufficient for the controller to trigger a recovery procedure. Recommendations: neither traffic density nor traffic complexity should be so high as to preclude the safe performance of failure recovery tasks.

  [note 28] Doc 4444 is considered safe. The hazard duration is only related to the shift from Doc 9830 to Doc 4444 (i.e. the recovery procedure itself). This duration is independent of the equipment failure duration itself.
  [note 29] It is not so much the visibility which is of interest, but the capability, in that visibility, for the pilot / driver to mitigate the hazard and its severity.


  Worst-case credible scenario supporting the severity assessment: Supposing an aerodrome with a basic layout, visibility condition 1, medium traffic density. Visibility degrades to condition 2 (e.g. sudden heavy rain). The equipment surveillance failure occurs and is detected just after the visibility conditions shift from 1 to 2. The controllers lose visual and equipment surveillance nearly simultaneously. HAZARD: in visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). Supposing five aircraft going for take-off. Three aircraft have landed, of which two are already taxiing. One aircraft has been cleared for line-up at the threshold, and a Beech 90 has been cleared for intersection line-up. One B737 is ten miles on final. The local controller has some workload related to vehicle control. Due to the loss of visibility and surveillance means, the controller needs to ask the last landed aircraft to report when the runway is vacated, and needs to check who is lined up at the intersection. Position reports from pilots cannot be checked. After the Beech 90 take-off, the controller needs to wait for the airborne report. The worst credible case foreseen is that, due to the loss of time, the controller needs to request a GO AROUND from the B737 on final (with a possible issue related to the slow Beech 90).

HZ-02
  A-SMGCS scenario implementation level (SIL): III
  Hazard typology: Recovery (from a total or partial equipment surveillance failure)
  Hazard description (at system level): In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
  Hazard effects at aerodrome ATC level (i.e. failure condition): Situational awareness may be slightly impaired during the recovery phase. Once the mental picture is re-established, no more effects are expected.
  Exposure (duration, number of exposed):
    • Duration: may persist for a short period of time [note 30].
    • Number: medium traffic if layout is basic, light traffic if layout is simple; alternatively, heavy traffic if layout is basic and visibility condition is only 2.
  Recovery (announcement information, availability of external contingency measures, rate of development):
    • Announcement information: none.
    • Contingency measures: visibility sufficient for a pilot to taxi, supported by ground guidance.
    • Rate of development: sudden.
  Severity: 2 Hazardous
  Probability to lead to an accident (with NATS' mapping): 1%
  Comments and recommendations (related to items external to the system under assessment): Neither traffic density nor traffic complexity should be so high as to preclude the safe performance of failure recovery tasks.

  [note 30] Doc 4444 is considered safe. The hazard duration is only related to the shift from Doc 9830 to Doc 4444 (i.e. the recovery procedure itself). This duration is independent of the equipment failure duration itself.


  Worst-case credible scenario supporting the severity assessment: Supposing an aerodrome with a basic layout, visibility condition 3. LVP are in force due to ILS. One landing aircraft has just vacated the runway sensitive area. The pilot has changed frequency to ground control. Another aircraft is on final, about to land. At that moment, there is a loss of equipment surveillance. HAZARD: in visibility condition 3, the controllers need to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The ground controller stops all traffic. One taxiing pilot asks why. The landing aircraft uses the same exit as the previously landed aircraft (highly probable on a basic layout), but is still on the TWR frequency and continues to taxi, waiting for a gap in the frequency to report the runway vacated. BANG (at low speed)!

HZ-03
  A-SMGCS scenario implementation level (SIL): IV
  Hazard typology: Recovery
  Hazard description (at system level): In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
  Hazard effects at aerodrome ATC level (i.e. failure condition): Situational awareness may be slightly impaired during the recovery phase. Once the mental picture is re-established, no more effects are expected.
  Exposure (duration, number of exposed):
    • Duration: may persist for a short period of time.
    • Number: heavy traffic.
  Recovery (announcement information, availability of external contingency measures, rate of development):
    • Announcement information: none.
    • Contingency measures: visibility sufficient for a pilot to taxi, supported by ground guidance.
    • Rate of development: sudden.
  Severity: 3 Major
  Probability to lead to an accident (with NATS' mapping): 0.1%
  Comments and recommendations (related to items external to the system under assessment): Neither traffic density nor traffic complexity should be so high as to preclude the safe performance of failure recovery tasks.

HZ-04
  A-SMGCS scenario implementation level (SIL): V
  Hazard typology: Recovery
  Hazard description (at system level): In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
  Hazard effects at aerodrome ATC level (i.e. failure condition): Situational awareness may be slightly impaired during the recovery phase. Once the mental picture is re-established, no more effects are expected.
  Exposure (duration, number of exposed):
    • Duration: may persist for a short period of time.
    • Number: heavy traffic.
  Recovery (announcement information, availability of external contingency measures, rate of development):
    • Announcement information: none.
    • Contingency measures: on-board equipment sufficient for a pilot to taxi, supported by on-board guidance.
    • Rate of development: sudden.
  Severity: 3 Major
  Probability to lead to an accident (with NATS' mapping): 0.1%
  Comments and recommendations (related to items external to the system under assessment): Neither traffic density nor traffic complexity should be so high as to preclude the safe performance of failure recovery tasks.


HZ-05
  A-SMGCS scenario implementation level (SIL): II
  Hazard typology: Misuse (of corrupted surveillance data)
  Hazard description (at system level): In visibility condition 2, the controller does not detect the corruption of equipment surveillance data, and continues to misuse this corrupted surveillance data.
  Hazard effects at aerodrome ATC level (i.e. failure condition): Situational awareness is impaired until an unexpected event alerts the controller to the corruption of equipment surveillance data. It is to be noted that at this level (i.e. level II) the controller is assumed to systematically check surveillance data (at least once for departing aircraft). The hazard effect must NOT include abuse of automation.
  Exposure (duration, number of exposed):
    • Duration: may persist for a substantial period of time [note 31].
    • Number: medium traffic if layout is basic, light traffic if layout is simple.
  Recovery (announcement information, availability of external contingency measures, rate of development):
    • Announcement information: none.
    • Contingency measures: visibility is sufficient for pilots and drivers to taxi and to avoid collision with other traffic on taxiways and at intersections, by visual reference.
    • Rate of development: sudden.
  Severity: 2 Hazardous
  Comments and recommendations (related to items external to the system under assessment): Upon failure detection by the controller, hazard HZ-01 is triggered. This hazard relates to an A-SMGCS level II, in which conflict analysis and conflict resolution are still under the responsibility of the controller (i.e. not the equipment) and in which responsibility for surveillance is shared (i.e. the equipment only supports the controller, and the controller is not allowed to control based only on equipment surveillance data). Therefore, by "unexpected event" we mean that the controller detects something (e.g. a conflict) which is "unexpected" in relation to the surveillance and/or control data provided by the equipment. In accordance with controller responsibility, sufficient time for conflict processing (detection time + controller reaction time + instruction time + crew reaction time + resolution time) should still remain. The hazard is related to the "surprise effect" of detecting the conflict (i.e. the worst "surprise") simultaneously with the identification of the equipment surveillance failure.


  Worst-case credible scenario supporting the severity assessment: Supposing an aerodrome with a basic layout, visibility condition 2, medium traffic density. Two aircraft are waiting for line-up, one at the threshold, the other at an intermediate taxiway, whilst a third aircraft is approaching. When the arriving aircraft has landed, the controller gives the line-up clearance to the aircraft at the threshold... but the equipment is providing corrupted surveillance data such that the labels of the two departing aircraft have been switched. The controller did not use the "...line-up from..." phraseology. HAZARD: in visibility condition 2 the controller does not detect the corruption of equipment surveillance data, and continues to misuse this corrupted surveillance data. The controller does not notice the label switch. Whilst expecting to clear the aircraft at the threshold, the controller in fact clears the aircraft at the intermediate take-off position, 1000 m in front of the threshold and still in front of the landing traffic. With a 30° angle to the runway, this taxiway gives the entering aircraft absolutely no visibility of traffic coming from the threshold. As the aircraft enters the obstacle free zone (OFZ) in front of the landing traffic, an incursion alert is triggered. The intruder stops by himself (thanks to visibility condition 2) or is stopped by the controller (due to the alert and/or because, even though the labels are wrong, the position reports are correct). The worst credible case is a large reduction in safety margins.


HZ-06
  A-SMGCS scenario implementation level (SIL): III
  Hazard typology: Misuse (of corrupted or obsolete surveillance data)
  Hazard description (at system level): In visibility condition 3, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure separation.
  Hazard effects at aerodrome ATC level (i.e. failure condition): Situational awareness is impaired until an unexpected event alerts the controller to the corruption of equipment surveillance data. Two types of hazard effects may be considered at system level:
    • A dangerous situation develops unbeknownst to the controller, e.g. a conflict between aircraft on a taxiway, a runway incursion, a take-off without clearance, a route deviation, etc. The equipment provides no alert.
    • Due to his lack of situational awareness, the controller himself creates a critical loss of separation by delivering an inadequate clearance (cf. the Rhodes Island incident on December 6th, 1999, or the Überlingen accident on July 1st, 2002).
  Exposure (duration, number of exposed):
    • Duration: may persist for a substantial period of time.
    • Number: medium traffic if layout is basic, light traffic if layout is simple; alternatively, heavy traffic if layout is basic and visibility condition is only 2.
  Recovery (announcement information, availability of external contingency measures, rate of development):
    • Announcement information: none.
    • Contingency measures: visibility is just sufficient for a pilot to taxi.
    • Rate of development: sudden.
  Severity: 1 Catastrophic
  Probability to lead to an accident (with NATS' mapping): 100%
  Comments and recommendations (related to items external to the system under assessment): Upon failure detection by the controller, hazard HZ-02 is triggered. In the ICAO implementation table, "X" in conflict prediction and/or detection means that the conflict is detected but not solvable in visibility 3. What is meant here?

  Worst-case credible scenarios supporting the severity assessment: three scenarios were elaborated.
  Scenario 1: Supposing an aerodrome with a basic layout, visibility condition 3, two outbound aircraft taxiing to the holding position, correctly separated. There is no other traffic. The 1st aircraft reaches the holding position and stops. At that moment, the controller's surveillance screen freezes. HAZARD: in visibility condition 3 the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure separation. The two aircraft seem separated and stopped, but in reality the 2nd aircraft continues to taxi and runs into the 1st aircraft.
  Scenario 2: Supposing the same scenario as for HZ-05, visibility condition 3 makes it worse because the pilot of the departing aircraft is not able to detect the approaching aircraft. Only the controller can avoid the accident.
  Scenario 3: Supposing an aerodrome with a basic layout, visibility condition 3, medium traffic density. One aircraft is waiting for line-up whilst a second aircraft is approaching. The equipment is providing false positions: the approaching aircraft is displayed 500 m in front of its actual position (corresponding to a 7 to 10 second error in the extrapolation). HAZARD: in visibility condition 3 the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure separation. When the controller sees that the inbound aircraft has landed, he clears the outbound aircraft (at the threshold) in front of the landing aircraft. The equipment does not provide any incursion alert and the pilot of the departing aircraft is not able to detect the approaching aircraft (due to visibility condition 3).

HZ-07
  A-SMGCS scenario implementation level (SIL): IV
  Hazard typology: Misuse
  Hazard description (at system level): In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.
  Hazard effects at aerodrome ATC level (i.e. failure condition): Same as for HZ-06.
  Exposure (duration, number of exposed):
    • Duration: may persist for a substantial period of time.
    • Number: heavy traffic.
  Recovery (announcement information, availability of external contingency measures, rate of development):
    • Announcement information: none.
    • Contingency measures: none.
    • Rate of development: sudden.
  Severity: 1 Catastrophic
  Probability to lead to an accident (with NATS' mapping): 100%
  Comments and recommendations (related to items external to the system under assessment): Upon failure detection by the controller, hazard HZ-03 is triggered. In the ICAO implementation table, "X" in conflict prediction and/or detection means that the conflict is detected but not solvable in visibility 3. What is meant here?

HZ-08
  A-SMGCS scenario implementation level (SIL): V
  Hazard typology: Misuse
  Hazard description (at system level): In visibility condition 4, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.
  Hazard effects at aerodrome ATC level (i.e. failure condition): Same as for HZ-06.
  Exposure (duration, number of exposed):
    • Duration: may persist for a substantial period of time.
    • Number: all aircraft and vehicles in the A-SMGCS coverage area.
  Recovery (announcement information, availability of external contingency measures, rate of development):
    • Announcement information: none.
    • Contingency measures: aircraft are equipped with ADS-B in and continue to receive the positions and identification of other mobiles.
    • Rate of development: sudden.
  Severity: 2 Hazardous
  Probability to lead to an accident (with NATS' mapping): 1%
  Comments and recommendations (related to items external to the system under assessment): Upon failure detection by the controller, hazard HZ-04 is triggered.

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Severity indicators table (Table 5-14), columns: Hazard ref.; A-SMGCS scenario implementation level (SIL); Hazard typology; Hazard description (at system level); Hazard effects at aerodrome ATC level (i.e. failure condition); Exposure (duration, number of exposed); Recovery (announcement information, availability of external contingency measures, rate of development); Severity; Probability to lead to an accident (with NATS’ mapping); Comments and recommendations (related to items external to the system under assessment).

HZ-09
• SIL: V
• Hazard typology: Recovery
• Hazard description: In visibility condition 4, pilots and drivers are provided (potentially via TIS-B) with missing and/or erroneous surveillance data (including mobile identification), but this lack or inconsistency has been detected.
• Hazard effects: Situational awareness may be slightly impaired.
• Exposure: Duration: brief. Number: all aircraft and vehicles in the A-SMGCS coverage area.
• Recovery: Announcement information: none. Contingency measures: none. Rate of development: sudden.
• Severity: 5 No effect. Probability to lead to an accident: 0%.

HZ-10
• SIL: II
• Hazard typology: Misuse (of obsolete or corrupted surveillance data).
• Hazard description: In visibility condition 2, due to undetected loss of surveillance precision or integrity, the controller continues to misuse³² some procedures to ensure separation (essentially on or near runways).
• Hazard effects: Situational awareness may be slightly impaired.
• Exposure: Duration: may persist for a substantial period of time. Number: medium traffic if layout is basic, light traffic if layout is simple.
• Recovery: Announcement information: none. Contingency measures: visibility is sufficient for pilots and drivers to taxi and to avoid collision with other traffic on taxiways and at intersections, by visual reference. Rate of development: sudden.
• Severity: 5 No effect. Probability to lead to an accident: 0%.
• Comments and recommendations: Comment: no equivalent of RVSM is foreseen for ground control based on high precision surveillance data; therefore, some minor loss of precision, update rate or integrity will have no effect on safety. It is to be noted that at this level (i.e. level II) surveillance responsibility is shared between the controller and equipment, and therefore the controller is assumed to systematically check surveillance data. Hazard effect must NOT include abuse of automation. Worst-case credible scenario supporting the severity assessment: Supposing an aircraft A, lined-up awaiting take-off clearance and an aircraft B starting to vacate. EQUIPMENT FAILURE: due to corrupted surveillance, aircraft B is seen as having vacated (or starting to vacate). HAZARD: Due to stress, the controller has little time to wait and check the pilot’s report: he delivers take-off clearance. Since surveillance is erroneous, there is no alerting… and NO additional RISK due to equipment (because it is already done today with advance-clearance).

³² Procedures based on good A-SMGCS surveillance performance are not yet defined. However, it is expected that separation margins will be defined based on the knowledge of the precise mobile’s size and position (e.g. to assess that an aircraft has effectively vacated a runway). The loss of precision or integrity may mean that these procedures may not be safely used anymore if this loss is not detected.

Save Date: 2006-10-11 File name: D139_FHAvPSSA_V1.0.doc

Public


HZ-11
• SIL: III
• Hazard typology: Misuse (of obsolete or corrupted surveillance data).
• Hazard description: In visibility condition 3, due to undetected loss of surveillance precision or integrity, the controller continues to misuse³³ some procedures to ensure separation.
• Hazard effects: Safety margins may be severely impaired.
• Exposure: Duration: may persist for a substantial period of time. Number: medium traffic if layout is basic, light traffic if layout is simple; alternatively, heavy traffic if layout is basic and visibility condition is only 2.
• Recovery: Announcement information: none. Contingency measures: none. Rate of development: sudden.
• Severity: 3 Major. Probability to lead to an accident: 0.1%.
• Comments and recommendations: Worst-case credible scenario supporting the severity assessment: Supposing 2 aircraft taxiing, one behind the other. EQUIPMENT FAILURE: undetected loss of precision & integrity. HAZARD: In visibility condition 3, the controller continues to use the equipment surveillance to allow for the separation of taxiing aircraft. The worst credible outcome is: a strong reduction in separation. Note: this supposes that the current procedural control procedure, which only allows clearing an aircraft to a point to which the complete route is free, is not applied anymore.

HZ-12
• SIL: IV
• Hazard typology: Misuse
• Hazard description: In visibility condition 3, due to undetected loss of surveillance precision or integrity, the controller continues to misuse³⁴ some procedures to ensure tactical separation.
• Hazard effects: Safety margins may be severely impaired.
• Exposure: Duration: may persist for a substantial period of time. Number: heavy traffic.
• Recovery: Announcement information: none. Contingency measures: none. Rate of development: sudden.
• Severity: 3 Major. Probability to lead to an accident: 0.1%.

HZ-13
• SIL: V
• Hazard typology: Misuse
• Hazard description: In visibility condition 4, due to undetected loss of surveillance precision or integrity, the controller continues to misuse³⁵ some procedures to ensure tactical separation.
• Hazard effects: Safety margins may be severely impaired.
• Exposure: Duration: may persist for a substantial period of time. Number: heavy traffic.
• Recovery: Announcement information: none. Contingency measures: aircraft and vehicles are equipped with ADS-B in and continue to receive positions and identification of other mobiles. Rate of development: sudden.
• Severity: 4 Minor. Probability to lead to an accident: 10⁻³ %.

³³ ³⁴ ³⁵ Procedures based on good A-SMGCS surveillance performance are not yet defined. However, it is expected that separation margins will be defined based on the knowledge of the precise mobile’s size and position (e.g. to assess that an aircraft has effectively vacated a runway). The loss of precision or integrity may mean that these procedures may not be safely used anymore if this loss is not detected.

HZ-14
• SIL: III
• Hazard typology: Recovery (from an equipment flight data processing failure)
• Hazard description: In visibility condition 3, the controller needs to recover from an equipment flight data failure by reverting to paper strips and voice communications system (VCS).
• Hazard effects: Small time during which flight plan data may not be available (time to print and arrange the paper strips).
• Exposure: Duration: may persist for a short period of time. Number: medium traffic if layout is basic, light traffic if layout is simple; alternatively, heavy traffic if layout is basic and visibility condition is only 2.
• Recovery: Announcement information: none. Contingency measures: none. Rate of development: sudden.
• Severity: 5 No effect. Probability to lead to an accident: 0%.
• Comments and recommendations: Worst-case credible scenario supporting the severity assessment: Supposing a controller controlling and performing silent co-ordination using electronic strips. EQUIPMENT FAILURE: some flight data are obviously missing. HAZARD: In visibility condition 3, the controller has to request the printout of paper strips and arrange them. Use of paper strips has become exceptional (i.e. training sessions only). Some paper strips may need to be filled in manually. The worst credible outcome is: controller overload due to visibility condition 3 and recovery procedures, some co-ordination hiccups and a need to temporarily reduce traffic. NO SAFETY impact is expected.

HZ-15
• SIL: IV
• Hazard typology: Recovery
• Hazard description: In visibility condition 3, the controller needs to recover from an equipment flight data failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
• Hazard effects: Small time during which flight plan data may not be available (time to print and arrange the paper strips).
• Exposure: Duration: may persist for a short period of time. Number: heavy traffic.
• Recovery: Announcement information: none. Contingency measures: none. Rate of development: sudden.
• Severity: 4 Minor. Probability to lead to an accident: 10⁻³ %.

HZ-16
• SIL: V
• Hazard typology: Recovery
• Hazard description: In visibility condition 4, the controller needs to recover from an equipment flight data failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
• Hazard effects: Small time during which flight data may not be available (time to print and arrange the paper strips).
• Exposure: Duration: may persist for a short period of time. Number: heavy traffic.
• Recovery: Announcement information: none. Contingency measures: none. Rate of development: sudden.
• Severity: 4 Minor. Probability to lead to an accident: 10⁻³ %.

HZ-17
• SIL: III
• Hazard typology: Misuse (of flight data)
• Hazard description: In visibility condition 3 the controller does not detect the corruption of equipment flight data, and continues to use this corrupted data to ensure verbal and manual routing.
• Hazard effects: An aircraft may be cleared on a wrong route, which may result in a taxiway or restricted area incursion (immediately detected) or a nose-to-nose conflict with another aircraft. Runway incursion is not considered (because guidance is manual and controller misuse is not credible).
• Exposure: Duration: may persist for a substantial period of time. Number: medium traffic if layout is basic, light traffic if layout is simple; alternatively, heavy traffic if layout is basic and visibility condition is only 2.
• Recovery: Announcement information: none. Contingency measures: surveillance and conflict detection are unaffected, and visibility is sufficient for a pilot to taxi. Rate of development: sudden.
• Severity: 2 Hazardous. Probability to lead to an accident: 1%.
• Comments and recommendations: Worst-case credible scenario supporting the severity assessment: Supposing an inbound aircraft with wrong aircraft type, e.g. MD-80 instead of B747. HAZARD: In visibility condition 3, the controller continues to use this corrupted data to ensure verbal and manual routing: routing is wrongly performed through a taxiway that is forbidden to large-winged aircraft. The worst credible outcome is: both wings are damaged, as well as some building… possibly causing death of people inside the building.

HZ-18
• SIL: IV
• Hazard typology: Misuse
• Hazard description: In visibility condition 3, the controller does not detect the corruption of equipment flight data, and continues to use this corrupted data to ensure routing and automated ground guidance.
• Hazard effects: An aircraft may be cleared on a wrong route, which may result in a taxiway or a runway incursion (immediately detected), or a nose-to-nose conflict with another aircraft.
• Exposure: Duration: may persist for a substantial period of time. Number: heavy traffic.
• Recovery: Announcement information: none. Contingency measures: surveillance and conflict detection are unaffected, and visibility is sufficient for a pilot to taxi. Rate of development: sudden.
• Severity: 3 Major. Probability to lead to an accident: 0.1%.

HZ-19
• SIL: V
• Hazard typology: Misuse
• Hazard description: In visibility condition 4, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure routing and automated on-board guidance.
• Hazard effects: An aircraft may be cleared on a wrong route, which may result in a taxiway or a runway incursion (immediately detected), or a nose-to-nose conflict with another aircraft.
• Exposure: Duration: may persist for a substantial period of time. Number: heavy traffic.
• Recovery: Announcement information: none. Contingency measures: ground and on-board surveillance and ground conflict detection are unaffected. Rate of development: sudden.
• Severity: 3 Major. Probability to lead to an accident: 0.1%.

HZ-20
• SIL: III
• Hazard typology: Misuse (of surveillance or flight data related to adjacent sectors)
• Hazard description: In visibility condition 3 the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight data), and continues to use this corrupted data to ensure co-ordination.
• Hazard effects: At the 1st serious co-ordination mishap, the controller has to manage an unexpected event when assuming or transferring a flight. The event is non-critical because hand-over is usually performed in non-critical conditions.
• Exposure: Duration: may persist for a substantial period of time. Number: medium traffic if layout is basic, light traffic if layout is simple; alternatively, heavy traffic if layout is basic and visibility condition is only 2.
• Recovery: Announcement information: none. Contingency measures: none. Rate of development: sudden.
• Severity: 4 Minor. Probability to lead to an accident: 10⁻³ %.
• Comments and recommendations: Flights that are being provided with an ATC service are transferred from one ATC unit to the next in a manner designed to ensure complete safety. In order to accomplish this objective, it is a standard procedure that the passage of each flight across the boundary of the areas of responsibility of the two units is co-ordinated between them beforehand and that the control of the flight is transferred when it is at, or adjacent to, the said boundary. For ground control, at operational level, the key interoperability topic is co-ordination between controllers in the tower and controllers of the APP/ACC centres. The controllers must have common situation awareness, and they must have the means (systems and procedures) to co-ordinate³⁶ in order to hand over the control of aircraft. This interoperability is studied in the EMMA deliverable D121 (cf. [3]). The safety assessment will need to be co-ordinated with that of co-ordination between APP/ACC centres, and is out of scope of this document. The severity assessment opposite is a conservative proposal.


HZ-20 (continued)
• Comments and recommendations: Worst-case credible scenario supporting the severity assessment: (see comment above).

HZ-21
• SIL: IV
• Hazard typology: Misuse
• Hazard description: In visibility condition 3, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.
• Hazard effects: At the 1st serious co-ordination mishap, the controller has to manage an unexpected event when assuming or transferring a flight. The event is non-critical because hand-over is usually performed in non-critical conditions.
• Exposure: Duration: may persist for a substantial period of time. Number: one aircraft.
• Recovery: Announcement information: none. Contingency measures: none. Rate of development: sudden.
• Severity: 4 Minor. Probability to lead to an accident: 10⁻³ %.

HZ-22
• SIL: V
• Hazard typology: Misuse
• Hazard description: In visibility condition 4, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.
• Hazard effects: At the 1st serious co-ordination mishap, the controller has to manage an unexpected event when assuming or transferring a flight. The event is non-critical because hand-over is usually performed in non-critical conditions.
• Exposure: Duration: may persist for a substantial period of time. Number: one aircraft.
• Recovery: Announcement information: none. Contingency measures: none. Rate of development: sudden.
• Severity: 4 Minor. Probability to lead to an accident: 10⁻³ %.

HZ-23
• SIL: V
• Hazard typology: Recovery
• Hazard description: Recovery in visibility condition 4: the controller needs to recover from an equipment conformance monitoring failure by decreasing the number of aircraft moving simultaneously.
• Hazard effects: If automation fails it is reasonable to anticipate that mental take-over will be less efficient and will have a safety impact on ongoing operations.
• Exposure: Duration: may persist for a short period of time. Number: heavy traffic.
• Recovery: Announcement information: system alert. Contingency measures: none. Rate of development: sudden.
• Severity: 4 Minor. Probability to lead to an accident: 10⁻³ %.
• Comments and recommendations: Severity might drop to “no effect” if conformance monitoring is provided on board.


HZ-24
• SIL: V
• Hazard typology: Misuse
• Hazard description: Misuse of automation in visibility condition 4: due to over-reliance on automation, the controller does not detect the corruption of equipment conformance monitoring, and continues to use this corrupted data to ensure that the traffic is conforming to instructions.
• Exposure: Duration: may persist for a substantial period of time. Number: heavy traffic.
• Recovery: Announcement information: none. Contingency measures: none. Rate of development: sudden.
• Severity: 3 Major. Probability to lead to an accident: 0.1%.
• Comments and recommendations: Severity might drop to “no effect” if conformance monitoring is provided on board.

HZ-25
• SIL: All
• Hazard typology: Recovery
• Hazard description: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.
• Hazard effects: If automation fails it is reasonable to anticipate that manual take-over will be less efficient and will have a safety impact on on-going operations.
• Exposure: Duration: may persist for a substantial period of time. Number: all aircraft (with respect to the level of implementation).
• Recovery: Announcement information: system alert. Contingency measures: none. Rate of development: sudden.
• Severity: 5 No effect. Probability to lead to an accident: 0%.
• Comments and recommendations: Worst-case credible scenario supporting the severity assessment: NO IMPACT ON SAFETY.

HZ-26
• SIL: All
• Hazard typology: Recovery
• Hazard description: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by increased cognitive processing.
• Hazard effects: If automation fails it is reasonable to anticipate that mental take-over will be less efficient and will have a safety impact on ongoing operations.
• Exposure: Duration: may persist for a substantial period of time. Number: all aircraft (with respect to the level of implementation).
• Recovery: Announcement information: system alert. Contingency measures: none. Rate of development: sudden.
• Severity: 5 No effect. Probability to lead to an accident: 0%.
• Comments and recommendations: Worst-case credible scenario supporting the severity assessment: NO IMPACT ON SAFETY.


HZ-27
• SIL: IV or V
• Hazard typology: Recovery
• Hazard description: In visibility condition 3 or worse, the supervisor re-sectorises and the controller has to move from one controller working position to another.
• Exposure: Duration: may persist for a short period of time. Number: heavy.
• Recovery: Announcement information: self-evident. Contingency measures: none. Rate of development: sudden.
• Severity: 4 Minor. Probability to lead to an accident: 10⁻³ %.

Table 5-14: Severity allocation


Structure of the safety allocation table

The safety objectives are presented in a table that is composed of the following data:
• column 1, “A-SMGCS scenario implementation level”: self-explanatory;
• column 2, “share of the target level of safety (TLS) allocated to hazards originating from equipment failures”: focusing on hazards originating from equipment failures represents one of the main weaknesses of this analysis; indeed, the A-SMGCS target level of safety (i.e. 1 × 10⁻⁸ per operation) has to be divided between all hazards, not only the former; some part of the target level of safety should be set aside for other hazards; column 3 presents a possible share; as automation increases, the share of the TLS allocated to hazards originating from equipment failures increases whilst the share of the TLS allocated to hazards originating from people & procedure failures decreases;
• column 3, “share of the TLS allocated to hazards originating from people & procedure failures”: the difference between 100% and column 2;
• column 4, “global safety objective per movement allocated to equipment”: all hazards (including hazards originating from equipment failures) are identified at the boundary of the system; this means that people and procedures act as mitigation to reduce the probability of evolving from an equipment failure to a hazard; for a hazard to be raised, an equipment failure must occur and neither the people nor the procedures must correctly mitigate it; procedures to detect equipment failures and to recover from them need to be safe, and the people need to be adequately trained to cope with such equipment failures; in other terms, part of the TLS allocated to hazards originating from equipment failures needs to be allocated to recovery procedures and to training; the proposal in column 4 is to use the “share of the TLS allocated to hazards originating from equipment failures”, as provided in column 2, to cover all these allocation and mitigation aspects; thus, for a level II A-SMGCS implementation, the global safety objective per movement allocated to equipment is 10⁻⁸ × 15% = 1.5 × 10⁻⁹;
• column 5, “hazards references”: list of all the hazards likely to be raised for the given A-SMGCS scenario implementation level;
• column 6, “maximum hazard severity that can occur”: the worst case;
• column 7, “equipment safety objective (per movement)”: using the hypothesis of equiprobability of occurrence of hazards, this column provides the maximum probability at which a hazard (of the severity defined in column 6) may occur; thus, for a level II A-SMGCS scenario implementation, as there are only one hazardous and one minor hazard, totalling 0.0101 SCU (using the NATS mapping as explained in §1.7.5), the equipment safety objective (per movement) is equal to 1.5 × 10⁻⁹ / 0.0101 ≈ 1.5 × 10⁻⁷;
• columns 8 and 9 present the same data as column 7, but expressed in different units.

Another possible weakness of the analysis is linked to the disputable independence of hazards. Indeed, if the probability that a hazard is raised is linked to the probability that another hazard occurs, then the computations will be wrong. However, at this stage there is no known means to ensure the independence of the identified hazards, and the impact is assumed to be small.
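As an added worked example (this is not code from the EMMA report), the following Python script carries the column 4, 6, 7 and 8 computations through for level II with the figures stated above: a TLS of 1 × 10⁻⁸ per operation, a 15% equipment share, and the NATS mapping shown in the severity column of Table 5-14 (Catastrophic 100%, Hazardous 1%, Major 0.1%, Minor 10⁻³ %, No effect 0%). The level II hazard list is the one in Table 5-15; HZ-10, HZ-25 and HZ-26 are “No effect” in Table 5-14, and the assignment HZ-05 = Hazardous, HZ-01 = Minor is an inference from the text (“one hazardous and one minor”) together with Table 5-16, which gives HZ-05 the column 7 value. The function is general: it accepts any level's share and (hazard, severity) list and returns n/a figures when no hazard carries a safety effect, as for level I. Note that the text computes 1.5 × 10⁻⁹ for the level II global objective whereas Table 5-15 prints 1.35E-09 in that cell; the example follows the text, which is the value that reproduces the 1.50E-07 and 6 673 333 of columns 7 and 8.

```python
"""Derivation of the Table 5-15 safety objectives for one A-SMGCS level.

Added worked example; not code from the EMMA report. The method is the one
the text describes: the global objective allocated to equipment (column 4)
is the target level of safety multiplied by the equipment share (column 2);
the equipment safety objective for the worst hazard (column 7) divides that
global objective by the sum of the SCU weights of every hazard identified at
the level, the weights being the NATS mapping shown in Table 5-14.
"""

TLS_PER_OPERATION = 1e-8  # A-SMGCS target level of safety, as stated in the report

# NATS mapping (severity column of Table 5-14): probability that a hazard of
# the given severity leads to an accident, used here as the SCU weight.
NATS_MAPPING = {
    "Catastrophic": 1.0,  # 100 %
    "Hazardous": 1e-2,    # 1 %
    "Major": 1e-3,        # 0.1 %
    "Minor": 1e-5,        # 10^-3 %
    "No effect": 0.0,     # 0 %
}

# Severity class number as used in Table 5-14 (1 = Catastrophic, 5 = No effect).
SEVERITY_CLASS = {"Catastrophic": 1, "Hazardous": 2, "Major": 3, "Minor": 4, "No effect": 5}

# Level II hazard list from Table 5-15. HZ-10, HZ-25 and HZ-26 are "No effect"
# in Table 5-14. The text says level II has one hazardous and one minor hazard,
# and Table 5-16 gives HZ-05 the column 7 objective, so HZ-05 = Hazardous and
# HZ-01 = Minor is inferred from those two statements (assumption).
LEVEL_II_HAZARDS = [
    ("HZ-01", "Minor"),
    ("HZ-05", "Hazardous"),
    ("HZ-10", "No effect"),
    ("HZ-25", "No effect"),
    ("HZ-26", "No effect"),
]


def global_objective(equipment_share, tls=TLS_PER_OPERATION):
    """Column 4: the share of the TLS allocated to equipment failures, per movement."""
    if not 0.0 <= equipment_share <= 1.0:
        raise ValueError("equipment_share must be a fraction between 0 and 1")
    return tls * equipment_share


def scu_total(hazards):
    """Sum of SCU weights over a list of (hazard_ref, severity) pairs."""
    return sum(NATS_MAPPING[severity] for _, severity in hazards)


def worst_severity(hazards):
    """Column 6: the most severe class in the list (lowest class number), or None."""
    if not hazards:
        return None
    return min((severity for _, severity in hazards), key=SEVERITY_CLASS.__getitem__)


def derive_objectives(equipment_share, hazards, tls=TLS_PER_OPERATION):
    """Columns 4, 6, 7 and 8 of Table 5-15 for one implementation level.

    Under the equiprobability hypothesis every hazard occurs at the same
    rate p per movement, so the accident risk p * sum(SCU) must stay within
    the global objective; the resulting bound on p is column 7, and its
    reciprocal is column 8 (movements per equipment failure leading to a hazard).
    """
    g = global_objective(equipment_share, tls)
    total = scu_total(hazards)
    result = {
        "global_objective": g,
        "worst_severity": worst_severity(hazards),
        "scu_total": total,
        "equipment_objective": None,   # n/a when no hazard has a safety effect (level I)
        "movements_per_hazard": None,  # column 8
    }
    if total > 0:
        p = g / total
        result["equipment_objective"] = p
        result["movements_per_hazard"] = 1.0 / p
    return result


if __name__ == "__main__":
    r = derive_objectives(0.15, LEVEL_II_HAZARDS)
    print(f"global objective    : {r['global_objective']:.2e} per movement")
    print(f"SCU total           : {r['scu_total']:.5f}")
    print(f"worst severity      : {r['worst_severity']}")
    print(f"equipment objective : {r['equipment_objective']:.2e} per movement")
    print(f"one hazard every    : {r['movements_per_hazard']:,.0f} movements")
```

Running the script for level II gives a SCU total of 0.01001 (the text rounds it to 0.0101), an equipment objective of about 1.50 × 10⁻⁷ per movement and one hazard every 6 673 333 movements, which are the column 7 and 8 entries of Table 5-15.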


A-SMGCS scenario implementation level | Share of the target level of safety (TLS) allocated to hazards originating from equipment failures | Share of the TLS allocated to hazards originating from people & procedure failures | Global safety objective per movement allocated to equipment | Hazards ref. | Maximum hazard severity that can occur | Equipment safety objective (per movement) for worst hazard | i.e. one equipment failure leading to a hazard every X movements | i.e. one equipment failure leading to a hazard at Paris CDG every
I | 0% | 100% | Not applicable (no A-SMGCS equipment) | Not identified. | n/a | n/a | n/a | n/a
II | 15% | 85% | 1.35E-09 | HZ-01, HZ-05, HZ-10, HZ-25, HZ-26 | Hazardous | 1.50E-07 | 6 673 333 | 12 years
III | 35% | 65% | 3.5E-09 | HZ-02, HZ-06, HZ-11, HZ-14, HZ-17, HZ-20, HZ-25, HZ-26 | Catastrophic | 3.43E-09 | 291 717 143 | 521 years
IV | 45% | 55% | 4.5E-09 | HZ-03, HZ-07, HZ-12, HZ-15, HZ-18, HZ-21, HZ-25, HZ-26, HZ-27 | Catastrophic | 4.49E-09 | 222 895 556 | 398 years
V | 55% | 45% | 5.5E-09 | HZ-04, HZ-08, HZ-09, HZ-13, HZ-16, HZ-19, HZ-22, HZ-23, HZ-24, HZ-25, HZ-26, HZ-27 | Hazardous | 4.21E-07 | 2 372 727 | 4 years

Table 5-15: Derivation of safety objectives per A-SMGCS scenario implementation level


Assessing the results

At this stage, it is interesting to compare our results with the results obtained by EUROCONTROL in [27], even though the scope is not exactly the same. As mentioned previously, the scenario implementation level (SIL) II is the closest scenario to the one considered in the EUROCONTROL A-SMGCS safety case. At this level, five hazards have been identified, of which only two have safety effects. The EMMA SIL II hazards and safety objectives are recalled in Table 5-16.

EMMA (most) equivalent hazard ref. | EMMA (most) equivalent hazard description | EMMA SO (per movement)
HZ-01 | Recovery (from a total or partial equipment surveillance failure, e.g. loss of primary sensor, loss of time synchronisation, loss of labelling, etc.) | 1.50 E-04
HZ-05 | Misuse (of highly corrupted surveillance data) | 1.50 E-07
HZ-10 | Misuse (of slightly corrupted surveillance data, e.g. accuracy issue) | None: no safety effects
HZ-25 | Recovery: the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time. | None: no safety effects
HZ-26 | Recovery: the controller needs to compensate an equipment failure by increased cognitive processing. | None: no safety effects

Table 5-16: Summary of hazards and their associated safety objectives for SIL II

In [27], the total credible failures with safety consequences and their severity classification are illustrated in Table 5-17. These are grouped into a set of common hazards (labelled H01 through H10).

Eurocontrol safety case hazard ref. | Eurocontrol safety case hazard description | Eurocontrol safety case safety objective (per movement)
H01 | Total loss of A-SMGCS | 2.96 E-05
H02 | Loss of the position function for one aircraft | 2.82 E-03
H03 | Loss of the position function impacting multiple aircraft | 1.51 E-05
H04 | Corruption of the position function for one aircraft | 1.54 E-03
H05 | Corruption of the position function impacting multiple aircraft | 1.83 E-03
H06 | Total loss of the identification function | 1.83 E-03
H07 | Loss of the identification function impacting multiple aircraft | 1.83 E-03
H08 | Corruption of the identification function for one aircraft | 7.90 E-05
H09 | Corruption of the identification function impacting multiple aircraft | 5.52 E-04
H10 | Corruption of the conflict prediction function | 1.67 E-04

Table 5-17: Summary of credible failures for each hazard and their associated safety objective as extracted from the EUROCONTROL A-SMGCS safety case [27]

The mapping of the Eurocontrol A-SMGCS safety case hazards to the EMMA hazards is not straightforward, so the results are difficult to compare. Let us just point out that EMMA really highlights the issue of undetected failures (whatever the function, position or identification) with a very stringent safety objective on misuse. The logic behind this is the assumption that the controller(s) can revert to aerodrome ATC using a "safe" SMGCS if the A-SMGCS is detected as failed. Therefore the main risk of A-SMGCS is misusing corrupted A-SMGCS data, whatever the data. Failures must be detected.


Appendix G 1st workshop questionnaire, analysis and lessons learnt

Ref. number: D1.3.9


Presentation of the questionnaire

During the workshop, the audience was given, by surprise, a questionnaire pre-formatted as “Table 5-14: Severity allocation” of appendix F. Each table on each of the 4 sheets of paper (one per A-SMGCS implementation level) had 3 lines in order to allow for 3 hazards to be filled in per A-SMGCS implementation level. The audience was asked to stick, if possible, to the hazard typology (misuse, recovery, abuse), to assign the severity, to choose the most severe hazards they could think of, and to think about effects, exposure, recovery means, etc. Due to time constraints on the workshop, audience was given only 15 minutes. The results of the questionnaire are provided in Table 5-18. Objective outcomes

Six controllers, safety and/or A-SMGCS experts participated. Twenty-three hazards were collected, all but one dealing with the ground part of the A-SMGCS. None of the experts had time to fill in the 12 expected hazards. Only one participant filled in hazards for A-SMGCS implementation levels IV and V. The number of hazards filled in per participant ranged from 2 to 6. The hazard typology (i.e. misuse, recovery, abuse) was used by all but one participant (3 hazards). One participant did not provide the severity of any of his identified hazards. Three other participants left one of their hazards without a severity allocation. Thus, five hazards have not been ranked on the severity scale.


Questionnaire columns: Hazard ref.; A-SMGCS implementation level; Hazard typology (misuse, recovery, or abuse); Hazard description (at system level); Hazard effects at aerodrome ATC level (i.e. failure condition); Exposure (duration, number of exposed); Recovery (annunciation information, availability of external contingency measures, rate of development); Severity (1 to 5); Comments and recommendations (related to items external to the system under assessment). Fields left blank by the participants are omitted below.

HZ-28 (level II, "visibility 2"; typology not given)
Hazard description: Loss of MLAT information.
Hazard effects: Position is determined using SMR. Loss of automatic identification.
Exposure: duration: long; number of exposed: >1
Recovery: annunciation information: yes; contingency measures: use of manual labelling when possible; rate of development: suddenly
Severity: 5

HZ-29 (level II, "visibility 2"; typology not given)
Hazard description: Loss of surveillance data (SMR+MLAT)
Exposure: duration: long; number of exposed: >1
Recovery: annunciation information: yes; contingency measures: the controllers rely on procedural control and pilots positioning data.
Severity: 4

HZ-30 (level II, "visibility 2"; typology not given)
Hazard description: Loss of surveillance data (SMR+MLAT)
Exposure: duration: long; number of exposed: >1
Severity: 4

HZ-31 (level II; Misuse)
Hazard description: Controllers get misleading aircraft position via automated surveillance without knowing it is wrong.
Hazard effects: ATCO fooled by the error.
Exposure: duration: slow; number of exposed: one aircraft but many possible
Recovery: annunciation information: not detected; contingency measures: cross-check using radar data & visual
Severity: 4 (Minor)

HZ-32 (level II; Abuse)
Hazard description: ATC will use a system for surveillance during LVC 2+
Exposure: number of exposed: 10
Severity: 2

HZ-33 (level II; Misuse)
Hazard description: The use of the system by ATC after the system loss (undetected)
Hazard effects: Situational awareness impaired
Severity: 1

HZ-34 (level II; Recovery)
Hazard description: Unidentified false alert stage 2
Hazard effects: Possible go-around or aborted take-off
Exposure: duration: short; number of exposed: 2 or more
Severity: not allocated

HZ-35 (level II; Misuse)
Hazard description: Corrupt aircraft displayed on controller's HMI as off RWY when actually not
Hazard effects: Controller may issue take off / landing clearance when aircraft still on RWY
Exposure: duration: short; number of exposed: 1
Recovery: annunciation information: none; rate of development: sudden
Severity: 1
Comments: Severity depends on visibility: can the ATCO check the situation looking out of the window?

HZ-36 (level II; Misuse)
Hazard description: Labels between two aircraft swapping
Hazard effects: Controller giving instruction to "wrong" aircraft
Exposure: number of exposed: 2
Recovery: rate of development: sudden
Severity: 2

HZ-37 (level II; Recovery)
Hazard description: Unidentified call sign-code correlation error
Hazard effects: Possible accident due to loss of situational awareness
Severity: "?" (not allocated)

HZ-38 (level II; m, i.e. misuse)
Hazard description: Label swapping with vis 2
Hazard effects: Taxi conflicts; Rwy incursion
Exposure: duration: >5 sec; number of exposed: high
Recovery: contingency measures: label drops after 5 sec of no update; no manual labelling
Severity: 3
Comments: Severity depends on visibility conditions

HZ-39 (level II; m, i.e. misuse)
Hazard description: False alert with vis 2
Hazard effects: Misinterpretation of true alerts as false -> rwy incursion
Exposure: duration: more than 2 alerts per hour; number of exposed: high
Recovery: rate of development: slowly
Severity: 4

HZ-40 (level II; m, i.e. misuse)
Hazard description: Missed alert with vis 2 (by target loss -> surveillance failure)
Severity: not allocated

HZ-41 (level III; Misuse)
Hazard description: ATC will continue to use equipment for surveillance after a system loss (undetected)
Hazard effects: Situational awareness strongly impaired
Exposure: number of exposed: 10
Severity: 1

HZ-42 (level III; Misuse)
Hazard description: Wrong routing calculation provided by the system without being detected by anybody.
Hazard effects: Wrong route taken by the aircraft with potential conflict
Exposure: number of exposed: potentially many aircraft affected
Recovery: annunciation information: not detected
Severity: 3 (Major)

HZ-43 (level III; Abuse)
Hazard description: ATC will use a system for surveillance during LVC
Severity: not allocated

HZ-44 (level III; Recovery)
Hazard description: Equipment failure
Hazard effects: over-load head-down
Exposure: duration: 1-10 min; number of exposed: 10+
Severity: 3

HZ-45 (level III; Misuse (over-reliance on system))
Hazard description: Loss of system in a situation when recovery procedures still increase risk unacceptability
Severity: not allocated
Comments: valid for all further levels

HZ-46 (level III; m, i.e. misuse)
Hazard description: Target at wrong position
Exposure: duration: > 2s; number of exposed: low
Recovery: contingency measures: "no idea"
Severity: 1

HZ-47 (level III; R, i.e. recovery)
Hazard description: Loss of all EFS
Exposure: duration: > 1 min; number of exposed: high
Recovery: contingency measures: redundant EFS display that freezes the last setting
Severity: 3

HZ-48 (level III; m, i.e. misuse)
Hazard description: Wrong EFS information
Severity: 3

HZ-49 (level IV; Misuse)
Hazard description: Misleading ground guidance to aircraft remaining undetected
Hazard effects: Aircraft deviation from ground path or wrong way
Exposure: number of exposed: potentially on many aircraft
Recovery: annunciation information: not detected; contingency measures: consistency check with onboard Moving Map
Severity: 4 (Minor)

HZ-50 (level V; Misuse)
Hazard description: Misleading on-board guidance data remaining undetected
Hazard effects: Deviation from ground path
Exposure: number of exposed: one aircraft
Recovery: annunciation information: not detected; contingency measures: EVS or ATCO monitoring
Severity: 3 (Major)

Table 5-18: Workshop questionnaire result


Appendix H 2nd workshop short report

Ref. number: D1.3.9


The 2nd workshop was held on 24 June 2005 at the ANS training centre in Prague. The participants were Cenek Novotny, Daniel Gaspar, Filip Prahl, Lubomir Kozav and Richard Pichl from ANS-CR, Raimund Weidemann from the DFS, Nicolas Marcou and Pascale Henry-Ducos from DSNA, Maria Grazia Bechere from ENAV, Jean-Pierre Lesueur from EUROCONTROL and Stéphane Paul from TATM.

After a short round table, Stéphane Paul:
• explained the objectives of the meeting;
• defined the notion of hazard, its causes (fault modes) and effects (severity), as well as the notion of scenario implementation levels (SIL).

The rest of the meeting was spent discussing all the hazards related to SIL I and II, trying to describe the worst credible outcomes of hazards. All the results are provided in the final release of the FHA, starting from release 0.30.

For information, the curricula vitae of four of the participants of the 2nd workshop are provided below. Please note that the inclusion of these curricula vitae does not mean that these persons commit to the results of this report.

Richard PICHL, Ph.D.
1996 PhD in geophysics and volcanic hazard (Charles University, Prague)
1997-98 Airborne geophysical survey (World Geoscience Corp.)
1999-2003 ATC (ACC, APP/TWR Prague - ANS of the CR)
2003- Aviation hazard analysis with a focus on the Prague airport and the TMA Praha, a member of RWY Safety team as well as RWY capacity team (ANS of the CR).

Pascale HENRY-DUCOS, French Air Traffic Controller
1982-83 ATC training at the French Civil Aviation Academy (ENAC)
1983 Aerodrome Qualification
1984 Approach Qualification
1989 ATC manager in Toussus le Noble
1994 Fully qualified radar, approach and aerodrome controller
1997 Control Instructor, Tower Control Simulator Instructor
1983-1991 Toussus le Noble airport
1991-2001 Roissy Charles de Gaulle airport
2001 Operational expert in charge of Validation experiments, Human Machine Interfaces Studies, A-SMGCS specialist, representing DSNA in the Eurocontrol “A-SMGCS Procedures” Working Group
2001-05 R&D Experimental Centre, DSNA/DTI/SDER, Paris
Former private pilot licence for aircraft (C152-C172-TB20-TB21) and helicopter (Hughes 300, Alouette 2)

Maria Grazia BECHERE
Aeronautical Technical School of Rome
Former Private Pilot
Air Traffic Controller since 1996 at ENAV, the Italian Agency for Air Navigation Services, qualified as Tower and Radar Approach.
Present position: in force at the Airport Department at the Head Office in Rome
Seven years as active controller at Genoa airport
Internal expert for operations and procedures during low visibility conditions
Member of the “A-SMGCS Procedure Group” within EUROCONTROL
Member for ENAV of the EC project “EMMA”

Jean-Pierre LESUEUR, A-SMGCS Expert, EUROCONTROL DAP/APT
1968-74: Cadet ATCO at the French academy (ENAC Toulouse); transfer to Basle airport (LFSB) as APP/TWR Controller; Niamey airport/ACC (DRRN); Paris Le Bourget Airport (LFPB); Paris Charles De Gaulle Airport (LFPG).
1974-97 Part time detachment to Thomson Coop. (EU Tacis II Project in Russia), UTA Airline Training Centre (OPS agents training) and Institut Français de la Sécurité aérienne (IFSA): courses on CNS-ATM, safety on manoeuvring area and airport crash rescue plan
Vice-president of the French ATC guild (1986-97)
Member of the IFATCA Standing Technical Committee (90-97), IFATCA representative to the Airport Air traffic System interface (APATSI) project board and steering group on new ATC procedures (1993-97)
1974-99: ATCO, Supervisor, Instructor; in charge of the training organisation of the tower side of the ATS; member of many Working Groups, notably SALADIN (SMGCS) and AVISO (A-SMGCS) projects for ADP
1999 Paris, Air Navigation Direction, Deputy Head of the Air Traffic Control Division (DNA 2C)
2003 Contractor to ADV Systems Europe responding to a EUROCONTROL TRS as operational support to the Head of Airport Program, mainly for A-SMGCS.


(End of document)
