Presentation at MEDUSA final event on GNSS for civil aviation, Tunis, 04 June 2014. Presenter: Philip Church of Helios, [email protected]
MEDUSA final event on GNSS for civil aviation, Tunis, 04 June 2014
Development of the Safety Case for LPV at Monastir
Euromed GNSS II project/MEDUSA Final event on GNSS for aviation
Philip Church, Principal Consultant, [email protected]
Agenda
The requirement for safety
The design for implementation
Methodology
Implementation for Monastir
Conclusions of the safety assessment
Scope of the Safety Case
Operational environment: aircraft type, traffic levels, weather, terrain, type of airspace
• Aircraft – procedures, equipment, human
• ATM system – procedures, equipment, human
• ATM services
• ATC hazards and their causes, focusing on the deltas
Design for implementation
Ongoing Safety Management Planning – Safety Requirements are met through
• Design – e.g. reliability, procedures, conformance with standards
• ATCO awareness through training and familiarisation
• Transition assurance and readiness
• Ongoing safety management and assurance / maintained safety margin
• Arrangements to ensure ATCOs remain familiar with the system
• Contingency arrangements
• What are the arrangements for old system decommissioning?
• Arrangements to monitor alerting functions
• Maintenance planning and arrangements
• Arrangements to monitor occurrence and fault reports
• Unit Safety (Case?) arrangements
Some considerations for monitoring of risk
• A number of factors influence the probability of an accident occurring
• These factors could be termed “barriers”
• The effectiveness of these barriers increases or decreases over time in response to changing environments, services etc.
• A combination of leading and lagging indicators can be defined to assess the effectiveness of some of these key barriers, and report them to the Board
• E.g. Top 10 risk of a catastrophic accident
• How to monitor and evaluate this risk, in the absence of the specific outcome
Ongoing safety risk in an organisation
Chart: the tolerable level of safety (ICAO norms, 1E-08 per flight hour) is plotted against the actual safety level over time; the gap between them is the safety margin. An initiative in response to a specific risk widens the margin; the margin degrades due to complacency or a changing context.
In order to measure this, there needs to be a mature reporting system (despite more reporting leading to the appearance of more incidents).
Relating the probability of an accident to measurable metrics
• It isn’t an exact linear sequence, but the relationship between the accident and the underlying barriers (which prevent the accident occurring) can be presented as probabilities
• For every 1 accident, we tend to have 10 non-fatal accidents, 30 serious reportable incidents and 600 minor occurrences (unsafe acts)
• Data on probability based on the Heinrich model from Industrial Accident Prevention: A Safety Management Approach
Methodology
• Number of different options:
  • SAE ARP4761 (Fault and Event Tree Analysis, FMEA)
  • ED-125
  • Probability Risk Assessments
  • Eurocontrol SAM
    • PSSA
    • FHA
    • SSA
  • ESARRs
• For PBN:
  • the assessment needs to be more operationally than technically focused
  • the HAZARD needs to be set at the right level to set the Safety Requirements
Linking the Hazard Assessment to Safety Requirements
Diagram elements:
• Operational Hazards, with their Contributing Factors & Operational Outcomes, captured in the Bow Tie Model and recorded in the Hazard Log
• Safety Targets Derivation, leading to Safety Objectives specified
• Quantitative Fault Tree Analysis on contributing factors
• Qualitative Event Tree Analysis on operational outcomes
• Integrity, Functional/Performance and SWAL Safety Requirements specified
Hazard Assessment – Example of the Bow-tie Model
Diagram, reading left to right: Safety Objective → Safety Target → Safety Requirements
• Safety target for SC3, ACC: e.g. 4E-05 / ATSU hour
• Justification for safety objectives – e.g. major occurrences
• Causes split into non-ATM related and ATM related; non-ATM related causes are not a factor quantitatively, since the target only includes ATM-related factors
• ATM-related operational failures organised into 4 hazards (H-01, H-02, H-03, H-04) for clarity – target divided equally, 1E-05 each
What is the safety case trying to prevent?
Localisation of CONOPS
Local Safety Objectives
HAZARD identification
Risk assessment
Safety Case development
Implementation for Monastir
Monastir – Top Level Safety Argument
Customisation of CONOPS
• The operational environment describes:
  • the level of ATS provided
  • traffic types/levels
  • CNS equipment
  • airport ground equipment
  • airspace and existing procedures
• Assumptions confirmed by local operational and technical experts
• The EUROCONTROL CONOPS provides a generic concept of operations for APV SBAS approach
• Essential that these are validated locally to ensure the safety assessment remains valid
Local safety requirements – safety classification
• Not only the classification – also the content of the safety assessment
Local safety requirements – Hazard Log
Nominal operations
• Claim that conducting APV SBAS and LNAV/APV Baro approach operations is safe by design when all systems are working normally
• Combination of all elements:
  • flight crew
  • aircraft avionics
  • flight databases
  • ATCOs, and
  • EGNOS signal
• Show that the operations are consistent with established requirements for system integration, reliability and safety
Nominal operations
• Important to consider risk from an operational perspective, with involvement of operational and technical experts, early in the analysis as part of a ‘top-down’ process
• Use Cases were derived where the operation could be affected by the procedures (changes) introduced, based on the step-by-step flight profile through final approach:
  • intercepting the final approach path
  • following the final approach path
  • descending to DA
  • (executing the correct Missed Approach)
• Does not propose any new requirements – simply asserts that existing ones are complied with
Non-nominal operations
• Claim addresses the risks of failures of APV SBAS and LNAV/APV Baro operations as implemented at Monastir aerodrome:
• CONOPS contains no known deficiencies
• All hazards correctly identified and assessed
• All mitigations captured as safety requirements or assumptions as appropriate
Non-nominal operations
• HAZID held in Rome, June 2013 with representatives from the airport, procedure design and flight ops
• HAZID panel did not note any new additional hazards that would exist in the implementation at Monastir:
  • Hazard H3 - Fly low while intercepting the final approach path (vertical profile);
  • Hazard H4 - Attempt to intercept the final approach path from above (vertical profile);
  • Hazard H6 - Failure to follow the correct final approach path;
  • Hazard H7 - Descending below Decision Altitude (DA) without visual;
  • Hazard H8 - Failure to execute correct MA.
Non-nominal operations
Non-nominal operations – FTA/ETA
Non-nominal operations – Integrity requirements (SOs)
Cause (Event)                         Probability of occurrence [per approach]
Procedure validation error            4.20E-04
Error in coding the procedure         1.00E-08
Procedure publishing error            1.00E-07
Aircraft DB coding/packing error      1.00E-07
Error in DB loading tools             1.00E-08
High pressure given by ATC/AFIS       1.63E-06
High pressure given by MET system     1.26E-06
High pressure set by pilot            1.63E-06
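The "Quantitative Fault Tree Analysis on contributing factors" step applied to this cause table, as an added Python illustration that is not from the MEDUSA deck: the leaf probabilities are the per-approach values above, while the grouping into OR/AND gates, the cross-check barrier probability (1.0E-02) and the safety objective used for comparison (1.0E-05) are constructed assumptions.

```python
from math import prod
# Node: a leaf probability (float) or (gate, children) with gate "OR"/"AND".
# Child events are assumed independent, as in a basic quantitative FTA.

def probability(node) -> float:
    """Per-approach probability of a node's top event."""
    if isinstance(node, float):
        return node
    gate, children = node
    ps = [probability(c) for c in children]
    if gate == "AND":
        return prod(ps)
    if gate == "OR":
        # P(at least one) = 1 - P(none); a plain sum would over-count
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {gate!r}")

def objective_met(achieved: float, safety_objective: float) -> bool:
    """A safety objective is met when the achieved probability does not exceed it."""
    return achieved <= safety_objective

# Leaf values are the slide's per-approach figures; the grouping is assumed.
PROCEDURE_DATA_ERROR = ("OR", [
    4.20e-4,  # procedure validation error
    1.00e-8,  # error in coding the procedure
    1.00e-7,  # procedure publishing error
    1.00e-7,  # aircraft DB coding/packing error
    1.00e-8,  # error in DB loading tools
])
WRONG_PRESSURE_SETTING = ("OR", [
    1.63e-6,  # high pressure given by ATC/AFIS
    1.26e-6,  # high pressure given by MET system
    1.63e-6,  # high pressure set by pilot
])
# Constructed barrier: the wrong setting must also escape the cross-check.
PRESSURE_BRANCH = ("AND", [WRONG_PRESSURE_SETTING, 1.0e-2])
# Constructed top event: incorrect vertical profile on final approach.
TOP_EVENT = ("OR", [PROCEDURE_DATA_ERROR, PRESSURE_BRANCH])

def assess(tree, safety_objective: float) -> tuple:
    """Evaluate a tree and compare it against its safety objective."""
    p = probability(tree)
    return p, objective_met(p, safety_objective)

if __name__ == "__main__":
    so = 1.0e-5  # assumed per-approach SO for the constructed hazard
    p_top, met = assess(TOP_EVENT, so)
    print(f"top event {p_top:.3e} per approach; SO {so:.1e}; met: {met}")
    # The unmitigated 4.20E-04 validation-error leaf alone exceeds this SO.
```

Running it shows why the hazard log needs barriers captured as safety requirements: without a mitigation on the procedure-data branch the top event stays around 4.2E-04 per approach, far above the assumed objective.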
Non-nominal operations - TLS
Accident type                          TLS in accidents per approach
Controlled flight into terrain (CFIT)  1.0 x 10^-8
Landing accident                       2.0 x 10^-7
Mid-air collision (MAC)                1.0 x 10^-10
Non-nominal operations – setting SOs
Practical design and implementation steps
• The design and implementation of APV SBAS and LNAV/APV Baro at Monastir, when deployed, fully satisfies the specified functional and performance SRs and IRs
• Presents evidence consistent with the following sub-claims:
  • Assumptions for aircraft equipment and operators are adequately specified and validated for the implementation of APV SBAS and LNAV/APV Baro
  • Safety requirements and assumptions for ATC (people and equipment) are adequately specified and met/validated for the implementation of APV SBAS and LNAV/APV Baro
  • The APV SBAS and LNAV/APV Baro procedures are demonstrated to be practical
Transition into operation
• APV SBAS and LNAV/APV Baro are acceptable for initiation of operations, with transition risks fully addressed and mitigated as appropriate, i.e.
  • The APV SBAS and LNAV/APV Baro procedures are accepted as meeting the safety requirements
  • HMI is shown to be satisfactory
  • There are sufficient trained staff to operate and maintain the system
  • The APV SBAS (LPV) and LNAV/APV Baro procedures are published and promulgated to all relevant people
  • Validation flight trials have been successfully completed
  • All appropriate regulatory approvals to operate the procedure have been obtained
  • Any remaining system shortcomings have been highlighted and accepted for operation, including any unvalidated assumptions
  • A transition and reversion plan has been developed
In service safety monitoring
• The risks associated with operating APV SBAS and LNAV/APV Baro at Monastir will be monitored in service and corrective actions taken as necessary
• Imperative that the safety of the APV SBAS and LNAV/APV Baro procedures at Monastir is monitored to ensure that safety is not eroded:
  • Safety management
  • SBAS status and performance monitoring
  • Change management
  • Incident reporting
Conclusions of the safety assessment
Conclusions
Hazard ID   Safety objective   Achieved probability of occurrence   Objective met
H3          6.40E-05           4.63E-06                             Yes
H4          2.67E-04           4.77E-06                             Yes
H6          6.40E-05           1.78E-06                             Yes
H7          4.00E-08           2.29E-08                             Yes
H8          2.00E-07           1.22E-07                             Yes
• Compliance with the safety requirements, validation of the assumptions and fulfilment of the safety argument claims through evidence will support the overall claim of the assessment that APV SBAS and LNAV/APV Baro procedures at Monastir are acceptably safe for introduction and continued operational use