episode 3 - eurocontrol.int · episode 3 d2.4.3-02 - sesar top-down systemic risk assessment...

Episode 3

D2.4.3-02 - SESAR Top-Down Systemic Risk Assessment Version : 1.01

of 240

Issued by the Episode 3 consortium for the Episode 3 project co-funded by the European Commission and Episode 3 consortium.

EPISODE 3 Single European Sky Implementation support through Validation

Document information

Programme Sixth framework programme Priority 1.4 Aeronautics and Space

Project title Episode 3

Project N° 037106

Project Coordinator EUROCONTROL Experimental Centre

Deliverable Name SESAR Top-Down Systemic Risk Assessment

Deliverable ID D2.4.3-02

Version 1.01

Owner

Eric Perrin EUROCONTROL

Contributing partners

AENA, CAST, DFS, ERC, INECO, NATS, NLR

Episode 3


of 240


- This page is intentionally blank -

Episode 3


of 240


DOCUMENT CONTROL

Approval

Role Organisation Name

Document owner EUROCONTROL Eric Perrin

Technical approver EUROCONTROL Andreas Tautz

Quality approver EUROCONTROL Ludovic Legros

Project coordinator EUROCONTROL Alistair Jackson

Version history

Version Date Status Author(s) Justification - Could be a

reference to a review form or a comment sheet

1.00 08/06/2009 Approved Eric PERRIN Approved by the EP3 Consortium.

1.01 10/06/2009 Approved Eric PERRIN Approved by the EP3 Consortium (minor changes)

Episode 3


of 240


TABLE OF CONTENTS EXECUTIVE SUMMARY......................................................................................................... 11

OBJECTIVE ............................................................................................................................ 11 METHODOLOGY ..................................................................................................................... 11 FIRST PROTOTYPE OF A POTENTIAL PREDICTIVE MODEL FOR SESAR....................................... 12 SESAR SAFETY TARGET ....................................................................................................... 12 BASELINE RISK PICTURE ........................................................................................................ 13 “DO NOTHING” RISK PICTURE ................................................................................................. 14 AN INITIAL SESAR RISK PICTURE .......................................................................................... 14 COMPARISON WITH SESAR SAFETY TARGET.......................................................................... 15 RECOMMENDATIONS .............................................................................................................. 16

1 INTRODUCTION ............................................................................................................. 17 1.1 FOREWORD ............................................................................................................... 17 1.2 WHY DO WE NEED A MODEL OF ATM SAFETY?............................................................. 17 1.3 BACKGROUND............................................................................................................ 18 1.4 OBJECTIVES .............................................................................................................. 18 1.5 SCOPE ...................................................................................................................... 19 1.6 REPORT STRUCTURE ................................................................................................. 19

2 METHODOLOGY ............................................................................................................ 20 2.1 WHAT IS A RISK PICTURE ........................................................................................... 20 2.2 IRP IN THE SESAR CONTEXT .................................................................................... 20 2.3 OVERVIEW OF THE RISK MODEL.................................................................................. 21

2.3.1 Overall Risk Model structure............................................................................ 21 2.3.2 IRP in Predictive Modes .................................................................................. 23 2.3.3 IRP as a model for SESAR.............................................................................. 23 2.3.4 Effects of ATM Changes.................................................................................. 24

2.4 FURTHER DETAILS ON THE IRP/STAR METHODOLOGY................................................ 25 3 SESAR KEY FEATURES & REPRESENTATION IN THE IRP..... ................................. 26

3.1 INFORMATION SOURCES ............................................................................................. 26 3.2 KEY FEATURES .......................................................................................................... 26 3.3 PROCESS MODEL....................................................................................................... 27 3.4 OPERATIONAL IMPROVEMENTS ................................................................................... 28 3.5 ATM CHANGES.......................................................................................................... 31 3.6 SAFETY TARGETS ...................................................................................................... 32

4 BASELINE RISK PICTURE .............................. .............................................................. 33 4.1 BASELINE YEAR ......................................................................................................... 33 4.2 FATAL ACCIDENTS FREQUENCIES ............................................................................... 33 4.3 ICAO ACCIDENT FREQUENCIES.................................................................................. 35 4.4 BASELINE FOR SESAR RISK TARGET ......................................................................... 36 4.5 UNCERTAINTIES ......................................................................................................... 36 4.6 VERIFICATION ............................................................................................................ 36 4.7 VALIDATION ............................................................................................................... 37 4.8 RISK PICTURE FOR MID-AIR COLLISION....................................................................... 38

4.8.1 Choice of Accident Category ........................................................................... 38 4.8.2 Fault Tree Model.............................................................................................. 38 4.8.3 Barrier Model ................................................................................................... 38 4.8.4 Positive Contribution of ATM ........................................................................... 39 4.8.5 Causal Breakdown........................................................................................... 40 4.8.6 Influence Breakdown ....................................................................................... 48

5 “DO NOTHING” RISK PICTURE.......................... .......................................................... 50 5.1 CASE DEFINITION....................................................................................................... 50 5.2 MODELLING APPROACH.............................................................................................. 50 5.3 FATAL ACCIDENT FREQUENCIES ................................................................................. 51

Episode 3


of 240


5.4 ICAO ACCIDENT FREQUENCIES.................................................................................. 52 5.5 UNCERTAINTIES ......................................................................................................... 53 5.6 VERIFICATION ............................................................................................................ 53 5.7 VALIDATION ............................................................................................................... 53 5.8 IMPLICATIONS FOR THE SESAR RISK TARGET............................................................. 54

6 AN INITIAL SESAR RISK PICTURE ...................... ........................................................ 54 6.1 CASE DEFINITION....................................................................................................... 55 6.2 FATAL ACCIDENT FREQUENCIES ................................................................................. 55 6.3 ICAO ACCIDENT FREQUENCIES.................................................................................. 57 6.4 UNCERTAINTIES ......................................................................................................... 58 6.5 COMPARISON WITH SESAR RISK TARGET .................................................................. 58 6.6 EFFECTS OF INDIVIDUAL OIS....................................................................................... 58 6.7 VERIFICATION ............................................................................................................ 63 6.8 VALIDATION ............................................................................................................... 64 6.9 RISK PICTURE FOR MID-AIR COLLISION....................................................................... 64 6.10 IMPROVEMENT OF SESAR ......................................................................................... 67

7 TARGET-COMPLIANT RISK PICTURE...................... ................................................... 69 7.1 CASE DEFINITION....................................................................................................... 69 7.2 FATAL ACCIDENT FREQUENCIES ................................................................................. 70 7.3 ICAO ACCIDENT FREQUENCIES.................................................................................. 71 7.4 IMPLICATION FOR SESAR TARGETS ........................................................................... 72

8 CONCLUSIONS AND RECOMMENDATIONS.................... ........................................... 77 8.1 INITIAL RESULTS AND IRP STATUS.............................................................................. 77 8.2 CONCLUSIONS ON SESAR SAFETY ASSESSMENT ....................................................... 78 8.3 RECOMMENDATIONS FOR IMPROVED METHODOLOGY................................................... 79 8.4 RECOMMENDATIONS FOR SESAR .............................................................................. 80

9 REFERENCES ................................................................................................................ 80

10 GLOSSARY OF TERMS.................................. ............................................................... 82

11 ANNEX I. IRP METHODOLOGY AT GREAT LENGTH ........... ...................................... 85 11.1 THE QUALITATIVE MODEL........................................................................................... 85

11.1.1 Identification of Causal Factors ....................................................................... 85 11.1.2 Accident Categories......................................................................................... 85 11.1.3 Barrier Model ................................................................................................... 86 11.1.4 Accident Precursors......................................................................................... 88 11.1.5 Accident Scenarios .......................................................................................... 89 11.1.6 Failure Causes................................................................................................. 90 11.1.7 Fault Tree Structure......................................................................................... 91 11.1.8 Influences......................................................................................................... 93 11.1.9 Interdependencies ........................................................................................... 96

11.2 ANALYSIS OF HISTORICAL DATA.................................................................................. 97 11.2.1 Data Availability ............................................................................................... 97 11.2.2 Frequency Data Analysis................................................................................. 97 11.2.3 Causal Data Analysis....................................................................................... 98 11.2.4 Common Cause Data Analysis...................................................................... 101 11.2.5 Performance-Based Influence Data Analysis ................................................ 102

11.3 QUANTIFICATION OF THE FAULT-TREE MODEL ........................................................... 104 11.3.1 Quantification Approach ................................................................................ 104 11.3.2 Event Presentation ........................................................................................ 105 11.3.3 Logic Gates.................................................................................................... 108 11.3.4 Common Causes ........................................................................................... 110 11.3.5 Contributions of Fault Tree Events ................................................................ 113 11.3.6 Uncertainties .................................................................................................. 114

11.4 QUANTIFICATION OF THE INFLUENCE MODEL ............................................................. 116

Episode 3


of 240


11.4.1 Quantification approach................................................................................. 116 11.4.2 Performance-Based Influences ..................................................................... 117 11.4.3 Stratified Influences ....................................................................................... 122 11.4.4 Overall Influence Model ................................................................................. 125 11.4.5 Interdependencies ......................................................................................... 125

11.5 MODEL IMPLEMENTATION ......................................................................................... 126 11.5.1 IRP Main Model ............................................................................................. 126 11.5.2 STAR Tool ..................................................................................................... 126 11.5.3 Uncertainty Model.......................................................................................... 127 11.5.4 OI Modelling................................................................................................... 127

11.6 FORM OF RESULTS .................................................................................................. 132 11.6.1 Available Results ........................................................................................... 132 11.6.2 Contributions.................................................................................................. 132 11.6.3 Uncertainties .................................................................................................. 137 11.6.4 Comparison.................................................................................................... 137 11.6.5 Validation ....................................................................................................... 138

12 ANNEX II. PLANNED AIR TRAFFIC MANAGEMENT CHANGES... ........................... 139 12.1 INTRODUCTION......................................................................................................... 139

12.1.1 Objective ........................................................................................................ 139 12.1.2 Grouping ........................................................................................................ 140 12.1.3 Review Topics ............................................................................................... 140 12.1.4 Sources.......................................................................................................... 141 12.1.5 Results ........................................................................................................... 141

12.2 AIRSPACE ORGANIZATION AND MANAGEMENT ........................................................... 142 12.3 NETWORK MANAGEMENT ......................................................................................... 150 12.4 QUEUE MANAGEMENT .............................................................................................. 154 12.5 CONFLICT MANAGEMENT.......................................................................................... 156 12.6 AIRPORT OPERATIONS ............................................................................................. 178 12.7 AIRCRAFT OPERATIONS............................................................................................ 196 12.8 INFORMATION MANAGEMENT .................................................................................... 209 12.9 OTHER CHANGES MODELLED IN STAR...................................................................... 215

13 ANNEX III. MODELLING THE INFLUENCE LAYER & COMMON C AUSE IN THE IRP THROUGH NETWORKS – A FEASIBILITY STUDY ............. .............................................. 219

13.1 INFLUENCE LAYER.................................................................................................... 219 13.1.1 Introduction .................................................................................................... 219 13.1.2 Current IRP Influence Model ......................................................................... 220 13.1.3 Fault Trees and Networks.............................................................................. 220 13.1.4 Bayesian Belief Nets...................................................................................... 221 13.1.5 Types of BBN................................................................................................. 222 13.1.6 Types of BBN................................................................................................. 223

13.2 FEASIBILITY OF REPRESENTING COMMON CAUSES IN BBNS ...................................... 224 13.2.1 The Study....................................................................................................... 224 13.2.2 Conclusions ................................................................................................... 230

14 ANNEX IV. MODELLING OF ANOTHER ACCIDENT CATEGORIES: LOSS OF CONTROL DURING LANDING ............................. ............................................................... 230

14.1 PRESENTATION ........................................................................................................ 230 14.2 RUNWAY VEER-OFF DURING LANDING ........................................................................ 232

14.2.1 Fault Tree....................................................................................................... 232 14.2.2 Quantification................................................................................................. 232

14.3 RUNWAY OVERRUN DURING LANDING ....................................................................... 234 14.3.1 Fault Tree....................................................................................................... 234 14.3.2 Quantification................................................................................................. 234

14.4 HARD LANDING ........................................................................................................ 237 14.4.1 Fault Tree....................................................................................................... 237 14.4.2 Quantification................................................................................................. 237

Episode 3


of 240


14.5 RUNWAY UNDERSHOOT............................................................................................ 238 14.5.1 Fault Tree....................................................................................................... 238 14.5.2 Quantification................................................................................................. 239

Episode 3


of 240


LIST OF TABLES

Table 1: ATM Contributions to Fatal Aircraft Accidents............................................ 13

Table 2: Relative Change in ATM Contributions to Fatal Aircraft Accidents in the “Do Nothing” Case .................................................................................................. 14

Table 3: Relative Change in ATM Contributions to Fatal Aircraft Accidents for SESAR in 2020 ............................................................................................................. 15

Table 4: List of Operational Improvements and ATM Changes................................ 29

Table 5: ATM Contributions to Fatal Aircraft Accidents............................................ 34

Table 6: ATM Contributions to ICAO Aircraft Accidents........................................... 35

Table 7: Causal Breakdown of Mid-Air Collision for 2005 Baseline.......................... 42

Table 8: Relative Change in ATM Contributions to Fatal Aircraft Accidents in the “Do Nothing” Case .................................................................................................. 52

Table 9: Relative Change in ATM Contributions to ICAO-Defined Accidents in the “Do Nothing” Case .................................................................................................. 53

Table 10: Relative Change in ATM Contributions to Fatal Aircraft Accidents for SESAR in 2020 ................................................................................................ 56

Table 11: Causes of Changes in ATM Contributions to Fatal Aircraft Accidents for SESAR in 2020 ................................................................................................ 56

Table 12: Relative Change in ATM Contributions to ICAO-Defined Accidents for SESAR in 2020 ................................................................................................ 57

Table 13: Effect of Individual Operational Improvements Applied to 2005 Baseline. 59

Table 14: Mapping of Individual Operational Improvements onto ATM Elements for Mid-Air Collision ............................................................................................... 67

Table 15: ATM Contributions to Fatal Aircraft Accidents in the Target-Compliant Case......................................................................................................................... 70

Table 16: Relative Change in ATM Contributions to Fatal Aircraft Accidents in the Target-Compliant Case .................................................................................... 71

Table 17: ATM Contributions to ICAO Aircraft Accidents in the Target-Compliant Case ................................................................................................................ 71

Table 18: Relative Change in ATM Contributions to ICAO-Defined Accidents in the Target-Compliant Case .................................................................................... 72

Table 19: Base Event Probabilities for Mid-Air Collision in the Target-Compliant Case......................................................................................................................... 73

Table 20: Barriers against Mid-Air Collisions ........................................................... 86

Table 21: Precursor Sequence for Mid-Air Collisions............................................... 88

Table 22: Precursor Alternatives in Mid-Air Collision Scenarios............................... 90

Table 23: ATM Tasks in the Influence Model........................................................... 95

Table 24: ATM-Related Equipment ......................................................................... 96

Table 25: Example Causal Investigation of Loss of Separation Incident ................ 100

Episode 3


of 240


Table 26: Example Causal Analysis of STCA Warning Failures ............................ 100

Table 27: Example Common Cause Data for Mid-Air Collision .............................. 102

Table 28: Example Influence Investigation of Loss of Separation Incident............. 102

Table 29: Examples of Human Error Influences .................................................... 103

Table 30: Maximum Effect of Human Factors Fundamentals on Actor Tasks for Mid-Air Collisions .................................................................................................. 104

Table 31: Effect of Visibility Restrictions on Taxiway Collisions ............................. 123

Table 32: Probabilities of human performance in BBN – an example .................... 222

Table 33: Conditional Probability Table for the BBN of Figure 45 .......................... 225

Table 34: Conditional Probability Tables for the BBN of Figure 46 ........................ 226

Table 35: Conditional Probability Tables for BBN in Figure 49 .............................. 228

LIST OF FIGURES

Figure 1: Overall Risk Model Structure.................................................................... 12

Figure 2: Predicted and Required Trends in ATM Contributions to Fatal Aircraft Accidents per Flight and per Year for SESAR .................................................. 16

Figure 3: Overview of Relationship between IRP, STAR and SESAR ..................... 20

Figure 4: Overall Risk Model Structure.................................................................... 22

Figure 5: Effects of ATM changes ........................................................................... 24

Figure 6: Summary of the SESAR ATM Process Model .......................................... 27

Figure 7: Uncertainties in Fatal Accident Frequencies............................................. 36

Figure 8: Barrier Model of Mid-Air Collision for 2005 Baseline................................. 39

Figure 9: Contribution of ATM to Preventing Mid-Air Collision for 2005 Baseline..... 40

Figure 10: Main ATM Causes of Mid-Air Collision for 2005 Baseline ....................... 47

Figure 11: ATM Influences on Mid-Air Collision for 2005 Baseline........................... 49

Figure 12: Influences on ATC Conflict Management for 2005 Baseline ................... 50

Figure 13: Predicted trend in ATM Contributions to Fatal Aircraft Accidents in the “Do Nothing” Case .................................................................................................. 52

Figure 14: Predicted Trend in ATM Contributions to Fatal Aircraft Accidents for SESAR............................................................................................................. 57

Figure 15: ATM Influences on Mid-Air Collision for SESAR..................................... 65

Figure 16: ATM Influences on Mid-Air Collision for SESAR..................................... 66

Figure 17: Predicted and Required Trends in ATM Contributions to Fatal Aircraft Accidents per Flight and per Year .................................................................... 79

Figure 18: Swiss Cheese Diagram of Mid-Air Collisions .......................................... 87

Figure 19: Mapping from SESAR Process Model to IRP Barrier Model for Mid-Air Collisions.......................................................................................................... 87

Episode 3


of 240


Figure 20: Mid-Air Collision Scenarios..................................................................... 90

Figure 21: Failure Causes of Barriers Against Mid-Air Collisions ............................. 91

Figure 22: Schematic Fault Tree Structure .............................................................. 92

Figure 23: Simplified Fault Tree for Mid-Air Collisions ............................................. 92

Figure 24: Influences on Barriers Against Mid-Air Collisions.................................... 93

Figure 25: Generic Influence Model......................................................................... 94

Figure 26: Mid-Air Collision Frequency, 1990-2005................................................. 98

Figure 27: Event Tree Model of STCA Warning..................................................... 101

Figure 28: Quantification Approach for Mid-Air Collision Model ............................. 105

Figure 29: Fault Tree for Mid-Air Collision for 2005 Baseline................................. 107

Figure 30: Fault Tree for STCA Warning ............................................................... 108

Figure 31: Schematic Fault Tree Logic Gates........................................................ 108

Figure 32: Event Tree Equivalence of OR Gate..................................................... 109

Figure 33: Common-Cause Failures in AND Gates ............................................... 111

Figure 34: Fault Tree for Visual Warning Showing Common Cause Failures......... 113

Figure 35: Types of Uncertainties.......................................................................... 115

Figure 36: Conversion from Performance Score to Modification Factor ................. 119

Figure 37: Effect of Visibility Restrictions on Taxiway Collision Risk...................... 124

Figure 38: Example Influence Model for Conflict Management.............................. 125

Figure 39: Effects of OI Changing System Coverage ............................................ 129

Figure 40: Direct Effects of OI on Base Events...................................................... 129

Figure 41: Effects of OI on Influence Performance ................................................ 131

Figure 42: Positive and Negative Contribution of ATM .......................................... 133

Figure 43: Simple BBN.......................................................................................... 221

Figure 44: Common-Cause Failures in AND Gates ............................................... 224

Figure 45: Simple representation of the causal structure of accident A by a BBN.. 224

Figure 46: Representation of the causal structure of accident A by a layered BBN 226

Figure 47: Chosen form for Display in the IRP....................................................... 227

Figure 48: Illustrative representation of the causal structure.................................. 227

Figure 49: Concise representation of the causal structure..................................... 228

Figure 50: Further limited representation of the causal structure ........................... 229

Figure 51: Overarching aircraft accident fault tree (Baseline – see Table 1).......... 230

Figure 52: Fault Tree for Runway veer-off during landing (baseline scenario) ....... 232

Figure 53: Fault Tree for Runway Overrun during landing (baseline scenario) ...... 234

Episode 3


of 240


EXECUTIVE SUMMARY

OBJECTIVE

In the SESAR Definition Phase, the SESAR Consortium developed a Concept of Operations (ConOps) for future Air Traffic Management (ATM) in Europe. As part of the SESAR development, it is necessary to demonstrate that the concept will meet its performance targets, which include a quantitative safety target. It is also necessary to decompose this into lower level targets for constituent components of the SESAR system. The performance analysis of the SESAR concept recognised that this requires “an agreed model of incident-accident relationship”. During the SESAR Definition Phase, after screening the concept for impacts on safety regulation, it was recommended that “a new accident model should be developed that represents the SESAR operational concept (related to redefinition of ATM scope, functions and boundaries)”.

Since 2004, EUROCONTROL has constructed an Integrated Risk Picture (IRP), showing the overall contribution of Air Traffic Management (ATM) to aviation accident risks, and highlighting possible interdependencies, so that the priorities for safety improvements can be identified in a systematic way. EP3 now wishes to use the Integrated Risk Picture (IRP) to quantify the accident risks in this ConOps, and show how it can achieve the safety target that SESAR has set. Ultimately, this will create a Safety Target Achievement Roadmap (STAR), demonstrating how ATM will minimise risks while evolving from the present to the future ConOps.

The objectives of this report is to present how the IRP has been developed and applied as a prototype to model SESAR, identifying the main uncertainties and information gaps that would need to be addressed to complete the work. It presents the preliminary estimates made by IRP of the accident risks in the SESAR ConOps, showing whether it achieves the overall SESAR safety target.

METHODOLOGY

The IRP consists of a risk model, which shows the risks of aviation accidents and provides a structured breakdown of their causes, with particular emphasis on ATM contributions. The overall structure of the risk model is shown in Figure 1. Five accident categories are identified where ATM may make a significant contribution either in causing or preventing accidents:

• Mid-air collision

• Runway collision

• Taxiway collision

• Controlled flight into terrain (CFIT)

• Wake turbulence accident

Episode 3


of 240


Figure 1: Overall Risk Model Structure

Taxiw

ay collision

Mid-air

collision

Runw

ay

collision

Wake

turbulence

CF

ITAccident categories

Fault tree models(technical failures, human errors)

Influence model(task performance, operating environment)

Accident risks (fatal/non-fatal frequencies)

An influence model is used to represent more diffuse factors such as human, equipment and managerial performance, and the nature of the operating environment. These are modelled as modifications to the probabilities of the events in the fault tree. This influence model is the same for all accident categories, and hence represents common causes underlying the barrier failures, as well as factors too diffuse to model in a fault tree.

FIRST PROTOTYPE OF A POTENTIAL PREDICTIVE MODEL FOR SESAR

The risk picture for SESAR is formed by modifying the IRP to represent the combined effects of the set of operational improvements (OIs) and other ATM changes that are expected to be in place by 2020. Each ATM change is modelled through adjustments representing its expected impacts on appropriate elements of the risk model. These effects, together with the effects of changes in traffic levels, can then be summed to estimate the total risks and causal breakdown for 2020. The effects of positive and negative interactions between improvements are also modelled as far as possible. This approach allows investigation of the improvements that are necessary to satisfy the overall safety targets.

IRP concentrates on the way the elements of the future ConOps could be integrated to achieve overall targets. Detailed safety assessment of the individual ATM systems will still be necessary to demonstrate that they actually will achieve the performance assumed.

SESAR SAFETY TARGET

The SESAR safety target requires there to be no increase in the expected annual number of accidents with an ATM contribution. The term “accident”, as defined by ICAO (International Civil Aviation Organization), includes events causing fatality or serious injury to people or damage to the aircraft requiring repair. The results from this study show that ICAO-defined accidents are dominated by taxiway collisions, which implies that reducing these would be the easiest way of achieving target compliance. This is contrary to conventional views of what is important in ATM safety, and indicates that the ICAO-defined accidents may not be an

Episode 3


of 240


appropriate basis for the SESAR safety target. Therefore, in the present report the fatal accident frequency is used as the primary risk target, despite the apparent contradiction with the SESAR target.

The definition of “ATM contribution” includes accidents with causes that either are part of the ATM system (whether ground-based, space-based or airborne) or that ATM could reasonably have been expected to mitigate. In the present study, this means that any accident in the 5 modelled categories would inevitably include an ATM contribution. Thus the frequency of these accidents is equal to the frequency of ATM contributions.

The scope of the target covers the population of instrument flight rules (IFR) flights in the ECAC (European Civil Aviation Conference) region. The risk picture for this population is summarised below.

BASELINE RISK PICTURE

The baseline model is quantified using accident and incident data, with corrections for recent trends, so as to obtain risks for 2005 that are fully consistent with accident experience. It uses causal factors of different types of accidents and incidents, mapped onto the IRP risk model.

Table 1 shows the estimated contribution of ATM to fatal accidents in the five modelled accident categories for the 2005 baseline case. The frequencies of other types of aircraft accidents are included based on trended statistics, although these have not been modelled in detail in IRP and potential ATM contributions have not been estimated. The results are given as frequencies per flight, per flight hour (based on an average flight length of 1.5 hours) and as numbers of accidents per year in ECAC among IFR flights.

Table 1: ATM Contributions to Fatal Aircraft Accide nts

ACCIDENT CATEGORY

FATAL ACCIDENT

FREQUENCY (per flight)

FATAL ACCIDENT

FREQUENCY (per flight hr)

FATAL ACCIDENTS

IN ECAC (per year)

% OF FATAL

ACCIDENTS

% OF ATM CONTRIB-UTIONS

Mid-air collision 1.3E-08 8.8E-09 0.12 4% 17%

Runway collision 2.2E-08 1.5E-08 0.20 6% 28%

Taxiway collision 4.9E-10 3.2E-10 0.00 0% 1%

CFIT 3.9E-08 2.6E-08 0.36 11% 50%

Wake turbulence accident 3.2E-09 2.1E-09 0.03 1% 4%

Total ATM contributions 7.8E-08 5.2E-08 0.71 22% 100%

Loss of control in flight* 1.3E-07 8.5E-08 1.16 36% -

Loss of control in take-off* 4.8E-08 3.2E-08 0.44 13% -

Loss of control in landing* 6.4E-08 4.3E-08 0.58 18% -

Structural accident* 1.6E-08 1.1E-08 0.15 4% -

Fire/explosion* 2.2E-08 1.5E-08 0.20 6% -

Total aircraft accidents 3.6E-07 2.4E-07 3.23 100% -

* Potential ATM contributions to these accident categories have not yet been estimated (see Annex IV (section14) for loss of control during in landing).

These results show that 22% of fatal accidents involve some ATM contribution. The overall frequency of fatal accidents with an ATM contribution is estimated as 8 x 10-8 per flight, or 0.7 per year. These are dominated by CFIT as shown in the last column of the table, because the CFIT frequency was relatively high (although declining) in 2005, and because ATM always has at least the potential to prevent such accidents.

Episode 3


of 240


This high contribution from ATM and the high share from CFIT result from the functional definition of ATM. IRP estimates that only 1% of accidents are directly caused by ATM, through errors of commission by controllers or critical failures of their equipment. These events are dominated by runway collisions, which are more commonly due to instructions from a controller.

Equivalent values for ICAO-defined accidents are that 13% involve an ATM contribution, with an overall frequency of 3 x 10-7 per flight, or 2.4 per year. These are dominated by taxiway collisions, because many taxiway collisions are severe enough to be included as ICAO-defined accidents, although they are almost never severe enough to cause a fatality. The percentage ATM contribution is less than for fatal accidents, because of the dominance of non-fatal landing accidents, which have no significant ATM contribution.

“DO NOTHING” RISK PICTURE

IRP is able to model a “do nothing” case, in which no changes are made to ATM safety, while traffic is allowed to increase until it reaches the level predicted by SESAR for 2020, which would be 73% higher than in 2005. This is predicted to cause a corresponding 73% increase in the probability of a deviation encountering another aircraft and resulting in a collision, and an increase in controller workload, which indirectly increases the risks of all accident types. Table 2 shows the overall effects in the different risk measures relative to the 2005 baseline. The final column shows that the annual number of collisions varies with the square of the traffic, i.e. an increase by 1.732 = 3-fold. Overall, there must be a reduction by a factor of 2.4 in the overall frequency, in order to avoid any increase in the annual number of fatal accidents with ATM contributions.

Table 2: Relative Change in ATM Contributions to Fa tal Aircraft Accidents in the “Do Nothing” Case 1

Frequency in 2020 “Do Nothing” Case

Frequency in 2005 Baseline

ACCIDENT CATEGORY

FATAL ACCIDENT


FATAL ACCIDENT


FATAL ACCIDENTS

IN ECAC (per year)

Mid-air collision 1.73 1.73 2.99

Runway collision 1.73 1.73 2.98

Taxiway collision 1.73 1.73 2.98

CFIT 1.07 1.07 1.85

Wake turbulence accident 2.10 2.10 3.62

Total ATM contributions 1.42 1.42 2.44

The equivalent change in the number of ICAO-defined accidents is estimated as 2.9, due to the greater effect of taxiway collisions and the smaller effect of CFITs.

AN INITIAL SESAR RISK PICTURE

To represent the future case for SESAR, the operational improvements and other ATM changes are all modelled in combination with the traffic growth, to the extent that they are

1 The values in Table 2 (this applies to Table 3) are ratios of frequencies in 2020 divided by frequencies in 2005. The first column is the ratio of the frequencies per flight; the second is the ratio of the frequencies per flight hour. Because the flight time is assumed to be the same in 2005 and 2020, the ratios are also the same.

Episode 3


of 240


expected to be implemented by 2020 (based on linear growth between their initial and final operating capability).

Table 3 shows the overall effects in the different risk measures relative to the 2005 baseline. The bottom line shows that the fatal accident frequency is predicted to reduce by 6%, and as a result of traffic growth the overall number of accidents is predicted to increase by 62%. The equivalent change in the annual number of ICAO-defined accidents is estimated to be similar.

Table 3: Relative Change in ATM Contributions to Fa tal Aircraft Accidents for SESAR in 2020

Frequency in 2020 SESAR Case 2


ACCIDENT CATEGORY

FATAL ACCIDENT


FATAL ACCIDENT


FATAL ACCIDENTS

IN ECAC (per year)




CFIT 0.82 0.82 1.41



This combined model is of course very uncertain, but it represents a preliminary prediction of the overall effect of SESAR in a realistically developing environment. Part of the uncertainty is due to the lack of maturity of the concept. Although the current activities on safety assessment, risk modelling activities and validation provide a useful trial of the methods, the full validation activities will have to await the further development of the concept and will be completed within the SESAR JU (Joint Undertaking) program.

COMPARISON WITH SESAR SAFETY TARGET

Current predictions, as an outcome from how SESAR is currently modelled into the IRP, indicate that the SESAR ConOps is sufficient to prevent increases in the frequency per flight of fatal accidents with ATM contributions, while traffic increases by 73%, but is not sufficient on its own to prevent any increase in the number of fatal accidents. Figure 2 shows that, in simple terms, the modelled OIs achieve approximately half of the required improvement, compared to the “do nothing” case.

2 The flight time is still assumed to be the same in 2005 and 2020 (no operational efficiencies from future concepts yet taken into consideration), the ratios are also the same.

Episode 3


of 240


Figure 2: Predicted and Required Trends in ATM Cont ributions to Fatal Aircraft Accidents per Flight an d per Year for SESAR

0.0E+00

2.0E-08

4.0E-08

6.0E-08

8.0E-08

1.0E-07

1.2E-07

2000 2005 2010 2015 2020

FR

EQ

UE

NC

Y O

F F

AT

AL

AC

CID

EN

TS

WIT

H A

TM

C

ON

TR

IBU

TIO

N (

per

fligh

t)

Do nothing

Prediction

Target

0.0

0.5

1.0

1.5

2.0

2000 2005 2010 2015 2020

NU

MB

ER

OF

FA

TA

L A

CC

IDE

NT

S W

ITH

AT

M

CO

NT

RIB

UT

ION

(pe

r ye

ar)

Do nothing

Prediction

Target

RECOMMENDATIONS

Predictions of this type are difficult to achieve and verify, and the current results are inevitably uncertain. In particular the effects of each OI have been identified through preliminary suggestions by the project team, combined with relatively few expert review sessions. The main conclusions above are likely to be sensitive to the omission of ongoing harmonisation actions, and the lack of updated calibration of the model against historical trends and recommendations for improved methodology. It is therefore recommended that these should be included in future model development. The report includes several other recommendations for improving the current methodology. Therefore, the results in the present report, while suitable for use in validation and improvement of the risk model during the SESAR Development Phase and SESAR itself, are not yet considered robust, and may be subject to substantial revision in the near future.

Nevertheless, the work is considered sufficiently mature to begin to identify ways to reduce the ATM contribution to accident risks, and hence to improve the safety of the SESAR ConOps. The report includes information of this type, and it is recommended that this should be extracted from future evolutions of the IRP (SESAR WP16.1.1.1) in a systematic way and used to review and possibly improve the safety measures in the SESAR ConOps.

Episode 3


of 240


1 INTRODUCTION

1.1 FOREWORD

European airspace is fragmented and will become increasingly congested, as traffic is forecast to grow steadily over the next 15 years or so. ATM services and systems are not sufficiently integrated and are based on technologies that are already stretched to their limits. Therefore, in order to accommodate future air traffic needs, the European ATM services must undergo a massive operational change, supported by state-of-the-art and innovative technologies.

SESAR - the Single European Sky ATM Research Programme - is the means of defining, designing and delivering the operational and technological changes necessary to achieve a more efficient, better integrated, more cost-efficient, safer and more environmentally sustainable European ATM infrastructure by the year 2020.

In the SESAR Definition Phase, the SESAR Consortium developed a Concept of Operations (ConOps) for future Air Traffic Management (ATM) in Europe (SESAR D3, Ref 1). This represents a paradigm shift from the current airspace-based environment to a trajectory-based environment, so as to enable a 3-fold increase in capacity, which should handle traffic growth well beyond 2020.

As part of the SESAR development, it is necessary to demonstrate that the concept will meet its performance targets, which include a quantitative safety target (SESAR D2, Ref 2). It is also necessary to decompose this into lower level targets for constituent components of the SESAR system. The performance analysis of the SESAR concept recognised that this requires “an agreed model of incident-accident relationship” (D3 p63). After screening the concept for impacts on safety regulation, it was recommended that “a new accident model should be developed that represents the SESAR operational concept (related to redefinition of ATM scope, functions and boundaries)” (D3 p87).

1.2 WHY DO WE NEED A MODEL OF ATM SAFETY?

Effective safety management requires a detailed understanding of the potential contribution of ATM to aviation accidents and incidents as well as the existing benefits of ATM in preventing accidents and incidents, in order to optimise safety improvement efforts. There are many new concepts being developed for future ATM, e.g. conflict detection and resolution systems, new traffic management and airport throughput systems, etc. Each can have its own safety assessment and assurance programme but evaluating their combined effects on safety requires an integrated approach. This integrated approach considering the ATM System as a whole has the advantage of being able to organize and integrate the otherwise disparate array of assessments that would arise if only a compartmentalised approach (considering individual controller tools and concepts) was used. With the latter, it is possible that unrecognised interdependencies between ATM systems may prevent their planned safety benefits from being realised.

With SESAR, the new ATM concept will involve a number of such new tools or systems or concepts. This raises a number of questions:

• What is the safety assessment of the overall system?

• How might these new elements interact?

• Are there negative interactions that can be avoided, or even positive interactions, as yet unplanned into the system design concept, which could yield extra safety?

• Where are the strong and weak safety areas in the overall system?

• Is the resultant system risk sensitive to the sequence and timing of implementation?

Episode 3


of 240


• During the implementation phase, how do we demonstrate we are still on target?

• What happens if expected safety impacts of ATM changes fall short?

A causal risk model can help to answer questions like these.

1.3 BACKGROUND

Since 2004, EUROCONTROL has constructed an Integrated Risk Picture (IRP), showing the overall contribution of Air Traffic Management (ATM) to aviation accident risks, and highlighting possible interdependencies, so that the priorities for safety improvements can be identified in a systematic way. The IRP consists of a risk model (in effect, an accident-incident model as required by SESAR), which can represent a future concept of operations for ATM and predict whether it will meet overall safety targets. A methodology has also been developed for a Safety Target Achievement Roadmap (STAR), which shows the risks during the implementation of this concept of operations, i.e. the transition from the present towards the future vision. A specific version of IRP has been developed, known as a STAR tool, which will generate the STAR as the concept of operations is finalised.

EP3 now wishes to use the IRP to model the accident risks in the SESAR ConOps, to show how it can achieve its target for improving ATM safety and to apportion the target between the constituent components of the ATM system. In the present work, the IRP has been developed with a preliminary representation of the SESAR ConOps. This has been developed to represent each of the operational improvements (OIs) in the SESAR ConOps and provide a first quantitative estimate of their overall effects on safety, so as to predict whether SESAR will be able to meet its quantitative safety target.

1.4 OBJECTIVES

This report explains how the Integrated Risk Picture (IRP) can be used to quantify the accident risks in the SESAR Concept of Operations, thereby supporting a systemic risk assessment of the SESAR concept as a whole. It:

• Explains how IRP has been applied as a prototype to model SESAR, identifying the main uncertainties and information gaps that would need to be addressed to complete the work.

• Explains what types of results are available from IRP, outlining their potential utility for the safety management of SESAR. This includes recent improvements in the presentation of positive contributions of ATM elements to accident risks.

• Presents the preliminary estimates made by IRP of the accident risks in the SESAR ConOps (an initial SESAR Risk Picture), showing whether it achieves the overall SESAR safety target. The work is intended to deliver consistent design targets for SESAR concept components, which together will be sufficient to achieve the overall SESAR safety target.

• Provides in an appendix (section 11) a thorough description of the methodology behind the IRP itself, including recent improvements in the modelling of uncertainties, common cause failures and influences.

However, although EP3 2.4.3 activities on safety assessment and validation provides a useful trial of the methods, the full validation activities will have to await the further development of the concept and will be completed within the SESAR JU programme.

Consequently, this deliverable:-

• Builds the building blocks for the work under SESAR WP 16.1.1.1 and 16.6.1 (Ref. 13)

• Enhances the maturity of models

Episode 3


of 240


• Provides preliminary results at a level of details that is appropriate for the current stage of development of the CONOPS and with a degree of uncertainty that is inherent to judgmental inputs that have been collected

1.5 SCOPE

The geographical scope of SESAR covers the 42 member states of the European Civil Aviation Conference (ECAC), excluding oceanic airspace. IRP has the same scope. EP3 WP2.4.3 Deliverable 4 (“D2.4.3-04 – Method for Units of Operations”) will provide a methodology for obtaining results for specific ATM units within this region (Ref 3). With appropriate adjustment factors, the IRP methodology is in principle applicable world-wide.

The aircraft types that the SESAR safety target addresses (D2 p55) are instrument flight rules (IFR) flights of aircraft over 2250kg maximum take-off weight (MTOW). Due to data limitations, IRP currently approximates these using Western-built fixed-wing commercial aircraft over 5700kg MTOW. It also includes cases of collision with other types, e.g. military, very light jets (VLJ) or visual flight rules (VFR) aircraft, including gliders.

This work covers all OIs in SESAR that require ATM capability level 1-4. This includes all OIs with initial operating capability by 2020. Some OIs in level 4 have initial operating capability after 2020, but at present risk predictions are not attempted beyond that date.

1.6 REPORT STRUCTURE

Section 2 provides a high-level overview of the IRP/STAR methodology, outlining the risk model that is used to generate the risk picture of ATM, and how this represents the SESAR ConOps. Appendix I describes the IRP/STAR methodology at length.

Section 3 describes SESAR in more detail, explaining the key features that are represented in IRP. Appendix II gives full details on how the SESAR OIs and other ATM changes are modelled.

Section 4 presents the baseline risk picture for ATM in 2005. At present, the mid-air collision risk model is used to illustrate the available results. The models of other accident categories are available in the IRP 2008 package (Ref. 16).

Section 5 estimates the changes in risk that would result if no changes were made to ATM safety, while traffic was allowed to increase as predicted by SESAR. This “do nothing” case provides an alternative benchmark for ATM improvements up to 2020.

Section 6 estimates the future risk picture for ATM in 2020 with SESAR implemented. It also shows the estimated risk impacts of each OI, and highlights key modelling assumptions that affect the overall risk. Once validated to an acceptable standard, the risk picture can be used to identify additional risk reduction measures that might be reasonably practicable or help meet the overall risk targets.

Section 7 gives an indicative risk picture for that includes the SESAR ConOps and also complies with the SESAR safety target. For illustrative purposes, target compliance is achieved by improving the modelled safety management performance of ANSPs (Air Navigation Service Provider), airport and aircraft operators. These results allow the SESAR safety targets to be apportioned into specific airspaces and projects implementing the OIs.

Section 8 gives the current status of the work and recommends future improvements.

Episode 3


of 240


2 METHODOLOGY

2.1 WHAT IS A RISK PICTURE

The Integrated Risk Picture (IRP) represents the way that air traffic management (ATM) elements in Europe combine to minimise accident risks – the “big picture” of ATM safety.

• “Integrated” - IRP adds together the causal contributions from all ATM elements, taking account of inter-dependencies.

• “Risk” - IRP quantifies the likelihood of accidents and incidents of defined levels of severity.

• “Picture” - IRP gives a structured breakdown of the causal factors underlying the accident risk, as tree diagrams and pie charts.

• “ATM” – In line with the White Paper on the SESAR Safety Target (Ref 4), IRP applies to Air Navigation Services (ANS), which rely on the ATM functional system, including CNS (Communication, Navigation and Surveillance), ASM (Airspace Management) and ATFCM (Air Traffic Flow and Capacity Management) functions.

• “Elements” - IRP covers people, procedures and equipment, as well as management, organisation and culture.

2.2 IRP IN THE SESAR CONTEXT

The relationship between IRP, STAR and SESAR is illustrated in Figure 3.

Figure 3: Overview of Relationship between IRP, STA R and SESAR

Integrated risk picture (IRP)

•Risk levels•Risk breakdown by

ATM element

Safety target achievement

roadmap (STAR)•Risk evolution

•Target compliance

Risk model

ATM model•SADT process

model

ATM changes•Hazard identification•Quantitative effects

ATM model•SADT process

model

ATM changes•Hazard identification•Quantitative effects

Clusters of OIs•OIs definition

•Safety assurance process (SESAR SMP/SESAR D6)

•Safety case

Concept of operations

Target apportionment

The Integrated Risk Picture (IRP) consists of a risk model, which is used to generate a risk picture. The risk picture shows the risks of aviation accidents and provides a structured breakdown of their causes, with particular emphasis on ATM contributions. A preliminary risk picture for SESAR has been developed through the present project.

The Safety Target Achievement Roadmap (STAR) consists of a STAR tool, which is an enhanced version of the IRP, used to generate the roadmap for ATM evolution to the future ConOps. The STAR tool for SESAR has been developed through the present project.

Episode 3


of 240


The SESAR Consortium has established performance targets for ATM in 2020 and beyond (D2), and has defined a target ATM concept to meet them (D3), including a Concept of Operations (ConOps), its associated human roles, technical architecture and enabling technologies. Implementation of the ConOps will be through a set of Operational Improvements (OIs), whose definition is currently being developed. These OIs, together with other ATM changes over the same period must be represented in the risk model, in order to obtain the risk picture and demonstrate compliance with safety targets.

The IRP representing the SESAR Concept is to be used to decompose the SESAR safety criteria into lower level targets for constituent components (OI/Cluster of OIs) of the SESAR System as a whole. It also shows the more critical areas of change in the gate-to-gate ATM cycle, and the safety impacts of future ATM developments in SESAR. With a particular emphasis on ATM contributions (both positive and negative), it predicts the relationships between accidents and incidents taking due consideration of ATM scope, functions and boundaries. It also, together with uncertainty analyses, predicts what the frequencies of accidents and incidents and the different types of causal breakdowns, would be for any given situation with SESAR, if SESAR were properly specified from a safety perspective and implemented in accordance with that specification 3 . Consequently, the complementing bottom-up safety assessments will assess whether the lower level safety design targets coming from the system view are achievable (see SESAR Safety Management Plan and SESAR D6 (Ref. 14 and 15 respectively). If they cannot be met, the top-down view represented by the IRP must develop more realistic targets, and compensating changes must be made to other ATM elements if the overall target-compliance is to be maintained. This requires a process of negotiation between the overall risk model and the bottom-up safety assessments. This will be achieved through an iterative revision of modelling assumptions and apportioned targets. In particular, since the SESAR System architecture can only attain the required level of safety if the architectural elements each meet their Safety Requirements, the Safety Requirements achievability process will lead to a revised version of the overall risk model.

2.3 OVERVIEW OF THE RISK MODEL

2.3.1 Overall Risk Model structure

The chosen structure for the IRP risk model is illustrated in Figure 4. The measures of risk are the frequencies of fatal and non-fatal accidents and precursor incidents. This approach treats all accidents as equally important. In future work, it would be desirable to quantify the consequences more precisely in terms of numbers of fatalities or severity of damage to the aircraft.

3 Data-based, static models such as IRP, whilst providing a useful view of how ATM contribution to safety could look in the future, cannot provide assurance that it will actually look like that in practice, since the latter requires more direct, and for some purposes more dynamic, representations of safety contribution through the specification, modelling and simulation of the safety properties (functionality, performance, reliability and integrity) of the future ATM system.

Episode 3


of 240


Figure 4: Overall Risk Model Structure

Taxiw

ay collision

Mid-air

collision

Runw

ay collision

Wake

turbulence

CF

ITAccident categories

Fault tree models(technical failures, human errors)

Influence model(task performance, operating environment)

Accident risks (fatal/non-fatal frequencies)

In order to focus on accidents with potential ATM contributions, the IRP at present models the following accident categories4:

• Mid-air collision

• Runway collision

• Taxiway collision

• Controlled flight into terrain (CFIT)

• Wake turbulence accident

Fault tree models are used to represent distinct causal factors such as technical failures and human errors, which are the immediate causes of failure of the safeguards against accidents. Since different safeguards apply to different accident categories, a separate causal model is used for each category. Interdependencies within each fault tree are represented by common-cause modelling.

An influence model is used to show the effects of more diffuse factors such as human, equipment and managerial performance, and the nature of the operating environment, which are usually the underlying causes of accidents. These do not have distinct “failed” or “operating” states, but they do affect the probability of causal factors that are represented in the fault trees. One influence model is used to cover all accident categories, thus representing the interdependencies between the different fault trees.

The modelling techniques chosen for the IRP are those with established capability in aviation causal modelling. More advanced network-based techniques have theoretical advantages,

4 In addition, the modelling of loss of control during landing is described in Appendix IV. Of particular importance is the role of ATM in assisting the flight crew to maintain the correct approach path and of providing the flight crew with adequate information for the landing. Within the ‘loss of control in landing’ group the following general accident categories are addressed: ‘runway veer-off during landing’, runway overrun during landing’, ‘hard landing’ and runway undershoot. For those types, the appendix identifies the base events impacted by ATM and associated probability of occurrence. Full modelling of other accident categories (e.g. loss of control) and scenarios (e.g. runway incursion of vehicles) will take place during the SESAR Development Phase (WP16.1.1.1).

Episode 3


of 240


but these are unproven in practice, and less easily accepted by stakeholders. However, Appendix III presents the results of a feasibility study (including mathematical feasibility, computation complexity, added value, etc. and example focused application(s)) and added values of modelling the influence layer in the IRP through networks – e.g. via a Bayesian Belief Network (BBN). It also investigates the potential of modelling the Common Cause via BBN.

2.3.2 IRP in Predictive Modes

The model is first quantified for a baseline year (2005), using historical data on accident frequencies, causal distributions and maximum effects of influences. The direction of quantification is broadly top-down through the model. This gives generic values of the probabilities of base events in the fault tree, and a breakdown of causal factors.

This baseline model can then be modified to represent any specific case using the influence model or direct adjustment of the causal factors, derived from user inputs. This alters the base event probabilities, from which case-specific accident frequencies can be obtained, together with a case-specific risk picture. The direction of quantification in this predictive mode is broadly bottom-up through the model. The IRP structure is also adapted to fully represent SESAR principles (see Section 2.2.3).

The model is implemented using two separate sets of fault trees - one for the generic mode (baseline model), and one for the predictive mode. By ensuring that the two give identical results when user inputs are appropriate for ATM in 2005, this approach provides basic verification that the fault trees have been implemented without obvious errors.

The predictive mode is used to represent SESAR in 2020. It can also be used retrospectively to represent ATM in 1990, which provides another simple form of validation if the results are shown to match historical accident experience (EP3 2.4.3 D3, Ref 5). In other work, the predictive mode is used to represent specific ATM units (Ref 3).

2.3.3 IRP as a model for SESAR

The SESAR ConOps represents a change from an airspace-based environment to an aircraft trajectory-based environment. In doing so, it amplifies the existing need for collaboration amongst all stakeholders; exchange and sharing of data; communication media; and reliance on automated support tools both airborne and ground-based. One of the key safety issues about SESAR is that there will be more emphasis on the overall Network and on User Preferences - and both these may place extra constraints on executive controllers and reduce the standardisation within a sector.

It is also important to note that:

• The human will still be central in the future SESAR System as controllers, pilots, technicians, managers and decision makers (D3 p9).

• New separation modes will only be implemented only gradually over time5 (D3 p9).

• The ConOps is in all respects compatible with ICAO Concept of Operations (D3 p5).

• A continuous and balanced evolution of enablers, e.g. Communication, Navigation, Surveillance (CNS) technology, is foreseen from now onwards till SESAR end-state, and many enablers are already implemented or planned (D3 p48).

5 This report covers airborne separation, in which the role of separator is temporarily delegated to the Flight Crew to assure separation with regard to other aircraft under specific circumstances. Since it is only about the 2020 concept, it does not cover self-separation.

Episode 3


of 240


• As a whole, the SESAR ConOps is capitalizing on the current developments in ATM. In particular, many current programmes are building blocks for, and stepping stones to the future SESAR System – e.g. P-RNAV (Area Navigation) in Terminal Airspace, RNAV in Final Approach, Time Based Separation (TBS), TCAS RA Downlink, FASTI, TMA 2010, Link 2000+, DMEAN, CCAMS etc. (D3 p0)

The overall SESAR ConOps implementation strategy is based on a sound roadmap with achievable transition steps. It is clearly an evolution from where ATM is now, until 2020 and beyond. The predictive IRP model is therefore able to represent SESAR by modelling the cumulative risk impacts of a series of operational improvements. In fact, this is essential to ensure that the risk estimates for SESAR are soundly based, and that a realistic risk transition can be predicted and monitored.

For this work, the underlying structure of the IRP has been adapted to represent the SESAR ConOps, while ensuring that a similar structure can be used for both generic and predictive modes (see section 2.3.2). The modifications made to the previous IRP structure to represent the paradigm shift to a trajectory-based environment include:

• Definition of all mid-air conflicts in terms of trajectories.

• Separate modelling of conflict management by ATC (Air Traffic Control) and pilot.

• Separate modelling of ATC and airborne collision avoidance.

• Modelling of the influences of changed airspace structure and demand/capacity balancing.

• Modelling of common information inputs to all stages of conflict management.

Most of the changes are represented through changes (see section 2.2.4) in the parameters of the risk model. Future ATM can then be modelled by switching on elements that will be introduced by SESAR, whereas current ATM can be modelled by switching them off. In many cases, IRP represents changes by modifying the probabilities of events, which as far as possible are given names that represent both current and future ATM.

2.3.4 Effects of ATM Changes

The risk picture for future ATM concepts is based on a set of changes, which are expected to be in place by a certain time horizon. ATM changes may have complex effects on the risk model. Figure 5 shows the safety impacts that are represented in the model. These are categorised as:

• Safety benefits. These are the successful results of changes that are intended to improve safety.

• Safety hazards. These are the results of failures of changes that are intended to improve safety or the unintended results of changes that address other targets.

• Enabled changes. Many changes aim to increase capacity, and when the traffic increases this will increase risk. This enabled change is distinguished to simplify the modelling of the changes, which can be considered in the absence of any traffic change as a first step. For example, traffic changes will affect the initiating events and some circumstantial probabilities.

• Interdependent effects. Changes that interact with other ATM changes are of particular importance for risks, and therefore these need to be reflected in the model. Sections 11.1.9 and 11.2.4 describe how factors that either exacerbate or ameliorate each other are represented making the entire risk model non-linear.

Figure 5: Effects of ATM changes

Episode 3


of 240


These effects are identified for each change by a systematic process based on (E-OCVM Step 3 – Ref. 17):

• Judgemental techniques;

• Fast-time techniques;

• Real-time techniques.

The safety impacts are then represented in the model in several different ways:

• Direct effects on the base events of the fault tree. Events may be introduced, made obsolete or made more or less likely.

• Changes in the coverage of systems that are explicitly modelled in the fault tree. This can be used to control groups of events related to existing or new systems.

• Effects on components of the influence model. This will affect all events linked to an individual task or actor (see ‘Influence Layer’ above).

• New hazard in the fault tree structure that have not been revealed in accident and incident experience (switching on elements – see above). These new hazards are identified applying a “Prognostic” or “Predictive” approach to hazard identification, including cross-boundary hazards.

2.4 FURTHER DETAILS ON THE IRP/STAR METHODOLOGY

A more detailed presentation of the IRP/STAR methodology is contained in Appendix I in section 11.

Episode 3


of 240


3 SESAR KEY FEATURES & REPRESENTATION IN THE IRP

3.1 INFORMATION SOURCES

The Single European Sky ATM Research Programme (SESAR) has defined a target concept for ATM in Europe in 2020 and beyond. The target ATM concept (Ref 1) consists of:

• A Concept of Operations (ConOps) that defines how this ATM concept will operate.

• The human roles necessary to support the ATM concept.

• The architecture of the technical ATM system.

• The communication, navigation and surveillance (CNS) technologies that are expected to be used to implement the concept.

The present work has made use of the following information that is being developed to define the ConOps in more detail:

• An ATM process model using the Structured Analysis and Design Technique (SADT), showing the information flows through the ConOps.

• A set of Operational Improvements (OIs), defining each individual step in implementing the ConOps.

3.2 KEY FEATURES

The aim of the target concept is to enable a 3-fold increase in capacity, while meeting other performance objectives, so as to accommodate traffic growth well beyond 2020. The initial target for 2020 is a 73% increase in capacity (D2 p51).

The key features of the target concept that affect the risk modelling are:

• ATM will be based on 4D trajectories (i.e. position and time) instead of the current ICAO flight plans. These will be defined and flown with much higher precision than today, and shared between aircraft and ATM.

• Each flight will be executed as close as possible to the intentions of its owner, expressed by business/mission trajectories that evolve through:

Business development trajectory (BDT) - a long-term plan, internal to the airspace user.

Shared business trajectories (SBT) - mid/short term plans, made available to all stakeholders between months and hours before the flight.

Reference business trajectories (RBT) - The RBT represents the business/mission trajectory which the airspace user agrees to fly and the ANSP and Airports agree to facilitate, subject to separation provision. Most times indicated in the RBT are estimates, some may be target times (TTA) to facilitate planning and some of them may become constraints (CTA, CTO) to assist in queue management when appropriate - e.g. at AMAN horizon. The RBT consists of a 2D route, altitude and time constraints when required, altitude, time and speed estimates at way points and trajectory change points.

Executed trajectories - the actual aircraft flight, which is intended to be as close as possible to the RBT.

• System Wide Information Management (SWIM) will allow the sharing of all trajectory, aeronautical and meteorological data between stakeholders.

• Airspace design will allow aircraft to follow their preferred routes whenever possible, while pre-defined routes will be used in high-density airspace for capacity reasons.

Episode 3


of 240


• Only two categories of airspace will be defined:

Managed airspace where a separation service will be provided, although the role of separator may in some cases be delegated to the pilot.

Unmanaged airspace where the separation task lies solely with the pilot.

• Collaborative layered planning, will balance capacity and demand while taking account of constraints and specific events. A Network Operations Plan (NOP) will contain continuously updated results. This will ensure a degree of strategic de-conflicting, while minimising holding and ground queues.

• Airports will be integrated into ATM, so as to reduce the impact of adverse weather and improve the use of available runway capacity.

• Controllers will remain central to ATM, but will change their role towards earlier conflict resolution and monitoring of agreed trajectories.

• Controller task-load per flight will be reduced through advanced automation support, which will identify conflicting trajectories at an earlier stage than today, and provide resolution advice.

• New separation modes will help minimise controller task-load, while accommodating different aircraft capabilities. Separation modes will include:

Conventional modes as used today, but with better data and tools.

Precision trajectory clearances, in which the aircraft maintains a 2D, 3D or 4D trajectory within agreed containment.

Airborne separation, in which the role of the separator is delegated to the flight crew, supported by airborne separation systems. New airborne Separation Modes using ASAS (Airborne Separation Assistance System) applications for:

Airborne separation, in which the role of separator is temporarily delegated to the Flight Crew to assure separation with regard to other aircraft under specific circumstances

Self-separation6, in which the Flight Crew are the designated separator for a defined segment of a flight during which they shall assure separation from all other aircraft.

• Safety nets against mid-air collisions, such as STCA (Short Term Conflict Alert) and ACAS (Airborne Collision and Avoidance System), will be improved and extended.

• Safety nets against CFIT, such as MSAW (Minimum Safe Altitude Warning System), will be extended.

• Improved airport surveillance, procedures and safety nets will reduce runway collision risks and enable improved throughput in adverse weather conditions (e.g. low visibility conditions, strong head wind, etc.).

3.3 PROCESS MODEL

Figure 6 shows a simplified version of the ATM process model that has been developed for the SESAR ConOps. Most of the content of this model refers to the long-term and medium/short-term planning phases (A1 and A2). The parts of the model with more direct impact on safety are traffic separation and collision avoidance (A3.3 and A3.4). In future work, it would be desirable to develop a more detailed process model of these phases.

Figure 6: Summary of the SESAR ATM Process Model

6 Self-separation is a Level 5 capability and therefore outside of the scope of the study. It is mentioned here only for information purposes.

Episode 3


of 240


A2. Manage medium/short term planning phase

A1. Manage long term planning phase

A3. Manage execution phase

Forecast (Traffic + specific events)

Target performance levelsLong term resource capacity plan (NOP)

Catalogue of solutionsShared business trajectories (SBTs)

Activated plan (NOP + activated resources)Reference business trajectories (RBTs)

Pre-departure sequenceCatalogue of solutions

A3.3 De-conflict and separate traffic

A3.4 Avoid collision

A3.2 Manage traffic queues

A3.1 Adjust resources and traffic demand

A3.5 Dynamically adjust traffic and airspace



A3.2 Manage traffic queues

A3.1 Adjust resources and traffic demand

A3.5 Dynamically adjust traffic and airspaceExecuted business trajectories

A2.3 Balance planned demand and capacity

A2.4 Prepare flight for departure

A2.2 Refine local ATM resources

A2.1 Plan traffic and airspace requirements

A2.3 Balance planned demand and capacity

A2.4 Prepare flight for departure

A2.2 Refine local ATM resources

A2.1 Plan traffic and airspace requirements

A1.3 Optimise ATM resources

A1.4 Long term demand capacity balancing

A1.2 Initiate traffic and airspace demand planning

A1.1 Establish performance framework

A1.5 Determine long term user traffic demand

A1.3 Optimise ATM resources

A1.4 Long term demand capacity balancing

A1.2 Initiate traffic and airspace demand planning

A1.1 Establish performance framework

A1.5 Determine long term user traffic demand

3.4 OPERATIONAL IMPROVEMENTS

The list of Operational Improvements (OIs) that have been defined to plan the implementation of the SESAR ConOps is detailed in (Ref. 18).

OIs have been grouped into the following areas of ATM:

• AOM - airspace organisation and management

• DCB - demand/capacity balancing

• TS - traffic synchronisation

• CM - conflict management

• AO - airport operations

• AUO - airspace user operations

• IS - information services

There are 220 separate OI steps, each with a code (e.g. AO-0101), reflecting the ATM area above. These have been gathered into 10 lines of change (coded L01 etc), and 44 OIs (coded L01-01 etc).

The IRP/STAR work addresses all OIs that may be implemented before 2020. Where they have significant or diverse impacts on safety, the work addresses the individual OI steps. One OI step that covers several safety nets (CM-0801) has been split into part steps covering one safety net at a time. This results in a total of 80 OIs that are suitable for analysis in IRP (consisting of 30 actual OIs, 46 OI steps and 4 part OI steps).

The following sources of information have been used to help interpret the OIs:

• The definition/rationale provided in the OI list (Ref. 18) - this is the main source.

• Explanation from topic specialists at EEC during the hazard identification sessions - used where the definition/rationale was unclear.

Episode 3


of 240


• Detailed information from safety cases or safety assessments - used in a few cases where available.

Table 4 lists the full set of modelled OIs (including other ATM changes, as explained below). It also summarises the modelling approach, and the years when implementation is assumed to start and finish, based on the initial and final operating capability defined by SESAR. The prefix “STAR” in the table below means other changes modelled in STAR. Appendix II provides documentation of the sources used and information available for each OI.

Table 4: List of Operational Improvements and ATM C hanges

ID ATM CHANGE MODELLING APPROACH START YEAR

FINISH YEAR

STAR-01 Increased traffic Theoretical effect 2005 2020

STAR-02 Reduced delays IRP 2007 judgements 2005 2020

STAR-03 Reduced ATCO task load IRP 2008 judgements 2005 2020

STAR-04 Changed ATCO role IRP 2008 judgements 2005 2020

STAR-05 Larger aircraft Assumed negligible effect 2005 2020

STAR-06 Additional runways IRP 2005 judgements 2005 2020

STAR-07 Growth of medium-sized airports IRP 2007 judgements 2005 2020

AOM-0101 Harmonised airspace classification IRP 2005 judgements 2008 2011

AOM-0102 Three categories of airspace IRP 2007 judgements 2013 2021

AOM-0103 Two categories of airspace IRP 2007 judgements 2015 2021

L2-02 Optimising airspace allocation Assumed negligible effect 2008 2013

L2-03 Advanced FUA IRP 2005 judgements 2008 2025

L2-04 Facilitating OAT transit IRP 2007 judgements 2008 2021

L2-05 Flexibility of route network IRP 2008 judgements 2007 2028

L2-06 Free routes IRP 2008 judgements 2015 2021

L2-07 Enhanced terminal airspace IRP 2008 judgements 2007 2016

L2-08 Optimising climb/descent IRP 2008 judgements 2007 2017

L2-09 Flexible airspace configuration Assumed negligible effect 2008 2025

L3-01 Network operations plan (NOP) Enabler - modelled elsewhere 2007 2020

L3-02 User-driven prioritisation IRP 2008 judgements 2007 2020

L3-03 Shared business trajectory IRP 2008 judgements 2008 2023

L4-01 Network capacity management IRP 2008 judgements 2007 2021

L4-02 Monitoring ATM performance Assumed negligible effect 2007 2016

L7-01 Arrival traffic synchronisation IRP 2007 judgements 2007 2023

L7-02 Departure traffic synchronisation IRP 2007 judgements 2007 2019

L7-03 Managing interactions Assumed negligible effect 2011 2020

L5-02 Managing air traffic complexity Assumed negligible effect 2007 2023

L5-03 Enlarging ATC planning horizon IRP 2008 judgements 2008 2020

CM-0201 Coordination support IRP 2008 judgements 2008 2013

CM-0202 Conflict prevention support IRP 2008 judgements 2007 2015

CM-0203 Flight path monitoring IRP 2007 judgements 2007 2015

Episode 3


of 240



FINISH YEAR

CM-0204 Near-term conflict detection IRP 2008 judgements 2016 2020

CM-0401 Shared 4D trajectory IRP 2008 judgements 2016 2022

CM-0402 Coordination free transfer of control IRP 2007 judgements 2016 2022

CM-0403 Conflict dilution by action on speed Assumed negligible effect 2016 2022

CM-0404 Enhanced conflict detection Duplicates CM-0204 2016 2022

CM-0405 Preventing conflicts in terminal areas

IRP 2007 judgements 2015 2020

CM-0406 Detecting conflicts in terminal areas IRP 2007 judgements 2015 2020

L8-02 Precision trajectory clearance IRP 2007 judgements 2013 2025

TS-0105 ASAS spacing in TMA IRP 2008 judgements 2013 2017

CM-0702 ASAS crossing & passing IRP 2008 judgements 2020 2030

CM-080101 STCA IRP 2008 fault tree model 2007 2012

CM-080102 APW IRP 2007 judgements 2007 2102

CM-080103 MSAW IRP 2005 fault tree model 2007 2012

CM-080104 Approach path monitor Model required 2007 2012

CM-0802 ACAS RA downlink IRP 2007 judgements 2009 2015

CM-0803 Enhanced ACAS IRP 2007 judgements 2008 2013

CM-0804 ACAS adapted to new separation modes

Enabler - modelled elsewhere 2020 2025

CM-0805 STCA adapted to new separation modes

Enabler - modelled elsewhere 2020 2025

CM-0806 Safety net compatibility IRP 2008 judgements 2020 2030

CM-0807 Information sharing Assumed negligible effect 2017 2020

AO-0101 Airport runway incursion prevention Safety assessment judgements 2005 2013

AO-0201 A-SMGCS Level 1 IRP 2005 judgements 2005 2016

AO-0102 A-SMGCS Level 2 (RIMCAS) IRP 2005 fault tree model 2005 2016

AO-0103 Airport layout IRP 2007 judgements 2009 2016

AO-0104 Taxiway deviation alert IRP 2007 judgements 2013 2018

AO-0202 FOD detection Not modelled 2010 2015

L10-02 A-SMGCS Level 3 IRP 2007 judgements 2009 2018

AO-0301 Crosswind reduced separation Assumed negligible effect 2009 2013

AO-0302 Time based separation Safety assessment judgements 2012 2015

AO-0303 Wake vortex prediction Assumed negligible effect 2012 2015

AO-0304 Wake vortex detection IRP 2007 judgements 2015 2019

AO-0305 Rapid exit taxiways IRP 2007 judgements 2006 2009

AO-0402 Interlaced take-off and landing IRP 2005 judgements 2007 2015

AO-0403 Optimised dependent parallel operations

Assumed negligible effect 2012 2015

L10-06 Low visibility operations IRP 2007 judgements 2012 2015

Episode 3


of 240



FINISH YEAR

L10-03 Airport collaboration IRP 2007 judgements 2007 2013

L10-08 Sustainable operations IRP 2007 judgements 2007 2015

AUO-0301 Datalink communications IRP 2008 judgements 2007 2016

AUO-0302 Datalink RBT clearances IRP 2008 judgements 2013 2018

AUO-0303 Datalink RBT revision IRP 2008 judgements 2013 2018

AUO-0304 Cruise-climb trajectories Assumed negligible effect 2010 2016

AUO-0401 ATSAW on the airport IRP 2005 judgements 2010 2016

AUO-0402 ATSAW in flight IRP 2005 judgements 2010 2017

AUO-0403 Enhanced vision IRP 2007 judgements 2013 2018

AUO-0404 Synthetic vision IRP 2007 judgements 2018 2025

L10-07 Visual approaches IRP 2007 judgements 2009 2015

AUO-0602 Guidance on airport surface IRP 2008 judgements 2008 2013

AUO-0603 Surface routing assistance IRP 2008 judgements 2010 2014

AUO-0604 Taxi automation IRP 2008 judgements 2018 2023

AUO-0605 Pilot alerting for runway incursion IRP 2007 judgements 2010 2015

L10-04 Minimising runway occupancy time Assumed negligible effect 2007 2019

L1-01 Flight data consistency IRP 2007 judgements 2007 2012

L1-03 From AIS to AIM IRP 2007 judgements 2009 2015

L1-05 Airspace user data for ground tools IRP 2007 judgements 2010 2020

L1-02 Information provision IRP 2007 judgements 2007 2018

L1-06 Enhanced weather forecast IRP 2007 judgements 2017 2021

L1-04 Implementing SWIM Enabler - modelled elsewhere 2011 2025

3.5 ATM CHANGES

Some changes are expected to occur in ATM between 2005 and 2020 that are not represented as OIs by SESAR. Other ATM changes, which need to be modelled by IRP, include:

• Enabled changes (e.g. increased traffic, reduced delays) resulting from the implementation of SESAR.

• Combined effects (e.g. reduced controller task-load, changed role) which are the result of several OIs, but are more conveniently grouped together for modelling.

• Key enablers (e.g. Mode S), which are represented in SESAR as technology changes, not OIs.

• Changes in the operating environment (e.g. additional runways, growth of medium-sized airports), which will occur in the same timeframe as SESAR but are not included as OIs.

These changes are described in Appendix II (section 12) as far as they are modelled at present. Further work would now be desirable to represent them in more detail.

In order to model historical trends in risks, which is necessary to calibrate the model against historical experience, the historical ATM changes must be defined in the same way. This

Episode 3


of 240


historical calibration has not been updated since IRP 2005 (Ref 9). It would be desirable to complete this exercise to improve the predictions for SESAR.

3.6 SAFETY TARGETS

The safety goal for the SESAR programme is to “improve the safety performance by a factor of 10”. In risk modelling terms, this appears to refer to safety performance measured as the probability of collision given an encounter between a pair of aircraft (i.e. a case where their trajectories would infringe separation minima in the absence of any action by ATM). This risk metric varies according to the square of the traffic, so that the 10-fold improvement is needed to accept a 3-fold traffic increase during the SESAR concept life without any increase in the expected annual number of collisions. In general, allowing for the possibility of single-aircraft accidents, SESAR requires the safety performance to improve so that there is no increase in the expected annual number of accidents.

The scope of this target is defined as follows (Ref 4):

• Safety occurrences - as defined in ESARR2 (EUROCONTROL Safety Regulatory Requirement), i.e. any type of safety-related event (excluding unlawful related events) with an ATM contribution.

• Involvements - in the case of collisions, each aircraft involved is counted separately.

• ATM contribution - a contribution to an accident or an incident from any person or system (whether ground-based, space-based or airborne) performing an ATM function, or the positive contribution of ATM in preventing aviation accidents and incidents.

• ATM - it applies to Air Navigation Services (ANS), which rely on the ATM functional system, including CNS, ASM (Airspace Management) and ATFCM functions. It also applies to the safety levels of AIS (Aeronautical Information Services) and MET (Meteorological) data used by these elements.

• Geographical extent - The entire ECAC region.

• Airspace - all types of airspace (whether intended or unknown traffic environments).

• Traffic - all types of aircraft with MTOW > 2.25 tonnes, operating under IFR.

• Flight phases - the whole gate-to-gate cycle is included.

• Time period - from 2005 to 2020.

Key modelling issues are defined as follows:

• Traffic growth - average annual growth of 3.7% during the period 2005-2020, leading to an increase in traffic of 1.73x the 2005 level.

• Other traffic changes - to be modelled as accurately as possible.

• Safety nets - to be modelled as installed.

An ATM contribution in Ref 4 is made up of aspects that:

• Lie within the ATM system loop – irrespective as to whether the problem is in the ground, air or space segment of that loop; or

• Lie outside of the ATM loop but ATM could reasonably have been expected to mitigate the initiation or consequences of the causal event.

In the present study, this means that any accident in the 5 modelled categories would inevitably include an ATM contribution. Thus the frequency of these accidents is equal to the frequency of ATM contributions.

Episode 3


of 240


In summary, compliance with the SESAR safety target is considered to be achieved provided there is no increase in the expected annual frequency of ATM contributions to ICAO-defined accident involvements of all IFR traffic with MTOW over 2.25 tonnes, in all gate-to-gate phases, in all airspace types, over the whole ECAC region, between 2005 and 2020

In order to demonstrate target compliance, this requires IRP/STAR to be able to estimate the annual number of accidents with ATM contribution within the scope defined above, and show that it does not increase as SESAR is implemented. The necessary results are presented below. IRP/STAR should also be able to help optimise safety improvements so that risks of accidents also reduce where possible. This is also considered in Section 6 below.

4 BASELINE RISK PICTURE

4.1 BASELINE YEAR

The year 2005 has been used as the IRP baseline since the IRP work was first completed (Ref 9). The baseline model (ATM in 2005) is quantified using accident and incident data, with corrections for recent trends, so as to obtain risks for 2005 that are fully consistent with accident experience. It uses causal factors from fully reported investigations of different types of accidents and incidents, mapped onto the IRP risk model. This is convenient because the data for quantification is mainly drawn from the period 1990-2005, and so risk predictions for 2005 can be based on the trends in this data without any extrapolation. The end date reflects the fact that investigation reports on major accidents typically become available 1-3 years after the event.

It would be more appropriate for the baseline date to roll forward, since 2005 is now rather old. This could be achieved by updating the statistical analysis regularly. However, this is inefficient because the small numbers of events tend to produce year-on-year changes in the results that have no statistical significance, and are within the estimated uncertainty ranges. A better approach would be to use the predictive mode in IRP to estimate the effects of ongoing ATM changes. This would provide a continuous calibration of the model. However, few of these ongoing changes are represented in the SESAR OIs, and therefore it would be necessary to make a detailed definition of these before attempting to model their effects.

Meanwhile, it should be noted that the current (i.e. 2008) risk levels may be different from the 2005 baseline. During this period, traffic levels have increased, while various safety initiatives have been implemented; notably the mandated fitment of terrain awareness and warning systems (TAWS). It would be desirable to model these explicitly in future work, and then to update the baseline risk model.

4.2 FATAL ACCIDENTS FREQUENCIES

Table 5 shows the estimated fatal accident frequencies in the five modelled accident categories for the 2005 baseline case (see section 11.2.2 for further details). To set them in context, the frequencies of other types of aircraft accidents are included, although these are based on trended statistics and have not been modelled in detail in IRP. The results are given in three forms:

• Frequencies per flight.

• Frequencies per flight hour, based on an average flight length of 1.5 hours, obtained from the total number of flights and flight times during one week in June 2005.

• Numbers of accidents per year in ECAC, based on a total of 9.1 million IFR flights in Europe in 2005 (Ref 10).

The risk breakdown is the same in all three units.

Episode 3


of 240


Table 5: ATM Contributions to Fatal Aircraft Accide nts

for IFR Flights within ECAC Region in 2005

ACCIDENT CATEGORY

FATAL ACCIDENT


FATAL ACCIDENT


FATAL ACCIDENTS

IN ECAC (per year)

% OF FATAL

ACCIDENTS





CFIT 3.9E-08 2.6E-08 0.36 11% 50%



Loss of control in flight* 1.3E-07 8.5E-08 1.16 36% -

Loss of control in take-off* 4.8E-08 3.2E-08 0.44 13% -

Loss of control in landing* 6.4E-08 4.3E-08 0.58 18% -

Structural accident* 1.6E-08 1.1E-08 0.15 4% -

Fire/explosion* 2.2E-08 1.5E-08 0.20 6% -

Total aircraft accidents 3.6E-07 2.4E-07 3.23 100% -

* Potential ATM contributions to these accident categories have not yet been estimated (see Annex IV (section14) for loss of control during in landing).

The table also shows the ATM contributions to accidents. These are the frequencies of accidents in which ATM provides at least one of the modelled causes. ATM here includes any person or system performing an ATM function (for consistency with the targets in Section 3.6). This in effect includes controllers, navigation infrastructure and flight crew (in their actions to prevent or avoid collisions with aircraft, terrain or other obstacles). This functional definition in effect means that any accident in the 5 modelled categories would inevitably include an ATM contribution. Thus the frequency of these accidents is equal to the frequency of ATM contributions.

Potential ATM contributions to the other accident categories have not yet been estimated, but are expected to be small. However, loss of control during landing is an important category of accidents, and so it would be desirable to quantify the ATM contribution to this. It is addressed Appendix IV (section 14).

The results show that 22% of fatal accidents involve some ATM contribution. The overall frequency of fatal accidents with an ATM contribution is estimated as 8 x 10-8 per flight, or 0.7 per year. The last column of the table above shows that CFIT provides the largest share (50% of the ATM contribution), followed by runway and mid-air collisions. These are the most important accident categories, according to this risk measure.

This high contribution from ATM and the high share from CFIT result from the functional definition of ATM. Different definitions could produce significantly different results. For example, CFIT accidents are mainly the result of actions or omissions by the flight crew, and any definition of ATM that excludes terrain separation by the flight crew will have a much lower contribution from CFIT. For example, a possible risk measure is the frequency of direct causes of fatal accidents, i.e. cases where separation (from other aircraft, terrain or wake turbulence) is lost because of errors of commission by executive controllers or critical failures of their equipment. IRP estimates that only 1% of fatal accidents are directly caused by ATM. In these direct causes, CFIT forms only 24% of the ATM direct contribution, while runway collision dominates the risks. This change is because the ATM contribution to CFIT is mainly a failure to prevent the accident rather than the direct cause.

Episode 3


of 240


4.3 ICAO ACCIDENT FREQUENCIES

Table 6 shows the equivalent frequencies of ICAO-defined accidents (see Ref. 4 for the definition) in the 2005 baseline case. Compared to fatal accidents, the frequencies of ICAO accidents are much higher, especially for taxiway collisions. Loss of control in landing is also an important category of ICAO accidents, and so it would be desirable to quantify the ATM contribution to this.

Table 6: ATM Contributions to ICAO Aircraft Acciden ts


ACCIDENT CATEGORY

ICAO ACCIDENT


ICAO ACCIDENT


ICAO ACCIDENTS

IN ECAC (per year)

% OF ICAO ACCIDENTS

% OF ATM

CONTRIB-UTIONS




CFIT 4.5E-08 3.0E-08 0.41 2% 17%



Loss of control in flight* 2.5E-07 1.6E-07 2.24 12%

Loss of control in take-off* 1.4E-07 9.2E-08 1.26 7%

Loss of control in landing* 1.3E-06 8.4E-07 11.44 61%

Structural accident* 3.6E-08 2.4E-08 0.33 2%

Fire/explosion* 1.0E-07 6.8E-08 0.93 5%

Total aircraft accidents 2.1E-06 1.4E-06 18.63 100%

* Potential ATM contributions to these accident categories have not yet been estimated.

The results show that 13% of ICAO-defined accidents involve some ATM contribution.

This is less than for fatal accidents, because of the dominance of non-fatal landing accidents, which have no significant ATM contribution.

The overall frequency of ICAO accidents with an ATM contribution is estimated as 3 x 10-7 per flight, or 2.4 per year. The last column of the table above shows that taxiway collision provides the largest share (55% of the ATM contribution), whereas mid-air collision provides the smallest modelled share (6%). This is because many taxiway collisions are severe enough to be included under the ICAO definition, although they are almost never severe enough to cause a fatality.

This distribution is not greatly affected by the functional definition of ATM. Although only 0.2% of ICAO-defined accidents are directly caused by ATM, taxiway collisions still provide 60% of the ATM contribution7. This is because, while taxiway accidents are usually the result of flight crew errors, any ATC causal contribution (e.g. incorrect ground movement clearance) is a direct cause.

7 The 0.2% and 60% come from the IRP itself (Ref. 16). For brevity the report does not have the full tables of direct contributions.

Episode 3


of 240


4.4 BASELINE FOR SESAR RISK TARGET

The defined safety target for SESAR is the annual number of ICAO-defined accidents with ATM contributions (Section 3.6). This implies that the critical value that should not increase is the value of 2.43 ICAO-defined accidents per year from Table 6.

However, this result is dominated by taxiway accidents, and implies that reducing these would be the easiest way of achieving target compliance. This is contrary to conventional views of what is important in ATM safety, and indicates that the ICAO-defined accidents may not be an appropriate basis for the SESAR safety target (as discussed in Ref 4).

Therefore, in the present report the fatal accident frequency is used as the primary risk target, despite the apparent contradiction with the SESAR target. This implies that the critical value that should not increase is the value of 0.71 fatal accidents per year from Table 5. The implications of this choice are discussed at each stage below.

4.5 UNCERTAINTIES

The results from IRP are inevitably uncertain due to the limitations of available accident data and the difficulty of representing accident risks in a quantitative model. These uncertainties must be taken into account when interpreting the results. Figure 7 shows example uncertainties on the fatal accident frequencies per flight. The main bars represent the best-estimates from Table 5. The I-shaped bars represent the 90% confidence ranges, between the 5%ile and 95%ile of the underlying probability distributions.

Figure 7: Uncertainties in Fatal Accident Frequenci es

1.0E-10 1.0E-09 1.0E-08 1.0E-07 1.0E-06

Mid-air collision

Runway collision

Taxiway collision

CFIT

Wake turbulence accident

FATAL ACCIDENT FREQUENCY (per flight)

These results show that only differences greater than a factor of about 3 can be considered statistically significant. They also highlight the very large uncertainty in the fatal taxiway collision frequency (since fatal accidents of this type have not yet occurred), and in the lower bound of the CFIT frequency (due to uncertainty about the effects of TAWS implementation up to 2005). Similar uncertainties apply to all the results in the baseline model.

4.6 VERIFICATION

To verify that the results above are as intended, the following explains the sources of selected values. This also serves to highlight some of the key assumptions underlying the results.

The frequency of fatal mid-air collisions is based on 11 Western commercial aircraft (4 large jets, 6 turboprops and 1 small jet) known to have been involved in mid-air collisions world-wide during 1990-2006, divided by an estimated experience of 487 million flights on these aircraft in this period. A trend analysis indicates the frequency has reduced and the 2005 value is estimated as 0.72x the historical average. A regional breakdown indicates that the

Episode 3


of 240


frequency in Europe is 0.83x the world average. Hence the overall frequency is estimated as 11/487 million x 0.72 x 0.83 = 1.3 x 10-8 per flight, as in Table 5. The uncertainties due to the regional breakdown exceed those due to the small dataset and trend analysis, and indicate a confidence range from 0.3x to 2.1x the best-estimate, as shown in Figure 7.

The frequency of ICAO-defined taxiway collisions is based on 136 Western commercial aircraft involved in taxiway collisions world-wide during 1990-2005, divided by an estimated experience of 453 million flights on these aircraft in this period. The dataset was obtained from a search of ADREP (Accident/Incident Data Reporting) and other sources, and it is recognised that this may be incomplete. The ICAO accident definition covers only 52% of these collision involvements. A trend analysis indicates the frequency has increased and the 2005 value is estimated as 2.1x the historical average. A regional breakdown indicates that the frequency in Europe is 0.45x the world average. Hence the overall frequency is estimated as 136/453 million x 0.52 x 2.1 x 0.45 = 1.5 x 10-7 per flight, as in Table 5. The main uncertainties are due to the regional breakdown and trend analysis, and indicate a confidence range from 0.5x to 2.2x the best-estimate. Figure 7 shows larger uncertainties due to the uncertain fatality probability, given that none of the accidents were fatal.

The number of ICAO-defined accidents due to loss of control on la nding is based on 209 accidents on large Western commercial jets (over 27,000kg MTOW) world-wide during 1993-2002, divided by an estimated experience of 166 million flights on these aircraft in this period. The dataset was provided by Boeing and has not been updated. No trend analysis or regional breakdown is available for it. It would be desirable to improve this analysis. The IFR traffic in Europe in 2005 was 9.1 million flights. Hence the number of accidents is estimated as 209/166 x 9.1 = 11.4 per year, as in Table 6.

Verification of base event probabilities, which underpin the results in the following sections, is similar in principle although much more lengthy. It is omitted for brevity in this report.

4.7 VALIDATION

The process of validating the IRP model has been explained in section 11.6.5. Simple checks of face validity of the overall results are made as follows:

• Fatal mid-air collisions involving commercial aircraft in Europe last occurred at Überlingen in 2002 and prior to that in Zagreb in 1976. Given the recent traffic growth since then, this is roughly consistent with the prediction from Table 5 of an average return period of 8 years for this event.

• Fatal runway collisions involving commercial aircraft in Europe last occurred at Milan Linate in 2001 and Paris Charles de Gaulle in 2000. This is roughly consistent with the prediction from Table 5 of an average return period of 5 years for this event.

• Fatal CFITs involving commercial aircraft in Europe last occurred at Isparta in 2007, Brest in 2003, Diyarbakir in 2003 and Zurich in 2001. Given the adoption of TAWS during this period, this is roughly consistent with the prediction from Table 5 of an average return period of 3 years for this event.

• There have been no fatal wake turbulence accidents or taxiway collisions involving commercial aircraft in Europe. This is consistent with the prediction from Table 5 of an average return period of 30 and 200 years respectively for these events.

To validate the results above, it is desirable to compare against independent analyses. However, genuinely comparable and independent data sources are difficult to find, as the following examples show.

The SRC Annual Report (Ref 7) includes numbers of accidents on aircraft above 2250kg MTOW in ECAC. In 2005, it reported no mid-air collisions, 7 aircraft-aircraft collisions on the ground, and 5 CFIT accidents. However, this includes VFR aircraft, which increases the numbers and prevents a direct comparison with IRP.

Episode 3


of 240


Data from the Aviation Safety Network (Ref 11) shows an average of 6.7 fatal accidents per year in Europe for the 10 years to 2005. This is based on multi-engine airliners, but includes accidents in Russia, which is outside ECAC, and on fire-fighting aircraft (which together amounted to 35% of accidents in Europe during 2002-05). The data trend suggests that the number in 2005 is approximately 70% of that in 1990-2005. Hence the number of fatal accidents in 2005 could be estimated from this data as approximately 3.0 fatal accidents per year. This is consistent with the value of 3.2 estimated in Table 5.

Previous estimates of the contribution of ATM to aviation accidents have been in the range 2-6% (Ref 12). The results above show values ranging from 0.2% to 22%, depending on the definition of ATM contribution and the accident severity included. Therefore, no simple comparison is possible without further study of the definitions.

This is not an independent empirical validation because the historical data is used in developing the IRP. Nevertheless it does give encouragement that the model is valid for future predictions.

It is concluded validation of this type of risk model is difficult, but the baseline risk estimates are considered to be validated as far as practicable with the currently available information.

4.8 RISK PICTURE FOR MID-AIR COLLISION

4.8.1 Choice of Accident Category

The IRP includes a complete causal model for each of the 5 modelled accident categories. For brevity, simplified results are presented here for just mid-air collisions. The mid-air collision model is selected in part because it has received the most extensive reviews of face validity. In principle, each part of the model requires verification and validation, and this is an ongoing task.

4.8.2 Fault Tree Model

Figure 29 in section 11.3.2 shows the top levels of the mid-air collision fault tree for the 2005 baseline. This is the first form of results provided by IRP for mid-air collisions, from which the other results are derived. The main structure is explained in detail section 11. The top event frequency for fatal mid-air collision involvements of 1.3 x 10-8 per flight is the result shown in Table 5 above (section 4.2).

4.8.3 Barrier Model

Figure 8 shows an alternative presentation of this type of information, in the form of a barrier diagram. This shows the main precursor event frequencies and the main barrier failure probabilities. For simplicity, it shows only the barrier failure probabilities after the effects of common-cause failures (CCFs). This produces some minor differences in barrier failure probabilities compared to Figure 29. The accident frequency for mid-air collisions of 8.8 x 10-9 per flight hour is for event MF3, and appears on the third row of Figure 29.

The event frequencies on the right side of the barrier model form a logical sequence of precursor events, which could be used to monitor safety performance. The precursor events and barriers are all defined in section 2.

Episode 3


of 240


Figure 8: Barrier Model of Mid-Air Collision for 20 05 Baseline

BARRIER FAILURES ACCIDENT PRECURSORS(given precursor failures)

MC4 Avoidance essential 1.1E-03 per imminent collision

MF3 Mid-air collision 8.8E-09 per flight hour

MB1 Ineffective visual warning 5.1E-01 per ACAS failure

MB2 Ineffective ACAS warning 2.4E-01 per imminent collision

MF4 Imminent collision 6.2E-05 per flight hour

MB4 Ineffective other ATCO warning

8.8E-01 per STCA failure

MB3 Ineffective STCA warning 6.1E-01 per separation infringment

MF5-8 Separation infringement

1.2E-04 per flight hour

MB5 Ineffective management of plannable conflict

2.6E-02 per conflict in revised RBT

MF5 Separation infringement from plannable conflict


MB6 Ineffective management of RBT deviation

1.8E-01 per conflict in RBT deviation

MF6 Separation infringement from unplannable conflict


MB7 Ineffective management of ATCO induced conflict

9.2E-01 per ATCO induced conflict

MF7 Separation infringement from ATCO-induced conflict


MB8 Ineffective conflict management by pilot

1.0E-01 per pilot managed

MF8 Separation infringement from pilot-managed conflict


MF8.1 Pilot managed conflict 2.1E-04 per flight hour

MF7.1 Trajectory instructions result in conflict


MF6.1 Conflict in RBT deviation


MF6.1.1 Conflict due to airspace infringement


MF6.1.2.1 Conflict due to level bust


MF6.1.2.2 Conflict due to lateral deviation


MB9 Ineffective sector planning 2.1E-01 per conflict in initial RBT

MF5.1 Conflict in revised RBT 8.4E-04 per flight hour

MC5 Ineffective procedural synchronisation

1.0E-01 per conflict in initial RBT

MB10 Ineffective DCB 2.0E-01 per conflict in SBT

MF5.2 Conflict in initial RBT 4.0E-02 per flight hour

MF5.3 Conflict in SBT 2.0E-01 per flight hour

Commercial flights 9.1E+06 per year in ECAC

4.8.4 Positive Contribution of ATM

The barrier model implicitly includes the positive contribution of ATM to preventing mid-air collisions. Figure 9 makes this explicit showing how the barriers progressively reduce

Episode 3


of 240


conflicts, leaving a small residual number of collisions. This presentation is in the units of annual numbers of events involving IFR aircraft in ECAC. These are equal to the values per flight hour in Figure 8, multiplied by 9.1 million flights per year and 1.5 hours per flight.

Figure 9: Contribution of ATM to Preventing Mid-Air Collision for 2005 Baseline

ACCIDENT PRECURSORS BARRIER SUCCESSES

MF3 Mid-air collision 1,20E-01 per year in ECAC

1-MC4 Providential avoidance 1,05E+02 per year in ECAC

1-MB1 Successful visual warning 1,02E+02 per year in ECAC

MF4 Imminent collision 8,51E+02 per year in ECAC

1-MB2 Successful ACAS warning 6,43E+02 per year in ECAC

1-MB4 Successful other ATCO warning

1,16E+02 per year in ECAC



1-MB3 Successful STCA warning 6,28E+02 per year in ECAC

MF5 Separation infringement from plannable conflict


MF6 Separation infringement from unplannable conflict


MF7 Separation infringement from ATCO-induced conflict


MF8 Separation infringement from pilot-managed conflict


MF8.1 Pilot managed conflict 2,80E+03 per year in ECAC

1-MB8 Successful conflict management by pilot


MF7.1 Trajectory instructions result in conflict


1-MB7 Successful management of ATCO induced conflict


MF6.1 Conflict in RBT deviation


1-MB6 Successful management of unplannable conflict


MF6.1.1 Conflict due to airspace infringement


MF6.1.2.1 Conflict due to level bust


MF6.1.2.2 Conflict due to lateral deviation


MF5.1 Conflict in revised RBT 1,14E+04 per year in ECAC

1-MB5 Successful management of plannable conflict


1-MB9 Successful sector planning 4,31E+04 per year in ECAC

MF5.2 Conflict in initial RBT 5,45E+05 per year in ECAC

1-MB9 Successful procedural synchronisation


MF5.3 Conflict in SBT 2,73E+06 per year in ECAC

1-MB10 Successful DCB 2,18E+06 per year in ECAC

Commercial flights 9,09E+06 per year in ECAC

In future work, this format may be useful for validating the model results, and if necessary adjusting them to match actual experience.

4.8.5 Causal Breakdown

The barrier model implies that all mid-air collisions include at least 6 causes, as follows:

Episode 3


of 240


• Ineffective conflict prevention, which may be:

• Ineffective sector planning, ineffective procedural synchronisation, ineffective DCB and strategic conflict (MF5.3)

• Separation infringement from unplannable conflict (MF6)

• Separation infringement from ATCO (Air Traffic Controller)-induced conflict (MF7)

• Separation infringement from pilot-managed conflict (MF8)

• Ineffective conflict management, which may be:

• Ineffective management of plannable conflict (MB5)

• Ineffective management of unplannable conflict (MB6)

• Ineffective management of ATCO induced conflict (MB7)

• Ineffective conflict management by pilot (MB8)

• Ineffective other ATCO warning (MB4)

• Ineffective STCA warning (MB3)

• Ineffective ACAS warning (MB2)

• Ineffective visual warning (MB1)

Table 7 shows the breakdown of these causes that is available from the IRP model (Ref. 16). The contribution of each event is a simple estimate of the fractional reduction in mid-air collision frequency that would be achieved if the event could be eliminated. It is equivalent to the non-dimensional risk reduction worth (NRW) measure that is used in Section 6.6 below. The table also includes the frequencies of conflicts, separation infringements and collisions that are associated with each of these causes.

Episode 3


of 240


Table 7: Causal Breakdown of Mid-Air Collision for 2005 Baseline

BARRIER SCENARIO EVENT CONTRIB-UTION TO COLLISIO

N

COLLISION

FREQUENCY (per flight

hr)

SEP INF

FREQUENCY

(per flight hr)

CONFLICT


hr)

MB9.1 No sector planning 0.091 8.0E-10 1.1E-05 4.0E-04

MB9.2.1.1 Inadequate strategic surveillance picture 0.011 9.6E-11 1.3E-06 4.8E-05

MB9.2.1.2 Inadequate trajectory information 0.019 1.7E-10 2.2E-06 8.4E-05

MB9.2.2 Planning controller failure to identify conflict 0.036 3.2E-10 4.3E-06 1.6E-04

MB9.2.3 Planning controller misjudgement in planning 0.007 6.4E-11 8.5E-07 3.2E-05

MB9.3 Inadequate planning controller coordination 0.012 1.1E-10 1.4E-06 5.4E-05

Plannable conflict

MB9.4 Planning controller failure to alert tactical controller to conflict 0.012 1.1E-10 1.4E-06 5.4E-05

MF6.1.1.1 Airspace infringement by military aircraft 0.066 5.8E-10 7.7E-06 4.2E-05

MF6.1.1.2 Airspace infringement by VFR aircraft 0.064 5.7E-10 7.5E-06 4.1E-05

MF6.1.1.3 Airspace infringement by CAT aircraft 0.014 1.3E-10 1.7E-06 9.3E-06

MF6.1.2.3 Pilot lateral deviation 0.026 2.3E-10 3.1E-06 1.7E-05

MF6.1.3.1 Inadequate communication of level/height to pilot 0.080 7.0E-10 9.3E-06 5.1E-05

MF6.1.3.2 Pilot handling error causing level bust 0.149 1.3E-09 1.7E-05 9.6E-05

MF6.1.3.3 Altimeter setting error causing level bust 0.036 3.1E-10 4.2E-06 2.3E-05

MF6.1.3.4 Aircraft technical failure causing level bust 0.049 4.3E-10 5.7E-06 3.1E-05

MF6.1.3.5 ACAS RA 0.005 4.6E-11 6.1E-07 3.4E-06

Conflict prevention

Unplannable conflict

MF6.1.3.6 Weather induced level bust 0.010 8.8E-11 1.2E-06 6.4E-06

Episode 3


of 240



N

COLLISION


hr)

SEP INF

FREQUENCY

(per flight hr)

CONFLICT


hr)

ATCO induced conflict

MF7.1 Trajectory instructions result in conflict 0.135 1.2E-09 1.6E-05 1.7E-05

MF8.1.1 Encounter in unmanaged airspace 0.161 1.4E-09 1.9E-05 1.9E-04

Pilot managed conflict MF8.1.2 Separation delegated to pilot 0.015 1.3E-10 1.7E-06 1.7E-05

Barrier total 1.000 8.8E-09 1.2E-04 1.4E-03

MB5.1.1.1 Inadequate traffic picture 0.009 7.9E-11 1.0E-06

MB5.1.1.2 Inadequate trajectory planning information 0.004 3.9E-11 5.2E-07

MB5.1.2 ATCO failure to identify conflict in time 0.102 9.0E-10 1.2E-05

MB5.1.3.1 ATCO misjudgement in separation 0.021 1.9E-10 2.5E-06

MB5.1.3.2 ATCO lost awareness of previously identified conflict 0.005 4.7E-11 6.3E-07

MB5.2.1 Inadequate ATCO transmission of instructions 0.011 1.0E-10 1.3E-06

MB5.2.2 Loss of communication 0.015 1.3E-10 1.8E-06

MB5.2.3 Inadequate pilot readback 0.014 1.2E-10 1.6E-06

Plannable conflict

MB5.3 Inadequate pilot response to ATC 0.006 5.4E-11 7.2E-07

MB6.1.1 Inadequate traffic picture 0.015 1.3E-10 1.7E-06

Conflict management


MB6.1.2 ATCO failure to identify conflict in time 0.384 3.4E-09 4.5E-05

Episode 3


of 240



N

COLLISION


hr)

SEP INF

FREQUENCY

(per flight hr)

CONFLICT


hr)

MB6.2.1 Inadequate ATCO transmission of instructions 0.008 7.1E-11 9.5E-07



MB6.3 Inadequate pilot response to ATC 0.072 6.3E-10 8.4E-06

ATCO induced conflict

MB7 Ineffective management of ATCO induced conflict 0.135 1.2E-09 1.6E-05

MB8.1 Inadequate traffic information from ATCO 0.114 1.0E-09 1.3E-05

MB8.2.1 Inadequate ATCO transmission of information 0.002 2.1E-11 2.8E-07



MB8.3 Inadequate coordination of separation modes 0.013 1.2E-10 1.5E-06

Pilot managed conflict

MB8.4 Inadequate separation by pilot 0.039 3.5E-10 4.6E-06

Barrier total 1.000 8.8E-09 1.2E-04

MB3.1 No STCA coverage 0.291 2.6E-09 3.4E-05

MB3.2.1.1 Transponder not operating 0.016 1.4E-10 1.9E-06

MB3.2.1.2 Surveillance technical failure 0.032 2.8E-10 3.7E-06

STCA warning

MB3.2.2 STCA technical failure 0.200 1.8E-09 2.3E-05

Episode 3


of 240



N

COLLISION


hr)

SEP INF

FREQUENCY

(per flight hr)

CONFLICT


hr)

MB3.3 ATCO failure to respond to STCA warning in time 0.304 2.7E-09 3.6E-05

MB3.4 ATCO failure to recover separation in time 0.157 1.4E-09 1.8E-05


MB4.1 No independent ATCO monitoring 0.432 3.8E-09 5.1E-05

MB4.2.1 Inadequate traffic picture for unplannable conflict management 0.025 2.2E-10 2.9E-06

MB4.2.2 ATCO failure to identify unplannable conflict in time 0.233 2.1E-09 2.7E-05

MB4.3 Other ATCO failure to communicate warning 0.138 1.2E-09 1.6E-05

Other ATCO warning

MB4.4 ATCO failure to recover separation in time 0.172 1.5E-09 2.0E-05


MB2.1.1 ACAS not installed 0.423 3.7E-09

MB2.1.2.1 Transponder not operating 0.084 7.4E-10

MB2.1.2.2 ACAS failure to give RA in time 0.254 2.2E-09

MB2.1.3.1 Pilot failure to respond to RA in time 0.060 5.2E-10

MB2.1.3.2 Pilot incorrectly prioritises ATC instructions 0.059 5.2E-10

ACAS warning

MB2.1.4 ACAS avoidance invalidated by other aircraft 0.121 1.1E-09

Barrier total 1.000 8.8E-09

Episode 3


of 240



N

COLLISION


hr)

SEP INF

FREQUENCY

(per flight hr)

CONFLICT


hr)

MB1.1.1 Other aircraft effectively invisible 0.575 5.1E-09

MB1.1.2 Flight crew failure to observe visible aircraft in time 0.348 3.1E-09

MB1.1.3 Pilot failure to take avoidance action in time 0.035 3.1E-10

Visual warning

MB1.1.4 Visual avoidance action unsuccessful 0.041 3.6E-10

Barrier total 1.000 8.8E-09

Episode 3


of 240


The contributions may be used to focus attention on the main risk contributors. Figure 10 below shows the same contributions, arranged into three types of ATM causes (direct causes, prevention failures and prevention opportunities), as explained in section 11.6. For simplicity, this omits contributions from flight crew, which are included in the table above.

Figure 10: Main ATM Causes of Mid-Air Collision for 2005 Baseline

0.00 0.10 0.20 0.30 0.40 0.50 0.60 0.70

Direct ATC causes

MB7 Ineffective management of ATCO induced conflict

MB5.1.1.1 Inadequate traffic picture

MB5.1.1.2 Inadequate trajectory planning information

MB5.1.2 ATCO failure to identify conflict in time

MB5.1.3.1 ATCO misjudgement in separation

MB5.1.3.2 ATCO lost awareness of previously identified conflict

MF6.1.3.5 ACAS RA

ATC prevention failures

MB9.2.1.1 Inadequate strategic surveillance picture

MB9.2.1.2 Inadequate trajectory information

MB9.2.2 Planning controller failure to identify conflict

MB9.2.3 Planning controller misjudgement in planning

MB9.3 Inadequate planning controller coordination

MB9.4 Planning controller failure to alert tactical controller to conflict

MB8.1 Inadequate traffic information from ATCO

MB8.2.1 Inadequate ATCO transmission of information

MB8.3 Inadequate coordination of separation modes

MB6.1.1 Inadequate traffic picture

MF6.1.3.1 Inadequate communication of level/height to pilot

MB6.1.2 ATCO failure to identify conflict in time

MB5.2.1/MB6.2.1/MB8.2.1 Inadequate ATCO transmission of instructions

MB5.2.2/MB6.2.2/MB8.2.2 Loss of communication

MB5.2.3/MB6.2.3/MB8.2.3 Inadequate pilot readback

MB3.2.2.1/MB2.1.2.1 Transponder not operating

MB3.2.1.2 Surveillance technical failure

MB3.2.2 STCA technical failure

MB3.3 ATCO failure to respond to STCA warning in time

MB3.4 ATCO failure to recover separation in time

MB4.2.1 Inadequate traffic picture for unplannable conflict management

MB4.2.2 ATCO failure to identify unplannable conflict in time

MB4.3 Other ATCO failure to communicate warning

MB4.4 ATCO failure to recover separation in time

Prevention opportunities

MB10 Ineffective DCB

MB9.1 No sector planning

MF6.1.1.1 Airspace infringement by military aircraft

MF6.1.1.2 Airspace infringement by VFR aircraft

MF6.1.1.3 Airspace infringement by CAT aircraft

MF8.1.1 Encounter in unmanaged airspace

MB3.1 No STCA coverage

MB4.1 No independent ATCO monitoring

MB2.1.1 ACAS not installed

MF6.1.3.6 Weather induced level bust

MB1.1.1 Other aircraft effectively invisible

ATM CONTRIBUTION(NRW: maximum potential reduction / mid-air collision accident frequency)

It shows that the main direct causes of mid-air collision are:

Episode 3


of 240


• Ineffective management of ATCO-induced conflict (MB7)

• ATCO failure to identify plannable conflict in time (MB5.1.2)

The main causes of failure to prevent a mid-air collision are:

• ATCO failure to identify unplannable conflict in time (MB6.1.2)

• ATCO failure to respond to STCA warning in time (MB3.3)

• Other ATCO failure to identify unplannable conflict in time (MB4.2.2). This refers to cases where ATCOs not directly responsible for conflict management are monitoring the traffic.

The main opportunities to prevent mid-air collisions in the future that are identified directly from the model (before considering whether they would be realistic in practice) are:

• Improved visibility of other aircraft (MB1.1.1)

• Extended independent ATCO monitoring (MB4.1)

• Wider installation of ACAS (MB2.1.1). This refers to non-commercial aircraft.

• Greater STCA coverage (MB3.1)

4.8.6 Influence Breakdown

The results above refer to causes that are modelled explicitly in the fault tree. Other causal factors that are not suitable for modelling in this way are represented in the influence model (Ref. 16). Their contributions are shown in Figure 11, broken down by ATM element, as defined in section 2. Unlike the results above, these include contributions from flight crew.

Some of these influences are very closely aligned to the causes above. For example, every ATCO failure to identify a conflict in time is associated with the task “ATC conflict management”, and with the performance of the executive controller. In order to prevent double-counting, the breakdown distinguishes “indirect influences”, which are the influence effects exceeding the direct causes. These are identified in the figure.

The main indirect influences in the model are:

• Traffic conditions - the various constraints on ATCO performance resulting from traffic conditions that are modelled in the unit-specific model (Ref 3).

• Surveillance - the influences of traffic picture on the conflict management and sector planning tasks.

• Cruise/climb/descent - the influences of flight crew performance on tasks such as ATC communication.

• ACAS - the interaction between ACAS quality and flight crew visual observation of other aircraft.

Episode 3


of 240


Figure 11: ATM Influences on Mid-Air Collision for 2005 Baseline

0.0 0.2 0.4 0.6 0.8 1.0

Airspace design

DCB

ATC sector planning

ATC conflict management

ATC communication

ATC collision avoidance

Traffic sequence

Separation modes

Communications

Navigation

Surveillance

ATC system

ACAS

Aircraft equipment

Flight planning

Cruise/ climb/descent

ACAS warning response

Pilot visual mid-air collision avoid'ce

Information management

Traffic conditions

Ambient conditions


Direct cause

Prevention failure

Prevention opportunity

Indirect influence

More detailed breakdowns of the influences are available from influence model. The maximum effect (ME) values in this model show the contributions, and are again in effect the non-dimensional risk reduction worth (NRW) for each component influence on the task.

Figure 12 shows an example influence breakdown for ATC conflict management. The components of the influence model (documented in section 2) are:

• Actor, in this case the executive controller. The maximum potential reduction in task errors from improvements to controller performance is estimated as 91%, and this is strongly affected by the fundamentals of resources, reliability and teamwork, as shown.

• Equipment, in this case the en-route ATC system. The maximum potential reduction in task errors from improvements to system quality is estimated as 28%, and this is not broken down at present.

• Task inputs. The maximum potential reduction in task errors from improvements to input quality is estimated as 63%, and the main modelled input influence is the traffic picture.

Episode 3


of 240


• Constraints, in this case from the ATC environment. The maximum potential reduction in task errors from improvements to constraints is estimated as 71%, and the main modelled influence is traffic complexity.

Figure 12: Influences on ATC Conflict Management fo r 2005 Baseline

ATC CONFLICT MANAGEMENT

0% 20% 40% 60% 80% 100%

Executive controller

ATC system

Task inputs

ATC environment

MAXIMUM EFFECT

0% 20% 40% 60% 80% 100%

Resources

Competence

HMI

Reliability

Procedures

Teamw ork

PE

RF

OR

MA

NC

E

FU

ND

AM

EN

TA

LS

MAXIMUM EFFECT

0% 20% 40% 60% 80% 100%

NOP/f light plans

Traffic picture

Traff ic sequence

ATC coordination

Info from pilot

TA

SK

INP

UT

S

MAXIMUM EFFECT

0% 20% 40% 60% 80% 100%

Airspace design

Traff ic level

Traff ic complexity

Traffic saturation

Traff ic variability

Airspace boundaries

Storm activity

TA

SK

CO

NS

TR

AIN

TS

MAXIMUM EFFECT

These breakdowns can be used to identify measures with a significant potential for risk reduction. The use of IRP in this way is considered after creating the model of future traffic conditions and SESAR below.

It should be noted that combined effects of several influences cannot be modelled simply by summing these percentages, as a simple sum of all the influences above would clearly exceed 1. Instead, the IRP converts the effects to modification factors, which can be combined as if they were independent, without producing more than a 100% reduction in task errors (section 2). In reality, practical improvements are only likely to achieve a small proportion of the theoretical maximum.

5 “DO NOTHING” RISK PICTURE

5.1 CASE DEFINITION

In the “do nothing” case, no changes are made to ATM safety, while traffic is allowed to increase until it reaches the level predicted by SESAR for 2020, which would be 73% higher than in 2005. It is assumed that this increase affects commercial traffic, but not VFR or military traffic, which are assumed to remain constant.

5.2 MODELLING APPROACH

This is modelled as a simple version of the STAR tool, in which the ATM change STAR-01 is switched on, and all other changes are switched off. The quantification approach is explained in Appendix I, and consists of two elements:

Episode 3


of 240


• A direct effect of the traffic increase on conflict probability, due to the increased probability of a deviation encountering another aircraft. This is represented by increasing the probability per flight that deviations result in mid-air conflicts (except with VFR or military traffic), runway conflicts, taxiway conflicts and wake turbulence encounters. There is no direct effect on the probability per flight of terrain conflicts. This means that, in the absence of any compensating measures, the annual number of mid-air, runway and taxiway collisions and wake turbulence accidents will increase in proportion to the square of the traffic, while the annual number of CFITs will increase in direct proportion to traffic. Validation of this assumption is considered in Section 5.7.

• An indirect effect of the traffic increase on controller workload. This is represented by increasing the probability per demand of controller errors associated with resources in proportion to the traffic increase. This is applied to executive controllers en-route and approach/departure controllers, but not to planning controllers, runway controllers or ground controllers. This is because it is assumed that workload increases for the latter can be mitigated by reducing their responsibilities, whereas the former must normally remain responsible for all the sector traffic, even if it increases. This assumption is based on the expert reviews used to develop the IRP modelling of SESAR, since no suitable human reliability data has yet been identified to validate or quantify it. It increases the above effects for mid-air collisions, CFITs and wake accidents.

5.3 FATAL ACCIDENT FREQUENCIES

Table 8 shows the estimated fatal accident frequencies for the 5 modelled accident categories in the “do nothing” case, expressed as fractions of the 2005 baseline case. This shows an overall increase by 42% in the frequency per flight or per flight hour, and a consequent factor of 2.44 (i.e. 144%) increase in the annual number of ATM contributions to fatal accidents. The final column shows that the annual number of collisions varies with the square of the traffic, i.e. an increase by 1.732 = 3-fold. The effects on the different accident categories are verified in Section 5.6.

Episode 3


of 240


Table 8: Relative Change in ATM Contributions to Fa tal Aircraft Accidents in the “Do Nothing” Case 8



ACCIDENT CATEGORY

FATAL ACCIDENT


FATAL ACCIDENT


FATAL ACCIDENTS

IN ECAC (per year)




CFIT 1.07 1.07 1.85



Figure 13 illustrates the growth in the annual number of fatal accidents, as calculated by the STAR tool. It assumes that traffic growth is steady at 3.7% per year, which produces the 73% overall growth by 2020. Each accident category begins with the values from Table 5, and increases by the fractions shown in Table 8. This shows that most of the overall growth results from increases in the number of runway and mid-air collisions and CFITs.

Figure 13: Predicted trend in ATM Contributions to Fatal Aircraft Accidents in the “Do Nothing” Case

0.0

0.2

0.4

0.6

0.8

1.0

1.2

1.4

1.6

1.8

2.0

2005 2010 2015 2020

FATA

L A

CC

IDE

NTS

IN E

CA

C (p

er y

ear)

Total ATMcontributions

CFIT

Runwaycollision

Mid-aircollision

Taxiwaycollision

Waketurbulenceaccident


Table 9 shows the estimated ICAO accident frequencies for the 5 modelled accident categories in the “do nothing” case, expressed as fractions of the 2005 baseline case. This shows an overall increase by 66% in the frequency per flight or per flight hour, and a consequent factor of 2.86 (i.e. 186%) increase in the annual number of ATM contributions to ICAO accidents.

8 The values in Table 8 (this applies to Table 9, Table 10 and Table 12) are ratios of frequencies in 2020 divided by frequencies in 2005. The first column is the ratio of the frequencies per flight; the second is the ratio of the frequencies per flight hour. Because the flight time is the same in 2005 and 2020, the ratios are also the same.

Episode 3


of 240


The effects on each accident category are identical to those in Table 8, but the total is different because of the greater weight given to taxiway collisions in this metric. The vales for each accident category are in effect averaged using the weights in the last column of Table 6.

Table 9: Relative Change in ATM Contributions to IC AO-Defined Accidents in the “Do Nothing” Case



ACCIDENT CATEGORY

ICAO ACCIDENT


ICAO ACCIDENT


ICAO ACCIDENTS

IN ECAC (per year)




CFIT 1.07 1.07 1.85



5.5 UNCERTAINTIES

Predictions from IRP for future cases, particularly hypothetical ones such as the “do nothing” case, are inevitably more uncertain than the baseline risk picture from Section 4. The uncertainties in this case are dominated by the uncertain model of the effects of increasing traffic, which at present cannot be validated (see Section 5.7). Therefore, the lower bound of uncertainty is considered to be no increase in the accident frequency per flight. An upper bound, which may be pessimistic, is based on the square of the values per flight above. From this, the uncertainties on the overall risk ratios are estimated as follows:

• Fatal accident frequency per flight in 2020 “do nothing” case = 1.42x base case (confidence range 1x to 2.02x base case).

• Fatal accidents per year in ECAC in 2020 “do nothing” case = 2.44x base case (confidence range 1.73x to 3.49x base case).

5.6 VERIFICATION

The reasons for the increases in Table 8 in response to the 73% increase in traffic are:

• A 73% increase in runway and taxiway collision and wake accident risks per flight, due to the increased conflict probability, as in Section 5.2 above.

• A 52% increase in mid-air collision risks per flight, due to the above factor applying to collisions with other commercial aircraft but not airspace penetrations or collisions in uncontrolled airspace with military or VFR traffic.

• A further increase of 14% in mid-air collisions, 7% in CFITs and 21% in wake accidents, due to the increased controller workload. This model is verified in Section 6 below.

5.7 VALIDATION

To validate the model in the “do nothing” case, it would be desirable to obtain data that showed the effect on collision risks of changing the number of flights. For example, does the number of accidents really vary according to the square of the number of flights if nothing else

Episode 3


of 240


changes? It might be expected that the accident frequencies per flight would be independent of traffic, and hence that the numbers of accidents would simply increase in proportion to the traffic.

In investigating this, it is difficult to obtain sufficiently large datasets with significant traffic changes independent of safety changes. One problem is there have been too few collisions on commercial aircraft to obtain reliable evidence. Trends have been obtained for frequencies of accidents of all types and for mid-air separation infringements since 1990, but these show the accident frequencies have remained roughly constant (Ref 4). If no other changes had occurred, this would be sufficient to invalidate the above assumption. In reality, it is believed that the safety improvements over this period have been just sufficient to offset any adverse effects from the increase in traffic. They have kept the numbers of accidents broadly constant. In the current model, which explicitly represents planned safety measures, the continuance of this balance cannot be taken for granted, and should be the result of the model not an input to it.

The available data does show what changes in accident patterns would have resulted in the absence of these safety improvements. In future work, it might be possible to segregate the data by time, day or season, in search of cases where traffic differs while safety measures remain constant. Meanwhile, the model above remains not validated. This is reflected in the wide confidence limits adopted above.

5.8 IMPLICATIONS FOR THE SESAR RISK TARGET

In order to prevent any increase in the annual number of fatal accidents with ATM contributions, Table 8 shows that a corresponding reduction by a factor of approximately 2.5 (i.e. 60%) would be required, compared to this “do nothing” case. This is greater than the factor of 1.7 that might be expected from considering traffic increases alone, and results from the collision numbers depending on traffic squared. However, it is less than the factor of 1.732 = 3 expected by SESAR (D2 p55) because of the smaller effect on CFIT, although this is offset by the modelled negative effect of traffic increases on controller workload. Unless it is achieved by constraining the traffic or assuming an altered relationship between traffic and conflict probability, this reduction must be made in the conflict frequency or probability of collision per conflict.

If the annual number of ICAO accidents with ATM contributions were used as the target, Table 9 shows that a corresponding reduction by a factor of 2.9 (i.e. 66%) would be required, compared to this “do nothing” case. This is in effect identical to the factor of 1.732 = 3 expected by SESAR (D2 p55) because of the smaller effect on CFIT on ICAO-defined accidents is completely offset by the negative effect of traffic increases on controller workload.

This suggests that the SESAR target is based on consideration of collisions, and is compared to an equivalent “do nothing” case. This insight arises more clearly from the IRP model of the “do nothing” case than the theoretical analysis in (Ref 4).

6 AN INITIAL SESAR RISK PICTURE9 Although the current activities in EP3 on safety assessment, risk modelling activities and validation provide a useful trial of the methods, the full validation activities will have to await the further development of the concept and refinement of the risk model (see section 8) and will be completed within the SESAR JU programme, in particular in WP16.1.1.1 (Ref 13) with respect to the accident-incident model. Consequently, at present this combined model is of course very uncertain, and only represents a first preliminary prediction of the overall effect of

9 Based on the results of related development in Europe (inc. this report), SESAR WP16.1.1.1 will further develop a top-down accident-incident model and a Safety Target Achievement Roadmap (STAR) (D16.1.1) (Ref. 19)

Episode 3


of 240


SESAR in a realistically developing environment. The risk model results should be treated with caution.

6.1 CASE DEFINITION

To represent the future case for SESAR, all the operational improvements and other ATM changes, which are described in Appendix II, are all modelled in combination with the traffic growth.

The OIs are implemented to the extent that they are predicted for 2020, based on linear growth between the start and end years in Table 4. Several OIs cannot be implemented in full because of interactions with other OIs:

• Four OIs cannot be fully implemented as they depend on CM-0401 (shared 4D trajectory), which is implemented during 2016-2022:

L2-06 (free routes), intended to be implemented during 2015-2021.

CM-0204 (near-term conflict detection), intended to be implemented during 2016-2020.

CM-0405 (preventing conflicts in terminal areas), intended to be implemented during 2015-2020.

CM-0406 (detecting conflicts in terminal areas), intended to be implemented during 2015-2020.

These OIs are constrained by IRP/STAR so that they do not exceed the implementation of CM-0401 in any one year.

• Two OIs have limited effectiveness until CM-0401 (shared 4D trajectory) is fully implemented in 2022:

CM-0202 (conflict prevention support).

CM-0203 (flight path monitoring).

• L7-03 (managing interactions), intended to be implemented during 2011-2020, depends on L7-01 (arrival traffic synchronisation), which is implemented during 2007-2023.

These restrictions have a small effect, amounting to less than 1% of the overall risk.


Table 10 shows the overall effects in the different risk measures relative to the 2005 baseline. The bottom line shows that the fatal accident frequency is predicted to reduce by 6%, but as a result of traffic growth the overall number of accidents is predicted to increase by 62%.

Episode 3


of 240


Table 10: Relative Change in ATM Contributions to F atal Aircraft Accidents for SESAR in 2020

Frequency in 2020 SESAR Case 10


ACCIDENT CATEGORY

FATAL ACCIDENT


FATAL ACCIDENT


FATAL ACCIDENTS

IN ECAC (per year)




CFIT 0.82 0.82 1.41



The underlying reasons are summarised in Table 11. This is obtained by using IRP to progressively switch on the groups of changes.

Table 11: Causes of Changes in ATM Contributions to Fatal Aircraft Accidents for SESAR in 2020

CHANGE MODELLED EFFECTS

FATAL ACCIDENT FREQUENCY (per flight)

Modelled/Baseline

Traffic increase 73% increase in conflict probability 1.33 (33% increase)

73% increase in ATCO task load 1.10 (10% increase)

ATM changes All modelled effects 0.96 (4% reduction)

Modelled OIs 78% reduction in ATCO task load 0.84 (16% reduction)

54% reduction in active separation 1.03 (3% increase)

Other modelled effects 0.78 (22% reduction)

Total 0.94 (6% reduction)

The table shows that the following main changes roughly cancel out:

• The 73% increase in traffic, as modelled in the “do nothing” case (Section 5). This includes a 73% increase in ATCO task load.

• A 78% reduction in ATCO task load (i.e. workload per controlled flight) due to the combined effects of the modelled OIs.

• A 54% reduction in active separations due to the changed ATCO role represented in the combined effects of the modelled OIs.

• The other modelled effects of the OIs, which amount to a 22% reduction in fatal accident frequency, excluding effects on ATCO task load and role.

• The other modelled ATM changes, which amount to a 4% reduction in fatal accident frequency.

The effects of the OIs and other modelled ATM changes are considered individually below.

10 The flight time is still assumed to be the same in 2005 and 2020 (no operational efficiencies from future concepts yet taken into consideration), the ratios are also the same.

Episode 3


of 240


The STAR tool is able to show how this risk evolves during the interval 2005 to 2020, as OIs are progressively implemented according to the SESAR plan. It in effect calculates the IRP in each intervening year, while taking account of interactions that limit their effects. Figure 14 illustrates the growth in the annual number of fatal accidents. Each accident category begins with the values from Table 5, and increases by the fractions shown in Table 10. As in Section 5, most of the overall growth results from increases in the number of runway and mid-air collisions and CFITs.

Figure 14: Predicted Trend in ATM Contributions to Fatal Aircraft Accidents for SESAR

0.0

0.2

0.4

0.6

0.8

1.0

1.2

1.4

2005 2010 2015 2020

FATA

L A

CC

IDE

NTS

IN E

CA

C (p

er y

ear)

Total ATMcontributions

CFIT

Runwaycollision

Mid-aircollision

Taxiwaycollision

Waketurbulenceaccident


Table 12 shows the estimated ICAO accident frequencies for the 5 modelled accident categories in the “do nothing” case, expressed as fractions of the 2005 baseline case. The bottom line shows that the ICAO accident frequency is predicted to reduce by 4%, but as a result of traffic growth the overall number of accidents is predicted to increase by 65%.

The effects on each accident category are identical to those in Table 10, but the total is different because of the greater weight given to taxiway collisions in this metric. The vales for each accident category are in effect averaged using the weights in the last column of Table 6.

Table 12: Relative Change in ATM Contributions to I CAO-Defined Accidents for SESAR in 2020

Frequency in 2020 SESAR Case


ACCIDENT CATEGORY

ICAO ACCIDENT


ICAO ACCIDENT


ICAO ACCIDENTS

IN ECAC (per year)




CFIT 0.82 0.82 1.41



Episode 3


of 240


6.4 UNCERTAINTIES

Predictions from IRP for future cases, including the SESAR case, are inevitably more uncertain than the baseline risk picture from Section 4. The uncertainties include both the uncertain model of the effects of increasing traffic, as in Section 5, and the uncertain effects of the OIs, which at present are preliminary judgements. Part of the uncertainty is due to the lack of maturity of the concept.

IRP includes the capability to quantify uncertainties, but they depend on the uncertainties in the effects of the OIs, which at present are very difficult to quantify. The confidence ranges in Appendix I are inevitably more uncertain than the basic effects. The most important uncertainties are likely to be in the modelled effects of traffic (as in Section 5) and ATCO task load. Therefore, the uncertainty bounds are based on the square of the values per flight from Table 11. From this, the uncertainties on the overall risk ratios are estimated as follows:

• Fatal accident frequency per flight in 2020 SESAR case = 0.94x base case (confidence range 0.71x to 1.77x base case);

• Fatal accidents per year in ECAC in 2020 SESAR case = 1.62x base case (confidence range 1.22x to 3.06x base case).

6.5 COMPARISON WITH SESAR RISK TARGET

These results suggest that the SESAR ConOps as modelled does not meet its own risk target, and that this is independent of the choice of fatal or ICAO-defined accidents, and not sensitive to the estimated confidence range in the results. However, the result may be affected by the limitations of the current model (see Section 8).

6.6 EFFECTS OF INDIVIDUAL OIS

The effects of individual operational improvements and other ATM changes have been calculated by the STAR tool, switching each one on in turn. In order to obtain a meaningful comparison, each OI is applied to the 2005 base case. Each OI is also applied in full, assuming the maximum implementation represented in Appendix II, and ignoring any restrictions from interactions with other OIs. These simplifications are used in this section only; and not in the combined results above.

The results are expressed as the non-dimensional risk reduction worth (NRW) of each OI (see section 2), defined as:

)(

)()(

o

oOI BR

OIRBRNRW

−=

Where:

R(Bo) = baseline risk without OI

R(OI) = risk with OI

The chosen risk unit is the ATM contribution to fatal accident frequency from Table 5. For the total effect, the value is. 7.8 x 10-8 per flight.

The advantage of this approach is that the results for any one OI are not sensitive to the extent to which the other OIs have been adopted. However, its disadvantage is that it fails to show the importance of OIs that address failure causes that are not important in 2005 but will become important by 2020.

Table 13 shows the NRW for each OI in each accident category and as a total (in effect weighted according to the last column of Table 5). It also ranks the OIs by the overall NRW, from which the major contributors can be identified. The effects for STAR-03 (reduced ATCO task load) and STAR-04 (changed ATCO role) are the sum of the effects on these parameters

Episode 3


of 240


from various other OIs. These effects are also included in the individual OIs as well, so care must be taken not to double-count these when considering the combined effects of OIs under SESAR.

Table 13: Effect of Individual Operational Improvem ents Applied to 2005 Baseline

NRW OF OI IN ACCIDENT CATEGORY ID ATM CHANGE RANK

MAC RUNWAY TAXI CFIT WAKE TOTAL

STAR-01 Increased traffic 88 -73.4% -72.7% -72.7% -7.1% -109.9% -41.5%

STAR-02 Reduced delays 4 3.0% 1.9% 2.2% 4.4% 0.7% 3.3%

STAR-03 Reduced ATCO task load

1 15.8% 0.0% 0.0% 10.2% 23.8% 8.7%

STAR-04 Changed ATCO role 87 -1.6% 0.0% 0.0% -8.4% -7.6% -4.8%

STAR-05 Larger aircraft 59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

STAR-06 Additional runways 83 0.0% -2.5% -4.1% 0.0% 0.0% -0.7%

STAR-07 Growth of medium-sized airports

22 0.0% 2.4% 3.9% 0.0% 0.0% 0.7%

AOM-0101

Harmonised airspace classification

36 1.3% 0.0% 0.0% 0.0% 1.4% 0.3%

AOM-0102

Three categories of airspace

36 1.3% 0.0% 0.0% 0.0% 1.4% 0.3%

AOM-0103

Two categories of airspace

36 1.3% 0.0% 0.0% 0.0% 1.4% 0.3%

L2-02 Optimising airspace allocation

34 1.5% 0.0% 0.0% 0.0% 1.4% 0.3%

L2-03 Advanced FUA 81 -1.2% 0.0% 0.0% 0.0% -1.4% -0.3%

L2-04 Facilitating OAT transit 20 0.5% 1.7% 2.5% 0.1% 3.7% 0.8%

L2-05 Flexibility of route network

27 1.2% 0.0% 0.0% 0.7% 1.9% 0.6%

L2-06 Free routes 84 -5.0% 0.0% 0.0% -0.8% -0.9% -1.3%

L2-07 Enhanced terminal airspace

21 1.5% 0.0% 0.0% 0.8% 2.2% 0.8%

L2-08 Optimising climb/descent

12 3.0% 0.0% 0.0% 1.7% 4.5% 1.5%

L2-09 Flexible airspace configuration

59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

L3-01 Network operations plan (NOP)

59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

L3-02 User-driven prioritisation

79 -0.3% 0.0% 0.0% 0.0% -0.4% -0.1%

L3-03 Shared business trajectory

24 0.4% 1.5% 2.1% 0.1% 3.2% 0.7%

L4-01 Network capacity management

30 1.8% 0.0% 0.0% 1.2% -11.3% 0.4%

L4-02 Monitoring ATM performance

59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

L7-01 Arrival traffic synchronisation

31 2.5% 0.0% 0.0% 0.0% 0.0% 0.4%

Episode 3


of 240




L7-02 Departure traffic synchronisation

53 0.0% 0.0% 10.0% 0.0% 0.0% 0.1%

L7-03 Managing interactions 59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

L5-02 Managing air traffic complexity

59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

L5-03 Enlarging ATC planning horizon

18 2.5% 0.0% 0.0% 0.8% 2.2% 0.9%

CM-0201 Coordination support 35 1.9% 0.0% 0.0% -0.3% 2.0% 0.3%

CM-0202 Conflict prevention support

26 5.4% 0.0% 0.0% -0.9% 5.4% 0.7%

CM-0203 Flight path monitoring 11 3.2% 0.0% 0.0% 2.2% 0.0% 1.6%

CM-0204 Near-term conflict detection

28 3.6% 0.0% 0.0% 0.0% 0.0% 0.6%

CM-0401 Shared 4D trajectory 46 1.7% 0.0% 0.0% -0.4% 1.7% 0.2%

CM-0402 Coordination free transfer of control

14 3.8% 0.0% 0.0% 0.8% 4.7% 1.2%

CM-0403 Conflict dilution by action on speed

59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

CM-0404 Enhanced conflict detection

59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

CM-0405 Preventing conflicts in terminal areas

50 0.9% 0.0% 0.0% 0.0% 0.0% 0.1%

CM-0406 Detecting conflicts in terminal areas

47 0.9% 0.0% 0.0% 0.0% 0.0% 0.2%

L8-02 Precision trajectory clearance

56 0.2% 0.0% 0.0% 0.0% 0.0% 0.0%

TS-0105 ASAS spacing in TMA 32 -2.9% 0.1% 0.1% 1.4% 3.4% 0.4%

CM-0702 ASAS crossing & passing

41 -0.1% 0.0% 0.0% 0.4% 1.1% 0.2%

CM-080101

STCA 39 1.6% 0.0% 0.0% 0.0% 0.0% 0.3%

CM-080102

APW 54 0.3% 0.0% 0.0% 0.0% 0.0% 0.1%

CM-080103

MSAW 42 0.0% 0.0% 0.0% 0.5% 0.0% 0.2%

CM-080104

Approach path monitor 59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

CM-0802 ACAS RA downlink 44 1.3% 0.0% 0.0% 0.0% 0.0% 0.2%

CM-0803 Enhanced ACAS 29 2.8% 0.0% 0.0% 0.0% 0.0% 0.5%

CM-0804 ACAS adapted to new separation modes

59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

CM-0805 STCA adapted to new separation modes

59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

CM-0806 Safety net compatibility 10 10.6% 0.0% 0.0% 0.0% 0.0% 1.8%

Episode 3


of 240




CM-0807 Information sharing 40 1.4% 0.0% 0.0% 0.0% 0.0% 0.2%

AO-0101 Airport runway incursion prevention

9 0.0% 6.4% 1.6% 0.0% 0.0% 1.8%

AO-0201 A-SMGCS Level 1 43 0.0% 0.8% 1.7% 0.0% 0.0% 0.2%

AO-0102 A-SMGCS Level 2 (RIMCAS)

16 0.0% 3.5% 0.0% 0.0% 0.0% 1.0%

AO-0103 Airport layout 5 0.0% 8.7% 13.5% 0.0% 0.0% 2.6%

AO-0104 Taxiway deviation alert 19 0.0% 2.9% 1.2% 0.0% 0.0% 0.8%

AO-0202 FOD detection 59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

L10-02 A-SMGCS Level 3 25 0.0% 2.3% 0.6% 0.0% 0.0% 0.7%

AO-0301 Crosswind reduced separation

59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

AO-0302 Time based separation 80 0.0% 0.0% 0.0% 0.0% -3.8% -0.2%

AO-0303 Wake vortex prediction 59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

AO-0304 Wake vortex detection 51 0.0% 0.0% 0.0% 0.0% 2.5% 0.1%

AO-0305 Rapid exit taxiways 59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

AO-0402 Interlaced take-off and landing

85 0.0% -5.1% 0.0% 0.0% 0.0% -1.4%

AO-0403 Optimised dependent parallel operations

59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

L10-06 Low visibility operations 86 0.0% -7.4% -0.5% 0.0% 0.0% -2.1%

L10-03 Airport collaboration 57 0.0% 0.0% 2.0% 0.0% 0.0% 0.0%

L10-08 Sustainable operations 82 0.0% 0.0% 0.0% -1.4% 0.0% -0.7%

AUO-0301

Datalink communications

13 2.5% 0.0% 0.0% 1.5% 4.2% 1.3%

AUO-0302

Datalink RBT clearances

15 2.0% 0.0% 0.0% 1.1% 3.0% 1.0%

AUO-0303

Datalink RBT revision 2 10.0% 1.0% 1.1% 12.2% 0.3% 8.1%

AUO-0304

Cruise-climb trajectories 59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

AUO-0401

ATSAW on the airport 7 0.0% 7.3% 11.5% 0.0% 0.0% 2.1%

AUO-0402

ATSAW in flight 78 -0.3% 0.0% 0.0% 0.0% 0.0% 0.0%

AUO-0403

Enhanced vision 8 0.0% 7.0% 1.1% 0.0% 0.0% 2.0%

AUO-0404

Synthetic vision 3 0.0% 12.1% 1.1% 0.0% 0.0% 3.4%

L10-07 Visual approaches 58 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

AUO-0602

Guidance on airport surface

45 0.0% 0.7% 1.1% 0.0% 0.0% 0.2%

Episode 3


of 240




AUO-0603

Surface routing assistance

23 0.0% 2.4% 3.7% 0.0% 0.0% 0.7%

AUO-0604

Taxi automation 6 0.0% 7.8% 12.3% 0.0% 0.0% 2.3%

AUO-0605

Pilot alerting for runway incursion

52 0.0% 0.2% 0.8% 0.0% 0.0% 0.1%

L10-04 Minimising runway occupancy time

59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

L1-01 Flight data consistency 17 0.6% 2.0% 2.9% 0.1% 4.4% 0.9%

L1-03 From AIS to AIM 48 0.1% 0.4% 0.5% 0.0% 0.1% 0.1%

L1-05 Airspace user data for ground tools

33 1.5% 0.0% 0.0% 0.0% 1.7% 0.3%

L1-02 Information provision 48 0.1% 0.4% 0.5% 0.0% 0.1% 0.1%

L1-06 Enhanced weather forecast

55 0.1% 0.0% 0.0% 0.0% 0.1% 0.0%

L1-04 Implementing SWIM 59 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%

The largest beneficial effects on risks are from:

• STAR-03 Reduced ATCO task load. This is the sum of the effects on task load from various other OIs, prior to the increase in traffic. It is modelled as affecting only en-route and approach controllers, and hence has an effect on mid-air collision, CFIT and wake accidents but not on runway or taxiway collision.

• AUO-0303 Datalink RBT revision. This is the airborne side of the benefits of the trajectory-based environment. It is modelled as a reduction in pilot deviations, which has a large effect on mid-air collision and CFIT.

• AUO-0404 Synthetic vision. This is modelled as very beneficial for visual warning of runway collision.

• STAR-02 Reduced delays. This is the combined reduction in delays from various other OIs. It is modelled as reducing in-flight holding, which reduces mid-air collision and CFIT accidents. It is also modelled as reducing flight crew errors due to fatigue, which affects all accident types to a lesser extent. The complete relationship to traffic changes is not modelled at present.

• AO-0103 Airport layout. This is modelled as a reduction in runway crossings and pilot errors in taxi, which has a large effect on runway and taxiway collisions.

It is noted that several OIs with beneficial effects on mid-air collision are not ranked among the most beneficial OIs overall, because mid-air collision provides only 17% of ATM contributions to fatal accidents (see Table 5).

The largest negative effects on risks are from:

• STAR-01 Increased traffic. This has by far the largest effects, as in Section 5.

• STAR-04 Changed ATCO role. This is the combined reduction in active separation from various other OIs. It is modelled as reducing ATCO reliability, which increases mid-air collision, CFIT and wake accidents.

• L10-06 Low visibility operations. This includes an increase in operations in low visibility, which has a negative effect on runway collisions. The improved safety measures and beneficial effects of reduced delays are modelled separately.

Episode 3


of 240


• AUO-0402 Air Traffic Situational Awareness (ATSAW) during Flight Operations. This is a capacity increasing measure, which increases a key precursor of runway collisions.

• L2-06 Free routes. This reduces the route separation barrier against mid-air collision.

Many OIs have zero or near-zero effects in the model. This may be due to:

• OIs with no significant effects on safety, whose effects were assumed to be zero in the hazard identification sessions (see Table 4).

• OIs represented as enablers for other OIs. To avoid double-counting, the model does not attach any benefit to enablers at present.

• OIs whose effects apply to small risk contributions, so they appear negligible when measured as NRW in overall risk.

• OIs with positive and negative safety impacts that approximately cancel out in the model.

The absolute value of the NRW from Table 13 forms a preliminary measure of the criticality of each OI, and hence indicates the level of assurance that is required in its safety assessment. In future work, the rankings from the table could be split into assurance levels.

6.7 VERIFICATION

To verify that the above results are as intended, the following explains the sources of the results for selected OIs. OIs with relatively simple modelling have been chosen for clarity.

AO-0102 A-SMGCS (Advanced Surface Movement Guidance and Con trol System) Level 2, also known as runway incursion monitoring and collision avoidance system (RIMCAS), is an example of an OI modelled through a parameter represented in IRP, namely event RB2.2.1 (RIMCAS not present). The OI is assumed to increase RIMCAS coverage from 8% in 2005 to 50% by 2016 (Appendix II). This reduces RB2.2.1 by a modification factor MF = (1-0.5)/(1-0.08) = 0.54. Its contribution to runway collisions in the base case is 0.24, so a reduction of 0.24 x (1-0.54) = 10.9% might be expected. In fact, the high values for other events mean that the reduction in RB2.2 (Ineffective conflict warning system) is only 6.4%. Because common cause failures (CCFs) are mainly due to ATCO response, the reduction in RB2 (Ineffective ATC collision avoidance) is only 5.3%, and the reduction in RF3 (runway collision) is only 3.5%. This is the value that appears in Table 13. In this example, CCFs reduce the expected safety improvement by a factor of 10.9/3.5 = 3.

CM-0406 Detecting conflicts in terminal areas is an example of an OI modelled through a direct modification of a base event in IRP, namely event MB6.1.2 (ATCO failure to identify conflict). The OI is assumed to reduce this event by 10% in terminal areas (Appendix II). It is assumed that 70% of conflicts occur in terminal areas, resulting in a 7% reduction overall. This reduces MB6.1.2 by MF = 0.93. Its contribution to mid-air collisions in the base case is 0.384, so a reduction of 0.384 x (1-0.93) = 2.7% might be expected. The actual value is lower, as follows. The contribution of MB6.1.2 to MB6 (Ineffective management of unplannable conflict) is 0.383/0.5 = 0.766, so the reduction in MB6 is 0.97 x 0.766 = 5.4%. Because CCFs are modelled as due to ATCO response to level bust, the reduction in MF6 (separation infringement from unplannable conflict) is only 3.0%. Because unplannable conflicts only cause 50% of separation infringements, the reduction in MF5-8 (separation infringement) is 3 x 0.5 = 1.5%. After CCFs associated with collision avoidance, the final reduction in MF3 (mid-air collision) is only 0.9%. This is the value that appears in Table 13. In this example too, CCFs reduce the expected safety improvement by a factor of 2.7/0.9 = 3.

AOM-0101 Harmonised airspace classification is an example of an OI modelled using the influence model in IRP, namely influence A1 (airspace design). The OI is assumed to reduce ATCO/pilot errors influenced by airspace design by 10% (Appendix II). In the case of conflict management by the ATCO, the maximum effect (ME) for this influence is 3%, so the MF for

Episode 3


of 240


events influenced by this task is 1-(0.1x0.03) = 0.997. For presentation in the influence model, this is converted into a performance score PS = 70+30log(1-0.1x0.03)/log(1-0.03) = 73. In the case of cruise/climb/descent by the pilot, the ME is 22%, so the MF is 1-(0.1x0.22) = 0.978. The ATCO and pilot influences have contributions of 1.000 and 0.323 respectively to mid-air collisions, so a reduction of (1-0.997) + 0.323x(1-0.978) = 1.0% might be expected. After CCFs, which are dominated by ATCO and pilot performance, the combined effect is a reduction in MF3 (mid-air collision) by 1.3%. This is the value that appears in Table 13. In this example, CCFs increase the expected safety improvement by a factor of 1.3/1.0 = 1.3.

AUO-0302 Datalink RBT clearances is an example of an OI modelled as a change in ATCO task load (collected under STAR-03). The OI is assumed to reduce voice communications in all flight phases by 10% (Appendix II). In the case of conflict management by the ATCO, the ME for resources is 46%, so the MF for events influenced by this task is estimated as 1-(0.1x0.46) = 0.954. For presentation in the influence model, this is converted into a performance score PS = 70+30log(1-0.1x0.46)/log(1-0.46) = 72.3. When combined with the other fundamentals, whose total MF is 91%, the overall PS is 70.6. In the case of ATC collision avoidance, the overall ME is 22%. Using the PS of 70.6 gives an MF of 0.99 for this task. The ATCO contributes to all mid-air collisions, so a reduction of 1-0.954 = 4.6% might be expected. Although CCFs are dominated by ATCO performance, the small effect on ATC collision avoidance reduces the overall effect to a reduction in MF3 (mid-air collision) by 2.0%. This is the value that appears in Table 13. In this example, CCFs reduce the expected safety improvement by a factor of 4.6/2.0 = 2.3.

The verification also serves to highlight the key assumptions in the modelling of OIs. These are considered to be:

• The common cause modelling. This may increase or reduce the OI effects, depending on whether the OI affects the CCFs or not. Although it is considered realistic in principle, it would be desirable to make the CCF modelling more robust before basing any conclusions on it.

• The influence modelling. This represents effects that would otherwise be difficult to model, but it would be desirable to make the influence modelling more robust.

• The OI effects assumed in Appendix II. These are considered preliminary judgements, and it would be desirable to make a more detailed review in combination with verification of the effects on the risks.

6.8 VALIDATION

It is impossible at present to compare the above predictions with any independent source. Meanwhile the best practical check of face validity is to compare the results to expert expectations. To date, reviews of draft results have been made by the IRP/STAR team and ATM specialists, and suggested changes have been incorporated in the modelling (as documented in Appendix II). In future work, it would be desirable to validate the results using wider groups of SESAR stakeholders during the SESAR Development Phase.

6.9 RISK PICTURE FOR MID-AIR COLLISION

IRP produces a detailed causal breakdown for the SESAR case, in the same form as presented for the base case in Section 4.8. Figure 15 shows the ATM influences on mid-air collision. Most of the detailed results are omitted for brevity, but the overall they are strikingly similar to the baseline case. While there are many differences, they are mainly small compared to the uncertainties in each component.

This result may seem surprising, but it can be explained by the following:

• The traffic change affects the accident categories differently, but does not affect the causal breakdown within each category.

Episode 3


of 240


• Some of the most important ATM changes affect ATCO performance and other parts of the influence model, which has a diffuse effect throughout the risk picture.

• Some OIs affect the collision avoidance barrier, but these have similar effects on most of the causal factors.

• The large number of other OIs, each affecting the risk model at several points, has the overall effect of reducing many causal contributions by a similar extent.

• To date, there has been no attempt to focus OIs on the largest causal contributors in IRP, so the effects appear to occur at random throughout the model.

This conclusion is likely to change once the model of SESAR is more focussed on achieving large risk reductions in the model. Meanwhile, the baseline risk picture, combined with the effects of individual OIs, give suitable preliminary guidance for the practical purpose of suggesting improvements to SESAR.

Figure 15: ATM Influences on Mid-Air Collision for SESAR

0.0 0.2 0.4 0.6 0.8 1.0

Airspace design

DCB

ATC sector planning


ATC communication


Traffic sequence

Separation modes

Communications

Navigation

Surveillance

ATC system

ACAS

Aircraft equipment

Flight planning





Traffic conditions

Ambient conditions


Direct cause

Prevention failure


Indirect influence

In order to simplify the comparison with the base case, Figure 16 shows the changes in ATM contributions for mid-air collision. These are expressed as the fractional reduction in the dimensional form of risk reduction worth, which is found to be better than NRW for this purpose. The benefit for each ATM element is defined as:

Episode 3


of 240


)()(

)()()()(

oo

oo

BFBC

BFBCBFBCBenefit 11−

=

Where:

C(Bo) = contribution of element to baseline risk

F(Bo) = frequency (per flight hour) of accident category in base case

C(B1) = contribution of element to risk in SESAR

F(B1) = frequency (per flight hour) of accident category in SESAR

This gives positive values for contributions that have reduced (in terms of frequency per flight hour) and negative values for contributions that have increased.

Figure 16: ATM Influences on Mid-Air Collision for SESAR

-0.3 -0.2 -0.1 0.0 0.1 0.2 0.3 0.4

Airspace design

DCB

ATC sector planning


ATC communication


Traffic sequence

Separation modes

Communications

Navigation

Surveillance

ATC system

ACAS

Aircraft equipment

Flight planning





Traffic conditions

Ambient conditions

BENEFIT OF CASE(fractional reduction of ATM contribution to mid-air collision accident frequency)

Direct cause

Prevention failure


Indirect influence

In these results, the main negative benefits (i.e. ATM elements whose contribution increases between the 2005 baseline and the 2020 SESAR results) are:

• Separation modes - due to the new separation modes introduced by SESAR (Section 3.2).

Episode 3


of 240


• Aircraft equipment - due to the increased importance of FMS (Flight Management System) and transponders in SESAR.

The main positive benefits (i.e. ATM elements whose contribution reduces between the 2005 baseline and the 2020 SESAR results) are:

• ACAS warning response - due to the beneficial effect of RA downlink (CM-0802).

• Navigation - because the small contribution of navigation to pilot performance reduces as pilot performance improves as a result of several OIs (e.g. STAR-02).

It is notable that most of the changes are in ATM elements whose overall contribution is small, as shown in Figure 15. Therefore, these results may be misleading because they highlight large fractional changes, without taking account of the size of the underlying effect. They may be useful in highlighting areas of SESAR that are under-supplied with OIs, but Figure 16 is considered a better starting point for identifying areas where OIs are really needed.

6.10 IMPROVEMENT OF SESAR

Despite its limitations, the IRP model is considered sufficiently mature to begin to identify ways to reduce the ATM contribution to accident risks, and hence to improve the safety of the SESAR ConOps. Sections 4.8, 6.6 and 6.9 include information of this type.

Based mainly on Figure 15, the most important areas for further improvements in mid-air collision risks are:

• ATC conflict management (i.e. tactical separation). This is involved in all mid-air collisions, and makes the largest contribution to direct causes of them. The main potential for improvement is in detection of conflicts inadvertently introduced by the ATCO (MB7) and earlier identification of conflicts (MB5.1.2 and MB6.1.2).

• ACAS. This is also involved in all mid-air collisions. This is an opportunity to improve the fitment on non-commercial aircraft (MB2.1.1). It would be desirable to avoid ACAS discouraging pilots from visual lookout; otherwise the benefit of this will be lost.

• Traffic conditions. Reduction in the complexity of traffic, through airspace or route design, has a large potential to reduce mid-air collision risks.

• ATC collision avoidance. This covers the ATCO response to STCA (MB3.3, MB3.4). There is also a potential to prevent accidents through improved warning from ATCOs not directly responsible for separation (MB4.3, MB4.4).

• Ambient conditions. There is a large potential to reduce collisions by improving visibility of conflicting aircraft (MB1.1.1).

• ATC system, which includes STCA. There is an opportunity to extend STCA coverage into unmanaged airspace (MB3.1), and improve the reliability and timeliness of warnings (MB3.3.3).

It is recognised that some of these aspects may already be reflected in SESAR, but not adequately translated into the IRP model. Table 14 shows how the SESAR OIs relate to these ATM elements for mid-air collision.

Table 14: Mapping of Individual Operational Improve ments onto ATM Elements for Mid-Air Collision

ATM ELEMENT ID ATM CHANGE NRW - MAC

Airspace design L2-06 Free routes -5.0%

L2-03 Advanced FUA -1.2%

L2-09 Flexible airspace configuration 0.0%

Episode 3


of 240



L2-04 Facilitating OAT transit 0.5%

L2-05 Flexibility of route network 1.2%

AOM-0103 Two categories of airspace 1.3%

AOM-0102 Three categories of airspace 1.3%

AOM-0101 Harmonised airspace classification 1.3%

L2-07 Enhanced terminal airspace 1.5%

L2-02 Optimising airspace allocation 1.5%

DCB L3-02 User-driven prioritisation -0.3%

L4-02 Monitoring ATM performance 0.0%

L3-01 Network operations plan (NOP) 0.0%

L4-01 Network capacity management 1.8%

ATC sector planning L7-03 Managing interactions 0.0%

L7-02 Departure traffic synchronisation 0.0%

L7-01 Arrival traffic synchronisation 2.5%

ATC conflict TS-0105 ASAS spacing in TMA -2.9%

management CM-0702 ASAS crossing & passing -0.1%

CM-0404 Enhanced conflict detection 0.0%

CM-0403 Conflict dilution by action on speed 0.0%

L5-02 Managing air traffic complexity 0.0%

L8-02 Precision trajectory clearance 0.2%

CM-0405 Preventing conflicts in terminal areas 0.9%

CM-0406 Detecting conflicts in terminal areas 0.9%

CM-0401 Shared 4D trajectory 1.7%

CM-0201 Coordination support 1.9%

L5-03 Enlarging ATC planning horizon 2.5%

CM-0203 Flight path monitoring 3.2%

CM-0204 Near-term conflict detection 3.6%

CM-0402 Coordination free transfer of control 3.8%

CM-0202 Conflict prevention support 5.4%

ATC communication AUO-0302 Datalink RBT clearances 2.0%

AUO-0301 Datalink communications 2.5%

AUO-0303 Datalink RBT revision 10.0%

ATC system CM-0805 STCA adapted to new separation modes 0.0%

CM-080104 Approach path monitor 0.0%

CM-080103 MSAW 0.0%

CM-080102 APW 0.3%

CM-0807 Information sharing 1.4%

CM-080101 STCA 1.6%

Episode 3


of 240



CM-0806 Safety net compatibility 10.6%

ACAS CM-0804 ACAS adapted to new separation modes 0.0%

CM-0802 ACAS RA downlink 1.3%

CM-0803 Enhanced ACAS 2.8%

Aircraft equipment AUO-0402 ATSAW in flight -0.3%

AUO-0401 ATSAW on the airport 0.0%

Cruise/climb/descent AUO-0304 Cruise-climb trajectories 0.0%

L2-08 Optimising climb/descent 3.0%

Visual collision AUO-0404 Synthetic vision 0.0%

avoidance AUO-0403 Enhanced vision 0.0%

Information L1-04 Implementing SWIM 0.0%

management L1-06 Enhanced weather forecast 0.1%

L1-02 Information provision 0.1%

L1-03 From AIS to AIM 0.1%

L3-03 Shared business trajectory 0.4%

L1-01 Flight data consistency 0.6%

L1-05 Airspace user data for ground tools 1.5%

When considering all accident categories together, the most important areas for further improvements are in managing CFIT and runway collisions.

In future work, it is recommended that this type of information should be extracted from IRP in a systematic way and used to review and possibly improve the safety measures in the SESAR ConOps.

7 TARGET-COMPLIANT RISK PICTURE

7.1 CASE DEFINITION

In order to develop targets for SESAR, following the methodology outlined in Section 2, it is necessary to develop a case that fully complies with the SESAR risk target. The risk prediction in Section 6 does not achieve this.

There are innumerable ways in which target compliance could be achieved. The assumed benefits of existing OIs could be increased. New OIs could be introduced. Safety management factors could be applied. Risk reduction factors could be added, equal to the short-fall between the SESAR case and the target. The existing OI modelling could be removed, and risk reduction factors could be used instead, representing the required reduction from the “do nothing” case. All OI and traffic change modelling could be removed, and risk reduction factors could be used, representing the complete required change from the baseline case. All these methods involve assumptions that are to some extent arbitrary, unrealistic and/or difficult to explain.

Ultimately, if the SESAR ConOps is to ensure that the modelled risks are not exceeded in reality, and if IRP is to be used to monitor progress during the transition, it will be necessary to link all risk reduction factors to specific OIs. Therefore, it is considered desirable for the target-compliant case to include all OIs as far as possible, and to minimise the use of arbitrary factors. Therefore, the target-compliant case is formed by modifying safety management

Episode 3


of 240


factors, which could be related to possible new OIs or ongoing ATM changes, and could be replaced in future work by improved models of ongoing safety harmonisation actions.

To form the target-compliant case, modifications are made to the safety management factors for ANSPs, airports and aircraft operators. The performance score (defined in section 2) in each case is modified from the baseline value of 70 to a value of 74.3. This has the effect of reducing the accident frequencies until target compliance is achieved.

It is recognised that the safety management model is uncertain and cannot be validated at present. Therefore, its effects are not free of the arbitrary and unrealistic assumptions mentioned above. However, it represents a first attempt at a realistic target-compliant model.


Table 15 shows the fatal accident frequencies in the 5 modelled accident categories for the target compliant case. To set them in context, the frequencies of other types of aircraft accidents are included, although these are based on extrapolation of historical trends, and have not been modelled in detail in IRP.

Table 15: ATM Contributions to Fatal Aircraft Accid ents in the Target-Compliant Case


ACCIDENT CATEGORY

FATAL ACCIDENT


FATAL ACCIDENT


FATAL ACCIDENTS

IN ECAC (per year)

% OF FATAL

ACCIDENTS





CFIT 1.8E-08 1.2E-08 0.29 10% 40%










Table 16 shows the fatal accident frequencies, expressed as fractions of the 2005 baseline case. This shows a reduction of 42% is sufficient to prevent any growth in number of fatal accidents with ATM contributions, as required by the target.

Episode 3


of 240


Table 16: Relative Change in ATM Contributions to F atal Aircraft Accidents in the Target-Compliant Cas e

Frequency in 2020 Target-Compliant Case


ACCIDENT CATEGORY

FATAL ACCIDENT


FATAL ACCIDENT


FATAL ACCIDENTS

IN ECAC (per year)




CFIT 0.47 0.47 0.80



In this case there has been most growth in the number of mid-air collisions, while the number of CFITs has reduced. This rebalancing of accident categories arises from the fact that traffic increases are expected to have most effect on collision risks, which means that reducing these is more difficult than for CFIT accidents.


Table 17 shows the equivalent frequencies of ICAO-defined accidents in the target-compliant case. Table 18 shows the ICAO accident frequencies, expressed as fractions of the 2005 baseline case.

Table 17: ATM Contributions to ICAO Aircraft Accide nts in the Target-Compliant Case


ACCIDENT CATEGORY

ICAO ACCIDENT


ICAO ACCIDENT


ICAO ACCIDENTS

IN ECAC (per year)

% OF ICAO ACCIDENTS





CFIT 2.1E-08 1.4E-08 0.33 2% 13%










Episode 3


of 240


Table 18: Relative Change in ATM Contributions to I CAO-Defined Accidents in the Target-Compliant Case

Frequency in 2020 Target-Compliant Case


ACCIDENT CATEGORY

ICAO ACCIDENT


ICAO ACCIDENT


ICAO ACCIDENTS

IN ECAC (per year)




CFIT 0.47 0.47 0.80



Because of the rebalancing of accident categories above, it is not possible to satisfy the target exactly for both fatal and ICAO-defined accidents. In this case there is a 5% increase in ICAO accidents compared to be baseline. This could be prevented by a further increase in the safety management factor, but at present this has not been done.

7.4 IMPLICATION FOR SESAR TARGETS

The values above can be treated as risk targets for SESAR, and can be apportioned into specific airspaces or ANSPs using the IRP unit-specific methodology (Ref 3). The base events of the fault tree show how the overall frequencies can be apportioned into their contributory causes, which may be used as targets for individual ATM elements. Table 19 shows the results for mid-air collision in the target-compliant case.

Episode 3


of 240


Table 19: Base Event Probabilities for Mid-Air Coll ision in the Target-Compliant Case

BARRIER SCENARIO EVENT PROBABILITY UNITS

MB9.1 No sector planning 1.0E-01 per conflict in SBT

MB9.2.1.1 Inadequate strategic surveillance picture 1.1E-02 per conflict in initial RBT

MB9.2.1.2 Inadequate trajectory information 5.5E-03 per conflict in initial RBT

MB9.2.2 Planning controller failure to identify conflict 4.9E-03 per conflict in initial RBT

MB9.2.3 Planning controller misjudgement in planning 5.4E-03 per conflict in initial RBT

MB9.3 Inadequate planning controller coordination 2.6E-03 per conflict in initial RBT

Plannable conflict

MB9.4 Planning controller failure to alert tactical controller to conflict 7.8E-04 per conflict in initial RBT

MF6.1.1.1 Airspace infringement by military aircraft 5.7E-05 per CAT flight hour

MF6.1.1.2 Airspace infringement by VFR aircraft 5.0E-05 per CAT flight hour

MF6.1.1.3 Airspace infringement by CAT aircraft 8.8E-06 per CAT flight hour

MF6.1.2.3 Pilot lateral deviation 6.8E-05 per flight hour

MF6.1.3.1 Inadequate communication of level/height to pilot 4.2E-05 per flight hour

MF6.1.3.2 Pilot handling error causing level bust 6.2E-06 per flight hour

MF6.1.3.3 Altimeter setting error causing level bust 2.9E-05 per flight hour

MF6.1.3.4 Aircraft technical failure causing level bust 6.9E-05 per flight hour

MF6.1.3.5 ACAS RA 2.9E-06 per flight hour


MF6.1.3.6 Weather induced level bust 1.4E-05 per flight hour

ATCO induced conflict MF7.1 Trajectory instructions result in conflict 1.6E-05 per flight hour

MF8.1.1 Encounter in unmanaged airspace 1.8E-04 per flight hour

Conflict prevention


MF8.1.2 Separation delegated to pilot 1.6E-05 per flight hour

Episode 3


of 240



MB5.1.1.1 Inadequate traffic picture 9.5E-04 per conflict in revised RBT

MB5.1.1.2 Inadequate trajectory planning information 2.4E-04 per conflict in revised RBT

MB5.1.2 ATCO failure to identify conflict in time 4.4E-03 per conflict in revised RBT

MB5.1.3.1 ATCO misjudgement in separation 8.9E-04 per conflict in revised RBT

MB5.1.3.2 ATCO lost awareness of previously identified conflict 3.0E-04 per conflict in revised RBT

MB5.2.1 Inadequate ATCO transmission of instructions 4.5E-04 per conflict in revised RBT

MB5.2.2 Loss of communication 1.4E-03 per conflict in revised RBT

MB5.2.3 Inadequate pilot readback 5.5E-04 per conflict in revised RBT

Plannable conflict

MB5.3 Inadequate pilot response to ATC 3.8E-04 per conflict in revised RBT

MB6.1.1 Inadequate traffic picture 3.4E-03 per conflict in RBT deviation

MB6.1.2 ATCO failure to identify conflict in time 3.9E-02 per conflict in RBT deviation

MB6.2.1 Inadequate ATCO transmission of instructions 7.0E-04 per conflict in RBT deviation

MB6.2.2 Loss of communication 2.1E-03 per conflict in RBT deviation

MB6.2.3 Inadequate pilot readback 8.4E-04 per conflict in RBT deviation


MB6.3 Inadequate pilot response to ATC 9.5E-03 per conflict in RBT deviation

ATCO induced conflict MB7 Ineffective management of ATCO induced conflict 4.1E-01 per ATCO induced conflict

MB8.1 Inadequate traffic information from ATCO 3.7E-02 per pilot managed conflict

MB8.2.1 Inadequate ATCO transmission of information 5.3E-04 per pilot managed conflict

MB8.2.2 Loss of communication 1.6E-03 per pilot managed conflict

MB8.2.3 Inadequate pilot readback 6.4E-04 per pilot managed conflict

Conflict management


MB8.3 Inadequate coordination of separation modes 4.3E-03 per pilot managed conflict

Episode 3


of 240



MB8.4 Inadequate separation by pilot 1.3E-02 per pilot managed conflict

MB3.1 No STCA coverage 1.8E-01 per separation infringement

MB3.2.1.1 Transponder not operating 1.3E-02 per separation inf with STCA

MB3.2.1.2 Surveillance technical failure 2.5E-02 per separation inf with STCA

MB3.2.2 STCA technical failure 2.1E-01 per separation inf with adequate info

MB3.3 ATCO failure to respond to STCA warning in time 2.1E-01 per STCA warning

STCA warning

MB3.4 ATCO failure to recover separation in time 1.1E-01 per STCA response

MB4.1 No independent ATCO monitoring 6.3E-01 per separation infringement

MB4.2.1 Inadequate traffic picture for unplannable conflict management 3.7E-02 per monitored infringement

MB4.2.2 ATCO failure to identify unplannable conflict in time 1.9E-01 per monitored infringement

MB4.3 Other ATCO failure to communicate warning 1.9E-01 per identified conflict

Other ATCO warning

MB4.4 ATCO failure to recover separation in time 2.3E-01 per other ATCO warning

MB2.1.1 ACAS not installed 6.3E-02 per imminent collision

MB2.1.2.1 Transponder not operating 1.3E-02 per imminent collision

MB2.1.2.2 ACAS failure to give RA in time 3.8E-02 per imminent collision

MB2.1.3.1 Pilot failure to respond to RA in time 6.1E-03 per imminent collision

MB2.1.3.2 Pilot incorrectly prioritises ATC instructions 8.7E-04 per imminent collision

ACAS warning

MB2.1.4 ACAS avoidance invalidated by other aircraft 1.2E-02 per imminent collision

MB1.1.1 Other aircraft effectively invisible 3.7E-01 per involvement

MB1.1.2 Flight crew failure to observe visible aircraft in time 4.7E-01 per involvement

Visual warning

MB1.1.3 Pilot failure to take avoidance action in time 4.6E-02 per involvement

Episode 3


of 240



MB1.1.4 Visual avoidance action unsuccessful 1.5E-02 per involvement

Episode 3


of 240


These targets are consistent with actual in-service performance, averaged for IFR flights in the ECAC region. They also include systematic adjustment to represent the effects of OIs and other modelled ATM changes, and (at present) arbitrary adjustments to the management factors to achieve target-compliance. Before they can be used to specify targets for new system designs, it is necessary to distinguish between performance targets and design targets.

Design targets are used as part of the design process for equipment or software that supports ATM. The design significantly affects the reliability of the equipment in performing the specified task, but the designer cannot know whether the specification for the equipment is appropriate, or what standard of manufacture, installation, maintenance or operation will apply. In reality, most failures are not due to predictable equipment failures, but due to gross errors in the design process or errors during manufacture, installation, maintenance or operation. Therefore, design targets should only be a small fraction of the performance targets above.

Three factors are distinguished, which justify more stringent design targets:

• Failure origin. The design target should be based on failures that result from the design process. Analysis of representative ATM equipment failures (including surveillance, communications and overall ATC systems) shows that most have some design contribution, but only 20% result from reliability failures that might be reduced if the targets were made more demanding. In future work, this breakdown could be represented through an influence model.

• Variability between units. The design target should be based on the equipment performance in units experiencing the lowest in-service failure rates. The unit-specific model (Ref 5) has a 90% range for safety management from 0.79 to 1.26x the average event probabilities. Judgementally, a greater range in equipment failures might be expected, and it is assumed that the best unit might achieve failure rates of 0.3x the average. In future work, this could be represented through an improved unit-specific influence model.

• Continuous improvement. The design target will apply to the small proportion of systems that are replaced each year. This replacement of legacy systems forms one of the drivers for continuous improvement of overall risks towards target compliance. As a result, it will be necessary for new systems to have significantly less than current average failure rates, if the average is to continue reducing. For example, if the average system life was 20 years, and the average failure rate was required to reduce at a compound rate of 5% per year, new systems should have a failure rate of approximately 0.95(20/2) = 0.6x current average.

In combination, these factors indicate that system design targets should be 0.2 x 0.3 x 0.6 = 0.036x the values in the table. This result should be used with caution because the calculations above are preliminary and are not validated against actual system design practice.

The assumed OI effects in Appendix II, together with the required safety management performance score selected in Section 7.1 above, can be used as safety requirements for the projects implementing these OIs. Because they refer to relative changes rather than absolute probabilities, they can be used directly as design targets, provided that current design practice is known.

8 CONCLUSIONS AND RECOMMENDATIONS

8.1 INITIAL RESULTS AND IRP STATUS

This report has applied the IRP methodology to the SESAR ConOps and has completed a first preliminary risk picture for SESAR, at a level of detail that is appropriate for the current

Episode 3


of 240


stage of development of the ConOps. Illustrative results have been extracted to give preliminary comparison of the SESAR safety criteria, from which very tentative conclusions on the safety of the SESAR ConOps can be based. This will provide input to the SESAR safety assessment during the SESAR Development Phase. The results are also sufficient to begin to evaluate the face validity of the IRP results through review by a wider group of stakeholders.

At present, the assessment of the SESAR ConOps has been limited in the following areas:

• Quantifying the safety impacts of each OI requires participation from expert teams combining knowledge of SESAR, IRP and the individual OIs. To date, there has been relatively limited availability of ATM experts with knowledge of the SESAR OIs. Therefore the effects of each OI have been identified through preliminary suggestions by the project team, combined with relatively few expert review sessions.

• SESAR does not form a complete model of future European ATM, and in particular it does not represent ongoing harmonisation actions, which are likely to have a significant impact on risks in the short-term. It would be desirable to model in the IRP the complete set of ATM changes that have taken place since 2005, as these form a more comprehensive baseline for implementation of SESAR.

• The calibration of the IRP model against historical trends has not been updated from the previous work (Ref 9). In fact, it would be difficult to calibrate the model without taking account of ongoing harmonisation actions, as above.

• The initial work presented here uses a simple model of the evolution of the Business Trajectory. The analysis would benefit from a higher fidelity model of the trajectory management process envisaged by SESAR.

Therefore, the results in the present report, while suitable for use in validation and improvement of the risk model during the SESAR Development Phase and SESAR itself, are not yet considered robust, and may be subject to substantial revision in the future (in particular during the SESAR Development Phase).

8.2 CONCLUSIONS ON SESAR SAFETY ASSESSMENT

The results presented in this report are intended to form an input to the SESAR safety assessment. The following specific conclusions are drawn:

• ICAO-defined accidents may not be an appropriate basis for the SESAR safety target because of the dominance of taxiway collisions (see Section 4.4). Instead, the value of 0.71 fatal accidents with an ATM contribution per year in ECAC is used as the primary risk target, despite the apparent contradiction with the SESAR target (see options presented in section 5.1 of (Ref. 4) to be further worked on during the SESAR Development Phase (WP16)).

• In order to prevent any increase in the annual number of fatal accidents with ATM contributions, a reduction by a factor of 2.5 (i.e. 60%) would be required in the frequency per flight, compared to the “do nothing” case where traffic increases by 73% with no other ATM changes. This is broadly consistent with the factor of 3 assumed by SESAR.

• The SESAR ConOps as currently modelled in the IRP does not meet this target (see important caveat on the current state of the model and recommendations in section 8.3 below). It predicts that the accident frequency per flight may remain roughly constant, which will produce a 71% increase in the annual number of fatal accidents with ATM contributions by 2020.

The latter two conclusions are independent of the choice of fatal or ICAO-defined accidents. However, it is possible that the last conclusion is sensitive to the omission of ongoing harmonisation actions, the need to update the calibration of the model against historical

Episode 3


of 240


trends, as noted Section 8.1 and the recommendations for improved methodology in section 8.3.

Figure 17 illustrates the current model of the 3 cases, using the two metrics of fatal accidents per flight and fatal accidents per year. It shows that, in simple terms, the modelled OIs achieve approximately half of the required improvement, compared to the “do nothing” case.

Figure 17: Predicted and Required Trends in ATM Con tributions to Fatal Aircraft Accidents per Flight a nd per Year

0.0E+00

2.0E-08

4.0E-08

6.0E-08

8.0E-08

1.0E-07

1.2E-07

2000 2005 2010 2015 2020

FR

EQ

UE

NC

Y O

F F

AT

AL

AC

CID

EN

TS

WIT

H A

TM

C

ON

TR

IBU

TIO

N (

per

fligh

t)

Do nothing

Prediction

Target

0.0

0.5

1.0

1.5

2.0

2000 2005 2010 2015 2020

NU

MB

ER

OF

FA

TA

L A

CC

IDE

NT

S W

ITH

AT

M

CO

NT

RIB

UT

ION

(pe

r ye

ar)

Do nothing

Prediction

Target

8.3 RECOMMENDATIONS FOR IMPROVED METHODOLOGY

The following recommendations for future work during the SESAR Development Phase are:

• Integrating other accident categories (e.g. loss of control, landing accidents) and scenarios (e.g. runway incursion of vehicles) to which ATM may contribute with the results presented in the core of this report. Appendix III provides the set of fault tree models for the loss of control during landing accident for the baseline scenario (2005),

• Risk weighting of the accident categories. At present, all fatal accident involvements are considered equivalent, although some types (e.g. mid-air collisions) may be more likely to result in multiple fatalities than others (e.g. taxi collisions).

• Modelling the effects of safety management. At present, user inputs on safety management quality are used as a simple control on pilot and controller performance, but the specific influences of safety management systems on actor and equipment performance are not modelled.

• Analysis of more historical accidents and incidents. Further increases in the size of the dataset would be desirable to reduce uncertainties and make more use of incident experience.

• Accident analysis workshops. At present, the IRP is based on documented interpretations of the accidents/incidents. In principle, the interpretation of this data (and future enlargement of the datasets) should be the product of expert consideration.

• Analysis of precursor data. At present, the risk model uses separation infringement and runway incursion data. It would be desirable to make use of more extensive ATC, airport or airline incident data.

Episode 3


of 240


• Analysis of exposure and conflict data, to improve the modelling of the positive aspects of ATM safety prior to occurrence of incidents and accidents. At present these aspects are represented only in an approximate way.

• Expert validation for IRP model. Although many aspects of the model are based on judgement, the IRP has used only a few brief sessions with domain experts to estimate parameters from expert judgement. Now that the model is complete, it would be desirable to review its predictions using workshops with experts in each subject.

• Expert judgement for OI effects. The risk model gives a preliminary interpretation of the effects of OIs and other ATM changes. It would be desirable to review these predictions using more extensive workshops with all experts familiar with the OIs.

• Modelling the capacity benefits of ATM changes. At present, traffic changes are entered independently from the modelling of ATM changes. In reality, capacity changes are enabled by ATM changes, and it would be desirable to show this interdependency within the IRP. This would require input estimates of the capacity contribution of each ATM change.

8.4 RECOMMENDATIONS FOR SESAR

Despite its limitations, the IRP model is considered sufficiently mature to begin to identify ways to reduce the ATM contribution to accident risks, and hence to improve the safety of the SESAR ConOps. Section 6.10 includes information of this type, and it is recommended that this should be extracted from future evolutions of the IRP (SESAR WP16.1.1.1) in a systematic way and used to review and possibly improve the safety measures in the SESAR ConOps. Opportunities to improve safety for mid-air collision risks from section 6.10 are repeated below:

• ATC conflict management (i.e. tactical separation). This is involved in all mid-air collisions, and makes the largest contribution to direct causes of them. The main potential for improvement is in detection of conflicts inadvertently introduced by the ATCO and earlier identification of conflicts.

• ACAS. This is also involved in all mid-air collisions. These is an opportunity to improve the fitment on non-commercial aircraft. It would be desirable to avoid ACAS discouraging pilots from visual lookout, otherwise the benefit of this will be lost.

• Traffic conditions. Reduction in the complexity of traffic, through airspace or route design, has a large potential to reduce mid-air collision risks.

• ATC collision avoidance. This covers the ATCO response to STCA. There is also a potential to prevent accidents through improved warning from ATCOs not directly responsible for separation.

• Ambient conditions. There is a large potential to reduce collisions by improving visibility of conflicting aircraft.

• ATC system, which includes STCA. There is an opportunity to extend STCA coverage into unmanaged airspace, and improve the reliability and timeliness of warnings.

9 REFERENCES Ref 1. SESAR Consortium, “The ATM Target Concept”, D3, DLM-0612-001-02-00a,

September 2007.

Ref 2. SESAR Consortium, “Air Transport Framework: The Performance Target”, D2, DLM-0607-001-02-00a, December 2006.

Episode 3


of 240


Ref 3. EC EP3, “D2.4.3-04 – Method for Units of Operations”, to be produced, July 2009.

Ref 4. EC EP3, “D2.4.3-01 - White Paper on the SESAR Safety Target”, v1.2, approved, September 2008.

Ref 5. EC EP3, “D2.4.3-03 – Note on Risk Model Validation”, to be produced, June 2009.

Ref 6. SESAR Consortium, “SESAR Safety Screening”, WP1.6.2 D3, DLT-0000-162-00-07, June 2007.

Ref 7. Safety Regulation Commission (2007), “Annual Safety Report”, SRC Document 43, EUROCONTROL, v1, December 2007.

Ref 8. NASA Office of Safety and Mission Assurance, “Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners”, August 2002.

Ref 9. EUROCONTROL, “Main Report for the 2005/2012 Integrated Risk Picture for Air Traffic Management in Europe”, EEC Note 05/06, March 2006.

Ref 10. EUROCONTROL, “Medium-Term Forecast - Flight Movements (2008-2014)”, v1.0, February 2008.

Ref 11. Ranter, H. (2006), “Airliner Accident Statistics 2005”, Aviation Safety Network.

Ref 12. Safety Regulation Commission (2002), “Aircraft Accidents/Incidents and ATM Contribution”, SRC Document 2, EUROCONTROL, v3, December 2002.

Ref 13. SESAR JU, WP 16 - R&D Transversal Areas, Description of Work (DoW), v4.0, 17th December 2008

Ref 14. SESAR Consortium, Task Deliverable: 4.2.1/D6 – Safety Management Plan - WP4.2.1 System Engineering Development & Validation Process

Ref 15. SESAR Consortium, “Work Programme for 2008-2013”, D6, D L M - 0 7 1 0 - 0 0 2 - 0 2 - 0 0, April 2008

Ref 16. EC EP3, IRP2008 Package (Excel Tool) supporting EC EP3, D2.4.3-02

Ref 17. EUROCONTROL, European Operational Concept Validation Methodology (E-OCVM), version 2, March 2007

Ref 18. EC EP3, SESAR Information Navigator, December 2008

Ref 19. SESAR JU, WP16 – R&D Transversal Areas, Description of Work, v4.0

Ref 20. Vesely, W.E., Goldberg, F.F., Roberts, N.H., Haasl, D.F. (1981). Fault Trees Handbook, NUREG-0492, U.S. Nuclear Regulatory Commission, Washington D.C., USA.

Ref 21. Bedford, T. and R. Cooke (2002). Vines - A New Graphical Model for Dependent Random Variables. Annals of Statistics 30 (4), 1031{1068.

Ref 22. Cooke, R. (1997). Markov and Entropy Properties of Tree and Vine-Dependent Variables. In Proceedings of the Section on Bayesian Statistical Science, American Statistical Association.

Ref 23. Kurowicka, D. and R. Cooke (2004). Distribution - Free Continuous Bayesian Belief Nets. Proceedings Mathematical Methods in Reliability Conference.

Ref 24. A.L.C. Roelen, B.A. van Doorn, J.W. Smeltink, M.J. Verbeek, R. Wever, Quantification of Event Sequence Diagrams for a causal risk model of commercial air transport, NLR-CR-2006-520, NLR Amsterdam, October 2006.

Episode 3


of 240


Ref 25. Es, G.W.H., van. 2005. Running out of runway, analysis of 35 years of landing overrun accidents, NLR-TP-2005-498, NLR Amsterdam.

10 GLOSSARY OF TERMS Term Definition

ACAS airborne collision and avoidance system

ADD aircraft derived data

ADREP accident/Incident Data Reporting

AIM aeronautical information management

AIS aeronautical information services

AMAN arrival manager

ANS air navigation services

ANSP air navigation service provider

AO Airport operation

AOM airspace organisation and management

APW airspace proximity warning

ASAS airborne separation assistance system

ASM airspace management

A-SMGCS advanced surface movement guidance and control system

ATC air traffic control

ATCO air traffic control officer

ATFM air traffic flow management

ATFCM air traffic flow and capacity management

ATM air traffic management

ATM 2000+ Air Traffic Management Strategy for the Years 2000+

ATN aeronautical telecommunication(s) network

ATS air traffic services

ATSA air traffic situational awareness

ATSA-SURF ATSA surface

ATSA-VSA ATSA visual separation on approach

ATSAW air traffic situational awareness

AUO Airspace user operations

BBN Bayesian Belief Network

BTV Brake to Vacate

CAT commercial air transport

CATS Causal Model of Air Transport Safety

CBA Cost-Benefit Analysis

CCF common cause failure

CFIT controlled flight into terrain

Episode 3


of 240


Term Definition

ConOps concept of operations

CNS communication, navigation and surveillance

CPDLC controller-pilot data link communications

CRM crew resource management

DCB demand/capacity balancing

DMAN Departure Manager

ECAC European Civil Aviation Conference

EEC EUROCONTROL Experimental Centre

E-FPL E-Flight Plan

EGPWS Enhanced Ground Proximity Warning System

ESARR EUROCONTROL Safety Regulatory Requirement

ETA Estimated Time of Arrival

FDPS Flight Data Processing System

FLIR Forward Looking Infra-Red

FMS flight management system

FOD foreign object debris

FT fault tree

FUA flexible use of airspace

GA general aviation

GPS Global Positioning System

GPWS ground proximity warning system

ICAO International Civil Aviation Organization

IFR instrument flight rules

ILS Instrument Landing System

IRP Integrated Risk Picture

IS Information Services

JU Joint Undertaking

LIDAR Light Detection and Ranging

MAC Mid-Air Collision

MET meteorological

ME maximum effect

MF modification factor

MLS Microwave Landing System

MSAW minimum safe altitude warning system

MTCD medium term conflict detection

MTOW maximum take-off weight

MUAC Maastricht Upper Area Control Centre

Episode 3


of 240


Term Definition

NAV navigation

NAW non-dimensional risk achievement

NOP network operations plan

NRW non-dimensional risk reduction worth

OAT operational air traffic

OI operational improvement

PS performance score

PT Predicted Trajectory

RA resolution advisory

RAAS Runway Awareness Advisory System

RBT reference business trajectory

RET Rapid Exit Taxiway

RIASS Runway Incursion Alerting System

RIMCAS runway incursion monitoring and collision avoidance system

RNAV area navigation

ROT runway occupancy time

RTA Required Time of Arrival

SADT structured analysis and design technique

SAM safety assessment methodology

SBT shared business trajectory

SESAR Single European Sky ATM Research Programme

SSR secondary surveillance radar

STAR Safety Target Achievement Roadmap

STCA short term conflict alert

SWIM system-wide information management

TAWS terrain awareness and warning system

TBS Time-Based Separation

TLS target level of safety

TMA terminal manoeuvring area

TMR Trajectory Management Requirements

UAV unmanned aerial vehicle

VHF very high frequency

VFR visual flight rules

VMC visual meteorological conditions

Episode 3


of 240


11 ANNEX I. IRP METHODOLOGY AT GREAT LENGTH

11.1 THE QUALITATIVE MODEL

11.1.1 Identification of Causal Factors

The IRP risk model must represent all the main causes of accidents, and the main factors that influence their risks. It must cover all the elements of ATM and the main interactions between them. It must also take account of the main effects of each ATM change, whether positive or negative. Collectively, all these issues could be described as “hazards”, but because some may be beneficial while others have adverse effects, they are described here as “causal factors”.

In order to ensure completeness, several techniques have been used in combination to identify the causal factors:

• Systematic analysis of failure causes. For each accident category, the main preventative barriers have been identified from knowledge of current ATM and the future ConOps. The potential causes of barrier failure and the influences on them have been identified systematically, using logical decomposition, with reference to the ATM model, accident experience and the fundamental aspects of safety. Further details are given below.

• Generalisation of accident experience. Causal investigations of relevant accidents and incidents have been particularly useful in identifying causal factors and potential common causes affecting several such factors at once. Further details are given in Section 2.4 below.

• Expert reviews of OIs. Review sessions were held with specialists in different areas of ATM from EP3 Safety study team, in order to identify the main hazards and safety improvements from the OIs (see Annex I). In future work it would be desirable to secure more time from the experts to evaluate the OIs at an appropriate level of detail. Ultimately, this activity would become part of the OI safety assessment.

• Expert hazard identification meetings. Short “brainstorming” sessions were held with specialists in different areas of ATM, who were invited to state their own views about the major hazards and safety improvements for future ATM. This proved an efficient way of capturing the main issues, so as to check that they are covered in the model. This approach has the potential to identify hazards that have not yet been revealed in accident experience, and are not related to any specific OI. Hence it would be desirable to extend the approach in future work.

11.1.2 Accident Categories

In order to focus on accidents with potential ATM contributions, the IRP at present models the following accident categories:

• Mid-air collision - a contact between two aircraft in flight.

• Runway collision - a contact between two aircraft on an active runway. At present, collisions with obstacles, vehicles or people on the runway are not yet integrated into the overall model.

• Taxiway collision - a contact between two aircraft on the ground, other than on an active runway. This includes collisions where one aircraft is parked, being pushed back, under tow, or taxiing up to the point of runway entry.

• Controlled flight into terrain (CFIT) - an in-flight collision with terrain, water or another obstacle without prior loss of control.

Episode 3


of 240


• Wake turbulence accident - an aircraft suffers a damage or serious injuries to occupants due to an encounter with the wake of another aircraft.

Other accidents types, which are represented using statistics instead of causal models, are:

• Loss of control in flight

• Loss of control in take-off

• Loss of control in landing

• Structural accident

• Fire/explosion

Although ATM may indirectly contribute to these accidents (e.g. loss of control due to fuel exhaustion due to delays; landing accident due to supply of incorrect MET data), these are neglected here in order to focus the model on the main ATM contributions. In future work, it would be desirable to include ATM contributions to such accidents.

The following sections illustrate the methodology using examples drawn from the mid-air collision model. More detailed explanations and equivalent for the other modelled accident categories will be provided in separate documentation.

11.1.3 Barrier Model

The integrated concept as defined in SESAR Deliverable D3 defines interdependent components that will be integrated to form the future ATM System. The overall ATM System needs to be disaggregated to understand the sometimes complex interrelationships between its components. The ATM System otherwise cannot function without all of its components, which must be integrated. Those components are represented for Mid-air collisions in a set of layers (ATM barriers) in Figure 18 below. Failures of any layer could take one of three forms: (i) a fixed hole in the barrier due to limitations on the barrier capability (functionality and performance); (ii) a 'randomly' occurring hole in the barrier due to a sudden loss of functionality or performance; and (iii) anomalous operation. The work for this report has consisted in understanding the holes in the ATM barriers as well as revisiting the complex interrelationships between the different layers. In particular, the work has taken due account of the fact that with the new ATM System, the physical boundary between the System and its operational environment is becoming blurred by the incorporation of parts of the environment into the ATM System (in particular the provision of all relevant airspace user operational information to be made available to the ATM System.

The layers of protection provided by ATM are represented in the IRP as sequences of barriers against each accident type. The barriers operate in a rough time sequence (but may overlap in time), and each barrier contributes positively to safety by removing a percentage of the conflicts which exist in the ATM system. As an example, Table 20 identifies the barriers defined for mid-air collisions. Similar barriers have been identified for other accident categories. The barriers reflect different timescales before the potential collision. In general, once there is insufficient time for the barrier to change the aircraft trajectory, it has in effect failed and the event develops to the next stage where the next barrier is intended to intervene.

Table 20: Barriers against Mid-Air Collisions

BARRIER DEFINITION

Demand-capacity balancing (DCB)

The medium/short-term planning phase in SESAR aims to balance demand and capacity, but by separating different traffic types and regularising traffic flow it also reduces complexity, and helps prevent conflicts that might lead to collisions. It is also the case under the SESAR Concept that DCB, although shown purely as a “Strategic” barrier, is applied to Aircraft in flight, as well as to (what is largely the situation today) prior to take-off.

Episode 3


of 240


Sector planning The actions of the planning controller in co-ordinating traffic entering the sector, so as to minimise conflicts that are presented to the executive controller.

Conflict management

Clearances and instructions by the executive controller and/or actions by the flight crew in maintaining separation. [This term does not refer to the whole of conflict management as defined by ICAO, but to tactical traffic separation, together with equivalent actions in unmanaged airspace.]


Conflict alerts by STCA or other controllers, followed by ATC instructions intended to resolve the conflict.

Airborne collision avoidance

Alerts by ACAS or flight crew observation of imminent collision, followed by pilot avoidance action.

Providence The collision is avoided by chance

Figure 18 illustrates the barrier model for mid-air collisions in the form of a “Swiss Cheese” diagram. The barriers each have several possible causes of failure (represented by holes in the slices of cheese). Each causal factor has a probability of occurrence (represented by the sizes of the holes). An accident results if causal factors occur in all barriers (represented by all the holes being in line).

Figure 18: Swiss Cheese Diagram of Mid-Air Collisio ns

Airborne collision

avoidance

Airborne collision

avoidance



Conflict management

Conflict management

Sector planningSector planning

Inadequate flight planning information

ATCO failure to identify conflict

No STCA coverage

Pilot failure to respond to ACAS

Causal factors Flight exposure

Collision

Barriers

Demand/capacity balancing


Ineffective demand capacity balancing

Figure 19 relates the barrier model to the SESAR ATM process model. The 5 barriers correspond to 3 key elements of the process model. Other elements of the process model are represented in IRP as influences.

Figure 19: Mapping from SESAR Process Model to IRP Barrier Model for Mid-Air Collisions

Episode 3


of 240


Conflict in initial RBT

Conflict in revised RBT

Sector planning

Separation infringement

Mid-air collision

Imminent collision

Conflict management

Conflict in SBT




IRP Barrier Model



A2. Manage medium/short term planning phase

SESAR Process ModelAccident

PrecursorsBarriers

Exposure

11.1.4 Accident Precursors

The events between the barriers form a sequence of precursors, progressing in severity from routine exposure to the accident. Where possible, these have been arranged to make use of available data (e.g. separation infringements). The precursor sequence comprises events that could usefully be monitored to give leading indicators of accident risks.

As an example, Table 21 shows the precursors that have been identified for mid-air collisions. These are mainly conflicts, which are defined as cases where the trajectories of two aircraft would result in separation infringement in the absence of intervention by ATM. The different types of conflicts represent different stages of development of the event.

Table 21: Precursor Sequence for Mid-Air Collisions

PRECURSOR DEFINITION EXAMPLE FOR SESAR

Strategic conflict11

A conflict in the trajectories before demand/capacity balancing, where a separation infringement would occur in the absence of any intervention by ATM.

A conflict in SBTs, e.g. two operators request to use the same route at the same time.

Pre-tactical conflict

A conflict in the trajectories after demand/capacity balancing.

A conflict in initial RBTs, e.g. when supplied to the sector planner, two approved 4D flight plans intersect.

Tactical conflict A traffic situation where a separation infringement would occur in the absence of intervention by a controller or pilot.

A conflict in revised RBTs12, e.g. when aircraft enter the sector, two 4D flight trajectories intersect.

Separation An event where a pair of aircraft violate the Two aircraft pass within 1000ft vertically

11 Strategic conflicts could be predicted using simulation (e.g. by CFMU). Given the EOBT and SBT of all flights, their 4D trajectories could be simulated and the number of separation infringements counted if ATM did not intervene. This would be a really powerful tool to monitor the impact of ATFCM and ATC interventions. In reality, strategic conflicts predict sector workload. In future development a model could be based on this, if the data was available, although it would be a challenge to convert to collision risks because a simple established relationship between workload and infringements is not available. Anyway, a model of ATFCM at present would have to use sector workload. The impact of DCB would be refined under SESAR WP16.1.1.1 - further develop a top-down accident-incident model and a Safety Target Achievement Roadmap (STAR) (D16.1.1) (Ref. 19). 12 Meaning "RBT including updates and revisions (if any)". The worst case is probably an unrevised RBT, but a term to distinguish this from "RBT when first agreed" was needed.

Episode 3


of 240


infringement separation standards so that ATC collision avoidance is required.

and 5 (or sometimes 3) miles horizontally.

Imminent collision

An incident where a pair of aircraft have violated the separation standards with no effective recovery by ATC so that airborne collision avoidance is required.

An ACAS RA is triggered, or see & avoid action is needed.

11.1.5 Accident Scenarios

The barrier model above represents the role of ATM in preventing conflicts that are present in the intended trajectories from developing into actual collisions. However, another role of ATM is to respond to conflicts that develop at a later stage. Furthermore, ATM may inadvertently create one conflict while attempting to manage another. These possibilities are all represented in the model as accident scenarios.

Accident scenarios are sequences of events or combinations of adverse circumstances that result in an individual accident. In certain scenarios, some of the barriers above may not be relevant. This could be modelled as a type of “failure” but, because non-applicability is different to the other modelled causes, it is modelled as an accident scenario that by-passes some barriers.

Identification of such scenarios has been achieved by evaluating actual accidents and incidents using the barrier model, looking for cases where some barriers are not relevant. In future work, this could be improved through group-based hazard identification, in order to identify scenarios not yet realised through accident/incident experience.

Figure 20 shows the scenarios that have been identified for mid-air collisions, and how they relate to the barriers above. Each is distinguished by a different type of conflict that must be managed by ATC or the pilot. Table 22 defines the types of tactical conflict that occur in each scenario.

Episode 3


of 240


Figure 20: Mid-Air Collision Scenarios

Table 22: Precursor Alternatives in Mid-Air Collisi on Scenarios

SCENARIO DEFINITION EXAMPLES

Plannable conflict

Conflict between shared business trajectories, which can therefore be prevented through DCB or sector planning.

- Two SBTs intersect, and the conflict remains in the revised RBTs when the aircraft enter the sector.


Conflict presented to the tactical controller due to an aircraft deviating from its business trajectory.

- Deviations by IFR aircraft, including level busts and lateral deviations.

- Airspace penetrations by military or GA aircraft.

ATC-induced conflict

Conflict created by unsuccessful ATC conflict management.

- The controller accidentally creates a conflict that was not present in the RBTs.


Conflict managed by the pilot. - Encounters in unmanaged airspace.

- Conflicts in which separation or spacing is delegated to the pilot.

11.1.6 Failure Causes

The causes of failures of each barrier are the events that are modelled in the fault trees. Fault trees are suitable for causal factors that are:

• Distinct, i.e. can be clearly distinguished from other causal factors.

• Binary, i.e. only exhibit two distinct states - e.g. failed/working, correct/erroneous, adequate/inadequate etc.

• Independent, i.e. can change without changing other causal factors (except those directly above or below them in the tree, or linked through common cause failures).

Episode 3


of 240


• Either necessary (for factors combined through AND gates) or sufficient (for factors combined through OR gates) to cause the event above them in the tree.

In principle, a fault tree should only represent causal factors that satisfy all the above criteria. In practice, the definitions of causal factors for the fault trees can be chosen to meet these criteria as far as possible. The underlying influences of human, equipment and management performance, which are more diffuse and interdependent, are represented through the influence model (Section 11.1.8).

Figure 21 illustrates some of the modelled causes of failure in the mid-air collision model. As far as possible, they form a logical and complete sequence, so that any individual failure is always an example of one of the modelled causes.

Figure 21: Failure Causes of Barriers Against Mid-A ir Collisions


Tactical conflict

Sector planning

Loss of separation

Mid-air collision

Imminent collision

Conflict management

Strategic conflict




Ineffective conflict management by ATC:•Inadequate traffic information•Inadequate conflict identification•Inadequate separation instructions •Inadequate communication with pilot•Inadequate pilot response

Ineffective ATC collision avoidance:•Ineffective STCA warning•Ineffective other ATCO warning

Ineffective airborne collision avoidance:•Ineffective ACAS warning•Ineffective visual warning

Ineffective sector planning:•No sector planning•Inadequate pre-tactical traffic information•Inadequate pre-tactical conflict identification•Inadequate pre-tactical separation planning•Inadequate communication of plan

Ineffective conflict management by pilot:•Inadequate traffic information from ATC•Inadequate communication with pilot•Inadequate separation by pilot

11.1.7 Fault Tree Structure

The fault tree provides a logical structure showing how causal factors could combine to cause an accident. The top event in the fault tree is an accident. At the first level of decomposition, this is split into accidents in each of 5 accident categories (Figure 4). There is a separate fault tree for each accident category.

The remaining structure of the fault tree is determined by sequences of accident precursors and barrier failures, as illustrated in Figure 22. Different accident scenarios invoke different sequences of precursors and barrier failures, which complicates the fault tree and so are omitted for simplicity.

Episode 3


of 240


Figure 22: Schematic Fault Tree Structure

Precursor

Accident

Ineffective barrier 2

Cause 2.1 Cause 2.2

OR

Exposure Ineffective barrier 1

Cause 1.1 Cause 1.2

AND

OR

AND

The fault tree makes use of two main types of logic gates:

• OR gates represent the alternative causes of failure of any one barrier.

• AND gates represent the combination of failures of different barriers, necessary to produce the top event.

A simple qualitative version of the resulting fault tree for mid-air collisions is shown in Figure 23. The base events are the most detailed causal factors that are appropriate for modelling through the fault tree technique, according to the criteria above (see paragraph 11.1.6). In the qualitative version of the model, common causes of failure affecting several barriers at once are represented through the influence model (see below).

Figure 23: Simplified Fault Tree for Mid-Air Collis ions

Episode 3


of 240


11.1.8 Influences

General Outline

Underlying the direct human and technical causes of accidents are various organisational and cultural factors, which cannot be satisfactorily represented as distinct failure events in a fault tree. These factors are invariably influential to some extent in an accident, but no specific failure is necessary or sufficient for the accident to occur. Hence they cannot be represented as simple combinations of failure events through AND or OR gates.

For example, excessive controller workload is an important causal factor in some accidents. However, excessive workload does not inevitably lead to a barrier failure, and accidents may occur in cases where workload is light (low vigilance). Hence, workload cannot be modelled in the fault tree through either AND or OR gates. Its effect is more diffuse, producing a greater probability of various types of failure.

Such causal factors are most efficiently modelled separately from the fault tree, having an influence on selected bottom events in the tree. In turn, they may be influenced by other causal factors, and several factors may combine to influence individual events in the fault tree. The same applies to many other aspects of human, equipment and managerial performance, and also to many features of the operating environment.

As an example, Figure 24 illustrates the influences on the model of mid-air collisions.

Figure 24: Influences on Barriers Against Mid-Air C ollisions


Tactical conflict

Sector planning

Loss of separation

Mid-air collision

Imminent collision

Conflict management

Strategic conflict






Airborne collision

avoidance

Sector planning

Pilot conflict management

Executive controller performanceEquipment quality: •ATC tactical system•ATC communications system•STCAInputs:•NOP + RBT•Traffic picture•Traffic sequence•ATC coordinationConstraints: •Airspace design•Resource configuration

Flight crew performanceEquipment quality: •Aircraft•ACASConstraints: •Airspace design•Separation mode

Planning controller performanceEquipment quality:•ATC planning system•MTCDConstraints/inputs - as above

Task influencesTaskBarriers

Airspace user safety

management

ATC safety management

Managerial influences

Influence Model Structure

The factors that influence collision risks also influence other accident categories. In order to be able to combine their influences in the risk model, and to represent common causes systematically, a general model of influences is required, rather than a model optimised for collisions alone.

The chosen structure for the IRP influence model is shown in Figure 25.

Episode 3


of 240


Figure 25: Generic Influence Model

Most of the base events in the fault tree can be related to an ATM task. The influences on each task are categorised as:

• Performance of the actor responsible for the task (e.g. ATCO, flight crew etc). IRP splits this into the following fundamental components:

Resources (including workload)

Competence (including training)

Technology interface (also known as human-machine interaction, HMI).

Human reliability (including fatigue)

Procedures (including conflict resolution)

Teamwork (including communication)

• Quality of the equipment provided for the task (e.g. ATC systems, aircraft systems etc), including their capability, design and maintenance.

• Quality of the inputs to the task. Some of these result from the performance of other interdependent tasks.

• Nature of the constraints on the task due to the operating environment. IRP categorises these as follows:

Business demand (e.g. traffic density/complexity, operation type etc).

Physical environment (e.g. airspace/airport design, terrain etc).

Ambient conditions (i.e. weather plus light conditions).

Organisation (e.g. resource configuration).

The performance of the actors and their equipment is in turn influenced by the safety management of the responsible organisation.

Episode 3


of 240


Some of the base events in the fault tree are related to certain equipment (e.g. STCA), or are circumstantial events influenced mainly by traffic levels. The influences on these events are modelled using appropriate parts of the model above.

Modelled Tasks

Table 23 lists the ATM tasks that are represented in the influence model, together with their responsible actors and equipment. In future work, further tasks could be defined to represent ASM and DCB, but at present there is insufficient data to quantify them.

Table 23: ATM Tasks in the Influence Model

ATM TASK ACTORS EQUIPMENT

Conflict management Conflict management Executive controller13 ATC system

Sector planning Planning controller ATC system

ATC communications Tactical controller & pilot Communications system

ATC collision avoidance Tactical controller ATC system

Airport operations Ground control Ground controller Airport ATC system

Runway control Tower controller Airport ATC system

Approach/departure control Approach controller TMA ATC system

Runway communications Tower controller & pilot Communications system

Approach communications Approach controller & pilot Communications system

Runway collision avoidance Tower controller Airport ATC system

Aircraft user operations Taxi Flight crew Aircraft equipment

Take-off/landing Flight crew Aircraft equipment

Approach/departure Flight crew Aircraft equipment

Cruise/climb/descent Flight crew Aircraft equipment

On-board monitoring Flight crew Aircraft equipment

Visual runway collision avoidance Flight crew Aircraft equipment

Visual mid-air collision avoidance Flight crew Aircraft equipment

ACAS warning response Flight crew ACAS

Visual terrain warning response Flight crew Aircraft equipment

GPWS warning response Flight crew GPWS

Modelled Equipment

Table 24 lists the ATM systems and equipment that are represented in the influence model.

13 Will include Flight Crew in case of new separation mode (e.g. ASAS S&M, ASAS separation or ASAS Self-separation)

Episode 3


of 240


Table 24: ATM-Related Equipment

Aircraft design and safety equipment (ATM-related)

Cockpit layout (inc visibility from windows)

Flight control systems (manual, FMS)

Navigation systems (conventional, RNAV, GPS)

Transponder (Mode A/C, S)

Safety warning systems (ACAS & GPWS)

ATC equipment (non-airport)

ATC systems (inc STCA, MTCD – Medium Term Conflict Detection)

Surveillance systems (primary, secondary radar)

Navigation infrastructure (NDB, VOR/DME, GPS, SBAS)

Communications systems (VHF and datalink)

Airport design and safety equipment

Airport ATC systems (inc A-SMGCS, RIMCAS)

Airport surveillance equipment

Airport navigation infrastructure (ILS, airport NBD, VOR/DME, GBAS)

Airport visual aids (taxiway lights, stop bars runway guard lights, runway/taxiway signs & markings, runway lights etc)

Airport facilities

Airport design (layout, runway condition, obstacles, visibility from tower)

Some equipment appears in the influence hierarchy and also explicitly in the fault tree. The distinction is as follows:

• The fault tree represents major equipment failures that contribute directly to the failure of a barrier (e.g. absence of ground radar, failure of STCA to give a warning etc). These failures are either necessary (represented through AND gates) or sufficient (represented through OR gates) to cause the barrier failure.

• The influence model represents other equipment inadequacies (e.g. unclear radar picture, indistinct STCA warning etc), which may cause the barrier failure in some cases, although in others the barrier may succeed despite them. Hence they do not necessarily cause barrier failures, but they do influence their likelihood.

11.1.9 Interdependencies

In a simple risk model, all causal factors would be assumed to be independent. In reality, the elements of ATM are interdependent, and these interdependencies may have a large effect on the risks. Therefore, it is desirable to identify interdependencies and represent them in the model. However, quantifying interdependencies is difficult, and so it is necessary to prioritise the most important ones.

In the IRP, interdependencies are represented in the following ways:

• Events in the fault tree are in general conditional on failure of all preceding barriers, and are derived from incident data or trials representing this state. Definition of events in this way automatically handles many types of dependency.

Episode 3


of 240


• Common cause events within the fault trees have been identified, and are reflected in the quantitative model (Section 11.3.4).

• The influence model represents some of these common causes, affecting several base events at once.

• Negative interactions between equipment and actor performance are represented within the influence model (Section 11.4.2).

Dependencies between OIs that result from the implementation sequence (i.e. some OIs will not work or will be ineffective unless others are implemented) are represented in the STAR tool (Section 11.5.4).

11.2 ANALYSIS OF HISTORICAL DATA

11.2.1 Data Availability

The scope of the work requires risks for all IFR traffic over 2250kg MTOW in the ECAC region. The quantitative model approximates this using a combination of:

• Overall numbers of IFR flights in the ECAC region, obtained from EUROCONTROL traffic forecasts.

• Risks per flight for Western fixed-wing commercial aircraft over 5700kg MTOW, obtained from accident and traffic data described below.

This choice is dictated by the lack of suitably analysed accident and traffic data in the following areas:

• Eastern-built aircraft.

• Commercial traffic in the range 2250 - 5700kg MTOW.

• General aviation (GA) aircraft operating under IFR.

• Helicopters operating under IFR.

• Military aircraft operating under IFR. Most military aircraft are designated operational air traffic (OAT) and are understood to operate under VFR. However, some aircraft are designated general air traffic (GAT) and operate under IFR, and in the future OAT will more commonly operate under IFR. However, at present no accident or traffic data is available for these aircraft.

It is also noted that the SESAR size threshold of 2250kg MTOW appears to exclude very light jets (VLJs). However, the scope does include the potential impacts of such aircraft on SESAR operations.

11.2.2 Frequency Data Analysis

Accident and incident frequencies quantify the accident and precursor events in the fault tree model. Frequencies are the numbers of events per flight, flight hour or other suitable measure of exposure. To estimate an event frequency requires comprehensive counts of numbers of events among known exposure. These are only available for relatively few events, and the model is therefore constructed to make use of the available data.

As an example, in the case of mid-air collisions there have been only 11 events (9 fatal and 2 non-fatal) involving Western commercial aircraft over 5700kg MTOW world-wide during the period 1990-2005. The corresponding exposure during this period has been estimated as 487 million flights. Figure 26 shows that, despite the scatter in the annual frequency values, the 5-year average frequency has declined slightly, at an average of 4% per year. The decline is not statistically significant, but it is consistent with the overall trend in Airprox data from

Episode 3


of 240


different European countries. Hence the best estimate for 2005 is based on the trend but with an upper confidence limit equal to the average frequency over the whole time period. This is based on world-wide data, and a further adjustment is made to reflect European conditions, which have a lower collision frequency per flight than elsewhere. There have been too few accidents in Europe to support a trend analysis there, so the world-wide trend is assumed to be applicable.

Figure 26: Mid-Air Collision Frequency, 1990-2005

Best estimate for 2005

0.0E+00

2.0E-08

4.0E-08

6.0E-08

8.0E-08

1.0E-07

1990 1992 1994 1996 1998 2000 2002 2004 2006

CO

LLIS

ION

FR

EQ

UE

NC

Y (

per

fligh

t)

Annual frequencies

5-year average

4% annual reduction

2005 estimate

Confidence range

Other frequency data used to quantify the mid-air collision model includes:

• Separation infringement frequencies obtained from EUROCONTROL data (Ref 7). This is a comprehensive collection, although increased reporting standards make trends difficult to interpret.

• Strategic conflict frequencies obtained from simulations of flights without ATM interference.

In the 5 accident categories that are modelled statistically (see Section 11.1.2), trended accident frequencies are that is used. In future work, it would be desirable to include causal breakdowns, which might be based on work in the Causal Model of Air Transport Safety (CATS)14 project.

11.2.3 Causal Data Analysis

Event probabilities quantify the barrier failure events in the fault tree model. Probabilities are the likelihood of failure events per demand, in specified conditions such as failure of previous barriers or events. To estimate an event probability requires comprehensive counts of numbers of failures among known numbers of demands. These can be obtained using representative samples of events in which all the causes are known. It is not necessary for all events to be known, provided the sample is representative.

In the case of mid-air collisions, causal investigations involving Western commercial aircraft have been analysed as follows:

14 The Causal Model of Air Transport Safety (CATS) has been developed by a consortium including Delft University of Technology (TUD), National Aerospace Laboratory (NLR) and White Queen (WQ) in The Netherlands, and Det Norske Veritas (DNV) in the UK. The motivation for the project is the need for a thorough understanding of the causal factors underlying the risks of air transport so that efforts to improve safety can be made as effective as possible. The project was commissioned by the Dutch Ministry of Transport.

Episode 3


of 240


• 11 mid-air collisions world-wide, 1990-2005.

• 24 Airprox incidents in the UK, 2003

• 10 loss of separation incidents in Switzerland, 2003-2004

• 9 loss of separation incidents in Finland, 2000-2003

• 20 loss of separation incidents at MUAC, 2001

This gives a total of 11 collisions and 63 losses of separation (including Airprox) incidents. In future work, this dataset could be expanded using further UK and MUAC incidents, which are readily available, but to keep the dataset representative it would be desirable to obtain suitable investigations from other ECAC countries.

Other, larger datasets have been used elsewhere in the model to quantify specific event probabilities. The uncertainty that results from the limited data quantity is included in the uncertainty analysis (Section 11.3.6). Although larger datasets are desirable to reduce this, there is also uncertainty if the accidents and incidents are not adequately understood and not correctly matched to the risk model, and this difficulty increases with dataset size.

Each event in the above datasets has been compared to the barrier model for the appropriate accident category to determine what were the causes of failure of each of the barriers. Table 25 shows an example investigation.

Episode 3


of 240


Table 25: Example Causal Investigation of Loss of S eparation Incident

Date 6 Sep 02

Location Lower airspace, BALTI, Finland

Type DC-9 B757

Operation Finnair (passenger) Finnair (passenger)

Flight phase Initial descent Initial descent

Reference AIB Report 9/2002

Description of failure Fault tree event

Environment The DC9 and B757 were on converging tracks. Traffic density was low.

Sector planning

The DC9 was descending from FL270 to FL110. The B767 was descending from FL277 to FL130, and converging towards the same reporting point. Tallinn approach control applied vertical separation, instructing the DC9 to descend at 2000 ft/min or more, and the B767 at 2000 ft/min or less. The DC9 initially complied but incorrectly reduced its rate of descent when transferred to Helsinki approach control. The B756 co-pilot (PF) did not use the autopilot vertical speed mode to control the rate of descent, but continued under FMS control, which produced descent at 3000 ft/min, infringing separation with the DC9 ahead.

Conflict due to level bust (autopilot handling error)

Conflict management

The aircraft were transferred to Helsinki approach control approximately 1 minute before the infringement. The Tallinn controller did not inform Helsinki approach about the vertical speed restrictions because he assumed that this would maintain vertical separation. The traffic situation was quiet. After accepting the aircraft and confirming their clearances, the controller paid attention to other traffic and did not notice that separation was infringed.

ATCO failure to recognise loss of separation

STCA warning Presumed not fitted (not mentioned) STCA not installed

Other ATCO warning

The Tallinn conflict alerter system gave a warning after the aircraft had been transferred. The controller telephoned Helsinki approach assistant, but the unusual nature of the warning meant that the infringement was over before the Helsinki controller understood.

Other ATCO failure to communicate warning

ACAS warning (A)

The DC9 flight crew did not see the other aircraft on TCAS, probably because conditions for a TA were not triggered.

Did not fail

ACAS warning (B)

The B757 flight crew saw the other aircraft on TCAS but did not receive an RA.

Did not fail

Visual warning (A)

Conditions were daylight (12:52) and VMC. The DC9 flight crew did not see the other aircraft, probably it was above and behind.

Other aircraft effectively invisible

Visual warning (B)

The B757 flight crew saw the other aircraft. Other aircraft effectively invisible

CPA 2.7 nm horizontally and 0 ft vertically

Table 26 shows part of the causal distribution obtained from the full dataset. In future work, if sufficient events could be analysed, it would be possible to obtain different distributions for different countries, airspaces etc. At present, there is only sufficient data to use the overall distribution.

Table 26: Example Causal Analysis of STCA Warning F ailures

FAULT TREE EVENT UK SWITZ. FINLAND MUAC TOTAL

No STCA coverage 11 2 9 22

STCA failure to give warning in time 2 2 1 5

Episode 3


of 240


FAULT TREE EVENT UK SWITZ. FINLAND MUAC TOTAL

ATCO failure to respond to STCA 3 1 1 5

ATCO failure to recover separation in time 2 2

Did not fail 8 5 2 15

Total 24 10 9 6 49

Some of these failure events can only occur if previous events in the sequences have not occurred. Therefore, the sequence is shown in the event tree in Figure 27. Quantifying this gives probabilities for the fault tree model.

Figure 27: Event Tree Model of STCA Warning

OUTCOME PROB EVENTS

Recovery successful Success 3.1E-01 158.8E-01

ATCO responds7.7E-01

MB3.4 ATCO failure to recover separation in time Failure 4.1E-02 2

STCA warning 1.2E-018.1E-01 MB3.3 ATCO failure to

respond to STCA warning in time Failure 1.0E-01 5

STCA installed 2.3E-015.5E-01

MB3.2 STCA failure to give warning in time Failure 1.0E-01 5


1.9E-01

MB3.1 No STCA coverage Failure 4.5E-01 224.5E-01

TOTAL 1 49

Failure 0.69 34

11.2.4 Common Cause Data Analysis

Selected events in the above datasets have been used to categorise causes of pairs of barrier failures joined by AND gates into common cause failures (CCF) or independent cause failures (ICF). Table 27 shows example results for mid-air collisions. The fraction of CCFs among all known causes (Beta) is used in the fault tree analysis below. The number of events is used to determine the confidence range for the result.

Episode 3


of 240


Table 27: Example Common Cause Data for Mid-Air Col lision

BARRIERS AFFECTED BY COMMON CAUSES CCFs KNOWN CAUSES

BETA

1. DCB and sector planning 4 7 57%

2. Plannable conflicts and conflict management 2 8 25%

3. Unplannable conflicts and conflict management 4 9 44%

4. ATCO-induced conflicts and conflict management 2 3 67%

5. STCA and other ATCO warning 5 19 26%

6. Separation infringement and ATC collision avoidance 2 18 11%

7. Visual warning on both aircraft 4 12 33%

8. ACAS and visual warning 0 5 0%

9. Imminent collision and collision avoidance 1 4 25%

11.2.5 Performance-Based Influence Data Analysis

Selected events in the above datasets have been used to identify influences of failure events. For each event modelled in the fault tree, the relevant task and actor in the influence model have been identified, together with the corresponding fundamental human influences. Table 28 shows an example investigation.

Table 28: Example Influence Investigation of Loss o f Separation Incident

ACTOR'S PERFORMANCE TASK EQUIPMENT TASK INPUTS

TASK CONSTRAINTS

OPER-ATING ENVIR-BARRIER DESCRIPTION OF BARRIER FAILURE FAULT TREE EVENT TASK

INFLUENCES

ACTOR

Manoeuvring Flight crew (non CAT)

Resources and Competence (high workload training)

ATC instructions (see below)

Airspace design (if military and civilian airspace separated)

Traffic separation

Traffic picture (SSR lost)

Conflict management (unplannable conflict)

The civilian controller’s workload was high and was not aware of the GR4 until STCA was triggered 40 sec after the GR4 entered the airway.

ATCO failure to identify conflict Traffic separation


Resources (high workload); Reliability (did not see conflict)

STCA warning On warning from STCA the controller gave the FK100 instructions for descent, but this was overuled by a TCAS RA.

STCA failure to give warning in time


ATC system (if better STCA possible)

Other ATCO warning

Once Mode C contact with the GR4 was regained, military ATC identified the CAS penetration and instructed immediate descent. [Not really independent since in control of GR4]

No independent monitoring ATC collision avoidance

ATC planning The GR4 was receiving traffic information from the military ATS radar information service, but Mode C contact was temporarily lost due to its rapid manoeuvres, and the ATS was downgraded to a flight information service 2 minutes prior to the AIRPROX. The GR4 crew was distracted by their training workload and made an unauthorised penetration of the airway.

Conflict due to military penetration of controlled airspace

Influences that could have prevented event

if improved

Event modelled in fault tree

Relevant task and responsible actor

Table 29 illustrates how the recorded error types mentioned in the incident investigation have been linked to the human factors fundamentals. These are preliminary judgements that improved performance in the influences could have prevented event. In future work, it would be desirable to replace these with judgements by an expert group.

Episode 3


of 240


Table 29: Examples of Human Error Influences

FUNDAMENTAL EXAMPLE ATCO ERRORS EXAMPLE PILOT ERROR S

Resources High workload

Complex task

Insufficient time

Distraction by other tasks

Insufficient technical aids

Changing runway

Competence Training in progress

Lack of instructions

Incorrect assumption

Confusion

Lack of experience

Lack of knowledge

Slow response

“Press-on-itis”15

Over-confidence

Lack of preparation

Technology interface Misused equipment

Workstation design

Misunderstood equipment

Cockpit design

Human reliability Mistake

Misjudgement

Overlooked conflict

Lack of vigilance

Omitted action

Absorbed in other task

Lack of fitness (fatigue)

Procedures Procedures not followed

Unclear procedures

Inappropriate procedures

Teamwork Incorrect communication

Lack of clarification

Lack of warning

Poor phraseology

Non-English language

Distraction by colleague

Over-complex clearance

Conditional clearance

Poor Crew Resource Management (CRM)

Lack of cross-check

Unclear readback

Distraction by aircrew

Poor understanding of English

The example results in Table 30 show the fraction of events that could have been prevented by improved influences of various types. This is the maximum effect (ME) of the influence, which is used in the influence model quantification below. The number of events is used to determine the confidence range for the result.

15 Continuing toward the destination despite a lack of readiness of the airplane or crew (Flight Safety Foundation)

Episode 3


of 240


Table 30: Maximum Effect of Human Factors Fundament als on Actor Tasks for Mid-Air Collisions


Military controller

Planning controller

Flight crew

Flight crew (non CAT)

Total

ATCO Grand Total

Resources 46% 33% 50% 0% 29% 45% 35%

Competence 36% 0% 0% 63% 86% 30% 44%

Tech interface 7% 0% 0% 13% 29% 6% 10%

Reliability 46% 67% 50% 25% 29% 48% 42%

Procedures 0% 0% 50% 13% 0% 3% 4%

Teamwork 43% 67% 50% 75% 14% 45% 46%

No of events 28 3 2 8 7 33 48

11.3 QUANTIFICATION OF THE FAULT-TREE MODEL

11.3.1 Quantification Approach

Quantification of the fault tree for 2005 begins from the actually experienced frequency of fatal accidents, and proceeds gate-by-gate in a top-down manner towards the base events of the fault tree.

Apportionment through OR gates is based on causal breakdowns of accident or precursor datasets. Each AND gate requires an additional source of information. The following options are available, and the choice depends on which appears most robust for each specific causal factor:

• Precursor frequency data - separate sources of precursor frequencies can be introduced.

• Bottom-up barrier failure probabilities - fault trees of barrier failures can be quantified from generic probabilities of base events. This is in fact the more traditional method of quantifying fault trees.

• Expert judgement - due to the limited availability of experts in this field, judgement is at present a last resort, but may be seen as a preliminary identification of areas where more detailed expert judgement studies might be desirable.

Where there are alternative data sources, these are used to indicate uncertainties (see Section 2.5.6 below).

Once the complete set of base events has been quantified as above, these generic probabilities may be adjusted to represent any specific case and effects propagated bottom-up through the tree.

Conventional fault trees quantify the base events first and calculate all other events from them automatically using cut sets16. Compared to this, the present top-down approach has several advantages:

• It ensures that the results are consistent with actual accident experience.

• It allows the frequencies of precursors to be incorporated where known, and to be estimated otherwise.

16 “Cut sets” are collections of base events such that, if all the events in the cut set occurred, the top event would occur.

Episode 3


of 240


• It shows the extent to which the tree can be quantified with existing data, and allows it to be extended as more data becomes available.

• It assists correct propagation of the units of all frequencies and the conditionalities of all probabilities throughout the tree.

However, the gate-by-gate approach has some inherent disadvantages compared to the conventional cut set approach:

• Gate-by-gate quantification is vulnerable to errors in predicting case-specific top event frequencies if base events are not independent. The approach to interdependencies is considered in Section 2.6.5 below.

• Gate-by-gate quantification involves more painstaking calculations. This also requires detailed documentation for traceability.

• Top-down quantification is not available in commercial fault tree packages, and hence a bespoke fault tree tool is needed to implement it.

Figure 28 illustrates the points at which data is available for the mid-air collision model. This is just sufficient to obtain the other events.

Figure 28: Quantification Approach for Mid-Air Coll ision Model

Mid-air collision

Imminent collision Ineffective airborne collision avoidance

Ineffective sector planning

Strategic conflict


Tactical conflict

Ineffective demand/capacity

balancing

Separation infringement Ineffective ATC collision avoidance

Ineffective conflict management

AND

AND

AND

Avoidance essential

AND

ANDFrequency data

Causal data

Influences

11.3.2 Event Presentation

The fault tree is formed using the data from Section 11.2, following the approach described in Section 11.3.1. Figure 29 shows an example part of the fault tree for mid-air collisions. The ∆ symbol indicates events developed further in other sections of the fault tree. Figure 30 shows selected base events, corresponding to the data in Table 26 and the event tree in Figure 27The bottom row links the tree to influencing tasks as discussed in Section 2.6.

Each event is presented with the following information:

• Event code (see below)

• Name - a brief description of the event.

Episode 3


of 240


• Value - either a frequency (number of events per unit exposure) or a probability (chance of the event occurring per demand). The difference is minor, except that the frequency may exceed 1 whereas the probability cannot.

• Units - a brief indication of the units (for a frequency) or conditionality (for a probability).

• Contribution - a measure of importance of the event for the overall frequency of the accident category (see Section 2.5.5 below).

Each causal factor is given a unique identification code. In the mid-air collision fault tree, all begin with M. Other types of events are distinguished as follows:

MFxx Frequencies of collision precursors

MBxx Causes of barrier failures

MCxx Circumstantial factors

CCFxx Common cause failures

Circumstantial factors are not strictly causal factors, but are matters of chance that are necessary to model in order to obtain the correct accident frequencies from the measured precursors.

The numbers xx follow a decimal system that indicates the causal hierarchy. For example, event MB3.2.1 is causative of event MB3.2 and barrier failure MB3.

Episode 3


of 240


Figure 29: Fault Tree for Mid-Air Collision for 200 5 Baseline

Episode 3


of 240


Figure 30: Fault Tree for STCA Warning

11.3.3 Logic Gates

Figure 31 shows the different types of logic gates used in the IRP. They are explained in turn below.

Figure 31: Schematic Fault Tree Logic Gates

A

B

AND

C

A

B2B1

OR gateAND gate

BN

OR

A

B2B1

MOR gate

BN

OROR

A

B

X

C

UNIT gate

AND Gates

If a causal factor A has two independent, necessary causes B and C, these are represented as inputs to an AND gate (Figure 31), and the probability is:

P(A) = P(B) x P(C)

Similarly, if A is an event frequency, B a precursor event and C a barrier, the frequency of A is:

F(A) = F(B) x P(C)

In top-down quantification, once A is known, B can be estimated from C or vice versa.

Episode 3


of 240


OR Gates

If a causal factor A may result from N alternative causes Bi these are represented as inputs to an OR gate (Figure 31), and the probability is:

( )∏=

−−=N

iiBPAP

1

11 )()(

In top-down quantification using causal data, it is convenient to define the causes as a sequence, which can be illustrated on an event tree (Figure 32). This makes the probabilities P(Bi) conditional on occurrence of all previous events in the tree. Then, provided the total number of demands N(T), including both failures N(A) and successes, is known, P(Bi) can be estimated from:

∑−

=

−=

1

1

i

jj

ii

BNTN

BNBP

)()(

)()(

Figure 32: Event Tree Equivalence of OR Gate

A

B2B1 B3

N(B3)

N(B1)

N(B2)

P(B3)

1-P(B3)1-P(B2)

P(B2)1-P(B1)

P(B1)

Demands N(T)

Failures N(A)

Successes

N(B3)

N(B1)

N(B2)

P(B3)

1-P(B3)1-P(B2)

P(B2)1-P(B1)

P(B1)

Demands N(T)

Failures N(A)

SuccessesOR gate Event tree

OR

In some cases, independent sources are available for some P(Bi), or changes have occurred between the dataset collection and the baseline year for the model, represented by judgemental adjustments. For consistency in such cases, compensating adjustments must be made to other probabilities so that the correct probability is retained for P(A). This adjustment is most conveniently made to the largest probability, which is recalculated as follows:

∏−

=

−

−−=1

1

1

11

N

ii

N

BP

APBP

)(

)()(

MOR Gates

The calculations above for OR gates assume that the input events are independent (i.e. there is a small possibility of them occurring simultaneously). If the events are mutually exclusive (i.e. only one can occur at once by definition), the combined probability is obtained as:

)()( ∑=

=N

iiBPAP

1

In top-down quantification, if P(A) is known, P(Bi) can be estimated from the number of such failures with cause i, N(Bi) within a dataset of failures N(A):

)(

)()()(

AN

BNxAPBP i

i =

Mutually exclusive events are not used in conventional fault tree quantification, as so the symbol shown in Figure 31 and the name MOR (mutually-exclusive OR) has been newly defined for them. However, they provide a simple approximation for independent events with small probabilities, and are also valid for events A and Bi expressed as frequencies.

Episode 3


of 240


UNIT Gates

Mid-air collision risks are most conveniently calculated in units of collision accidents per flight hour. For comparison with other accident categories, they need to be converted to collision involvements17 per flight.

If A is an event frequency, B the frequency in other units and C a conversion factor, the frequency of A is:

F(A) = F(B) x C

This is equivalent to an AND gate, but a separate symbol is used (Figure 31) to acknowledge that the conversion factors are not causes or even probabilities, and a name UNIT (unit conversion) has been chosen.

11.3.4 Common Causes

The calculations above for AND gates assume that the input events are independent. In reality, common-cause failures (CCFs) may exist (see Figure 33a). These will introduce errors in the top-down calculation of contributions and in the bottom-up calculation of probabilities.

For example, the causes of two pilots, B and C, failing to see each other’s aircraft may be lack of vigilance or lack of visibility. The vigilance of the two pilots are independent failures (ICFB and ICFC), whereas lack of visibility is common (CCF). As an extreme illustration, if the pilots were always vigilant (i.e. P(ICFB) = P(ICFC) = 0), the combined probability should be P(A) = P(CCF). However, if the AND gate was quantified as above, the calculation would give P(A) = P(CCF)2, which may be significantly in error.

The ideal treatment of CCFs is to identify them explicitly and represent them through OR gates that separate the common from independent causes (Figure 33b). Each CCF then only appears once. The disadvantage of this is that it produces a list of CCFs combined through an OR gate at the top level of the model, and reduces the explanatory power of the causal hierarchy shown in the fault tree.

17 Collision “involvements” count each aircraft involved in a collision separately.

Episode 3


of 240


Figure 33: Common-Cause Failures in AND Gates

(a) Required form for IRP

(b) Required form for calculation

(c) Chosen form for Display in the IRP

Alternatively, if the structure of the tree is retained so that CCFs are shown in the tree as repeated events (Figure 33a), this requires solution using an automated identification of cut sets rather than the gate-by-gate approach. The disadvantage of this is that it is difficult to show the frequencies and probabilities of individual events within the tree, and hence it reduces the clarity of the approach.

The solution adopted here is to calculate the probabilities on a gate-by-gate basis according to the correct form (b), while displaying the fault tree in the convenient form (c). This shows two versions of the second input event C:

• The probability for the event C considered in isolation, as calculated bottom-up.

• The probability of the event C conditional on the failure of the preceding event B. This is calculated by taking account of CCFs, and can then be multiplied by B to obtain A.

The probability of the output event A is calculated as shown in Figure 33b:

P(A) = 1 - (1-P(CCF)) (1 - P(ICFB) x P(ICFC))

Where the independent cause failures of each input are:

)()(

)(CCFP

BPICFP B −

−−=1

11

)()(

)(CCFP

CPICFP C −

−−=1

11

If the probabilities are small, the three equations above may be approximated as:

Episode 3


of 240


P(A) = [P(B)-P(CCF)] x[P(C)-P(CCF)] + P(CCF)

The conditional probability after CCFs is found from:

P(B|C) = P(B) / P(C)

The importance of CCFs is indicated by the Beta factor, defined as:

BetaA = P(CCF) / P(A)

This approach is only valid if the events B and C are fully independent (apart from the CCFs), and have the same units. In many cases, fault tree barriers C are inherently conditional on precursors B, as well as having CCFs. This is impossible to solve exactly in top-down quantification, but is approximated by the above approach.

In top-down quantification, once A and CCF are known, B can be estimated from C or vice versa, by reversing the equations above. CCF is obtained using the Beta factor from the historical causal data (Section 11.2.4). The causes of each pair of barrier failures joined through an AND gate are evaluated as either common (CCF) or independent (ICF) for each accident. Then the Beta factor is obtained from the numbers of events in the available dataset:

)()()(CCFNICFN

CCFNBetaA

+=

For bottom-up quantification, the CCF is assumed to comprise a given proportion S(Bi) of one or more base events Bi. The CCF is then obtained from:

)()()( i

N

ii BSBPCCFP ∑

=

=1

The proportion S(Bi) is adjusted so the P(CCF)/P(A) matches the Beta factor obtained from the top-down approach. In the absence of an analytical solution, the Solver add-in for Excel is used.

Figure 34 shows an example CCF model for visual warning failure in mid-air collisions. Two base events have been identified as contributing to CCFs. One is always a CCF by definition; and it has been estimated using Solver that 35% of the other one is sufficient to obtain the Beta factor of 33% shown in the historical data in Table 28. The result is that while the two aircraft both have independent failure probabilities of 0.69, the conditional probability of failure on one given failure on the other is 0.71. This higher value results from the CCFs, primarily the likelihood that if one aircraft is invisible to the other, then probably the other aircraft will suffer the same failure.

Episode 3


of 240


Figure 34: Fault Tree for Visual Warning Showing Co mmon Cause Failures

MB1 Ineffective visual warning

CCF7 Common causes of MB1

Event Value Prop'n CCF Cont'n4.9E-01 1.5E-01 MB1.1.1 Other aircraft effectively invisible3.7E-01 35% 1.3E-01 90%

per imminent collision BetaA 0.299MB1.1.4 Visual avoidance invalidated by other aircraft1.5E-02 100% 1.5E-02 10%

Contribution 1.0000 IndepB 6.4E-01 Total 3.9E-01 38% 1.5E-01 100%IndepC 6.4E-01

After CCFs In isolation

MB1.1 Ineffective visual warning on

commercial aircraft


other aircraft


other aircraft

6.9E-01 7.1E-01 6.9E-01per involvement per ineffective

warning on CATper involvement

Contribution 1.0000

MB1.1.1 Other aircraft effectively invisible

MB1.1.2 Flight crew failure to observe

visible aircraft in time

MB1.1.3 Pilot failure to take avoidance

action in time

MB1.1.4 Visual avoidance invalidated

by other aircraft

3.7E-01 4.7E-01 4.7E-02 1.5E-02per involvement per involvement per involvement per involvement

Contribution 0.5571 Contribution 0.3645 Contribution 0.0363 Contribution 0.0421CCF7 CCF7

Direct input Pilot visual mid-air collision avoid'ce



A

OR

AND

11.3.5 Contributions of Fault Tree Events

The contribution of individual causal factors to the occurrence of the top event is one of the main types of output that can be obtained from the causal model (Section 2.8.2). This can be calculated with precision by systematic sensitivity testing of all the factors in the tree. For convenience it is desirable to have a simpler measure of the causal contribution, which can be calculated instantaneously as the fault tree is developed. This section explains how this is obtained.

Section 2.8.2 distinguishes two type of contribution - positive and negative. Only the negative contribution has different values for each event, and so this section only addresses this type of contribution. It is an approximation to the non-dimensional risk reduction worth (NRW) defined in Section 2.8.2.

The contribution is calculated following a top-down approach, beginning from the top event (i.e. the fatal accident frequency), which is given a contribution of 1.

At an AND gate, the contribution of input events B and C is taken as the same as the output event A, i.e. C(B) = C(C) = C(A). This is the same as in the Fussell-Vesely importance measure (Ref 8), reflecting the fact that the output changes in direct proportion to changes in either input.

At an OR gate, the contribution of input events Bi is taken as:

Episode 3


of 240


∑=

×=

N

jj

ii

BP

BPACBC

1

)(

)()()(

This is the Differential Importance Measure assuming a uniform change for all inputs (Ref 8).

At a MOR gate, this simplifies to :

)(

)()()(

AP

BPACBC i

i

×=

This combined measure has the property of being additive within each OR (or MOR) gate:

)()( ∑=

=N

iiBCAC

1

This allows the results to be summed in a table of causal factors for each barrier, and displayed as a pie chart or a stacked bar chart. Except where additional AND gates are used, the contributions sum to 1 for each barrier.

The contribution as defined above gives a simple estimate of the maximum benefit, expressed as a fraction of the top event frequency, which could be achieved by improvements in each specific factor. However, it should be noted that, where the fault tree is non-linear (i.e. involving large probabilities or CCFs), as with any single measure of causal contributions, this may be a crude approximation to the results that can be obtained through more thorough sensitivity testing. In future work, it would be desirable to adjust the contributions to reflect the impact of CCFs using the gate-by-gate approach above. At present this is omitted for simplicity.

The contributions shown in the fault trees are the contributions towards the frequency of the accident category (e.g. mid-air collisions in the case of Figure 30 and Figure 34). When the risk pictures for the different accident categories are combined, the contributions are combined, using the equations above, to show the contribution towards the combined fatal accident frequency.

11.3.6 Uncertainties

Type of Uncertainty

Two fundamental types of uncertainty are distinguished, because they require different treatment in the risk model:

• Variability (also known as aleatory uncertainty, random uncertainty, inherent uncertainty or Type A uncertainty). This is due to natural randomness, e.g. the fact that low visibility may occur on some days but not on others, and at some locations more than others.

• Epistemic uncertainty (also known as Type B uncertainty). This is due to lack of knowledge, e.g. statistics on the probability of low visibility may not be available for the required location.

Epistemic uncertainties include:

• Uncertainty in the model structure. This is uncertainty about which modelling approach to use, and whether the model is appropriately formulated. Risk models are a simplified representation of accident causation, and the simplifying assumptions make a large contribution to the overall uncertainty.

• Uncertainty in the model parameters (parametric uncertainty). This includes uncertainties due to:

Episode 3


of 240


• Data quantity. This uncertainty arises from the fact that only relatively small data sets are available (and sometimes no accident experience at all).

• Data representativeness. This uncertainty arises from the fact that the data may be drawn from a situation that does not match the problem of interest. In particular, IRP uses data from the past to predict risks in future concepts of operation. In addition, IRP uses data from a few countries to estimate ECAC average risks.

• Data understanding. This uncertainty arises from the fact that events are not always clearly understood. IRP makes extensive use of accident and incident investigations, which vary in quality, and which in some cases are unable to establish the true causal factors.

• Data interpretation. This uncertainty arises from the fact that events are always not clearly linked to particular parts of the model. IRP forms data counts by relating the accident and incident investigations to the causal model. This is a judgemental step, and different results could be obtained by different analysts.

Uncertainty due to data quantity is relatively easy to evaluate, and to reduce through gathering more data. The other types of parametric uncertainty are difficult to evaluate, although they can be explored using alternative data choices. They are therefore described as ‘data choice uncertainty’ below.

Figure 35 summarises the types of uncertainties addressed in the methodology.

Figure 35: Types of Uncertainties

Quantification of Uncertainties

The approach to quantifying uncertainties depends on the uncertainty type:

• Variability can be defined accurately, given sufficient data. In the IRP it is relevant for many parameters, including the operating environment (traffic levels, weather, terrain,

Episode 3


of 240


airspace quality etc), human performance, safety management and regulatory environment. This is quantified through the influence model in Section 2.6 below.

• Uncertainty in the model structure is particularly difficult to evaluate unless alternative models are available. In the case of IRP there are no comparable alternatives, although the CATS model might eventually provide one. Some indication of the importance of model uncertainty may be obtained by comparing results from successive versions of IRP in cases where the structure has changed.

• Uncertainty due to data quantity. Statistical techniques are appropriate for the problem of small data sets. Two cases are used in IRP:

For frequency data, events are assumed to follow a Poisson distribution. Confidence limits on event frequencies can be obtained from the number of events alone, using a chi-squared distribution.

For probability data, confidence limits can be obtained from the number of failures and demand using a beta distribution.

• Uncertainty due to data choices. This is defined using alternative data choices. The largest and smallest values from plausible alternative choices are used to define the confidence limits from this source. The uncertainty distribution is assumed to be triangular between these values, with a peak at the best-estimate.

Propagation of Uncertainties

In order to quantify the uncertainty in the results of a model, it is necessary to show how uncertainty in the parameters propagates through the model. This is achieved in IRP by Monte Carlo simulation using the @Risk add-in for the Excel spreadsheet implementation of the fault tree model.

Uncertainties are defined for all the inputs to the top-down version of the fault tree (based on the sources considered above) and for all the OI effects (based on judgement in the absence of any alternative source). The spreadsheet calculates the generic base event probabilities from these, and adds the OI effects and other case-specific inputs, to determine the resulting risk picture. The Monte Carlo simulation samples from the defined uncertainty distributions and automatically compiles the uncertainty distributions in selected outputs.

11.4 QUANTIFICATION OF THE INFLUENCE MODEL

11.4.1 Quantification approach

The connection between the influence model and the base events of the fault tree is expressed as a modification factor, which is less than 1 for influences reducing the event probability compared to generic average, greater than 1 for influences increasing the event probability, and equal to 1 in the generic average case:

iiGi MFBPBP ×= )()(

Where:

P(Bi) = case-specific probability of base event i

PG(Bi) = generic probability of base event i

MFi = modification factor for base event i

The modification factors are defined as:

)(

)|(

iG

jiij BP

IBPMF =

Episode 3


of 240


Where:

MFij = modification factor for influence j on base event i

P(Bi|Ij) = probability of base event i given influence j

Where there is more than one influence acting on an event, their effects are combined as follows:

∏=

=Q

jiji MFMF

1

Where:

MFi = overall modification factor for event i

Q = number of influences

To simplify the matrix Mij, most base events are linked to a specific task (Figure 25). Each task is assumed to produce the same MF on all base events that it influences.

The influence model represents the effects of differences in performance for specific cases, compared to the baseline for 2005. Therefore, it needs to represent ways in which performance may change compared to the current condition.

Two alternative approaches are used to quantify the influence model, applying to the following groups of influences:

• Performance-based influences. These are influences without established measures of their performance (e.g. human performance and equipment quality). They are represented by performance scores, with an assumed correlation to MF.

• Stratified influences. These are influences with established measures of their severity (e.g. ambient conditions). They can be stratified according to this measure, and MFs obtained for each case.

These approaches are described in turn below.

11.4.2 Performance-Based Influences

Performance Scores

The modification factors for most influences (e.g. human performance and equipment quality) depend on the quality of performance of the influences. For example, a pilot’s competence may range from poor to excellent; similarly STCA quality may range from primitive to optimal; airport safety management may range from basic to world-class. There are no suitable existing quantitative measures of performance for such a wide range of influences. Therefore, a performance score has been created for the present study, as follows.

The performance score (PS) for any influence lies on a scale from 0 to 100, benchmarked as follows:

• PS = 0 represents a hypothetical absence of activity in the area.

• PS = 40 represents a more realistic minimum performance level that is legally compliant.

• PS = 70 represents average performance in ECAC in 2005.

• PS = 100 represents perfect performance, i.e. the maximum beneficial influence.

“Perfect performance” means that no further reduction in failure events could be achieved by improvements in performance. Using the examples above, further pilot training would not reduce errors; no STCA failures would occur; airport safety management would be beyond

Episode 3


of 240


criticism. Since these relate to current standards, it is possible that in the future influences may score above 100 (due to performance enhancements not imagined at present), but it is expected that the scale would be redefined or replaced before then.

Maximum Effects

The effects of influences are difficult to predict, as there are no suitable quantitative models or existing data. The effects are necessarily based mainly on judgement, but it is possible to use accident and incident data to bound them, by identifying the maximum effect that could be expected from any influence.

The maximum effect of an influence is found from the proportion of accident and incident events in which it is judged that perfect performance of the task (PS = 100) would have prevented the event:

∑=

=A

kjkij PI

AME

1

1

Where:

A = number of accidents/incidents

PIjk = probability that influence j could have prevented accident/incident k

For simplicity, PIjk is taken as either 1 where it is judged that the influence would have prevented the accident/incident, or 0 where it would not.

In principle, ME should be estimated for each combination of base event and task. In practice, this would require very extensive accident/incident datasets. Therefore, at present ME is estimated only for each task or (in the case of human factors fundamentals) for each actor. The same proportion is then applied to all base events associated with that task or actor.

Effects of Influences

The effects of each influence are defined at two points:

• Average performance, where PS=70 and MF = 1.

• Perfect performance, where PS=100, and MF = 1-ME. This is the maximum (i.e. smallest) modification factor, denoted MMF.

In order to make consistent predictions for intermediate values, and for PS less than 70, a log-linear relationship is assumed (Figure 36), defined as:

−

−

=)log( ij

j MEPS

ijMF1

30

70

10

Episode 3


of 240


Figure 36: Conversion from Performance Score to Mod ification Factor

Performance score (linear scale)

Modification factor

(log scale)

1

70 100

ME

MMF

This can be inverted in order to express any given modification factor as a performance score:

)log(

log

ij

ijj ME

MFPS

−+=

13070

The value of ME is constrained to be at most 0.95 in order to prevent instability of this function. In future work, other relationships could be investigated.

Although the relationship is clearly judgemental, the maximum effect is based on data. This approach has the advantage of being able to quantify any influence whose effects are visible in the causal data.

Influences on Tasks

The influence model links each base event to a task, and each task to 4 component influences (Figure 25). Since some communication tasks may involve two actors, the general version has 5 generic influences. Hence, the influence model can be expressed as follows:

TiGi MFBPBP ×= )()(

and:

ICEBAT MFMFMFCMFCMFMF ××××=

Where:

MFT = modification factor for task T

CMFA = correlated modification factor for actor A

CMFB = correlated modification factor for actor B

MFE = modification factor for task equipment

MFC = modification factor for task constraints

MFI = modification factor for task inputs

Correlations are considered further under negative interactions below.

For clarity, it is desirable to display the overall task performance as separate PS and ME. In order to do this, the ME is combined using:

)()()()()( ICEBAT MEMEMEMEMEME −×−×−×−×−−= 111111

The equivalent PS for the task as a whole is then obtained using the relationship in Figure 36.

Episode 3


of 240


Influence of Human Factors Fundamentals

Because human errors dominate accident and incident causation, there is sufficient data to divide the influence of actors into the separate influence of each human factors fundamental. The maximum effects for each fundamental on each task are obtained from historical data (see Section 11.2.5). Performance scores are allocated by the user. These are then converted to modification factors using the relationship in Figure 36. The modification factors are combined as follows:

∏=

=6

1FAFA MFMF

Where:

MFA = modification factor for actor A

MFAF = modification factor for fundamental F of actor A

In order to express this as a performance score for the actor overall, the maximum effects of the fundamentals are combined to give the overall actor maximum effect as follows, which is equivalent to using an OR gate:

∏=

−−=6

1

11F

AFA MEME )(

Where:

MEAF = maximum effect for fundamental F of actor A

The equivalent PS for the actor is then obtained using the relationship in Figure 36.

This approach delivers an overall PS for each actor that is a weighted average of the individual PS for each fundamental, with weighting equal to his or her maximum effects. This is appropriate for combining influences acting on a single individual. For example, an ATCO with good teamwork but average in all other fundamentals, will be only slightly above average in overall performance, and will only achieve good performance when all fundamentals are rated good.

Influence of Task Inputs

The influences of task inputs are combined in the same way as the human factors fundamentals. The maximum effects of these inputs are derived from incident data or judgements. The performance scores are in some cases obtained from other modelled tasks, and otherwise from user inputs.

Where there is more than one constraint modelled on a task, the influences of the constraints are also combined in the same way.

Influence of Safety Management

The influence of safety management on the human factors fundamentals and the task equipment is not shown explicitly at present. However, it can be represented by the user by setting the PS for all affected fundamentals and equipment to a value representing the overall management system quality. In effect, this assumes an ME of 1, so that a safety management system with a PS of, for example, 75, is assumed to produce the same PS of 75 for all actors and equipment for which it is responsible.

Negative Interactions

Based on previous hazard identification work, one key category of negative interactions is represented in the influence model. This is the potential for improvements in the quality of equipment and systems to be followed by deterioration in the performance of the actors,

Episode 3


of 240


associated with loss of vigilance or reduction of traditional skills. This may result in the overall safety benefit from technical improvements being less than expected.

This is modelled as a negative correlation between task equipment and actor’s performance:

AECEAA MFMFCMF ×=

Where:

CAE = correlation factor between actor and task equipment.

In the absence of any data on this correlation, the correlation factor is tentatively assumed to be -0.2.18

Contributions

The contribution of influence acting through a single base event is defined as:

Cij = C(Bi) x MEij

where:

Cij = contribution of influence j to event Bi

MEij = maximum effect of influence j on event Bi

Where influences act through several bottom events, the overall contribution is estimated by summing the individual contributions:

∑=

=N

jijj CC

1

Where interdependencies act through AND gates, this summation over-estimates the contribution, and in some cases, the contributions may exceed 1. Clearly it is physically impossible for any influence to exceed a 100% reduction in the top event frequency. Such obvious errors can therefore be prevented by limiting the contributions to a maximum of 1. However, in the case of CCFs, certain interventions may be highly effective in preventing accidents and incidents, as a result of improvements in more than one barrier. The over-estimation of the contributions serves to highlight such situations.

In future work, it would be desirable to estimate the contribution more accurately by systematic sensitivity testing of each influence. This could be achieved using the @Risk program. Due to the uncertainty in the influence estimates, the effort in doing this is not considered justified at present.

Uncertainties

The range of possible performance scores contributes to the variability in the risks due to the influence, but these are at present impractical to define. The uncertainty due to data quantity in ME is readily obtained from the number of events, but the uncertainty in PS is only available from judgement. Uncertainty due to the model structure is likely to be significant but is difficult to quantify. In future work, comparison with other influence models might be possible. The key choice for any influence is whether or not to quantify it in the model. This

18 Potential negative interactions have been identified in previous hazard identification work. This suggested that over-confidence in the effectiveness of improved technical safeguards might reduce the effectiveness of human monitoring. Any such effect would appear as a negative correlation between actor’s performance and ATC systems. Analysis of incident data does show negative correlations, but investigation of the incidents suggests that in many cases actor performance and ATC systems are considered alternative explanations of failure events. Again, this does not imply that improvements to one would lead to deterioration of the other. It is tentatively concluded that the accident and incident data is not yet sufficiently thorough to support the derivation of correlation factors. Hence, the correlation factors are at present based on judgements.

Episode 3


of 240


gives one confidence limit, but at the other extreme the effect could be much greater than modelled. Hence a simple estimate of the confidence range due to data choice uncertainty is a lognormal distribution between 1 and MF2.

User Inputs

The model allows the user to represent any specific operational case through the following inputs:

• The performance score PSAF for each actor (as defined in Table 23), which can be defined in terms of a PS for each human factors fundamental individually, or taken from the PS for the applicable management system.

• The performance score PSE for each element of ATM-related equipment (as defined in Table 24).

• The performance score PST for other ATM tasks that are not explicitly modelled.

• The performance score PSC for other inputs or constraints ATM tasks that are modelled as performance-based influences.

11.4.3 Stratified Influences

Influence States

Some influences have established definitions or measures of severity, which allow the influences to be stratified (i.e. grouped into states of increasing severity). If both accident/incident and exposure data can be stratified in the same way, then modification factors can be calculated for each influence state.

Example stratified influences include:

• Business demand:

Aircraft type - large jet, small jet or turboprop. Large is defined as >27,000kg MTOW as used by Boeing.

Aircraft size - large heavy, small heavy, large medium, medium or small. The size boundaries are defined as 300,000kg, 136,000kg, 75,000kg and 27,000kg MTOW respectively.

Service type - passenger, cargo or non-revenue.

Other traffic type - commercial, military or GA.

Traffic density - high, medium or low. In the absence of an established definition, these are defined respectively as <75%, 25-75% and <25% of capacity for the airport or sector.

Winglet type - none, wingtip fences or winglets. This influence is used for taxiway collision.

• Physical environment:

Airport region - Europe, North America, Latin America, Africa, Middle East or Asia/Pacific (ICAO statistical regions).

Airspace type - airport control zone, TMA, lower airspace, upper airspace or unmanaged airspace.

• Ambient conditions:

Light condition - daylight or darkness (including dawn/dusk/moonlight).

Visibility restrictions (at airport) - unrestricted or restricted (including fog/mist/haze/dust/smoke/low sunlight, as defined by ADREP).

Visibility conditions (en route) - VMC or IMC.

Cloud amount - clear, few, scattered, broken, overcast (as defined by ADREP).

Episode 3


of 240


Precipitation intensity - none, light, moderate or heavy (as defined by ADREP).

Risk Ratios

To quantify stratified influences, it is necessary to have a substantial accident/incident dataset with sufficient information to determine the state of relevant influences, together with a realistic estimate of the distribution of influences in the complete exposed population.

Some influence states can be obtained from existing accident/incident databases (e.g. ADREP). In other cases it is necessary to consult the investigation reports for each accident/incident. This can be part of the causal investigation. To simplify the task, influences are only analysed when there is an expectation that they would have a significant effect.

The corresponding exposure for some influences can be obtained from ICAO or other industry statistics. In other cases, it is necessary to use incidents in which the influence is not expected to have any effect. For example, system/component failure data can be used to indicate distributions of light conditions and visibility restrictions, since it is expected to be independent of them. In future work, it would be desirable to obtain exposure distributions independently of incident data.

The effects of particular states of each influence are quantified in terms of a risk ratio, equal to the case-specific risk expressed as a fraction of the generic risk:

G

kkj R

SRSRR

)()( =

Where:

RRj(Sk) = risk ratio when influence j is in state Sk

R(Sk) = overall accident/incident frequency in state Sk

RG = generic accident/incident frequency

This is expanded as:

EA

SESASRR kk

kj /

)(/)()( =

Where:

A(Sk) = accidents/incidents in state Sk

E(Sk) = exposure in state Sk

A = total accidents/incidents

E = total exposure

Table 31 shows example stratified influences, consisting of the influence of visibility restrictions on taxi collision risk. Figure 37 plots the risk ratios, and includes 90% confidence ranges. This shows that, although the risk appears to be higher in restricted visibility, this is not statistically significant. Nevertheless, since the difference conforms to expectation, it is retained in the model to illustrate the methodology.

Table 31: Effect of Visibility Restrictions on Taxi way Collisions

VISIBILITY RESTRICTIONS

TAXI COLLISION

EVENTS

% OF KNOWN EVENTS EXPOSURE

% OF KNOWN

EXPOSURE RISK

RATIO

Unrestricted 18 90% 97 92% 0.97

Restricted 2 10% 8 8% 1.31

Total known 20 100% 105 100% 1.00

Episode 3


of 240


Figure 37: Effect of Visibility Restrictions on Tax iway Collision Risk

0.0 0.5 1.0 1.5 2.0

Unrestricted

Restricted

MODIFICATION FACTOR (Case-specific risk/generic risk)

Conversion of Risk Ratios to Modification Factors

The risk ratios estimated from overall accident/incident data, as above, are different from the modification factors required for the model. The difference is due to the way the fault tree processes the base events to obtain the accident risks. If the risks were proportional to the base event probability P(Bi), the MFs would be the same as the RRs. In fact, since each influence affects only some of the base events, and these affect only part of the overall risk, the risks are less than proportional to P(Bi). However, in cases where influences are common causes of several base events combined through AND gates, the risks may be more than proportional to P(Bi). As a result, a modification factor MFij must be defined, which gives the required RRj when processed through the model. This is difficult to define analytically, but is readily obtained by iteration from the model. Meanwhile, the simplifying assumption is made that MFij = RRj.

Modelling of Influences

If the modelled case consists of a mixture of influence states, the combined MF is a probability-weighted sum of all M states that are modelled:

∑=

=M

kkkijij SpSMFMF

1

)( )(

Where:

MFij = modification factor for event i due to influence j

MFij(Sk) = modification factor when influence j is in state Sk

p(Sk) = probability of influence j being in state Sk

M = number of states for influence j

This may then be combined with other influences as above.

Contributions

The positive and negative contributions (as defined in Section 2.8.2) for a stratified influence are readily obtained from the largest and smallest risk ratios:

( ))( kjkjj SRRMinNRWC −== 1

( ) 1−= )( kjkj SRRMaxNAW

Where:

NRWj = non-dimensional risk reduction worth for influence j

NAWj = non-dimensional risk achievement worth for influence j

Episode 3


of 240


Uncertainties

The range of risk ratios between different cases is also a measure of the variability in the risks due to the influence. The uncertainty due to data quantity is readily obtained from the number of events, as illustrated in Figure 37. In future work, it would be desirable to model uncertainty due to data choices. In general, the key choice for any influence is whether or not to quantify it in the model. Hence a simple estimate of the confidence range due to data choice uncertainty is a lognormal distribution between 1 and MF2.

11.4.4 Overall Influence Model

Figure 38 illustrates an example influence model in which the two types of influences are combined. At present, most of the influences are performance based (indicated by PS and ME for each input). The two relevant stratified influences are airspace type and traffic density. The influence model is for the generic case, and so all PS=70 and MF=1.

Figure 38: Example Influence Model for Conflict Man agement

11.4.5 Interdependencies

The influence model represents common-cause failures in a generic way, gathering together all possible underlying causes of accidents/incidents into a single hierarchy. This contains the specific CCFs (e.g. actor performance, equipment quality, constraints, common inputs etc) that are represented through Beta factors in the fault tree.

The modelling of interactions in this approach can be summarised as follows:

• Positive interactions (synergies), where improvement in one influence leads to improvement in other influences, are modelled directly through the causal relationships expressed in the task network.

• Negative interactions, where improvement in one influence leads to deterioration in other influences, are represented through negative correlation factors between selected pairs of influences.

• Migration of risk is represented through the task inputs, which depend on the performance of other tasks (Figure 25).

Specific examples of interdependencies modelled within IRP include:

Episode 3


of 240


• Co-ordination between actors. Some cases of loss of co-ordination are so distinct that they can be represented in the fault tree (e.g. ATCO co-ordination, MB5.1.4). In most cases, this is a less distinct influence, and is represented through the human factors fundamental “teamwork”.

• Interaction between ATCOs and ATC system. This influence is represented through the human factors fundamental “technology interface”, and also as a negative interaction between ATC system performance and ATCO performance.

• Down linked aircraft parameters. Aircraft derived data is an input to the traffic picture for ATC, but is also the same information as provided to the flight crew for navigation. This is one of the causes of CCFs in the fault trees, and is also an input to the tasks in the influence model.

11.5 MODEL IMPLEMENTATION

11.5.1 IRP Main Model

The IRP is implemented as an Excel spreadsheet. This was chosen in preference to a specialist fault tree package because it allows the integration of fault trees, influence models, user inputs and all results plotting within a single package, together with non-standard fault tree features such as top-down quantification. The fault trees are quantified on a gate-by-gate basis (Section 11.3.1), and special attention has been paid to verification of these models (Section 2.8.5). The fault trees for each accident category are implemented on separate worksheets for the generic and predictive versions.

User inputs define the specific cases for the predictive mode. The user has control over all parameters defining traffic levels, safety net coverage, actor performance, equipment quality etc. For convenience, these are normally selected from a library of previously defined cases, which minimises the need to enter new parameter values.

The following input cases have been defined:

• ECAC average conditions in 2005. This is the base case, whose parameters are estimated as the basis of the model.

• ECAC average conditions in 1990. This case has been used to validate the results against the recorded accident trend between 1990 and 2005.

• ECAC average conditions in 2020. This represents the future case with SESAR implemented.

The model is also capable of predicting the risks and causal breakdown for any specific situation (airport, flight, ATC sector) represented through the user inputs (Ref 3).

The spreadsheet calculates all results described in Section 2.8 for the user-defined case, and compares them to the generic case. The results plots are also updated.

At present, it is also possible to adjust the parameter values or even the model structure directly, but due to the complexity of the model and the potential pitfalls it is recommended that this should only be done by adequately trained developers.

11.5.2 STAR Tool

One of the planned uses of the IRP is to help create a Safety Target Achievement Roadmap (STAR), which would predict how the risks will evolve as SESAR OIs are implemented. This is intended to allow the OI effectiveness and implementation sequence to be adjusted to maximise the risk reduction, and to ensure that the SESAR safety target is met throughout the process.

Episode 3


of 240


To support this process, a STAR tool has been created, which comprises a special version of IRP including Visual Basic for Applications (VBA) programs, which provide the following capability:

• Recalculation of IRP results for each year between 2005 and 2020, during which time any user-defined selection of OIs can be progressively introduced (see Section 2.7.4).

• Calculation of the effects of user-defined dependencies, which limit the effectiveness of certain (“child”) OIs depending on the implementation of other (“parent”) OIs (see Section 2.7.4).

• Presentation of the risk profile expressed in any user-selected risk metric. The available metrics are (see Section 2.8):

Total frequency of or

Frequency of direct ATC contribution to

ICAO-defined accidents

or

fatal accidents

per flight or

per year

for all accident categories or

any individual accident category

• Calculation of the effects on risk of individual OIs. These effects are measured using the metric known as NRW (see Section 2.8.2).

11.5.3 Uncertainty Model

The uncertainty model is implemented in IRP using the @Risk add-in to Excel.

The uncertainty model begins with the defined uncertainty for the parameters of the generic fault tree. The @Risk model uses Monte Carlo simulation to sample from these input distributions recalculates the IRP, which propagates the inputs through the IRP into corresponding selected outputs, and stores them to create the uncertainty distributions for user-selected results.

11.5.4 OI Modelling

General approach

The STAR tool allows the user to select any combination of the OIs that have been defined for IRP (see Section 3.4). The STAR tool enables the user to add new OIs. In order to add new OIs or modify the existing ones, it is necessary to understand how they have been modelled. The following sections explain this in detail.

There are three ways that OIs can be modelled (termed OI effect types):

• Changing the coverage of a system that is already modelled in the fault trees (FTs).

• Direct adjustment of base event probabilities in the FTs.

• Changes to the performance of elements modelled in the influence model.

All three ways produce changes to the probabilities of one or more base events in the FTs (P(Bi)), and through this to the risk results and causal breakdowns.

The changes in the base events compared to the baseline year (2005) are monitored as modification factors (MF) where:

yearbaseline in )P(B

yearcurrent in )P(BMF

i

ii =

Episode 3


of 240


Safety improvements imply MF<1. In the baseline year, MF=1 for all base events.

OI Definition

Each OI is defined by:

• Start year (Y1) - when the OI begins to take effect. If the OI is already part implemented, the start year is taken as 2005.

• End year (Y2) - when the OI effects are complete. Note that effects beyond 2020 are not modelled.

• Parent - the ID of another OI whose implementation is required for the current (child) OI to take effect.

• Parent type - the type of dependency between parent and child OI (see below)

• Start effect (E1/EF) - the effect in the start year, expressed as a percentage of the full effect. “Effect” is defined as “coverage” or “reduction” (depending on the OI effect type - see below).

• End effect (E2/EF) - the effect in the end year.

The effect profile (i.e. the effect in any given year) is assumed to vary linearly between the start and end effect. Hence the current effect EC in year YC is defined by:

EC/EF = E1/EF + (E2/EF - E1/EF) x (YC - Y1)/(Y2 - Y1)

This can be replaced by any analytical function. In future work, a program could be used to accept a directly entered profile. The profile could be adjusted if implementation dependencies are violated.

For historical OIs (i.e. OIs implemented between 1990 and 2005), no effect profile is modelled, and if YC<2005 then EC = E1. In future work, a historical profile could be modelled.

Each OI can have effects of different types on different parameters. Each effect is defined using the following benchmarks:

• The maximum effect (EM). This is the maximum effect that is possible from all currently envisaged improvements.

• The full effect (EF). This is the maximum effect that is expected from the OI once fully implemented (or in conditions for which it was designed).

• The current effect (EC). This is the actual effect predicted for the current year (YC), taking account of realistic implementation and ECAC-average conditions.

Definition of the OI effects profile also refers to the following:

• The historical effect (E-1). This is the actual effect estimated for the earliest historical year modelled (Y-1=1990).

• The baseline effect (E0). This is the actual effect estimated for the baseline year (Y0=2005).

• The start effect (E1). This is the actual effect estimated for the year when the OI begins to take effect (Y1).

• The end effect (E2). This is the actual effect estimated for the year when the OI effects are complete (Y2).

OIs Changing System Coverage

OIs consisting of systems with complex effects on risks (e.g. new barriers, reducing several failure types while introducing new hazards) are best modelled explicitly in the FTs. Their

Episode 3


of 240


effect can then be controlled by adjusting their coverage (a specific instance of the “effect” defined above).

In IRP, “coverage” is defined as the fraction of events for which a system is installed. This is expressed as the fraction of all events involving IFR traffic in the ECAC region, for which the system is expected to provide a safety benefit. A system is considered to be “installed” when it is present and operational for most of the time (i.e. occasional downtime and failures are not excluded). The relevant “event” is the precursor in the IRP barrier model immediately before the system is intended to take effect, and hence depends on the system in question (e.g. for STCA the event is “separation infringement”).

In the case of coverage, the maximum coverage (EM) and full coverage (EF) are both 1; and the possible range is between 0 and 1, i.e. 0≤EC≤1 (Figure 39).

Coverage is linked to the probability of a base event “System not installed”:

PNot installed = 1 - EC

The corresponding MF on this event is:

MFNot installed = (1 - EC)/(1 - E1)

Figure 39: Effects of OI Changing System Coverage

Coverage

E-1

1990

E0

2005

E1

Y1

EC

YC

E2

Y2

EM EF

Time

1

0

OIs with Direct Effects on Base Events

OIs affecting the probability of individual base events may be modelled by adjusting these probabilities directly. Their effect can be controlled by adjusting the percentage reduction in the base events (a specific instance of the “effect” defined above).

In this case, the maximum reduction (EM) is 100% by definition. The full reduction (EF), taking account of realistic OI performance, may be less than this. For OIs that increase base event probabilities (e.g. reversing historical changes), EF is entered as negative. There is no limit to any possible increase. Hence, the possible range is -∞≤EC≤1.

Figure 40: Direct Effects of OI on Base Events

Episode 3


of 240


Direct effect on base events

E-1

1990

E0

2005

E1

Y1

EC

YC

E2

Y2

EM

Time

1

0

EF

The MF of the corresponding event is:

MFBi = 1 - (EC/EF) EF

This approach allows the effect profile to be normalised by an arbitrary full effect, which may refer to any condition that can be quantified (through models or judgement).

Since E1=0 for effects of this type, this is a special case of the equation for coverage above.

OIs with Indirect Influences

OIs affecting elements of the influence model, with effects on the probability of multiple base events may be modelled by adjusting the performance score for these influences. Their effect can be controlled by adjusting the percentage reduction in errors that they influence (a specific instance of the “effect” defined above).

In this case, the maximum effect (denoted EM here, although it is the same as ME in Section 0.0.0) has been estimated from data for each influence. The full reduction (EF), taking account of realistic OI performance, may be less than this, and is entered as a fraction (EF/EM). There is no limit to any possible increase, i.e. -∞≤EC≤EM.

The MF of the corresponding event is:

MFBi = 1 - EC = 1- (EC/EF) (EF/EM) EM

To quantify the effects of OIs on influences, it is necessary to judge the fractional reduction of error types affected by that influence, which would be achieved by full implementation of the OI. For example, if an OI affects teamwork, its full effect is entered as the expected percentage reduction in errors influenced by teamwork. Other errors are assumed to be unaffected. This gives a larger percentage reduction than considering all errors together.

In fact, in the model the influences are controlled by performance scores. Therefore it is necessary to convert the effects above to changes in performance scores. The relationship is (Figure 41):

)log(log

MEMF

PS−

+=1

3070

Hence the change in performance score resulting from an effect EC is:

( ))log(

log

M

C

E

EPS

−−

=∆1

130

Where:

MM

F

F

CC E

E

E

E

EE =

Episode 3


of 240


Figure 41: Effects of OI on Influence Performance

Modification factor (MF)

(log scale)

E-1

70 PSC

EC

PS2

E2

100

EM

Performance score (linear scale)

1

EF

PSF

∆PS

Since E1=0 for effects of this type, this is again a special case of the equation for coverage above. However, for OIs entered using coverage, which also affect influences, the effect progress must be adjusted to ensure that ∆PS=0 in 2005. In these cases:

MM

F

F

CC E

E

E

EE

EEE

)(

)(

0

0

−−

=

Where influences are affected by several OIs, the ∆PS values must be added, whereas MF values would be multiplied together (because the relationship is log-linear).

Dependency Between OIs

Dependency between the current OI (child) and any other OIs (parent) requires the STAR tool to modify the input effects profile (EC/EF) for the child. The following types of dependency between OIs are implemented:

• Type 1 - effect profile of child cannot exceed that of parent:

EC/EF(child) ≤ EC/EF(Parent)

• Type 2 - no effect of child until parent complete:

EC/EF(child) = 0 if EC/EF(Parent) < 1

• Type 3 - child and parent must be simultaneous:

EC/EF(child) = EC/EF(Parent)

• Type 4 - no effect of child until parent substantially complete:

EC/EF(child) = 0 if EC/EF(Parent) ≤ 0.7

EC/EF(child) ≤ (EC/EF(Parent) - 0.7)/0.3 if EC/EF(Parent) > 0.7

This gives the child no effect until the parent has achieved 70% of its effect. For example, datalink communications might need widespread implementation before datalink clearances could be given to any aircraft. In future work, the 70% value could become a user input.

• Type 5 - enhanced effect of child once parent substantially complete:

EC/EF(child) ≤ 0.3 + 0.7 EC/EF(Parent)

This allows the child to have up to 30% of its full effect without the parent being in place, while making the remaining 70% dependent on implementation of the parent. For example, APW

Episode 3


of 240


(Airspace Proximity Warning) might be possible without datalink, but much more effective with it. In future work, the 70% value could become a user input.

These dependencies only refer to those resulting from the implementation sequence (i.e. that some OIs will not work or will be ineffective unless others are implemented). Other types of interdependencies represented in IRP are explained in Section 11.1.9.

11.6 FORM OF RESULTS

11.6.1 Available Results

The following types of results are available from the risk model:

• Frequencies of fatal accidents, ICAO accidents and precursor incidents. These are available in the form of involvement frequencies per flight, obtained direct from the fault trees (or by simple conversion from frequencies per flight hour). They may be used for accident/incident monitoring. They can be broken down by accident category.

• Expected annual numbers of fatal accidents, ICAO accidents and precursor incidents in the ECAC region. These are readily obtained from the frequencies per flight above, by multiplying by the traffic level, but due to traffic growth they produce different patterns of results. They are more relevant for demonstrating compliance with the SESAR safety target, and may be easier to understand for readers not familiar with frequencies and probabilities.

• Probabilities of fault tree events and barrier failures. These are obtained direct from the fault trees. In most cases they are conditional on precursor events, and so are difficult to interpret in isolation. However, they may be used to apportion overall safety targets into individual failure events.

• Modification factors and performance scores for individual influences. These are obtained direct from the influence model. In the generic case, the MF is always 1 and the PS is always 70, but these results become more interesting for specific cases (see below).

• Causal contributions. These show the relative importance of causal factors (i.e. fault tree events or modelled influences) to the overall accident frequencies. This is the main type of result available from the IRP, and is described in more detail below. It can be broken down into negative and positive contributions, and related to individual ATM elements, accident categories and accident frequency results.

11.6.2 Contributions

Definition of Contributions

The “contribution” of causal factors in IRP represents their relative importance to the overall risk. Contributions can be obtained from IRP for individual causal factors (i.e. fault tree events and modelled influences). They can be combined to show the contributions of barriers or ATM elements (e.g. traffic separation, surveillance etc) and combined to give results for ATM as a whole.

Two key types of contribution are distinguished (Figure 42):

• Negative contribution - the risk caused by unsuccessful ATM, representing the times when ATM failures (including technical failures, ineffective human performance or non-availability of equipment) have contributed to the causes of an accident. This contribution could be reduced through improvements in ATM performance. It is therefore an appropriate measure when trying to improve the performance of ATM. The maximum potential improvement would be the difference between current ATM

Episode 3


of 240


and a hypothetical future in which ATM was “perfect”, i.e. never suffered any failures. This is the contribution shown in the fault trees.

• Positive contribution - the existing benefits of ATM in preventing accidents. This consists of the numerous times when ATM successfully ensures a safe flight. The positive contribution is embedded in the risk results, but is not made explicit by the negative contribution above. The positive contribution would be revealed through the risk increase that would occur if ATM deteriorated; for example, if safety nets were not used or ATCO competence was neglected. The maximum potential deterioration would be the difference between current ATM and a hypothetical case in which ATM did not exist, i.e. never made any successful contribution.

Figure 42: Positive and Negative Contribution of AT M

ATM quality/performance

No ATM

Negative contribution: Risk caused by

unsuccessful ATM

Positive contribution:Risk prevented by

ATM success

Perfect ATM

Current ATM

ATM deterioration

ATM improvement

Risk

Measures of Contribution

In IRP, the contribution of an ATM element is measured using the relative change in accident frequency that would result if that element had the maximum possible negative or positive performance. Two measures are used, corresponding to the two type of contribution:

• Risk reduction worth is the change in risk that results when a base event changes from its baseline probability Bo to a “perfect” state where the failure probability is zero, i.e. P(B)=0. In IRP terminology, this is a measure of negative contribution, and is defined in non-dimensional form as:

)(

)()(

o

oB BR

RBRNRW

0−=

Where:

NRWB = non-dimensional risk reduction worth of event B to risk R

R(Bo) = risk with P(B)=Bo

R(0) = risk with P(B)=0

• Risk achievement worth is the change in risk that results when a base event changes from its baseline probability Bo to a “non-existent” state where the failure probability P(B)=1. In IRP terminology, this is a measure of positive contribution, and is defined in non-dimensional form as:

)(

)()1(

o

oB BR

BRRNAW

−=

Where:

Episode 3


of 240


NAWB = non-dimensional risk achievement worth of event B to risk R

R(1) = risk with P(B)=1

NRW is always in the range 0 to 1, because risk cannot be reduced by more than 100% of itself. It is equal to the Fussell-Vesely (FV) importance measure used in fault tree analysis, and is also equal to the maximum effect (ME) in the influence model. Hence it is potentially a useful measure of negative contribution. However, it has some significant limitations. In particular, it is not “additive”. In other words the contribution of an output event from an OR gate is not equal to the sum of the contributions of the inputs. It also depends on the risks that result when the inputs take their extreme values, which may be the least reliable parts of a model.

Therefore IRP uses a measure of negative contribution that is calculated on a gate-by-gate basis and is additive at OR gates (Section 11.3.5). This is equivalent to NRW but more convenient to present.

In future work, it would be possible to calculate NRW directly by systematic adjustment of each causal factor in turn. For fault tree base events, adjusting them to 0 and 1 would give NRW and NAW respectively. For stratified influences, selecting the cases with maximum and minimum MFs would have the same effect. For performance-based influences, setting PS to 100 would give NRW, while a PS of 40 is judged equivalent to NAW, although this is very speculative. These sensitivity tests could be achieved using the @Risk program.

Pattern of Contributions

The positive contribution is different for each barrier, but the same for all causes of failure of the barrier. This is because, since the various barrier failure causes (Bi) are alternatives joined by OR gates, failure of any one of them causes failure of the barrier. Hence their positive contributions (the risk increase that would occur if P(Bi)=1) are all the same. Hence, positive contributions are only required for the small set of barriers, not for the large set of fault tree base events or influences.

The negative contribution is the same for each barrier (except where scenarios result in some barriers being by-passed), but different for each cause of failure of the barrier. This is because, since the various barrier failure causes (Bi) are alternatives joined by OR gates, success of any one of them causes a different improvement of the barrier. Hence their negative contributions (the risk reduction that would occur if P(Bi)=0) are all different. However, all the accidents would be eliminated if any barrier never failed, so their contribution is 1. Hence, negative contributions are easily obtained for the small set of barriers, but must be calculated individually for the fault tree base events or influences.

Criticality of OIs

OIs may have both positive and negative contributions, resulting from their safety hazards and benefits (identified in Section 11.1.9). The contribution may be measured using the NRW and NAW measures above. The NRW for each OI in turn is available from the STAR tool.

Safety-critical OIs, can be considered to have a combination of:

• Large effects (or large uncertainty) of the OI on parameters in the risk model. These would be as judged by experts in the review of OIs.

• Large contribution (positive or negative effects on overall risk) of the affected parameters. These would be estimated through the risk model.

The combination of these is in fact the contribution estimated by the STAR tool for each OI. Hence, this measure may be used to indicate the criticality of each OI, and to indicate the level of assurance required from its safety assessment process.

In some cases, OIs may be judged to have zero effects on parameters that have a large contribution to the overall risk. This may give a misleading indication that the OI is not safety critical. This potential error can be avoided by taking account of uncertainty when estimating

Episode 3


of 240


the contribution of each OI, and using a measure such as its modulus or root-mean-square to ensure that equal possibilities of large positive and negative contributions are not allowed to cancel each other out. Hence, within the Monte Carlo calculation, the criticality of an OI should be measured as the absolute value (positive or negative) of:

)(

)()(

o

oOI BR

OIRBRNRW

−=

Where:

NRWOI = non-dimensional risk reduction worth of OI to risk R



ATM Contributions

The SESAR safety target refers to accidents with an ATM contribution. This is interpreted as including direct or indirect contributions from any person or system (whether ground-based, space-based or airborne) performing an ATM function (Section 3.6)19. ATM functions include all conflict management activities, whether performed by a flight crew, ground crew or controllers.

The impact of this definition on the different accident categories is as follows:

• Mid-air, runway and taxiway collisions involve ATM contributions by definition, since all pilot, ATC or technical causes occur while performing an ATM function. Even taxi collisions caused solely by ground crew or pilot misjudgement occur while they are responsible for separation.

• Wake turbulence accidents involve ATM contributions if they are due to separation infringements. If they are due to inadequacies in the separation criteria (SESAR will change wake vortex separation in some wind conditions), this is considered an indirect ATM contribution. If they occur in unmanaged airspace, where no separation standards are defined, they could be considered to be without any ATM contribution. Although within SESAR there appears to be no ATM function to prevent wake accidents, there are OIs intended to achieve this. Hence wake accident prevention is implicitly an ATM function, and any pilot management of separation must also take account of this. Therefore it is concluded that any wake accident implies an ATM contribution.

• CFIT accidents involve ATM contributions if they are due to inappropriate vectoring commands. If they are due to inappropriate pilot or FMS commands, this would not normally be an ATM contribution. However, all CFIT accidents involve a possibility of detection by ATC, and so they could be considered to have an indirect ATM contribution. Although within SESAR there appears to be no ATM function to prevent CFIT accidents, one OI (MSAW) is intended to achieve this. Hence CFIT prevention is implicitly an ATM function. Therefore it is concluded that any CFIT accident implies an ATM contribution.

Therefore, it appears that all accidents modelled in IRP involve at least an indirect ATM contribution, and therefore should be included in the risk measure when comparing with the SESAR target.

All the negative contributions shown by the IRP indicate potential improvements if the relevant aspect of ATM could somehow be made perfect. They do not take account of practical

19 The SESAR safety KPA focus area is restricted to “occurrence and prevention of accidents.... with a direct and/or indirect ATM contribution” (D2 p55). See as well section 5.6 in (Ref. 4).

Episode 3


of 240


limitations, such as technical feasibility, cost-effectiveness or competing constraints (capacity, environment etc). Hence the improvements that could be achieved in reality may be much smaller than IRP predicts. Nevertheless, in the absence of detailed cost-effectiveness studies of each area, they show the maximum potential benefits of ATM improvements.

Types of ATM Contributions

The risk model provides a relatively detailed representation of the role of ATM in accident causation. This makes it difficult to extract a single result summarising what ATM’s contribution is. Therefore, several different types of results are presented, gathering different types of ATM (negative) contribution to overall accident frequencies:

• Direct causes - where errors by ATCOs or pilots (mainly errors of commission) or failures of ATM systems result in an accident that would not otherwise have happened. Failures of communication, navigation and surveillance equipment are included as ATM causes, but not failures in flight planning and ACAS, which are considered to be primarily the responsibility of aircraft operators.

• Prevention failures - where ATM has the capability to prevent the accident but fails to give effective warning, due to errors by ATCOs or pilots (mainly errors of omission) or failures of ATM safety nets. Communication and information transfer problems, where ATCOs and pilots share responsibility for the direct cause, are also included in this group.

• Prevention opportunities - where extended coverage of safety equipment or introduction of new ATM layers would have the potential to prevent accidents, although they would not be regarded as “failures” in an accident investigation. This group covers failures of barriers that are represented in the fault tree but were not present in reality, e.g. where safety nets are not fitted or planning is not undertaken.

• Indirect influences - where more beneficial ATM influences could have reduced the likelihood of the accident to a greater extent than the sum of the three contributions above. This includes improved AO&M, ATFCM, ATC, information management and ATM-related avionics such as ACAS, to the extent that they are represented in the influence model.

The SESAR safety target implies that all ATM contributions should be included, but the breakdown above allows a more detailed exploration of what this might mean in practice (Ref 4).

ATM Elements

In order to give a breakdown of the ATM contribution, ATM is divided into the following main elements:

• Airspace Management (ASM) - the airspace and TMA design.

• Demand-capacity balancing (DCB) - including flight planning and the future production of the NOP.

• Air Traffic Control (ATC). This is sub-divided as:

ATC planning - the task performance by the planning controller, excluding communications.

Conflict management - the task performance by the tactical controller, excluding communications.

ATC collision avoidance - the task performance by the tactical controller, excluding communications.

ATC systems - controller displays and associated safety nets. This excludes infrastructure for communications, navigation and surveillance.

Episode 3


of 240


Communications - the task of communications between controllers and pilots, including communications infrastructure (VHF and datalink).

Surveillance - primary and secondary surveillance radar coverage and performance.

ATC as defined in the risk results includes ATC en-route and in the terminal manoeuvring areas (TMA) around airports. ATC on the runway and taxiways is included under airport operations.

Airport operations, including airport ATC, and the infrastructure for ground navigation, including runway and taxiway lights and markings.

ATM avionics - airborne systems for air traffic management, notably ACAS and SSR (Secondary Surveillance Radar) transponders. This is the only modelled aspect of aircraft operations other than flight planning. GPWS is excluded from the present study.

Information management - including aeronautical information (AIS, NOTAM and airport charts).

At present, navigation infrastructure is not modelled because it would require a more detailed analysis of pilot errors in CFIT and landing accidents, which has been omitted for simplicity in the present study. Further study of this element would be desirable in future work.

11.6.3 Uncertainties

All results could be expressed as probability distributions representing uncertainty about their true values. For simplicity, these are summarised as best-estimates (resulting from point estimates in the spreadsheet model) and confidence limits (the 5%ile and 95%ile from the Monte Carlo analysis of uncertainties). Where available, they are illustrated on plots using I-shaped bars.

11.6.4 Comparison

Available Benchmarks

Case-specific results, such as predictions for the SESAR ConOps, introduce further options in all the above results. They can be compared against benchmarks, such as:

• Generic risks for the 2005 baseline. This is implied by the SESAR safety target, which requires no increase in the number of events. This is discussed further below (section 4).

• Predicted risks for a “do-nothing” scenario. This can be considered a better measure of what SESAR actually achieves. It is defined as a scenario where traffic and consequent delays increase, without any compensating improvement in the ConOps. This is discussed further below (section 5).

The comparison is presented as:

• Absolute values of the results for the specific case, RC, as well as the generic case, RG.

• Absolute changes in the results between the generic and specific cases, defined as RG-RC (thus obtaining positive results for risk reductions).

• Relative changes in the results between the generic and specific cases, defined as (RG-RC)/RG.

Results of this type can be obtained for the SESAR ConOps as a whole, and for individual OIs. This can be obtained using the STAR tool.

Episode 3


of 240


Compliance with SESAR Target

The SESAR safety target permits no increase in the expected annual number of accidents with an ATM contribution. This is interpreted as including any involvement of an IFR aircraft over 2250kg MTOW, in any airport or airspace in the ECAC region, in any ICAO-defined accident involving a contribution from any person or system (whether ground-based, space-based or airborne) performing an ATM function. There should be no increase in any year between 2005 and 2020, during which commercial traffic is assumed to grow at 3.7% per year (Section 3.6).

In order to demonstrate compliance with this target, it is necessary to ensure that the absolute reduction in risk between the generic case (RG) and the SESAR case (RC) is no less than zero for each year during the implementation of SESAR up to 2020. The necessary risk measure is the expected annual number of accidents with an ATM contribution, covering the scope defined above. This prediction will be made by the STAR tool. The present report considers the choices in approach.

Target compliance is considered to occur when the best-estimate for SESAR is no greater than the best-estimate for the generic case. Because of uncertainties, this in effect gives only a 50% confidence in target compliance. In future work it might be desirable to use the uncertainty calculated in the key result RG-RC to ensure target compliance with a defined level of confidence. At present there is no basis for selecting such a confidence level.

In order to apportion this target to different causal factors and ATM elements, the IRP event probabilities, performance scores and assumed OI effects for the target compliance case can be treated as performance targets. In future work, it would be desirable to develop IRP to distinguish between design, implementation and in-service causes of each type of failure, so that appropriate design targets could be developed (section 7.4).

11.6.5 Validation

“Validation” of IRP is the process of checking that it is sound, defensible, well-grounded, meets its specification and produces the required results. On a complex model, such as IRP, there are many different types of check that could be performed to show whether it is valid in different respects. Comprehensive validation ideally requires many different checks, covering the complete range of possibilities. To date, validation has been pursued in each respect to the extent that was judged appropriate for the stage of development of the model (Ref 5). In future work, each type of validation could be extended.

The model development process has been fully validated by ensuring adequacy in the following aspects

• Specification - ensuring that the specification on which the model has been based reflects the needs of the users.

• Resources - ensuring that the budget for model development has been appropriate for the demands implied by the specification.

• Competence - ensuring that the model has been developed by people with appropriate skills.

• Technical quality - ensuring that the model achieves an appropriate balance between technical sophistication and practicality.

• Verification - checking that the model was constructed “correctly”, and contains no unintended errors.

• Peer review - checking that the model has an appropriate degree of scientific rigour, as judged by independent experts.

• Compliance - checking that the model meets its specification and delivers the required results.

Episode 3


of 240


The usability of the model has been validated through:

• Sensitivities - ensuring that the relationships between user inputs, model parameters and results are fully understood. These are represented by the positive and negative contributions described in Section 2.8.2.

• Confidence ranges - showing the ranges of uncertainty attached to the model results, as described in Section 2.8.3.

• Ranges of validity - in future work it would be desirable to define the ranges of user inputs that the model is able to accept.

The results of the model have been validated to the extent that is practical at present through:

• Calibration against the known overall effects of historical ATM changes during the period 1990-2005.

• Empirical validation against independent estimates of ATM overall contribution.

• Convergent validity against available statistics on ATM-related incident rates.

• Face validity through acceptance of the model by a limited group of stakeholders.

In future work, further validation would be desirable. It is recommended that this should include:

• Updating of previous validation work to cover the current model of SESAR.

• Documentation of convergent validity as accident and incident datasets are enlarged.

• Monitoring of accident and incident experience as it accumulates, and progressive calibration against it.

• Calibration of risks for specific regions or units for which there is suitable accident or incident data.

• Collection of in-service performance and actual design targets for ATM elements, in order to check achievability of safety requirements.

• Review of the face validity of IRP and its conclusions with progressively wider groups of stakeholders during the SESAR Development Phase (WP16.1.1.1).

12 ANNEX II. PLANNED AIR TRAFFIC MANAGEMENT CHANGES

12.1 INTRODUCTION

12.1.1 Objective

This appendix presents a high-level review of the ATM changes that are expected to be implemented in the SESAR Concept of Operations in the period up to 2020. Its purpose is to establish how to model them in the Integrated Risk Picture (IRP), in order to represent SESAR and form the Safety Target Achievement Roadmap (STAR).

Most of the ATM changes are Operational Improvements (OIs) defined in SESAR. In a few cases, other ATM changes have been defined, where these result from SESAR but do not follow automatically in IRP (e.g. increased traffic). In future work, it may be appropriate to define enablers of the SESAR OIs in the same way.

Episode 3


of 240


12.1.2 Grouping

The grouping of the ATM changes is defined by the needs of the IRP risk model. In most cases, an ATM change is either an OI, an OI step as defined by SESAR, or a component of an OI step. These can be recognised by 2-digit, 4-digit or 6-digit suffices on code numbers respectively. In future work, it may prove necessary to refine the list by grouping similar changes or splitting ones with large, diverse impacts.

The ATM changes are grouped according to the main elements of ATM used in early versions of the OI list. These are airspace management (Section12.2), network management (Section 12.3), queue management (Section 12.4), conflict management (Section 12.5), airport operations (Section 12.6), aircraft operations (Section 12.7) and information management (Section 12.8). The OI step code numbers prefixes AOM, DCB, TS, CM, AO, AUO and IS correspond to these groups. However, SESAR has renumbered the OIs themselves as “lines of changes”, with the prefix L. This labelling scheme is followed in the present work.

At present the appendix also provides further initial details on certain OI steps. Those are:

1. IS-0401 and IS-0402;

2. AO-0203, AO-0204, AO-0205, AO-0206, and AO-0207; and

3. AUO-0501 and AUO-0502.

Currently, they are represented in the IRP under

1. L1-02;

2. L10-02; and

3. L10-07 respectively.

12.1.3 Review Topics

In order to model the OIs in IRP, the following information is required for each OI step:

OI Definition

1 ID No. The OI number (or step number) from the OI list

2 Title The OI title.

3 Description The OI description and rationale.

4 Timescale Information on extent of current and future implementation.

5 Further information Other documents with more detailed descriptions and the top-level safety claims for the OI.

Hazard identification

6 Benefit focus The main aim of the OI (e.g. safety, capacity, efficiency, environment or security).

7 Safety benefits The key anticipated improvements in safety resulting from the OI.

8 Safety hazards The possible adverse impacts on safety resulting from the OI.

9 Overall effects The overall expected effect on accident risks (in the absence of traffic changes). (This is given at the end of each ATM change, because it also serves as a qualitative summary)

Modelling in IRP

10 Representation in IRP Parameters in IRP used to model the OI.

11 Quantitative effect of full implementation

The expected range of impact on the modelling parameter once the OI is fully implemented. This is given as a best estimate and a confidence range.

Episode 3


of 240


12 Effects profile The expected pattern of growth of the modelled effect over the implementation timescale.

13 Interactions Any other OIs that must be implemented before the present OI (enablers) or otherwise influence the effect of the OI (interactions).

12.1.4 Sources

The SESAR OIs list provides information for items 1-6 and sometimes 7 and 9. It also includes implementation dates (item 12) and predecessor OIs (item 13).

Where a safety case or safety assessment is available, this should identify hazards for items 7-9. However, at present such studies are only available for very few OIs.

All other information have been obtained from expert inputs from EP3 Safety study team and with multi-disciplinary groups, with knowledge of SESAR and IRP. Hazard identification (HAZID) workshops have been conducted (5 in 2007, 3 in 2008), and used to address selected key parameters. In order to complete the work, all other necessary modelling parameters have been selected by the team. These represent preliminary assumptions, for which validation further validation in the course of the SESAR Development Phase would be highly desirable.

Where information has been obtained from safety assessments or safety cases, the source is given under “further information”.

Validation of draft results has been performed by the modelling team and ATM specialists (3 sessions in 2008).

Verification that the assumed effects of ATM changes are modelled as intended by IRP is a complex task, because of the inherent complexity of the model itself and the various possible ways in which an ATM change could be added to the risk picture. Verification was undertaken as each ATM change was added, but because the IRP model continues to develop in a complex way, it would be desirable to update this verification in future work.

12.1.5 Results

Results for each ATM change have been calculated by the STAR tool, and are included as part of the overall effects below with the prefix “STAR 2008”. These results are the changes in the frequency of fatal accidents in the 5 modelled accident categories that occur when the ATM change is implemented. The accident categories are abbreviated as MAC (mid-air collision), runway, taxi, CFIT (controlled flight into terrain) and wake. The results are expressed as a non-dimensional risk reduction worth (NRW), defined as:

)(

)()(

o

oOI BR

OIRBRNRW

−=

Where:



The chosen risk unit is the ATM contribution to fatal accident frequency in each accident category.

In order to obtain a meaningful comparison, each OI is applied to the 2005 base case. Each OI is also applied in full, assuming the maximum implementation represented below, and ignoring any restrictions from interactions with other OIs.

Episode 3


of 240


12.2 AIRSPACE ORGANIZATION AND MANAGEMENT

ID No. AOM-0101

Title Harmonised airspace classification

Harmonised ICAO airspace classification at FL195 and below.

Description The airspace below FL195 and associated traffic handling are reorganised in each State to ensure common adoption and uniform application of ICAO ATS Classification in the ECAC Region.

Ensure common adoption and uniform application of airspace classes in the ECAC region. Airspace classification should be appropriate to the traffic operating in the airspace. Move towards a continuum of airspace not constrained by national boundaries, making the transition from the airspace of one State to that of another transparent to the flight-crew, together with a reduction in the complexity of associated operational procedures.

Timescale Harmonisation of airspace classes has been achieved above a common division level FL195.

Further information

Benefit focus Capacity

Safety benefits Reduced complexity of airspace design. Hence:

� Simplification of flight planning. Hence reduced planning errors.

� Reduction in AIS data. Hence reduced AIS data problems.

� Standardisation of flight operations and procedures.

� Reduction of ambiguity and confusion about service provision resulting from multiple airspace classifications.

� Reduction of ATCO and pilot workload due to simplification of coordination procedures

Safety hazards Confusion during changeover - possible temporary increase in errors.

Representation in IRP Increase in quality of airspace design.

Quantitative effect of full implementation

10% reduction (Confidence range: 1% to 20%) in ATCO/pilot errors influenced by airspace design (IRP 2005 Methodology Report App III.8.3). ME=13%, hence ∆PS=30log(1-0.1x0.13)/log(1-0.13)=3 for airspace design.

Effects profile Between 2008 and 2011.

Interactions

Overall effects Safety + (Enhanced through use of common criteria for the same types of airspace (e.g. CTR, TMA) and by the reduced number of ICAO ATS airspace classes in use.)

STAR 2008: 1.3% reduction in MAC; 1.4% in wake

ID No. AOM-0102

Title Three categories of airspace

Episode 3


of 240


Description The current airspace classification is replaced by a new model consisting of 3 airspace categories

� N iNtended Traffic Environment within which all traffic is known to ATS, both with position and with flight intentions,

� K Known Traffic Environment within which all traffic is known to ATS either with position only or with flight intentions as well,

� U Unknown Traffic Environment within which not all traffic is known to ATS.

The objective is to have an airspace organisation transparent and as simple as possible for users' perception while permitting unambiguous rules for ATS service provision and describing in an easy way the flight planning, communication actions and minimum equipment required through the use of the three environments (N, K, U).

Timescale

Further information


Safety benefits As for AOM-0101 plus:

Increased protection against VFR-IFR conflicts in cases where classification is in effect upgraded.

However, benefits may be negated if additional local requirements introduced to manage concerns about VFR-IFR conflicts.

Safety hazards As for AOM-0101 plus:

Reduced protection against VFR-IFR conflicts in cases where classification is in effect downgraded.



Assumed as for AOM-0101


Interactions Required predecessor AOM-0101 (Type 2 - must be 100% complete)

Overall effects Safety + (Enhanced through use of common criteria for same type of airspace, transparent and as simple as possible for users perception).


Episode 3


of 240


ID No. AOM-0103

Title Two categories of airspace

Description Gradual removal of Category K airspace to be changed into:

� Category N, when ATS systems are capable of providing real-time data on the position and intentions of all aircraft within the applicable airspace;

� Category U, in other cases.

Timescale

Further information


Safety benefits As for AOM-0102 plus:

Increased ATC knowledge of flight intentions when reduced to 2 airspace categories (5A) - general reduction in ATC errors.

Safety hazards As for AOM-0102



Assumed as for AOM-0101


Interactions Required predecessor AOM-0102 (Type 1 - % implementation cannot be exceeded).

Overall effects Safety + (no justification).


ID No. L2-02

Title Optimising airspace allocation

Optimising airspace allocation and usage

Description OI steps included:

� AOM-0201: Moving airspace management into day of operation

� DCB-0203: Enhanced ASM/ATFCM coordinated process

Hazid 8Nov07: Intended to avoid reserving airspace until it is actually needed. Equivalent to FUA extended to the day of operation

Timescale

Further information

Benefit focus Capacity & efficiency

Safety benefits Hazid 8Nov07: Improved airspace allocation removes constraints and reduces conflicts (for constant traffic). If it allowed airspace users to make more realistic plans, this would help remove discrepancies between ground and air plans.

Safety hazards Extra complexity of airspace design, more critical for ATCO to understand, hence possible extra errors.

Representation in IRP Reduction in plannable conflicts.

Reduction in quality of airspace design (inverse of AOM-0101).

Episode 3


of 240



Assumed 20% reduction in ineffective DCB for regions constrained by military airspace, assumed 4% overall (confidence range 0.2 to 5xBE).

10% increase in ATCO/pilot errors that are influenced by airspace design (as assumed in IRP 2005 Methodology Report App III.8.3) (confidence range 0.1 to 2xBE). ME=13%, hence ∆PS=30log(1-0.1x0.13)/log(1-0.13) =3 for airspace design.


Interactions

Overall effects Hazid 8Nov07: A significant safety benefit


ID No. L2-03

Title Advanced FUA

From flexible use of airspace (FUA) to Advanced FUA,


� AOM-0202: Enhanced real-time civil-military coordination of airspace utilisation

� AOM-0203: Cross-border operations facilitated through collaborative airspace planning with neighbours

� AOM-0204: Europe-wide shared use of military training areas

� AOM-0205: Modular temporary airspace structures and reserved areas

� AOM-0206: Flexible military airspace structures

� AOM-0208: Dynamic mobile areas (mobile airspace exclusion areas)

Hazid 8Nov07: Extends FUA to the execution phase, which is later in the G2G cycle than L2-03

Timescale

Further information


Safety benefits As L2-02

Safety hazards Hazid 8Nov07: As L2-02 but dynamic airspace may confuse controllers and is difficult to show on a display.

Hazid 20Nov08: AOM-0206 and 0208 will increase potential for military penetration of controlled airspace, but these only apply from 2017.


Reduction in quality of airspace design.


Assumed 2% reduction in ineffective DCB (0.5xL2-02) (confidence range 0.2 to 5xBE).

10% increase in ATCO/pilot errors that are influenced by airspace design (as L2-02) (confidence range 0.1 to 2xBE). ME=13%, hence ∆PS=30log(1-0.1x0.13)/log(1-0.13)=3 for airspace design.


Episode 3


of 240


Interactions

Overall effects Hazid 8Nov07: A slight safety benefit

STAR 2008: 1.2% increase in MAC; 1.4% in wake [because design effect outweighs DCB]

ID No. L2-04

Title Facilitating OAT Transit

Facilitating operational air traffic (OAT) transit.


� AOM-0301: Harmonised EUROCONTROL ECAC area rules for OAT-IFR and GAT interface

� AOM-0302: Harmonised OAT flight planning

� AOM-0303: Pan-European OAT transit system

� AOM-0304: OAT trajectories (interfacing military mission and business trajectories)

Hazid 8Nov07: OAT in transit would use the same flight plans as IFR.

Timescale

Further information

Benefit focus Safety & efficiency

Safety benefits Harmonised OAT flight planning may improve quality of flight planning information for OAT.

Harmonised OAT handling reduces complexity of OAT procedures, and may reduce ATC errors in OAT-GAT interface.

Safety hazards

Representation in IRP Improved flight planning information.

Reduction in plannable conflicts involving military aircraft - neglected.


10% reduction in errors due to flight planning information. ME=38%, hence ∆PS=30log(1-0.1x0.38)/log(1-0.38)=2 for flight planning.


Interactions

Overall effects OI: Safety + (no justification).

Hazid 8Nov07: Although some military aircraft will not comply, there is a safety benefit from those that do.

STAR 2008: 0.5% reduction in MAC; 1.7% in runway; 2.5% in taxiway; 0.1% in CFIT; 3.7% in wake [because IRP models flight planning information as a common effects on all accident types]

Episode 3


of 240


ID No. L2-05

Title Flexibility of route network

Increasing flexibility of route network.


� AOM-0401: Multiple route options & airspace organisation scenarios

� AOM-0402: Further optimisation of route network

� AOM-0403: Pre-defined ATS routes only when and where required

Timescale

Further information

Benefit focus Efficiency

Safety benefits Flexibility of airspace removes constraints and gives greater freedom in preventing conflicts, reducing ATCO task load (for constant traffic).

Safety hazards Increase in airspace complexity.

Reduction in ability of ATCO to detect conflicts based on experience.

Confusion during changeover - possible temporary increase in errors.

Representation in IRP Reduction in ATCO task load - part of STAR-03.

Assumed no other change in probability of unsuccessful conflict management.

Assumed no overall change in quality of airspace design.


Assumed 25% reduction in ATCO communications en-route (25% of communications) (Hazid 15Oct08) - modelled by STAR-03.


Interactions

Overall effects OI: Safety + (no justification).

Hazid 8Nov07: Marginal safety benefit

STAR 2008: 1.2% reduction in MAC; 0.7% in CFIT; 1.9% in wake [depends on STAR-03]

ID No. L2-06

Title Free Routes

Use of free routes/4D trajectories.


� AOM-0501: Use of Free Routing for Flight in Cruise Inside FAB

� AOM-0502: Use of Free Routing from ToC to ToD

� AOM-0503: Use of Free Routing from TMA-exit to TMA-entry

Timescale

Further information


Episode 3


of 240


Safety benefits More efficient use of airspace, hence fewer conflicts (if implemented in low density areas).

Reduced communications and co-ordination - reduced errors and ATCO task load (for constant traffic).

Safety hazards More complex traffic pattern, hence more difficult conflict identification (without more advanced controller tools).

Route structures will not help separate free route traffic (Hazid 18Sep08).

Possible confusion at point of transition from free route airspace to fixed route airspace.


Reduction in ATCO task load - part of STAR-03.

Change in ATCO role - part of STAR-04.

Reduction in conflict identification performance.

Reduction in route separation barrier.

Reduction in quality of airspace design.


Assumed 20% of conflicts are in low density en-route airspace suitable for free routing.

Assumed 50% reduction in MF5.3 strategic conflicts for free-route airspace, i.e. 10% overall (confidence range 0.2 to 5xBE).

Assumed 30% increase in MB5.1.2 ATCO failure to identify conflict for free-route airspace, i.e. 6% overall (confidence range 0.2 to 5xBE).

Assumed 100% MB11 ineffective route separation for free-route airspace, i.e. (1x20%+0.1*80%)/0.1 = 2.8x increase overall (confidence range 0.2 to 5xBE).

Assumed 50% increase in ATCO/pilot errors that are influenced by airspace design for free-route airspace, i.e. 10% overall (confidence range 0.1 to 2xBE). ME=13%, hence ∆PS=30log(1-0.1x0.13)/log(1-0.13) =3 for airspace design.

Assumed 25% reduction in ATCO communications en-route (25% of communications) in isolation, or 30% in combination with L2-05 (Hazid 15Oct08) - modelled by STAR-03.

Assumed 10% reduction in actively managed conflicts (for consistency with the above) - modelled by STAR-04.


Interactions Enabled by CM-0401 (Type 1 - needed for individual aircraft using free routes).

Overall effects STAR 2008: 5.0% increase in MAC; 0.8% in CFIT; 0.9% increase in wake [dominated by effect on route separation]

ID No. L2-07

Title Enhanced Terminal Airspace


� AOM-0601: Terminal airspace organisation adapted through use of best practice, PRNAV and FUA where suitable

� AOM-0602: Enhanced terminal route design using P-RNAV capability

Episode 3


of 240


Timescale Based on current technology and on the application of enhanced RNAV, mandating RNAV SIDs/STARs can be implemented between 2008 and 2010 in specific Terminal Airspace and in all Terminal Airspace post 2010. 4D RNAV aircraft capability will then offer potential further benefits by allowing 4D departure and arrival management to minimise environmental impact and to ensure efficient timing and accurate approach sequencing.

Further information


Safety benefits Improved airspace removes constraints and reduces conflicts, reducing ATCO task load (for constant traffic).

Improved navigation accuracy reduces collision/CFIT risk in isolation, but route design is expected to exchange this for extra capacity.

Safety hazards Extra complexity of separation based on performance capability may increase errors.

Representation in IRP Reduction in approach/departure ATCO task load - part of STAR-03.

Assumed no other significant change in safety. Safety benefits absorbed by extra traffic.


Assumed 10% reduction in ATCO communications in TMA, or 7.5% overall - modelled by STAR-03.


Interactions

Overall effects Safety + (no justification).

STAR 2008: 1.5% reduction in MAC; 0.8% in CFIT; 2.2% in wake

ID No. L2-08

Title Optimising climb/descent


� AOM-0701: Continuous descent approach (CDA)

� AOM-0702: Advanced continuous descent approach (ACDA) (harmonised CDA procedures from IAF)

� AOM-0703: Continuous climb departure

� AOM-0704: Tailored arrival (CDA mainly on idle power from top of descent)

Timescale DSNA is conducting experiments at Marseille airport; experiments at CDG have been proposed during night hours.

Further information

Benefit focus Environment

Safety benefits Simpler approach may reduce pilot errors.

Large reduction in ATCO-pilot communications (Hazid 15Oct08)

Safety hazards Mixed approach types causes extra procedural complexity and may increase ATCO errors.

Representation in IRP Reduction in approach/departure ATCO task load - part of STAR-03.

Episode 3


of 240



Assumed 20% reduction in ATCO communications in TMA, i.e. 15% overall (Hazid 15Oct08) - modelled by STAR-03.


Interactions

Overall effects STAR 2008: 3.0% reduction in MAC; 1.7% in CFIT; 4.5% in wake

ID No. L2-09

Title Flexible airspace configuration

Increasing flexibility of airspace configuration


� AOM-0801: Flexible sectorisation management

� AOM-0802: Modular sectorisation adapted to variations in traffic flows

� CM-0102: Automated support for dynamic sectorisation and dynamic constraint management

� SDM-0201: Remotely Provided Aerodrome Control Service

� SDM-0202: Transfer of area of responsibility for trajectory management

� SDM-0203: 'Generic' (non-geographical) controller validations

Timescale

Further information


Safety benefits Improved airspace removes constraints and reduces conflicts, reducing ATCO task load (for constant traffic).

Safety hazards Extra complexity of sectorisation, and sustained high workload may increase errors.

Representation in IRP Assumed no significant net change.


N/A


Interactions

Overall effects Safety + (CM-0102: Early management of constraints allows for pre-deconfliction and more effective application of separation provision)

STAR 2008: Safety neutral

12.3 NETWORK MANAGEMENT

ID No. L3-01

Title Network operations plan (NOP)

Collaborative layered planning supported by network operations plan

Episode 3


of 240



� DCB-0101: Enhanced seasonal NOP elaboration

� DCB-0201: Interactive network capacity planning

� DCB-0102: Interactive rolling NOP

� DCB-0103: SWIM-enabled NOP

Timescale

Further information


Safety benefits Improved quality of information about flights.

Enables better demand-capacity balancing - see L4-01.

Includes shared 4D trajectories based on SBTs - see L3-03 and CM-0401.

Safety hazards Inadequate NOP will disable DCB, sector planning and conflict management.

SWIM failures - see L1-04.

Change in ATCO role - see STAR-04.

Representation in IRP NOP is an enabler, so its benefits are modelled under the other OIs above.



Interactions

Overall effects

ID No. L3-02

Title User-driven prioritisation

Introducing user-driven prioritisation process


� AUO-0101: ATFM slot swapping

� AUO-0102: User-driven prioritisation process (UDPP)

Hazid 8Nov07: A process managed by airlines to adapt demand to network capacity by adjusting sequences.

Timescale

Further information


Safety benefits None

Safety hazards Late adjustment will increase controller task load and may introduce hazards that the controller may not identify.

Representation in IRP Reduction in quality of traffic sequence.


10% increase in ATCO errors influenced by traffic sequence (confidence range 0.2 to 5xBE). ME=10%, hence ∆PS=30log(1-0.1x0.1)/log(1-0.1)=-3 for traffic sequence.


Episode 3


of 240


Interactions

Overall effects STAR 2008: 0.3% increase in MAC; 0.4% increase in wake

ID No. L3-03

Title Shared business trajectory (SBT)

Planning of shared business trajectory


� AUO-0201: Enhanced flight plan filing facilitation

� AUO-0203: Shared business/mission trajectory (SBT)

� AUO-0204: Agreed reference business/mission trajectory (RBT) through collaborative flight planning

Timescale

Further information


Safety benefits Better flight planning.

This OI only covers flight planning benefits. Benefits of RBT to ATCO are covered under CM-0401.

Safety hazards

Representation in IRP Improved quality of flight planning information


Assumed 20% reduction in errors due to flight planning information (confidence range 0.2 to 1.5x BE) with ME=95%, hence ∆PS=30log(1-0.2x0.95)/log(1-0.95)=2 for flight plan.


Interactions

Overall effects Hazid 8Nov07: Major safety improvement in combination with CM-0401.

STAR 2008: 0.4% reduction in MAC;1.5% in runway; 2.1% in taxiway; 0.1% in CFIT; 3.2% in wake

ID No. L4-01

Title Network capacity management

Improving network capacity management processes


- DCB-0204: ATFCM scenarios

- DCB-0205: Short-term ATFCM measures

- DCB-0206: Coordinated network management operations extended within day of operation

- DCB-0207: Management of critical events

- DCB-0303: Improved operations at airport in adverse conditions using ATFCM techniques

- DCB-0208: Dynamic ATFCM (i.e. during the flight)

- DCB-0305: Network management function in support of UDPP

Episode 3


of 240


Timescale Netherlands AFMU for coordinated ASM/ATFCM planned for 2008

Further information


Safety benefits Improved demand-capacity balancing. Hence:

� Reduced traffic complexity

� Reduced delays

� Reduced congestion at bottlenecks and in critical events

� Reduced communications at sector entry from pilots wanting to change trajectory

� Reduced ATCO task load (for constant traffic).

Safety hazards Reversed effects above if operational benefits not achieved through data errors (e.g. misleading data, inaccurate predictions) or airspace user adjustments.

Severe reduction in ability of ATCO to detect conflicts based on experience (Hazid 15Oct08).


Reduction in delays - see STAR-02.

Reduction in ATCO task load - past of STAR-03.

Reduction in ATCO reliability.


Assumed 50% reduction in ineffective DCB, represented in the model by DCB coverage = 90% (compared to 80% in 2005).

Assumed 20% reduction in ATCO communications en-route and 8% in terminal, i.e. 11% overall - modelled by STAR-03.

Assumed 20% increase in ATCO errors (tactical and planning) due to reliability. ME=46% for separation, hence ∆PS=30log(1+0.2x0.46)/log(1-0.46)=-4 for ATCO reliability.


Interactions Required predecessor L3-01 (Type 1 - % implementation cannot be exceeded).

As traffic increases, the benefits will be lost (Hazid 15Oct08). [Not yet modelled]

Overall effects Safety + for management of critical events (no justification).

STAR 2008: 1.8% reduction in MAC; 1.2% in CFIT; 11.3% increase in wake

ID No. L4-02

Title Monitoring ATM performance


� SDM-0101: Network Performance Assessment

� SDM-0102: Civil-Military Cooperation Performance Assessment

� SDM-0103: Sustainability Performance Management of the ATM Network

Timescale

Further information

Episode 3


of 240



Safety benefits

Safety hazards

Representation in IRP Assumed to be risk neutral


N/A


Interactions

Overall effects Hazid 8Nov07: No significant safety impact


12.4 QUEUE MANAGEMENT

ID No. L7-01

Title Arrival traffic synchronisation


� TS-0102: Arrival Management Supporting TMA Improvements (incl. CDA, P-RNAV)

� TS-0103: Controlled Time of Arrival (CTA) through Use of Datalink

� TS-0104: Integration of Surface Management Constraint into Arrival Management

� TS-0106: Multiple Controlled times of Over-fly (CTOs) through use of data link

� TS-0303: Arrival Management into Multiple Airports

� TS-0305: Arrival Management Extended to En Route Airspace

FI 28Oct08: AMAN will provide automated optimal sequences based on expected arrival times and wake categories, allowing aircraft to reduce speed earlier and reducing airborne holding.

Timescale FI 28Oct08: AMAN will be used in London TMA from 2009.

Further information


Safety benefits Reduced airborne holding and other delays.

Reduced approach controller task load associated with manual sequencing (for constant traffic).

Reduced mid-air conflicts associated with traffic peaks in manual sequencing

Reduced complexity of trajectory compared to vectored approach.

Safety hazards Increased en-route controller task load (unless automatic).

Increase in approach controller task load if system fails.

Reliance on automatic sequencing reduces skills and may result in excessive holding if system unavailable.

Increased movements in adverse weather (low visibility & crosswind).

Mid-air conflicts may be created to optimise runway throughput.

Episode 3


of 240


Representation in IRP Reduction in holding manoeuvres

Changes in ATCO task load - neglected.


Assumed 40% reduction in airborne holding (confidence range 10 to 90%)

Effects profile Between 2007 and 2023

Interactions

Overall effects Hazid 8Nov07: Safety beneficial

STAR 2008: 2.5% reduction in MAC (by 2020) [NB airspace type must be generic in UserInf]

ID No. L7-02 (part of STAR 2006 ID33)

Title Departure traffic synchronisation


� TS-0201: Basic Departure Management (DMAN)

� TS-0202: Departure Management Synchronised with Pre-departure Sequencing

� TS-0203: Integration of Surface Management Constraint into Departure Management

� TS-0302: Departure Management from Multiple Airports

� TS-0306: Optimised Departure Management in the Queue Management Process

Timescale

Further information


Safety benefits Reduced ground controller task load and taxiway conflicts associated with re-sequencing during taxi (for constant traffic).

Safety hazards Increase in ATCO workload if system fails.

Representation in IRP Reduced taxiway conflicts.


Assumed 50% reduction in taxi conflicts due to resequencing (confidence range 10 to 90%)


Interactions

Overall effects Hazid 8Nov07: Small safety improvement

STAR 2008: 10% reduction in taxi

ID No. L7-03

Title Managing interactions

Managing interactions between departure and arrival traffic

Episode 3


of 240



� TS-0301: Integrated Arrival / Departure Management for full traffic Optimisation, including within TMA Airspace

� TS-0304: Integrated Arrival / Departure Management in the Context of Airports with Interferences (other local/regional operations)

Timescale

Further information


Safety benefits As TS-01 and TS-02.

Safety hazards As TS-01 and TS-02

Representation in IRP Assumed to be risk neutral.


N/A


Interactions Presumed predecessor L7-01 (Type 1 - % implementation cannot be exceeded)

Overall effects Safety + (No justification)


12.5 CONFLICT MANAGEMENT

ID No. L5-02

Title Managing air traffic complexity

Description SESAR: Ensure that ATCO’s mental/cognitive limits are not exceeded.

OI steps included:

� CM-0101: Automated support for traffic load (density) management

� CM-0103: Automated support for traffic complexity assessment

� CM-0104: Automated controller support for trajectory management

Hazid 7Nov07: At present, a traffic/capacity manager decides on sectorisation to optimise ATCO workload using simple measures, e.g. number of aircraft. CM-0103 will predict a measure of traffic complexity, providing a better guide to ATCO workload, 20-40 minutes ahead. CM-0103 will support the planning controller or multi-sector planner intervening to reduce complexity

Timescale Only applicable in high density airspace (e.g. MUAC + London).

Further information


Safety benefits Prediction of complexity improves optimisation of ATCO workload, reducing errors, including:

� Reducing workload peaks and hence errors due to cognitive overload.

� Reducing workload troughs and hence errors due to loss of attention.

Episode 3


of 240


Safety hazards Optimisation of workload reduces safety margins, leaving ATCO with less scope for managing unexpected problems.

Representation in IRP Workload changes assumed to be safety neutral.

Complexity reduction - see L5-03.


N/A


Interactions Supports L5-03

Overall effects Safety + (CM-0104: Minimised risks through complexity reduction; Human capabilities are not exceeded; Early detection of traffic bunching and having lead time for interventions)


ID No. L5-03

Title Enlarging ATC planning horizon

Description SESAR: Traffic planning is extended over two or more ATC sectors and synchronisation of traffic flows is performed in collaboration with other traffic management roles. Multi-sector planning enables also to balance the 'constraints' put on flights by various nearby destination airports.

OI steps included:

� CM-0301: Sector team operations adapted to new roles for tactical and planning controllers

� CM-0302: Ground based automated support for managing traffic complexity across several sectors

Hazid 7Nov07: At present, planning occurs within a sector. MSP, which may be a system not a person, will identify conflicts from 4D trajectories before sector entry, and advise an upstream sector (currently controlling the aircraft) to modify the trajectory, hence avoiding the conflict.

Timescale

Further information

Benefit focus Capacity & safety

Safety benefits Earlier planning intervention gives greater scope for conflict reduction, provided predicted trajectories are accurate.

Communications for conflict reduction are by planning controller not tactical, and hence simpler.

Reduction in tactical ATCO task load (for constant traffic)

Increase in planning ATCO task load (not safety critical)

Safety hazards Possible confusion of responsibility for separation.

Reversed benefits if system fails.


Increased coverage of sector planning (for simplicity, instead of modelling as an extra barrier).

Episode 3


of 240



Assumed 30% reduction in ATCO communications en-route, i.e. 8% overall - modelled by STAR-03.

Assumed 75% reduction in no sector planning (confidence range 50 to 95%).


Interactions Requires shared 4D trajectories (CM-0401) to implement effectively (Type 5).

Overall effects Safety + (Potential conflicts within a medium-term time horizon will be identified and resolved. Minimised need for tactical intervention)


ID No. CM-0201

Title Coordination support

Automated assistance to controller for seamless coordination, transfer and dialogue

Description SESAR: The system permits controllers to conduct screen to screen coordination between adjacent ATSUs / sectors reducing workload associated with coordination, integration and identification tasks. The system supports coordination dialogue between controllers and transfer of flights between ATSUs, and facilitates early resolution of conflicts through inter ATSU/sector coordination. This automation alleviates controller's workload. Electronic coordination capabilities are a pre-requisite to further automation of controllers' tasks.

Hazid 7Nov07: At present, coordination is often by telephone, by the planning controller, and automation support to coordination (SYSCO - limited to 2 parties) has been slow to be deployed because of its complexity. Given shared 4D trajectories, automated coordination will be practical on a wider scale

Timescale DSNA implementation planned in Coflight as 2011 support

Further information

Benefit focus Safety

Safety benefits Reduced communication on sector entry.

Reduced ATCO task load (for constant traffic).

Reduced coordination errors.

Reduced system complexity (coordination requirements strongly influence ATC system complexity).

Safety hazards Reversed benefits if system fails. However, aircraft can follow the agreed trajectories stored in their FMS.

Reduced vigilance in new role of monitoring automatic system.

Representation in IRP Reduction in coordination errors.

Reduction in ATCO task load - part of STAR-03.

Dependency of ATCO workload on system reliability - unchanged. Could increase HMI score, but assume this does not in fact increase.

Changed ATCO role - part of STAR-04.

Episode 3


of 240



Assumed 50% reduction in MB9.3 Inadequate planning controller coordination (confidence range 10 to 75%)

Assumed 20% reduction in ATCO communications en-route and 8% in terminal, i.e. 11% overall - modelled by STAR-03.

Assumed 10% reduction in actively managed conflicts - modelled by STAR-04.


Interactions

Overall effects Safety + (no justification)


Episode 3


of 240


ID No. CM-0202

Title Conflict prevention support for ATC planning

Automated assistance to ATC planning for preventing conflicts in en-route airspace

Description The system assists the controller in conflict identification and planning tasks by providing automated early detection of potential conflicts; facilitating identification of flexible routing/conflict free trajectories; identifying aircraft constraining the resolution of a conflict or occupying a flight level requested by another aircraft.

Conflict detection in current systems is basically a manual task, performed on the basis of paper or electronic flight strips. Planning controllers prepare separation at hand-over sector boundary points, while tactical controllers are responsible for maintaining the separation along the entire flight path within the sector. The heavy workload of tactical controllers is one of the reasons for performance shortfall resulting in capacity problems.

Timescale MTCD is already implemented in some centres (Sweden, Denmark, France) and works best with stable en-route trajectories.

Further information


Safety benefits Early detection of conflicts at planning stage

Reduced tactical controller workload

Safety hazards Conflict identification failure or increase in ATCO workload if system fails.

Reduced vigilance in new role of monitoring automatic system.

Representation in IRP Reduction in conflict detection failures.

Reduction in ATCO workload - part of STAR-03.

Dependency of ATCO workload on system reliability - unchanged.



Assumed 75% reduction in MB9.2.2 Planning controller failure to identify conflict, once accurate 4D trajectories available (confidence range 20 to 95%). [This has little effect because of high CCF1]

Assumed 30% reduction in ATCO communications - modelled by STAR-03.


Effects profile Between 2007 and 2015. Could be implemented in most centres once trajectory information available.

Interactions Improved given shared 4D trajectories (CM-0401) (Type 5).

Overall effects SESAR: Safety + (Early conflict detection, more decision support and less tactical interventions will add to safety)

Hazid 15Oct08: 2 out of 3 plannable conflicts expected to be removed by MTCD if combined with enlarged planning horizon (L5-03).

STAR 2008: 5.4% reduction in MAC; 5.4% in wake; 0.9% increase in CFIT [because STAR-03 outweighs STAR-04]

Episode 3


of 240


ID No. CM-0203

Title Flight path monitoring

Automated flight conformance monitoring

Description SESAR: The system provides the controller with warnings if aircraft deviate from a clearance or plan, and reminders of instructions to be issued. The objective of this automation is to assist the controller in maintaining situational awareness and relieving him from some routine tasks. Conformance monitoring is also essential for triggering trajectory re-calculation for the detection of potential conflicts.

Hazid 7Nov07: Flight path monitoring should be seen as an extension to Conformance Monitoring in support of MTCD with Intent Monitoring (checking that the ATC clearance has been correctly interpreted and accepted by the FMS) as an added feature.. FPM is very dependent on accurate 4D trajectories.

Hazid 15Oct08: Valid for approach as well

Timescale

Further information


Safety benefits Early detection of deviations (e.g. level busts) before conflicts occur

Possible detection of terrain conflicts


Reduced vigilance due to automatic monitoring.

Representation in IRP Improved detection of conflicts due to unplanned deviation.




Assumed 25% reduction in MB6.1.2 ATCO failure to identify conflict due to pilot deviation, once accurate 4D trajectories available (confidence range 5 to 50%).

Assumed 25% reduction in CB3.2.2.1.2 ATCO failure to detect terrain conflict with radar (confidence range 5 to 50%).

Assumed negligible change in actively managed conflicts.


Interactions Improved given shared 4D trajectories (CM-0401) (Type 5).

Overall effects SESAR: Safety + (No justification)

OATA FHA: 75% reduction in ATC system failures overall

STAR 2008: 3.2% reduction in MAC; 2.2% in CFIT

Episode 3


of 240


ID No. CM-0204

Title Near-term conflict detection

Automated support for near-term conflict detection & resolution and trajectory conformance monitoring

Description SESAR: The system provides assistance to the Tactical Controller to manage traffic in his/her sector of responsibility and provides resolution advisory information based upon conflict alert tool information within the tactical ATC environment. The objective is to provide some support the controller in order to bridge the 'automation gap' between the MTCD tool and the safety alert.

Hazid 7 Nov 07: Near term conflict detection (such as TCT) will provide about 5 minutes warning of a conflict with resolution advice if requested. It is under evaluation – the main design issue is to ensure that this is helpful and not distracting.

Hazid 20Nov08: It is not clear how CM-0203 and 0204 differ from CM-0404. Possibly it does not require RBT, but if so it could be implemented before 2016.

Timescale NATS intends to deploy operationally a tactical conflict detection and resolution tool in 2009; the resolution part is only at CORA 1 level (context information to support controller resolution).

Further information


Safety benefits Hazid 10Jul08: Improved identification of conflicts (between MTCD and STCA), including conflicts missed by MTCD/planning, conflicts due to pilot lateral deviations (but not level busts), airspace penetrations, and conflicts caused by ATCO incorrectly identifying conflicts in MTCD-based plan and unsuccessfully trying to remove them. Improved resolution of conflicts once later phases of TCT introduced by 2020.

Hazid 15Oct08: Reduces ATCO task load but not communications, and no effect on ATCO role.


Representation in IRP Improved identification of plannable, unplannable and ATCO-induced conflicts.

Improved resolution of plannable conflicts.



35% reduction in MB5.1.2/MB6.1.2 ATCO failure to identify conflict (confidence range 10 to 50%).

10% reduction in MB7 Ineffective separation of ATCO induced conflict (confidence range 1 to 50%).

10% reduction in MB5.1.3.1/MB5.1.3.2 Inadequate ATCO conflict management (confidence range 1 to 50%).


Interactions Required predecessor CM-0401 (Type 1 - % implementation cannot be exceeded)

Overall effects SESAR: Safety + (Fill the gap between MTCD and STCA).

OATA FHA: 75% reduction in ATC system failures overall.

Hazid 10Jul08: 35% improvement in conflict identification.

STAR08: 3.6% reduction in MAC

Episode 3


of 240


ID No. CM-0401

Title Shared 4D trajectory

Use of shared 4D trajectory as a mean to detect and reduce potential conflicts

Description The use of shared trajectory (RBT/4DT) will increase the performance of conflict detection tools, reduce the number of false conflicts and reduce the controller workload. This application will reduce the uncertainty of the trajectory, allow better conflict detection, increase safety by air-ground common trajectory, and reduce controller workload routine to monitor the trajectory and to detect conflict.

Timescale The downlink of onboard computed Predicted Trajectory (PT) to help ground system conflict detection and resolution will be available from 2013 onwards.

Further information


Safety benefits Reduced user requests to ATCOs, because users will be following their own trajectories, hence reduced ATCO task load and improved situation awareness. At present, 35% of aircraft have diverged from their trajectories. Major safety improvement (Hazid 8Nov07).

Improved pilot-ATCO coordination through common trajectory information.

This OI covers benefits to ATCO. Benefits from flight planning are modelled under L3-03. Improved detection of conflicts and reduction in false conflicts are modelled under CM-0202 and CM-0204. Benefits for ATC and pilot workload are modelled under AUO-0302 and 0303.

Safety hazards Conflict identification failure if system fails or data corrupted.


Change in ATCO role - part of STAR-04.


Assumed 40% reduction in ATCO communications en-route, i.e. 10% overall - modelled by STAR-03.

Assumed 10% reduction in actively managed conflicts (for consistency with the above) - modelled by STAR-04.


Interactions Hazid 15Oct08: Required predecessor AUO-0302 (Type 1 - % implementation cannot be exceeded)

As traffic increases, ability to accommodate user trajectories will be constrained, so benefits will be lost (Hazid 15Oct08). [Not yet modelled]


STAR 2008: 1.7% reduction in MAC; 1.7% in wake; 0.4% increase in CFIT

Episode 3


of 240


ID No. CM-0402

Title Coordination-free Transfer of Control

Coordination-free Transfer of Control through use of Shared Trajectory

Description A single version of the current aircraft clearance and its RBT is simultaneously available at all sectors. The aircraft's current trajectory when down linked permits the each receiving ATCO to identify any inconsistencies between the expected (as per flight plan) aircraft performance and its actual.

Common trajectory information equally available to all sectors permits the validation of proposed sector entry and initial trajectory and flight plan information: removing requirements to verify clearance and routing information on handoff between adjacent sectors. Coordination is required in non-nominal situations and when either time critical information or trajectory changes must be communicated.

Timescale

Further information


Safety benefits As CM-0201, but coordination completely removed

Safety hazards As CM-0201, but system errors still possible

Representation in IRP As CM-0201


Assumed 95% reduction in MB9.3 Inadequate planning controller coordination (confidence range 50 to 99%)

Assumed 20% reduction in ATCO communications - modelled by STAR-03.





STAR08: 3.8% reduction in MAC; 0.8% in MAC; 4.7% in wake

Episode 3


of 240


ID No. CM-0403

Title Conflict dilution by upstream action on speed

Description SESAR: The system - through use of better navigation accuracy, FMS performance and air/ground communication facilities - is able to 'dissolve' conflicts by minor adjustments of flight parameters (vertical/horizontal speed, rate of climb/descent) not directly perceivable by the controller and not conflicting with their own action and responsibility. The objective is to reduce the number of residual conflicts, thus increasing sector safety and productivity while maintaining controllers in the decision-making loop. This air-ground cooperative and human-centred ATC automation allows transition towards further automation while respecting the operator cognitive processes and taking account the fact that only part of aircraft will be equipped.

Hazid 7Nov 07: This needs further research and has important HF issues (subliminal aspects). It would also need very precise trajectories

Timescale

Further information SESAR Conops TC-SA (Trajectory Control Through Ground Based Speed Adjustments).


Safety benefits Reduction in conflicts.

Safety hazards Confusion of ATCO

Representation in IRP Neglected


N/A





Episode 3


of 240


ID No. CM-0404

Title Enhanced conflict detection

Enhanced tactical conflict detection/resolution and conformance & intent monitoring

Description SESAR: Advanced automation support for controllers including conflict detection and resolution, conformance monitoring (CM), intent monitoring (INT) and complexity monitoring. In combination these tools detect almost all aircraft/aircraft conflicts, aircraft penetrations of segregated airspace and potential task overloads with sufficient time to allow an orderly resolution. The tools also effectively monitor the ATM system for human error.

Hazid 7Nov 07: This is an automated version of TCT/CORA in CM-0204.

Hazid 20Nov08: It is not clear how this OI differs from CM-0203 and 0204.

Timescale

Further information


Safety benefits Improved identification of conflicts

Improved resolution of conflicts

Reduced tactical controller workload (for constant traffic)


Extra complexity of information.

Reduced redundancy through interconnections

Representation in IRP Duplicates CM-0204


N/A




STAR 2008: Not modelled

Episode 3


of 240


ID No. CM-0405

Title Preventing conflicts in terminal areas

Automated Assistance to ATC Planning for Preventing Conflicts in TMA

Description SESAR: Ground system route allocation tools that automatically select the optimum conflict-free route when triggered by a specific event are implemented to assist the ANSP in managing the potentially large number of interacting routes. In the most complex TMAs it is assumed that many of the pre-defined arrival and departure routes (2D and 3D) will interact. To assist with the efficient utilisation of this route network an MTCD-based tool will be required to allocate flights to routes in real time ensuring that each flight remains conflict-free.

Hazid 7Nov 07: Because departure routes interact, conflict detection must be updated once the take-off time is known, and a conflict-free trajectory can be agreed and up-linked at this point

Timescale

Further information


Safety benefits Improved conflict detection in TMA.

Automatic separation planning in TMA.

Safety hazards Conflict identification failure if system fails

Representation in IRP Improved identification of conflicts and separation planning



20% reduction in MB5.1.2 ATCO failure to identify conflict (confidence range 1 to 50%) in terminal areas (70% of conflicts).

20% reduction in MB5.1.3.1 Misjudgement in separation planning (confidence range 1 to 50%) in terminal areas (70% of conflicts)



Overall effects STAR08: 0.9% reduction in MAC

ID No. CM-0406

Title Detecting conflicts in terminal areas

Automated Assistance to ATC for Detecting Conflicts in Terminal Areas Operations

Description SESAR: Ground system situation monitoring, conflict detection and resolution support is deployed to ensure safety and assist with task identification in the TMA. Even if conflict-free route allocation is deployed, there will still be circumstances when flights have to deviate from their clearance. This tool will assist the ANSP in detecting and assessing the impact of such deviations.

Hazid 7Nov 07: If aircraft deviate from the agreed trajectory (e.g. due to slower than intended climb), the system will detect any resulting conflicts.

Timescale

Further information


Episode 3


of 240


Safety benefits Improved conflict detection in TMA.

Safety hazards Conflict identification failure if system fails

Representation in IRP Improved identification of conflicts.



10% reduction in MB6.1.2 ATCO failure to identify conflict due to pilot deviation (confidence range 1 to 50%) in terminal areas (70% of conflicts).



Overall effects STAR08: 0.9% reduction in MAC

ID No. L8-02

Title Precision trajectory clearances

Dynamic allocation of 2D/3D routes


� CM-0601: Precision Trajectory Clearances (PTC)-2D Based On Pre-defined 2D Routes

� CM-0602: Precision Trajectory Clearances (PTC)-3D Based On Pre-defined 3D Routes

� CM-0603: Precision Trajectory Clearances (PTC)-2D On User Preferred Trajectories

� CM-0604: Precision Trajectory Clearances (PTC)-3D Based On User Preferred Trajectories (Dynamically applied 3D routes/profiles)

Hazid 7Nov07: Specifies containment to a higher standard than at present.

Timescale

Further information


Safety benefits Hazid 7Nov07: Dramatic reduction in uncertainty about aircraft trajectory. Hence reduced controller task load (for constant traffic).

Safety hazards Aircraft technical failure may cause inability to follow agreed trajectory.

Conflict management relies on automated support, and if systems fail it would be very difficult for the ATCO to revert to traditional separation provision.

Mixed equipment types may increase procedural complexity for ATCO.

Representation in IRP Reduction in plannable conflicts - modelled as reduction in ATCO misjudgement of separation.

Increase in wrong separation mode [to add]



30% reduction in MB5.1.3.1 ATCO misjudgement in separation (confidence range 10 to 50%).

Effects profile Between 2013 and 2025. Maximum coverage assumed 30% of aircraft.

Interactions Required predecessor L2-07 (Type 1 - % implementation cannot be exceeded)

Episode 3


of 240



STAR08: 0.2% reduction in MAC

ID No. TS-0105

Title ASAS spacing in TMA

ASAS Sequencing and Merging (S&M) as Contribution to Traffic Synchronization in TMA (ASPA-S&M)

Description SESAR: The flight crew ensures a spacing from designated aircraft as stipulated in new controller instructions for aircraft spacing. The spacing could be in time or space. The controller remains responsible for providing separation between aircraft. The crew is assisted by ASAS and automation as necessary. The benefits is to decrease controllers workload, and to allow more regular flow to the runway, and increase the runway throughput.

Hazid 7Nov07: TS-0105 (ASAS spacing) makes the flight crew responsible for in-trail spacing (e.g. 90 sec), while the ATCO remains responsible for separation (e.g. 5 nm) from other aircraft.

Hazid 20Nov08: The controller will decide on the necessary spacing. The pilot will maintain this by manual monitoring and speed adjustments (TS-0107) or automatic spacing alarms (TS-0105). The controller will continue to monitor through STCA.

Timescale SESAR: ASPA-S&M will be available onboard potentially before 2013 if ADS-B IN requirements expressed for ATSA applications are sufficient for spacing applications and SPR/INTEROP requirements are being met by current ADS-B implementations.

Hazid 7Nov07: ASAS spacing is currently being implemented by UPS.

Further information


Safety benefits Transfer of responsibility reduces communication and associated errors.

Reduction in controller task load (for constant traffic). Experiments showed reduction of 67% compared to P-RNAV approaches in complex terminals, but the benefit would be less compared to vectoring (Hazid 20Nov08).

Reduction in flight crew communication workload, but this is offset by extra monitoring, but should still be beneficial for TS-0105 (Hazid 20Nov08).

Safety hazards Extra complexity of mixed mode operations may cause errors.

Separation distances may be reduced to more consistently near separation standards, increasing collision and wake vortex risk (as for TBS). STCA may need to be detuned to prevent false alarms.

Unplanned disruption (e.g. from incursions, missed approach etc) may affect entire chains of aircraft, which may then overload controller.

Representation in IRP ASAS spacing instructions are still issued by ATCOs and executed by pilots, so modelled as plannable conflicts.

Reduction in ATCO task load - see STAR-03.

Reduction in flight crew workload.

Reduction in STCA effectiveness.

Increase in controller errors in unplannable conflicts.

Episode 3


of 240



Assumed 50% reduction in ATCO-pilot communications in TMA, i.e. 38% overall (Hazid 20Nov08) - modelled through STAR-03.

Assumed 10% reduction in flight crew errors due to resources in TMA, i.e. 7.5% overall. ME=5% hence ∆PS=30log(1+0.075x0.05)/log(1-0.05)=2 for flight crew.

Assumed 3-fold increase in MB3.2.2 STCA technical failure in TMA, i.e. 225% overall.

Assumed 50% increase in MB6.1.2 ATCO failure to identify unplannable conflict in time in TMA, i.e. 38% overall.

Effects profile Between 2013 and 2017. Maximum coverage 25% of conflicts in 30% of fleet, as for ATSAW. STCA and ATCO degradation affects all TMA conflicts.

Interactions Required predecessor AUO-0402 (Type 1 - in individual aircraft)

Overall effects Hazid 15Oct08: Expected negative impact in approach.

Hazid 20Nov08: Expected negative impact due mainly to degradation of STCA.

STAR08: 2.9% increase in MAC; 0.1% reduction in runway; 0.1% in taxiway; 1.4% in CFIT; 3.4% in wake

ID No. CM-0702

Title ASAS crossing and passing

Ad Hoc Delegation of Separation to Flight Deck - Crossing and Passing

Description SESAR: The Crossing and Passing applications (incl. Lateral crossing and passing; Vertical crossing and passing) allow an aircraft to cross or pass a 'target' aircraft using ASAS. Controllers are able, under defined conditions, to delegate the responsibility for specific separation tasks to the flight deck of suitably-equipped aircraft. Such delegations will be part of the clearance resulting from mutual agreement between controllers and pilots. It is cooperative separation. The benefits will be to discharge the controller, by delegation of tasks to the flight crew and to minimise the impact of conflict resolution on trajectory.

Hazid 7Nov07: ASAS separation transfers all separation responsibility to flight crew.

Timescale ASEP-C&P available onboard potentially from 2020.

Further information


Safety benefits Transfer of responsibility reduces communication and associated errors.

Reduction in controller task load (for constant traffic). Benefit would be smaller than TS-0105 because communication is less en-route (Hazid 20Nov08).

Reduction in flight crew communication workload, but this is offset by extra monitoring.

Safety hazards Extra complexity of mixed mode operations may cause errors.

Separation distances may be reduced to more consistently near separation standards, increasing collision and wake vortex risk (as for TBS). STCA may need to be detuned to prevent false alarms.

Episode 3


of 240


Representation in IRP ASAS separation instructions are still issued by ATCOs and executed by pilots, so modelled as plannable conflicts.

Reduction in ATCO task load - see STAR-03.

No change in flight crew workload.

Reduction in STCA effectiveness.


Assumed 50% reduction in ATCO-pilot communications en-route, i.e. 13% overall (Hazid 20Nov08) - modelled through STAR-03.

Assumed 2-fold increase in MB3.2.2 STCA technical failure en-route, i.e. 50% overall.

Effects profile Between 2020 and 2030. Maximum coverage 30% of fleet, as for ATSAW.

Interactions Required predecessor AUO-0402 (Type 1 - in individual aircraft)

Overall effects Hazid 15Oct08: Expected to be safety neutral en-route.

STAR08: 0.1% increase in MAC; 0.4% reduction in CFIT; 1.1% in wake

ID No. CM-080101

Title Short term conflict alert (STCA)

Description STCA in all ECAC airspace where radar services are provided.

Timescale Assumed continuous extensions during 2005-2012.

Further information


Safety benefits Independent barrier to alert ATCO to imminent separation infringement.

Safety hazards Misuse of STCA as an operational aid would reduce its independence as a safety net, and may undermine separation skills.

Representation in IRP Increase in STCA coverage.


STCA to cover all managed conflicts (1-CMF8), i.e. 82% by 2020 (compared to 78% in 2005).


Interactions STCA improvements covered by CM-0807

Overall effects Safety is the only direct impact of this OI.

STAR 2008: 1.6% reduction in MAC

Episode 3


of 240


ID No. CM-080102

Title Airspace proximity warning (APW)

Description SESAR: APW in all ECAC airspace to GAT from civil or military ATS Units where radar services are provided.

Hazid 7Nov07: In principle, APW covers both civil penetrations of military airspace and military penetrations of civil airspace, but in practice the latter will not be practicable within 2012 due to the lack of predictability of military trajectories. APW software is limited to warning about civil penetration of military or restricted airspace and not the inverse situation. Civil controllers are responsible for the civil flights but only military controllers know the intention of military aircraft of leaving its assigned airspace.

Hazid 20Nov08: APW may provide protection against VFR traffic if it has Mode C and is in VHF contact.

Timescale Hazid 20Nov08: Most current APW implementations do not cover VFR traffic, but this is done at Dublin.

Further information


Safety benefits Independent barrier to alert ATCO to imminent entry of aircraft into restricted area.

Safety hazards Airspace separation may distract from aircraft separation.

VFR vertical rates may vary much more than CAT, so false alarms are more likely if APW addresses them.

Representation in IRP Reduced probability of airspace penetration by CAT and VFR.


10% reduction in MF6.1.1.2 Airspace penetration by VFR aircraft (confidence range 1 to 30%).

30% reduction in MF6.1.1.3 Airspace penetration by CAT aircraft (confidence range 10 to 50%).


Interactions APW benefit improvements covered by CM-0807

APW benefit increased by AFUA (L2-03)



Episode 3


of 240


ID No. CM-080103

Title Minimum safe altitude warning (MSAW)

Description SESAR: MSAW where the potential for infringement exists.

Hazid 7Nov07: MSAW will give an alarm if the minimum safe altitude is violated. Improved systems might use a terrain database and identify unsafe clearances.

Timescale Assumed continuous extensions during 2005-2012.

Further information


Safety benefits Independent barrier to alert ATCO to imminent flight towards terrain.

Safety hazards

Representation in IRP Increase in MSAW coverage.


MSAW coverage 40% (compared to 20% in 2005) (IRP 2005 Methodology Report Section V.8.5).


Interactions


STAR 2008: 0.5% reduction in CFIT [because ATCO warning failure is dominated by CCFs]

ID No. CM-080104

Title Approach path monitor (APM)

Description APM where the potential for deviations from the glidepath exists.

Timescale

Further information


Safety benefits Independent barrier to alert ATCO to imminent flight towards terrain or separation infringement.

Safety hazards

Representation in IRP Increase in MSAW coverage for final approach?


[Needs new model]


Interactions



Episode 3


of 240


ID No. CM-0802

Title ACAS RA Downlink

ACAS Resolution Advisory Downlink

Description Controllers are automatically informed when ACAS (airborne collision avoidance system) generates an RA (resolution advisory). This improvement is intended to complement the voice report by the pilot.

The objective is to inform controllers of an RA event faster, more reliably and in a structured way, and hence increase controller's situational awareness in critical situations.

Timescale

Further information http://www.eurocontrol.int/ra-downlink/index.html


Safety benefits Increased situational awareness of controller, with better understanding of reasons for aircraft departing from clearance. Improved potential to prevent knock-on effects.

Reduced need for VHF communication (pilots informing ATCO of RA, ATCO questioning pilot divergence).

Safety hazards Loss of independence of ACAS and controller.

Representation in IRP Reduction in pilot failure to respond to RA due to incorrectly prioritising conflicting ATC instructions. Could be neglected if assumed to be a small effect.


90% reduction in MB2.1.3.2 Pilot incorrectly prioritises ATC instructions.


Interactions



ID No. CM-0803

Title Enhanced ACAS

Enhanced ACAS through Use of Autopilot or Flight Director

Description ACAS is combined with Auto Pilot (automatic control of aircraft) or Flight Director (display of commands to assist the flight crew in controlling the aircraft) in order to provide a vertical speed guidance using ACAS target. This would be an automatic manoeuvre if the autopilot is on (or a manual manoeuvre through flight director cues if autopilot is off). Monitoring is ensured through the display of the vertical speed indicator and at any moment the pilot can override the automatism.

The objective is to operate the ACAS RA with a simple procedure that minimizes the deviation from the initial trajectory and leaves the aircraft in a safe configuration after "clear of conflict".

Timescale Automatic ACAS (AP/FD TCAS) will be available onboard from 2008 onwards.

Further information


Episode 3


of 240


Safety benefits Increased effectiveness of ACAS warning

Reduced ACAS causes of secondary conflicts

Safety hazards

Representation in IRP Reduction in ACAS response failure

Reduction in level bust due to ACAS


30% reduction in MB2.1.3.1 Pilot fails to respond to ACAS in time (confidence range 5 to 60%).

30% reduction in MF6.1.3.5 ACAS RA causes level bust (confidence range 5 to 60%).


Interactions



ID No. CM-0804

Title ACAS adapted to new separation modes

Description The ACAS function is adapted to new separation modes, in particular if lower separation minima is considered.

In part as a result of the introduction of the delegation of the role of separator, aircraft may fly in close proximity to each other with geometries that would trigger ACAS as we know it to-day unless the system is made capable of recognising situations where such new separation modes are being applied

Timescale

Further information


Safety benefits Avoids false ACAS warnings

Safety hazards Complexity of system changes may cause system failures or response errors. Adaptations may undermine the simplicity and effectiveness of ACAS.

Representation in IRP Assumed no significant change in safety.


N/A



Enabler for new separation modes (L8-02)



Episode 3


of 240


ID No. CM-0805

Title STCA adapted to new separation modes

Description The STCA is adapted to new separation modes, in particular if lower separation minima is considered.

In part as a result of the introduction of the delegation of the role of separator, aircraft may fly in close proximity to each other with geometries that would trigger STCA as we know it to-day unless the system is made capable of recognising situations where such new separation modes are being applied

Timescale

Further information


Safety benefits Avoids false STCA warnings

Safety hazards Complexity of system changes may cause system failures or response errors

Representation in IRP Assumed no significant change in safety.


N/A



Enabler for new separation modes (L8-02)



ID No. CM-0806

Title Safety net compatibility

Improved Compatibility between Ground and Airborne Safety Nets

Description SESAR: ACAS and STCA are and need to stay independent at functional level. There is a need to have better procedures to avoid inconsistent collision detection and solution. Information sharing is to be considered cautiously, to avoid common mode of failure. In part as a result of the introduction of the delegation of the role of separator, aircraft may fly in close proximity to each other with geometries that would trigger STCA as we know it to-day unless the system is made capable of recognising situations where such new separation modes are being applied.

Hazid 15Oct08: STCA would incorporate the ACAS model to ensure that STCA alerts occur before the RA, and warn the ATCO that an RA is expected. STCA would also give the ATCO instructions to separate laterally. If no response, there would be forced STCA giving voice instructions to the pilot. If no response, there would be automatic ACAS response.

Timescale

Further information


Safety benefits Avoids ACAS and STCA failures due to system incompatibility

Safety hazards Loss of vigilance in automatic system - see STAR-04.

Episode 3


of 240


Representation in IRP Assumed 100% reduction in MB2.1.3.1 Pilot failure to respond to RA in time; MB2.1.3.2 Pilot incorrectly prioritises ATC instructions; and MB2.1.4 ACAS avoidance invalidated by other aircraft.


N/A


Interactions Required predecessors CM-0804 and CM-0805 (Type 1 - % implementation cannot be exceeded)


STAR 2008: 10.6% reduction in MAC (if applied in 2005)

ID No. CM-0807

Title Information sharing

Enhanced Ground-based Safety Nets Using System Wide Information Sharing

Description System Wide Information Sharing, in particular through new surveillance means like ADS-B which provides both the aircraft computed position and its trajectory intent, is used to improve the safety net performance, e.g. to detect that the separation mode has been compromised and to provide/propose resolution action. The safety nets must remain robust against information error or missing.

The objective is to provide controllers with a reliable alerting system based upon all the surveillance information available.

Timescale

Further information


Safety benefits Use of aircraft-derived data (ADD) produces:

� Increased effectiveness of safety net warnings for curved trajectories.

� Reduced false alarms due to inaccurate data

Safety hazards Possible common cause of failure of ground-based and airborne safety nets

Representation in IRP Reduction in STCA warning failures.


STCA warning failures reduced by 20% (MB3.2) (confidence range 5 to 50%). ME= 95%, hence ∆PS=30log(1-0.2x0.95)/log(1-0.95)=2 for STCA ) (IRP 2005 Methodology Report Section III.8.6)



Overall effects STAR 2008: 1.4% reduction in MAC

Episode 3


of 240


12.6 AIRPORT OPERATIONS

ID No. AO-0101

Title Runway incursion prevention

Reduced risk of runway incursions through improved procedures and best practices on the ground.

Description ECAC airports and aircraft operators develop procedures and apply recommendations contained in the EAPPRI (e.g. compliance of infrastructure with ICAO provisions, best practices on flight deck procedures for runway crossing, while taxiing; assessment for pilots regarding aerodrome signage, markings and lighting)

Timescale EAPPRI based on existing best practice (e.g. already implemented at Schiphol). Over 70% of EAPPRI recommendations are fully or partly implemented at more than 100 airports (D2 p69) covering 95% of traffic (Hazid 19Oct07).

Further information Runway Safety Initiative - European Action Plan for the Prevention of Runway Incursions (EAPPRI).

Safety Assessment of Runway Safety (RWY SAF), Dec 2006.


Safety benefits “Significant reduction” in runway incursion frequency and hence collision. Main impacts:

� Improved communication procedures and common frequencies.

� Runway inspection vehicles facing runway movements.

� Protected runway sight lines from tower.

� Improved flight deck procedures (sterile cockpit).

� Improved flight crew planning of ground movements.

� En-route clearances received before taxi.

� Consequent reduction in rejected take-off and brake fires.

� Reduction in use of wrong taxiway, and hence obstacle collision.

� Reduction in use of wrong runway, and hence obstacle collision or over-run.

Safety hazards

Representation in IRP Increase in quality of airport communications

Increase in quality of taxi competence and procedures

Reduction in restricted view affecting conflict detection


30% reduction in ATCO/pilot errors influenced by Airport communications. ME=80%, hence ∆PS=30log(1-0.3x0.8)/log(1-0.8)=5 for airport communications.

30% reduction in pilot errors influenced by runway/taxi procedures. ME=5%, hence ∆PS=30log(1-0.3x0.05)/log(1-0.2)=9.

10% reduction in RB1.1.1.3 Restricted view from tower prevents conflict detection.

Effects profile Hazid 19Oct07: 70% implemented in 2007. Remainder between 2007 and 2013.

Representation in STAR: 60% implemented in 2005; remainder between 2005 and 2013 (gives continuous growth with 70% in 2007).

Episode 3


of 240


Interactions

Overall effects SESAR: Safety +

Safety assessment: Expected 20% reduction in runway collision frequency

STAR 2008: 6.4% reduction in runway; 1.6% in taxi (compared to 60% implementation in 2005)

ID No. AO-0201

Title A-SMGCS Level 1 (or equivalent)

Enhanced ground controller situation awareness in all weather conditions

Description OI: The system provides the controller with the position and automatic identity of all relevant aircraft and all relevant vehicles on the movement area (incl. apron). The improvement of this service lies in expediting the arrival and departure flows on the runway system and the movement of taxiing aircraft and other vehicles on the manoeuvring area, while reducing the potential for loss of separation. I.e. ground traffic throughput improvements (all vehicles with two-way communication means, e.g. aircraft, including towed a/c, and service vehicles).

A-SMGCS Level 1: Based upon improved surveillance (cooperative independent, dependent or multilateration) and procedures (identification, issuance of ATC instructions & clearances)

Timescale Currently implemented at 5 major airports (CDG, Heathrow, Frankfurt, Vienna, Zurich). Multilateration system implemented at Schiphol (2005).

Further information A-SMGCS Levels 1 & 2 Preliminary Safety Case, October 2005.

A-SMGCS Generic CBA, October 2006.


Safety benefits Improved monitoring aircraft and vehicle positions for ground and runway controllers, resulting in:

� Better situation awareness.

� Anticipation, earlier detection and recovery of navigation and clearance errors, including runway incursions and conflicts.

� Reduced ground controller workload associated with position monitoring and communication.

� Reduced effects of low visibility.

� Detection of non-cooperative vehicles incursions within manoeuvring area.

Safety hazards System total failure, partial loss, corruption.

Possibly decreased performance of ground controllers due to over-reliance on A-SMGCS.

Severity of risks increases as more traffic is managed in Low Visibility Conditions, especially in case of deficient AO-0103 implementation.

Representation in IRP Reduction in ground and runway control errors due to ineffective use of ground radar and due to inadequate co-ordination with ground controller.

Increased operations in low visibility.

Episode 3


of 240



30% reduction in RB4.1.1.1.1.3 Ineffective ATCO use of ground radar (modelled by A-SMGCS coverage)

50% reduction in errors influenced by Airport ATC system quality. For ground control, ME=30%, hence ∆PS=30log(1-0.5x0.3)/log(1-0.3)=14.

50% reduction in ground controller errors influenced by Resources. ME=22%, hence ∆PS=30log(1-0.5x0.22)/log(1-0.22)=14.

The fraction of runway conflicts outside the range of visibility from the tower (i.e. RB1.1.1) is judged to increase from 28% (with 2005 A-SMGCS coverage) to 35% (with A-SMGCS Level 1 full implementation). Modelled as a 27% increase in restricted visibility.

Effects profile A-SMCGS Level 1 coverage estimated as 20% in 2005. Remainder between 2007 and 2016. Assumed maximum implementation 50% (confidence range 40-60%) of movements.

Interactions Precursor AO-0103 required to balance Ground Controller enhanced awareness and pilot reduced visibility.

Overall effects SESAR: Safety + (Improved situational awareness for aerodrome controllers, particularly during periods of reduced visibility and darkness will enhance safe operations).

CBA: However, safety benefits will be traded for capacity increases in low visibility, so no net safety benefit from Level 1. Implies 50% improvement before traffic increase.

Hazid 19Oct07: Large improvement, greater than Level 2, even in good visibility.

STAR 2008: 0.8% reduction in runway; 1.7% in taxi (for 30% extra implementation. Benefits outweighed by increased operations in low visibility)

ID No. AO-0102

Title A-SMGCS Level 2 (RIMCAS or equivalent)

Automatic alerting of controller in case of runway incursion or intrusion into restricted areas.

Description OI: The system detects conflicts and infringements of some ATC rules involving aircraft or vehicles on runways, and provides the controller with appropriate alerts. Whereas the detection of conflicts identifies a possibility of a collision between aircraft and/or vehicles, the detection of infringements focuses on dangerous situations because one or more mobiles infringed ATC rules. This improvement addresses also incursions by an aircraft into an area where the presence of an aircraft (or vehicle) is temporarily restricted or forbidden (e.g. closed taxiway, ILS or MLS critical area).

A-SMGCS Level 2: Safety nets (runway, ‘restricted’ areas) and associated procedures.

Timescale Available in the 2013 time frame although may only be deployed at major airports (SESAR W2.4 source). Runway Incursion Alerting System Schiphol (RIASS), phase 1 will be implemented in Nov 2007.

Further information A-SMGCS Levels 1 & 2 Preliminary Safety Case, October 2005.

A-SMGCS Generic CBA, October 2006.


Episode 3


of 240


Safety benefits Provision of a safety net for runway operations, capable of detecting and preventing most dangerous hazards resulting from deviations or errors, and decreasing ATCO workload associated to potential conflict identification.

Shortens ATCO reaction time.

Safety hazards Possibly decreased monitoring by ground controllers due to over-reliance on RIMCAS.

False conflict alerts due to unforeseen movements (no Flight Plan data during taxi), may lead to untrusting system perception (implementation phase).

Representation in IRP Increased proportion of conflicts covered by RIMCAS.


The fraction of runway conflicts covered by RIMCAS (i.e. 1-RB2.1) is judged to increase from 8% (with 2005 A-SMGCS coverage) to 50% (with A-SMGCS Level 2 full implementation).

Effects profile A-SMCGS Level 2 coverage estimated as 8% in 2005. Remainder between 2008 and 2016. Assumed maximum implementation 50% of movements (i.e. same as Level 1).

Interactions Required predecessor AO-0201 (Type 1 - % implementation cannot be exceeded).

Overall effects SESAR: Safety + (Diminishes risk of collision).

CBA: 50% increase in collision detections from Level 2.

Hazid 19Oct07: 90% reduction in collisions when combined with Level 1.

STAR 2008: 3.5% reduction in runway (for 42% extra implementation, excluding benefits of AO-0201).

ID No. AO-0103

Title Airport layout

Improved runway-taxiway lay-out, signage and markings to prevent runway incursions.

Description Improvements in lay-out of taxiway system as well as location of runways with respect to the terminal/apron, incl. Better placed runway crossings, use of additional perimeter taxiways, avoiding alignment of the main taxiways with entries or exits, use of perpendicular intersections. Include also enhanced signage and markings and use of Red Stop Bars best practices.

Timescale Already various actions are taken by Schiphol in 2006. Completion will be in 2008.

Further information


Safety benefits Reduction in runway crossing movements.

Reduction in airport complexity, hence reduction in pilot errors during taxi.

Safety hazards

Representation in IRP Increase in quality of airport design and visual aids


3% reduction in runway crossings (confidence range 1 to 5%) (Hazid 19Oct07).

30% reduction in pilot errors influenced by Airport visual aids. ME=33%, hence ∆PS=30log(1-0.3x0.33)/log(1-0.33)=8 for airport visual aids.

10% reduction in ATCO/pilot errors influenced by Airport design. ME=22% (for taxi), hence ∆PS=30log(1-0.1x0.22)/log(1-0.22)=3 for airport design.

Episode 3


of 240



Interactions This OI Step is required for related OI Steps within L10-01 (but they are not consider successor OI Steps), mainly AO-0201.

Overall effects Safety + (Reduces risk of runway incursions).

STAR 2008: 8.7% reduction in runway; 13.5% in taxi

ID No. AO-0104

Title Taxiway deviation alert

Airport safety nets including taxiway and apron.

Description SESAR: The systems detect potential conflicts/incursions involving mobiles (and stationary traffic) on runways, taxiways and in the apron/stand/gate area. The alarms are provided to controllers, pilots, and vehicle drivers together with potential resolution advisories (depending on the complexity of resolution possibilities). The systems also alert the controller in case of unauthorized / unidentified traffic.

Current automated alerting system is limited to the runway and is based upon a set of rules that assist controllers in detecting the most serious conflicts. This system has no knowledge of aircraft intent and in some cases the time window to determine and communicate a solution may be very limited.

Hazid 19Oct07: The system may be able to detect route deviations, excess speed or failure to stop at a hold point, and hence is better described as a deviation alert. It will be viable on taxiways but not the apron. It will be used only at complex airports. Since there are no separation standards for taxiways, it will not be able to give conflict alerts.

Timescale

Further information


Safety benefits Warning for ATCO of pilot deviations in taxi.

Improve decision making (ATCO and specially Flight Crew)

Safety hazards Reliance on system may reduce ATCO monitoring.

Excess of information may compromise ATCO or Flight Crew attention.

Representation in IRP Extra barrier against pilot deviations in taxi - applies to runway and taxiway collisions. For simplicity, modelled as improved pilot taxi performance.


Assumed 60% reduction in ground control errors influenced by ATC system. ME=30%, hence ∆PS=30log(1-0.6x0.3)/log(1-0.3)=17 for airport ATC system. Maximum coverage 30% of taxiway conflicts.


Interactions Required predecessor AO-0102 (Type 1 - % implementation cannot be exceeded)

Overall effects Safety + (No justification).


ID No. AO-0202

Title FOD Detection

Detection of FOD (Foreign Object Debris) on the Airport Surface

Episode 3


of 240


Description The system provides the controller with information on FOD detected on the movement area. Micro-wave systems can detect small objects on the movement area.

Timescale

Further information See “A new Paragon of Airside Safety: Runway FOD Detection Radar” by Craig Richmond and Brett Patterson (Vancouver Airport) – October 2006


Safety benefits Reduced FOD incidents and consequent take-off/landing accidents

Reduced need for RWY inspection; may reduce ATCO workload.

Safety hazards As AO-0201

Representation in IRP Take-off/landing accidents not modelled at present




Overall effects Safety + (to avoid accidents like the Concorde crash in Paris).


ID No. L10-02

Title A-SMGCS Level 3 (or equivalent)

Improving Traffic Management on the Airport Surface


� AO-0203: Guidance Assistance to Airport Vehicle Driver

� AO-0204: Airport Vehicle Driver's Traffic Situational Awareness

� AO-0205: Automated Assistance to Controller for Surface Movement Planning and Routing

� AO-0206: Enhanced Guidance Assistance to Airport Vehicle Driver Combined with Routing

� AO-0207: Surface Management Integrated With Departure and Arrival Management

� A-SMGCS Level 3: Detection of all conflicts on manoeuvring area, improved guidance & planning (for controllers)

Hazid 19Oct07: Guidance for vehicle drivers could be as simple as voice warning when approaching a runway. A-SMGCS level 3 provides assistance to the controller using a routing function.

Timescale

Further information


Episode 3


of 240


Safety benefits Reduced vehicle driver errors (including aircraft under tow)

Reduced ground controller errors

Hazid 19Oct07: System knowledge of aircraft/vehicle intentions reduces false alarms from safety net (Level 2), and so makes it more effective. Potentially a large benefit because entering runway without clearance is a major cause of runway incursions. However, the effect is likely to be smaller than Level 2 alone.


Representation in IRP Reduced vehicle driver errors during tow. Other vehicles not yet modelled.

Reduced ground and runway control errors due to ATC system.

Reduced controller failures to respond to RIMCAS.



20% reduction in ground controller errors influenced by Airport ATC system quality. ME=30%, hence ∆PS=30log(1-0.2x0.3)/log(1-0.3)=5.

This is in addition to the benefit from AO-0201.

50% reduction in RB2.3 ATCO failure to respond to RIMCAS warning

Effects profile Between 2009 and 2018. Assumed maximum implementation 50% of movements (i.e. same as Level 1).


Overall effects Safety + (No justification).


ID No. AO-0203

Title Guidance Assistance to Airport Vehicle Driver

Description The system provides vehicle drivers with an airport moving map showing taxiways, runways, fixed obstacles, and their own mobile position.

Timescale 01/01/2009 to 01/01/2014

Further information The objective is to reduce navigation mistakes that may occur especially in low visibility conditions.

Ongoing business at Schiphol airport based on the multilateration system.

Benefit focus Safety+++

Safety benefits Reduced ATCO workload


Representation in IRP


Effects profile

Interactions Required for AO-0206 Enhanced Guidance Assistance to Airport Vehicle Driver Combined with Routing

Overall effects

Episode 3


of 240


ID No. AO-0204

Title Airport Vehicle Driver's Traffic Situational Awareness

Description Information regarding the surrounding traffic (incl. Both aircraft and airport vehicles) during taxi and runway operations is displayed in the vehicle driver's cockpit.

Timescale 01/01/2013 to 01/01/2017

Further information

Benefit focus Safety+++

Safety benefits Reduce risks of errors / collision especially in all weather conditions.

Reduced ATCO workload

Safety hazards Vehicle driver over-confidence may lead to overriding ATCO instructions.

Increase of distraction by vehicle driver in case of single occupant (head-down, head-up between display and out-of-the-window).

Over-confidence in vehicle position accuracy.



Effects profile

Interactions

Overall effects

ID No. AO-0205

Title Automated Assistance to Controller for Surface Movement Planning and Routing

Description SESAR: The system provides the controller with the best route calculated by minimising the delay according to planning, ground rules, and potential conflicts with other mobiles. The system informs the ground controller of any deviation from route/plan it has detected.

Timescale 01/01/2013 to 01/01/2017

Further information SESAR Rationale: This improvement is applicable to airports with a complex layout.

SESAR Comments: Not available in the 2013 time frame according to SESAR W2.4 architecture. Need to be considered with SMAN. Not yet planned at sampled airport (Schiphol).

Benefit focus Predictability+++ (Safety+ )

Safety benefits Reduced ATCO workload

Increases ATCO reaction-time in case of conflicts.

Safety hazards ATCO over-confidence



Effects profile

Episode 3


of 240


Interactions Required for AO-0207 Surface Management Integrated With Departure and Arrival Management

Overall effects

ID No. AO-0206

Title SESAR: Enhanced Guidance Assistance to Airport Vehicle Driver Combined with Routing

Description The system displays dynamic traffic context information including status of runways and taxiways, obstacles, and an airport moving map.

Timescale 01/01/2013 to 01/01/2017

Further information Efficiency benefit thanks to improved situational awareness and actions in accordance with traffic conditions, especially in low visibility

Benefit focus Efficiency+++ (Safety+ )

Safety benefits Vehicle Control Improvement in manoeuvring area in Low Visibility Conditions (essential maintenance, lighting, runway inspection,…)

Safety hazards Increment of target information (vehicle and aircrafts) on ATCO display (Clutter).



Effects profile

Interactions Predecessor AO-0203 Guidance Assistance to Airport Vehicle Driver

Overall effects

ID No. AO-0207

Title Surface Management Integrated With Departure and Arrival Management

Description The taxiing process is considered as an integral part of the process chain from arrival to departure and AMAN / DMAN is integrated with CDM processes between airport operator, aircraft operators and air traffic service provider at the same airport.

Timescale 01/01/2013 to 01/01/2017

Further information DOD Rationale: To improve the aerodrome throughput, Arrival and Departure Management need to be considered as a combined entity, itself closely linked to surface movement especially at airports with runways used for both arriving and departing flights.

SESAR Comments: A project is started together with EUROCONTROL (CISS, Central Information System Schiphol). The first phase will be implemented in the beginning of 2008.

Benefit focus Capacity+++

Safety benefits

Safety hazards


Episode 3


of 240



Effects profile

Interactions Predecessor OIs

AO-0205 Automated Assistance to Controller for Surface Movement Planning and Routing

AUO-0603 Enhanced Guidance Assistance to Aircraft on the Airport Surface Combined with Routing

Overall effects Safety Neutral

ID No. AO-0301

Title Crosswind reduced separation

Crosswind reduced separations for departures and arrivals

Description Under certain crosswind conditions it may not be necessary to apply wake vortex minima.

The objective is to reduce dependency on wake vortex operations which under suitable weather conditions, will lead to reduced arrival / departure intervals, with a positive effect on delays and runway throughput.

Timescale

Further information


Safety benefits See below

Safety hazards Reduction in aircraft separation (distance and time) in cross-wind conditions, matching current separation (distance) in still-air. The reduction in separation only results from increased traffic.

Changes in wind direction may cause reductions in separation below still-air conditions.

Reduced time separation causes:

� Reduced time for ATCO transmission of clearances/instructions

� Reduced time for ATCO/pilot collision avoidance (mid-air and runway)

� Reduced time for ATCO monitoring terrain clearance

Increased proportion of aircraft landing in cross-wind, and hence more landing accidents.

Reduced separation increases likelihood of wake encounter (compared to DBS in head-wind), but effects are small (compared to still-air), as wake encounters are unlikely in crosswind conditions.

Representation in IRP Change in collision risk from increased traffic and reduced delays - modelled separately.

Increased proportion of landings in cross-wind - no model available.

Otherwise assumed to be risk neutral.


N/A


Episode 3


of 240


Interactions N/A

Overall effects SESAR: No expected effect on safety

Hazid 13Aug07: Less effect on wake risks than AO-0302


ID No. AO-0302

Title Time-based separation (TBS) for arrivals

Description Constant time separations independent of crosswind conditions and wake vortex existence are introduced. Time based separation is an option to replace the distance criteria currently used to separate trailing aircraft on the approach beyond the wake vortex of the leading aircraft.

The intent is to mitigate the effect of wind on final approach sequencing so as to achieve accurate and more consistent final approach spacing, and recover most of the capacity lost under strong headwind.

Timescale

Further information www.eurocontrol.int/eec/public/standard_page/APT_time_based.html


Safety benefits See below

Safety hazards Reduction in aircraft separation (distance and time) in head-wind conditions, matching current separation (time) in still-air. The reduction in separation only results from increased traffic in head-wind conditions.

Sudden variations of strength and direction with location and time may cause reductions in separation below still-air conditions.

Reduced time separation causes:

� Reduced time for ATCO transmission of clearances/instructions.

� Reduced time for ATCO/pilot collision avoidance (mid-air and runway).

� Reduced time for ATCO monitoring terrain clearance.

Approach traffic is well organised, so effects of reduced separation on mid-air collisions may be small, and more critical in multiple missed approaches.

Increased proportion of aircraft landing in head-wind is not expected to affect landing accidents.

Reduced separation increases likelihood of wake encounter (compared to DBS in head-wind), but effects are small (compared to still-air), as strong head-wind tends to keep the wake below aircraft following a standard glideslope.

Representation in IRP Increase in wake encounters [Not clear that this is different to increase from traffic]

Change in collision risk from increased traffic and reduced delays - modelled separately.


5-10% increase in wake encounters per approach in head-wind. This is for traffic increased to still-air capacity. Corresponding capacity increase not clear, but may be similar.

Effects profile Between 2012 and 2015. Only likely to be used at capacity-limited airports, assumed to handle 50% of landings.

Episode 3


of 240


Interactions Needs better ATCO support tools to display time separation [Not clear which OI]

Precision vertical guidance (e.g. ILS) is not assumed (but a safety analysis may show that it is required for TBS to be acceptably safe, especially for major airports).


Hazid 13Aug07: Slight increase in wake risks

STAR 2008: 3.8% increase in wake

ID No. AO-0303

Title Wake vortex prediction

Fixed reduced separations based on wake vortex prediction

Description In the applicable situations, the controller uses reduced aircraft separations derived from forecasted wake vortex behaviour.

Separation standards are too conservative for a variety of meteorological situations. Use of a statistical model giving wake-vortex behaviour with fixed aircraft separations - e.g. from collection of all relevant combinations of wake vortex behaviours in meteorological situations - could be an intermediate step towards individual wake-vortex forecasting.

Timescale

Further information


Safety benefits Mitigation of wake turbulence hazard (better determination of hazard area)

Potential to reduce risks by increasing separation in high wake vortex conditions?

Safety hazards Reduction in aircraft separation (distance and time) in low wake vortex conditions (e.g. high turbulence, strong wind). The reduction in separation only results from increased traffic.

Effects of reduced time separation:


� Reduced time for ATCO/pilot collision avoidance (mid-air and runway)

� Reduced time for ATCO monitoring terrain clearance

Increased proportion of aircraft landing in turbulent conditions may affect landing accidents and the proportion of missed approaches.

Errors in vortex prediction or changes in turbulence may increase wake risks. Vortex predictions could be incorrect 50% of the time (Hazid 15Oct08)

Effects on wake accidents likely to be small, as predicted effects of turbulence on wake encounters are small.

Representation in IRP Increased traffic and reduced delays - modelled separately.

Increased proportion of landings in turbulence - no model available.



N/A

Episode 3


of 240


Effects profile Between 2012 and 2015. Only likely to be used at capacity-limited airports, assumed to handle 50% of landings.

Interactions N/A




ID No. AO-0304

Title Wake vortex detection

Dynamic adjustment of separations based on real-time detection of wake vortex

Description SESAR: The controller optimises aircraft separations taking account of the actual wake-vortices strength.

STAR 2006: Ground-based LIDAR to monitor wake vortex extents near runway threshold. Relaxation of wake-related spacing when LIDAR shows weather conditions (i.e. turbulence) suppressing wake vortices.

Hazid 15Oct08: Airborne lidar for pilot visualisation of wake would only be available after 2020.

Timescale

Further information

Benefit focus Safety & capacity

Safety benefits Reduces wake accidents by increasing separation in high wake vortex conditions (for constant traffic)

Safety hazards As AO-0304, except reduced vulnerability to errors in predictions or changes in conditions.

Lidar may be unreliable in thunderstorms.

Representation in IRP Reduction in wake vortex encounter probability


Effects profile Between 2015 and 2019. Only likely to be used at airports handling heavy aircraft, assumed to handle 50% of landings.

Interactions Required predecessor AO-0303 (Type 1 - % implementation cannot be exceeded) [Not clear why this dependency arises]



STAR 2008: 2.5% reduction in wake

Episode 3


of 240


ID No. AO-0305

Title Rapid exit taxiways (RET)

Additional rapid exit taxiways (RET) and entries

Description Appropriate runway exits are provided for the aircraft mix using the runway. The Runway Occupancy Time (ROT) as well as the predictability is based on the number of exits, the design/shape of the exit, the location with respect to the landing threshold as well as pilot/airline behaviour policy. Finding a well accepted balance between number, shape and location is necessary. Multiple runway entries and a wide holding area can help to optimize the sequencing process for departing aircraft and can generate significant operational benefits during periods of traffic congestion.

In some cases, where for example backtracking after landing is required or new aircraft types at an airport cannot use existing high-speed exits, infrastructure improvements may be needed.

Timescale Implemented in 2006 at Schiphol airport

Further information


Safety benefits Wider holding areas reduce taxi collision risk (unless more resequencing occurs there).

Better designed runway exits reduce landing accident risk.

Safety hazards More runway exits increase opportunities for runway incursion. However, airport procedures now usually forbid runway entry via RETs.

Higher proportion of rapid exits increase potential for landing accidents.

Representation in IRP Hazid 19Oct07: Assumed risk neutral.


N/A


Interactions

Overall effects Safety - (An important aspect with the construction of new exits and entries is the runway incursion risk. Every new taxiway connected to the runway will add to the risk of runway incursions. Special attention should be given to mitigate the risk)


ID No. AO-0402

Title Interlaced take-off and landing

Mixed mode of operations

Description In order to provide mitigation for the inherent delays/queuing associated with capacity constrained airports and to gain a significant capacity enhancement without impacting the overall queue management concepts, interlaced take-off and landing procedures instead of segregated use of multiple runways can be envisaged.

Timescale Used at Gatwick. Planned for Heathrow.

Further information


Episode 3


of 240


Safety benefits Reduced delays (as above)

Ability to minimise wake vortex encounters (for constant traffic)

Safety hazards Difficulty of separating accelerating and decelerating aircraft, hence increased potential for runway entry error and hence runway collisions.

Extra missed approaches due to aircraft delays on runway, causing mid-air collision risks.

Representation in IRP Increased use of alternating take-off and landing (existing parameter).


40% increase in RB5.3 Alternating take-off and landing, i.e. from 20% to 28%.

Effects profile Between 2007 and 2015. Only likely to be used at capacity-limited airports, assumed to handle 50% of movements.

Interactions


Hazid 19Oct07: Significant increase in runway collision risk

STAR 2008: 5.1% increase in runway

ID No. AO-0403

Title Optimised dependent parallel operations

Description Capacity gains can be achieved by increased utilisation of the combined runways. Reducing dependencies between runways by implementing more accurate surveillance techniques and controller tools as well as advanced procedures, will enlarge the capabilities of existing runway configurations (like closely spaced parallel runways).

Dependencies between multiple runways determine the practical runway capacity which in most cases is lower than the combined single runway capacities.

Timescale

Further information



Safety hazards Reduction in aircraft separation (distance) in parallel operations.

Effects of reduced separation:


� Reduced time for ATCO/pilot collision avoidance (mid-air)

� Increased potential for wake encounters

The reduction in separation only results from increased traffic.

Representation in IRP Increased potential for mid-air collisions and wake encounters and reduced delays - modelled separately.




Episode 3


of 240


Interactions

Overall effects No expected effect on safety


ID No. L10-06

Title Low visibility operations

Improving operations under adverse conditions incl. low visibility


� AO-0502: Improved Operations in Low Visibility Conditions through Enhanced ATC Procedures

� AO-0503: Reduced ILS Sensitive and Critical Areas

� AO-0504: Improved Low Visibility Runway Operations Using Alternative Landing Systems (i.e. MLS)

Other OIs modelled separately

Timescale CDM already implemented for de-icing at Schiphol airport.

Further information



Reduced ATCO errors in low visibility

Safety hazards Increased operations in low visibility and icing.



Reduction in runway control errors due to procedures.


10% reduction in errors influenced by ATC procedures. ME=15%, hence ∆PS=30log(1-0.1x0.15)/log(1-0.15)=3 for ATC procedures.

Assumed 20% increase in restricted visibility


Interactions Depends on A-SMGCS?


STAR 2008: 7.4% increase in runway; 0.5% in taxi

Episode 3


of 240


ID No. L10-03

Title Airport collaboration

Improving airport collaboration in the pre-departure phase


� AO-0601: Improved Turn-Round Process through Collaborative Decision Making

� AO-0602: Collaborative Pre-departure Sequencing

� AO-0603: Improved De-icing Operation through Collaborative Decision Making

� AO-0501: Improved Operations in Adverse Conditions through Airport Collaborative Decision Making

� DCB-0304: Airport CDM extended to Regional CDM

Timescale

Further information



Reduced resequencing at taxi hold point

Improved de-icing performance

Safety hazards


Reduced taxi collisions due to resequencing

Improved de-icing performance - no model yet


10% reduction in XF5.5 Resequencing during runway holding


Interactions


STAR 2008: 2.0% reduction in taxi

Episode 3


of 240


ID No. L10-08

Title Sustainable operations

Implementing sustainable operations at airport


� AO-0701: Effective Collaboration between ATM Stakeholders Supported by Environmental Management Systems

� AO-0702: Improved Relations to Neighbours

� AO-0703: Noise Management to Limit Exposure to Noise on the Ground

� AO-0704: Optimised Design and procedures for Airport Manoeuvring Areas to Reduce Gaseous Emissions and Noise Disturbance

� AO-0705: Reduced Water Pollution

� AO-0706: (Local) Monitoring of Environmental Performance

� AUO-0801: Environmental Restrictions Accommodated in the Earliest Phase of Flight Planning

� AUO-0802: Ground Movement Techniques to Reduce Gaseous Emissions and Noise Disturbance

� AUO-0803: Reduced noise footprint on departure

Timescale

Further information


Safety benefits Better planning may reduce last-minute runway changes for environmental reasons, hence better preparation for landing

Safety hazards Possible conflict of safety and environmental goals:

� CFIT hazards due to use of noise-preferential approaches with poorer navaids or lower terrain clearance.

� Wake vortex encounters due to aircraft using continuous descent approach being above following aircraft on conventional approach.

� Runway incursions through elimination of runway entry queues.

Representation in IRP Reduced TMA design quality

Increased runway incursions - assumed negligible

Reduction in landing risk - no model available.


10% increase in flight crew errors due to TMA design. ME=11%, hence ∆PS=30log(1-0.1x0.11)/log(1-0.11) = 3 for TMA design.


Interactions


STAR 2008: 1.4% increase in CFIT

Episode 3


of 240


12.7 AIRCRAFT OPERATIONS

ID No. AUO-0301

Title Datalink communications

Voice controller-pilot communications (en route) complemented by data link

Description SESAR: Voice communications are complemented (not replaced) by services allowing flight crews and controllers to conduct operational exchanges through datalink. Data communications are intended for use in non-time critical situations and may be applied instead of or in combination with voice communications.

Hazid 20Nov08: Non-time-critical communications include instructions intended to maintain capacity by organising traffic, as opposed to separation instructions. If incorrect, these can create conflicts. At MUAC datalink reduced instructions by 10 to 60% in different sectors, typically 40% overall, and this may be applicable to other ACCs.

Timescale CPDLC supporting ATC applications via ATN for continental areas (Link 2000+ pioneer phase) already exists. Link 2000+ mandate (2009/2014) has been launched.

Further information www.eurocontrol.int/eatm/public/standard_page/link2000.html


Safety benefits Reduced VHF workload for controller.

Reduced communication errors due to non-standard phraseology, poor English, VHF congestion (fast transmissions) .

Reduced communication loss due to blocking by stuck microphone buttons and simultaneous transmissions.

Reduced flight crew fatigue from listening to all sector ATC transmissions.

Safety hazards Loss of information to pilots from communications to other aircraft, i.e. traffic awareness.

Loss of verbal cues to stress and confusion.

Representation in IRP Improved communications system quality.

Reduced task load - see STAR-03.


Assumed 40% reduction in voice communications en-route, i.e. 10% overall - modelled using STAR-03.

40% reduction in ATC-pilot communication errors due to communication system en-route, i.e. 10% overall. ME= 80%, hence ∆PS = 30log(1-0.1x0.8)/log(1-0.8)=2 due to communications.

Effects profile Between 2007 and 2016. 100% fitment is mandated by 2016.

Interactions


Hazid 20Nov08: Expected to be a large benefit.


Episode 3


of 240


ID No. AUO-0302

Title Datalink RBT clearances

Successive authorisation of RBT segments using datalink

Description SESAR: Controller's clearances are sent to the pilot by datalink for the successive segments of the Reference Business/Mission Trajectory (RBT) along the flight progress (this includes taxi route in case of surface operations). Pilot's requests to controller for start-up, push back, taxi, take-off clearances, etc. are also transmitted by datalink. The SESAR concept of operations utilises digital data communication applications and services as the main means of communication even though there will remain circumstances in which clearances and instructions are issued by voice. In the shorter term, datalink will be used in non-time critical situations and may be applied instead of or in combination with voice communications.

Hazid 20Nov08: Radar vectoring will still be done by voice communication.

Timescale

Further information


Safety benefits This OI covers the benefits to the controller of clearance of RBT segments instead of flight levels and headings.

Simplifies communications and improves situation awareness, resulting in reduced ATCO task load, especially in busy sectors.

Use of datalink would increase reliability of communication, but RBT segments would not normally be used for clearances without datalink.

Safety hazards If datalink fails, clearance of RBT segments by voice would be much more complex, increasing task load and errors.

Representation in IRP Reduced task load - see STAR-03.



Assumed 10% reduction in voice communications in all flight phases in addition to AUO-0301 (totalling 50% compared to baseline) - modelled using STAR-03.


Interactions Requires AUO-301 (Type 4 - at least 70% implementation required).


Hazid 20Nov08: Expected to be a small additional benefit to AUO-0301.


Episode 3


of 240


ID No. AUO-0303

Title Datalink RBT revision

Revision of RBT using datalink

Description The pilot is automatically notified by datalink of trajectory change proposals (route including taxi route, altitude, time and associated performance requirements as needed) resulting from ATM constraints arising from, for example, ad hoc airspace restrictions or closing of a runway. ATM constraints may also be expressed in terms of requests such as RTA in support of AMAN operation or runway exit in support of BTV operation. On the other hand, the controller is notified by datalink of aircraft preferences in terms of STAR, ETA, ETA min/max, runway exit, etc.

This improvement may be in two steps starting with the uplink of simple flight specific constraints displayed on a dedicated cockpit screen as any datalink message. In a next stage, more complex constraints can be automatically generated by ground tools (incl. MTCD, AMAN, DMAN) and proposed to the controller for approval; on the cockpit side, the agreed constraints may be automatically loaded into the FMS, leading to a new trajectory computed and proposed to the flight crew.

Timescale

Further information


Safety benefits This OI covers the benefits to the pilot of clearance and if necessary revision of RBT segments instead of flight levels and headings.

Pilot communication workload reduced.

Pilot FMS management errors reduced once instructions are transferred directly into the FMS.

Safety hazards Increased workload if system fails or is corrupted.

Representation in IRP Reduction in pilot workload

Reduction in pilot FMS vertical and lateral management errors.



Assumed 10% reduction in pilot workload. ME=5%, hence ∆PS = 30log(1-0.97x0.05)/log(1-0.05)=1.

Assumed 95% reduction in MF6.1.3.2 Pilot handling error causing level bust.

Assumed 30% reduction in MF6.1.2.3 Pilot lateral deviation and CF6 Flight towards terrain commanded by FMS


Interactions Requires AUO-301 (Type 4 - at least 70% implementation required).

Overall effects Safety + (reduction of communication errors)

STAR 2008: 10.0% reduction in MAC; 1% in runway; 1.1% in taxi; 12.2% in CFIT; 0.3% in wake

Episode 3


of 240


ID No. AUO-0304

Title Cruise-climb trajectories

Initiating Optimal Trajectories through Cruise-Climb Techniques

Description SESAR: An optimal thrust setting is selected for the climb and the aircraft climbs as weight is decreased though fuel burn. Aircraft fly their individual optimum trajectories to the maximum extent possible, minimising fuel burn.

Hazid 7Nov07: This is likely to be mainly business jets operating above FL390.

Timescale

Further information


Safety benefits Simpler control settings reduce pilot workload.

Safety hazards More complex trajectories increase controller task load, but systems would be adapted to offset this.

Representation in IRP Effects on ATCO and pilot resources assumed negligible.


N/A


Interactions

Overall effects STAR 2008: Safety neutral

Episode 3


of 240


ID No. AUO-0401

Title ATSAW on the airport

Air Traffic Situational Awareness (ATSAW) on the airport surface

Description Information regarding the surrounding traffic (incl. both aircraft and airport vehicles) during taxi and runway operations is displayed in the cockpit. The electronic flight bag is extended with a moving map and other traffic (aircraft+vehicles) information.

The objectives are to improve safety (e.g. at taxiways crossings, before entering an active runway, before take-off, etc) and to reduce taxi time in particular during low visibility conditions and by night.

Timescale DS-B IN (via Mode S ES 1090) to support ATSA potentially available from 2009/2010. ATSA-SURF and some alerts (Runway Incursion) will be available onboard from 2009

Further information CRISTAL ATSAW project Final Report (CRISTAL-ATSAW/D4.1 Version 1.0 16-11-2007)

Improve Runway Safety is a top NTSB MOST WANTED Transportation Safety Improvements in Aviation Issue Area.


Safety benefits Improved situation awareness during taxiing. Reduced possibility of flight crew becoming lost and inadvertently entering runway.

Ease A/C identification & decrease risk of confusion between traffic.

Anticipation of potential conflicting situations (esp. Low Visibility).

Safety hazards Possible distraction of pilot during take-off.

Possible over-reliance during Taxi leading to reduction in visual awareness or excessive speeds in low visibility.

Risk of conflicting Aircraft Identification (ADS-B vs. R/T call-sign for unusual airlines)

Representation in IRP Increased quality of aircraft design


90% reduction in pilot errors in taxi influenced by aircraft design. ME=44%, hence ∆PS = 30log(1-0.9x0.44)/log(1-0.44)=26 due to aircraft design for taxi (from expert judgement in IRP 2005 App IV.8.3)

Effects profile Between 2010 and 2016. Maximum coverage 30% of conflicts. This represents an assumption that only 30% of the fleet will have moving map displays (from expert judgement in IRP 2005 App IV.8.3)

Interactions



ID No. AUO-0402

Title ATSAW in flight

Air Traffic Situational Awareness during flight operations

Description SESAR: Surrounding traffic position is displayed in the cockpit. The objective is to provide the flight crews with an "enhanced traffic situational awareness" irrespective of visual conditions, in order to improve safety of flight and efficiency of air traffic control. In all airspace, the flight crews will be better able to detect an unsafe situation.

Episode 3


of 240


Timescale

Further information CRISTAL ATSAW project Final Report (CRISTAL-ATSAW/D4.1 Version 1.0 16-11-2007)

FALBALA Project Dissemination Forum – 8th July 2004 (WP3 EUROCONTROL)


Safety benefits Improved situation awareness in flight. Reduced possibility of flight crew errors in separation or ACAS response.

For ATCO:

� Slight positive effect on providing control information.

� Allowed controller to call traffic earlier than normal.

� Moderately positive effect on communicating (less pilot requests on the traffic).

� Reduce the uncertainties related to visual acquisition.

For Flight Crews:

� Increased flight crew confidence in their ability to maintain awareness of the exact position of traffic even when traffic transitioned in and out of obscuration.

� Aided in planning and workload management, and intra-cockpit communication.

� Increased pilots’ ability to detect unsafe situations and appropriately handle such situations. (e.g. TCAS alerts)

Safety hazards Possible unauthorised early avoidance manoeuvres by flight crew.

Possible over-reliance leading to reduction in visual awareness.

Possible confusion caused by mixed fleet equipage.

Display clutter is an issue in high density areas, where most needed.

Pilot hesitation over controller’s instruction.

Representation in IRP Reduction in pilot controlled conflicts.

Increase in pilot deviations in controlled airspace.


Assumed 10% reduction in MB8.4 Inadequate separation in pilot controlled conflicts (confidence range 2 to 20%)

Assumed 10% increase in MF6.1.3.2 Pilot handling error causing level bust and MF6.1.2.3 Pilot lateral deviation (confidence range 5 to 50%)

Effects profile Between 2010 and 2017. Maximum coverage 30% of conflicts.

Interactions

Overall effects SESAR: Safety +? (Safety issues related to mixed fleet equipage)

Hazid 7Nov07: Overall negative impact on safety

STAR 2008: 0.3% increase in MAC

Episode 3


of 240


ID No. AUO-0403

Title Enhanced vision

Enhanced Vision for the Pilot in Low Visibility Conditions

Description The pilot gets an enhanced outside vision through use of airborne imaging sensors such as forward looking infrared (FLIR) and millimetre-wave radar.

Timescale

Further information


Safety benefits Improved situation awareness on ground during taxi and in final approach. Reduced possibility of flight crew failing to see terrain or other aircraft.

Safety hazards Possible lack of clarity of display leading to overconfidence in low visibility.

Greater focus on displays inside flight deck.

Representation in IRP Reduced effects of restricted visibility and darkness


50% reduction in RB1.1.2.1 Restricted visibility and RB1.1.2.2 Darkness hides other aircraft.

10% reduction in pilot errors in taxi influenced by aircraft design. ME=44%, hence ∆PS = 30log(1-0.1x0.44)/log(1-0.44)=2 due to aircraft design for taxi

Effects profile Between 2013 and 2018. Maximum coverage 30% of fleet.

Interactions

Overall effects SESAR: Safety neutral

Hazid 7Nov 07: Probably small safety improvement


ID No. AUO-0404

Title Synthetic vision

Synthetic Vision for the Pilot in Low Visibility Conditions

Description The system in the cockpit provides the pilot with a synthetic/graphical view of the environment using terrain imagery and position/attitude information.

Timescale

Further information


Safety benefits As AUO-0403

Safety hazards As AUO-0403

Representation in IRP As AUO-0403


90% reduction in RB1.1.2.1 Restricted visibility and RB1.1.2.2 Darkness hides other aircraft



Interactions Assumed different aircraft to AUO-0403, and hence additive

Episode 3


of 240




ID No. L10-07

Title Visual approaches

Visual conducted approaches


� AUO-0501: Visual Contact Approaches When Appropriate Visual Conditions Prevail

� AUO-0502: Enhanced Visual Separation on Approach (ATSA-VSA)

Support for visual acquisition of the preceding aircraft and procedures to maintain visual separation in VMC instead of IFR separation.

Timescale

Further information


Safety benefits Improved procedures and guidance for delegated separation.

Safety hazards

Representation in IRP Improved pilot separation


10% reduction in MB8.4 Inadequate separation by pilot in approach (70% of conflicts) (confidence range 2 to 30%)


Interactions

Overall effects VSA: Safety + (Positive effect on maintaining a safe and efficient traffic flow. NUPII experiments showed that controllers felt more certain that flight crews were following the correct traffic, and pilots were better able to maintain their own spacing.)

STAR 2008: Safety neutral (in 2005)

Episode 3


of 240


ID No. AUO-0501

Title Visual Contact Approaches When Appropriate Visual Conditions Prevail

Description Visual contact approaches are applied instead of IFR operations when appropriate visual conditions prevail. The legally approval of this type of VFR procedure for IFR traffic in Europe is a prerequisite.

Timescale 2009 to 2015

Further information SESAR Rationale: A significant benefit in declared capacity can only be achieved at airports with a low probability of Instrument Meteorological Conditions (IMC) and Low Visibility Procedures (LVP).


Safety benefits

Safety hazards Improved procedures and guidance for delegated separation.

Increased ATCO workload (closer traffics, risk of go-around)



Effects profile

Interactions


ID No. AUO-0502

Title Enhanced visual separation on approach (ATSA-VSA)

Description The application (ATSA-VSA) helps crew to achieve the visual acquisition of the preceding aircraft and then to maintain visual separation from this aircraft.

Timescale 01/01/2010 to 01/01/2015

Further information SESAR Rationale: The objective is to facilitate successive approaches for aircraft cleared to maintain visual separation from another aircraft on the approach. However, applicability within core European airspace appears to be very limited and for airports that do not currently use visual separation on approach, there is unlikely to be a case to introduce Enhanced Visual Separation.

SESAR Comments: ATSA-VSA will be available onboard from 2009. ATSA-VSA standard expected mid 2008.

FALBALA Project Dissemination Forum (WP3 EUROCONTROL 8th July 2004). OpEval 1 shows 15% reduction in Mean Approach Time.

“Airbus Status on ADS-B In / Out Update” by Stéphane Marché (ASAS TN Paris April 2008)


Episode 3


of 240


Safety benefits Reduction of Flight Crew workload following traffic (visual acquisition, maintaining visual contact, gauging distance and closure rates).

Increased situational awareness in busy traffic pattern (useful for acquiring and re-acquisition of traffic, re-checking the position of traffic without consulting ATC, improved awareness of ATC traffic pattern objectives).

Safety hazards Possible distraction of pilot due to Clutter in busy traffic pattern and excessive head-down time.

Increased ATCO workload (closely spaced traffics, risk of go-around,…).

Risk of conflicting Aircraft Identification:

ADS-B vs R/T call-sign for unusual airlines.

CDTI vs out-of-the-window (changes in aircraft / air carrier paintings).



Effects profile

Interactions


ID No. AUO-0602

Title Guidance assistance to aircraft on the airport surf ace

Description SESAR: The system provides the pilot with an airport moving map showing taxiways, runways, fixed obstacles and own aircraft position.

Hazid 20Nov08: This is a basic map of the airport, showing aircraft location but not route. This is more basic than AUO-0401.

FI 16Sep08: Runway Awareness Advisory System (RAAS) is an EGPWS upgrade comparing GPS position to a runway database, providing audible alerts when approaching runways and taxiways; announcing runway identification on ground and on final approach; and issuing an alert if the aircraft accelerates for take-off on a taxiway.

Timescale FI 16Sep08: 1600 RAAS units are delivered during 2005-08, including fleets of FedEx, Air France and Alaska Airways.

Further information L01-02 ATM SERVICE LEVEL 1

FI 16Sep08: 1600 RAAS units are delivered during 2005-08, including fleets of FedEx, Air France and Alaska Airways.

RAAS in service on Lufthansa (Flight International 27-03-2007) and United Airlines, Emirates, Condor and Malaysia too (Honeywell 2008). Current fleet of 1200 commercial jets and 1500 business jets at Feb 2008 “Honeywell Aerospace Before U.S. House Of Representatives”. RAAS is sold as a software upgrade for Honeywell EGPWS, not as new avionics hardware LRU.


Safety benefits Improved situation awareness during taxi, especially in low visibility. Reduced possibility of flight crew becoming lost and inadvertently entering runway.

Safety hazards Possible over-reliance leading to reduction in visual awareness or excessive speeds in low visibility.

Episode 3


of 240


Representation in IRP Increased quality of aircraft design (as AUO-0401)




Interactions

Overall effects STAR 2008: 0.7% reduction in runway; 1.1% in taxi

ID No. AUO-0603

Title Airport surface routing assistance

Enhanced Guidance Assistance to Aircraft on the Airport Surface Combined with Routing

Description SESAR: The system displays dynamic traffic context information including status of runways and taxiways, obstacles, route to runway or stand. Ground signs (stop bars, centreline lights, etc.) are triggered automatically according to the route issued by ATC.

Hazid 20Nov08: The agreed taxi route is (a) used to control the airport taxiway lights; and (b) displayed to the pilot on a moving map if fitted.

Timescale Hazid 20Nov08: Some airports already have this.

Further information


Safety benefits Reduced possibility of flight crew becoming lost and inadvertently entering runway.

Safety hazards Possible over-reliance leading to reduction in visual awareness or excessive speeds in low visibility.

Reduction in ATCO reaction time in case of conflicts due to taxi speed increase. Mitigated if AUO-0401 is implemented.

Representation in IRP Increased quality of airport charts and visual aids


(a) 20% reduction in pilot errors in taxi influenced by airport visual aids. ME=33%, hence ∆PS = 30log(1-0.2x0.33)/log(1-0.33)=5 due to airport visual aids.

(b) 50% reduction in pilot errors in taxi influenced by airport charts. ME=11%, hence ∆PS = 30log(1-0.5x0.11)/log(1-0.11)=15 due to airport charts.

Effects profile Between 2010 and 2014. Maximum coverage 30% of fleet for (b) only.

Interactions AO-0101 is a predecessor but not enabler. Required predecessor AUO-0602 (Type 1 - % implementation cannot be exceeded), but for (b) only. [This OI should be split into 2 to represent dependencies accurately]

Non required OI Step AUO-0401 mitigates some safety hazards, due to vastly improvements in situation awareness.


Hazid 20Nov08: Large effect expected.


ID No. AUO-0604

Episode 3


of 240


Title Taxi automation

Enhanced Trajectory Management through Flight Deck Automation Systems

Description SESAR: Use of advanced aircraft automated systems such as e.g. auto-brake (making it impossible for an aircraft to cross a lit stop bar) and auto-taxi (optimising speed adjustment).

Hazid 20Nov08: The agreed taxi route is followed automatically.

Timescale

Further information SESAR Comments: Aircraft capabilities potentially available from 2013.

SESAR Safety Rationale: Flight crew supported by advanced tool for ground operations.


Safety benefits Reduced possibility of runway incursion.

Safety hazards Possible over-reliance leading to reduction in manual observation of stop bars.

Uncertainties between systems automated response and standard procedures (for ATCO). ATCO’s perception of loss of control in case of automated response without alerting ATC in-time.

Representation in IRP Increased quality of aircraft design


95% reduction in pilot errors in taxi influenced by aircraft design. ME=44%, hence ∆PS = 30log(1-0.5x0.44)/log(1-0.44)=13 due to aircraft design for taxi (Hazid 20Nov08)

Effects profile Between 2018 and 2023. Only likely at busy airports. Maximum coverage 30% of movements.

Interactions Auto-taxi requires increased surface navigation accuracy. Required predecessor AUO-0603 (Type 1 - % implementation cannot be exceeded

Overall effects SESAR: Safety + (Diminish risk of collision.)

Hazid 20Nov08: Very large effect expected.


Episode 3


of 240


ID No. AUO-0605

Title Pilot alerting for runway incursion

Automated Alerting of Runway Incursion to Pilots (and Controller)

Description SESAR: The system detects potential and actual runway incursions and simultaneously transmits alerts to controllers and the pilots of the potentially affected aircraft.

Currently, surveillance detection equipment notifies air traffic controllers of potential incursions and then controllers must relay the information to pilots via voice, resulting in less than optimal response time.

Hazid 19Oct07: Alerting needs to be sequential (i.e. ATCO first, then pilot if no response). In order to maintain independence, it might be preferable to have an independent pilot alarm, downlinked to the ATCO.

Timescale

Further information NTSB have found that Airport Movement Area Safety System, “AMASS is not adequate to prevent serious runway collisions because too much time is lost routing valuable information through ATC”; “simulations of AMASS performance using data from actual incursions show that alerts may occur as little as 8 to 11 seconds before a potential collision. In recent incidents, AMASS did not alert controllers in time to be effective, and the situations were instead resolved by flight crew actions that sometimes bordered on heroics or simple luck.”


Safety benefits More rapid alerting of pilots to imminent runway incursion.

Safety hazards Possible over-reliance leading to reduction in visual checks on runway entry.

Possible distraction of pilot in cases where ATCO is aware.

False conflict alert due to unforeseen movements (no Flight Plan data during taxi), may lead to untrusting system perception, mainly during implementation phase.

Representation in IRP Improved performance in collision avoidance


Assumed 30% reduction in pilot errors influenced by aircraft design. ME=11%, hence ∆PS = 30log(1-0.5x0.11)/log(1-0.11)=13 due to aircraft design for runway collision avoidance (confidence range 5% to 50%)



Overall effects STAR 2008: 0.2% reduction in runway; 0.8% in taxi

Episode 3


of 240


ID No. L10-04

Title Minimising runway occupancy time (ROT)


� AUO-0701: Use of Runway Occupancy Time (ROT) Reduction Techniques

� AUO-0702: Brake to Vacate (BTV) Procedure

� AUO-0703: Automated Brake to Vacate (BTV) using Datalink

FI 16Dec08: BTV shows the minimum stopping distance for dry or contaminated runway on the airport navigation display. Pilots can select the desired turnoff point. The system calculates the auto-brake deceleration profile to minimise brake wear. If the stopping point passes the runway end due to unstable approach, the system gives a warning and applies maximum braking.

Timescale FI 16Dec08: BTV will be certificated in 2009 as a software upgrade for A320, A330, A340 and A380.

Further information


Safety benefits Reduced ROT slightly reduces runway collision risk from premature landings (for constant traffic).

BTV gives earlier warning of runway excursion (not ATM related).

Safety hazards Reduced ROT may enable reduced spacing on approach, increasing wake and mid-air collision risks (negligible for constant traffic)

Representation in IRP Hazid 19Oct07: No significant safety effect



Interactions


12.8 INFORMATION MANAGEMENT

ID No. L1-01

Title Flight data consistency

Improving Flight Data Consistency and Interoperability


� IS-0101: Improved Flight Plan Consistency Pre-Departure (Reprocessing and effective dissemination of flight plan amendments before EOBT)

� IS-0102: Improved Management of Flight Plan After Departure

� DCB-0301: Improved consistency between airport slots, flight plans and ATFCM slots

� DCB-0302: Collaborative management of flight updates

Timescale

Further information

Benefit focus Interoperability

Episode 3


of 240


Safety benefits Eliminates inconsistencies between flight data used by different stakeholders, and improves problem solving.

Improves controller decision-making, with minor safety benefits.

Enables improved ATC planning and earlier resolution of conflicts.

Safety hazards Data integrity failures may not be detected, but impacts expected to be minor.

Representation in IRP Improved quality of flight planning information


10% reduction in ATCO errors due to flight planning information. ME=6%, hence ∆PS=30log(1-0.1x0.06)/log(1-0.06)=3 for flight plans.


Interactions [Must enable something]


STAR 2008: 0.6% reduction in MAC; 2.0% in runway; 2.9% in taxi; 0.1% in CFIT; 4.4% in wake

ID No. L1-03

Title From AIS to AIM

From aeronautical information services to aeronautical information management

Description This series of steps involve the progressive European wide dissemination and use of common data exchange models supported by a networking of interactive databases.

OI steps included:

� IS-0202: Improved Supply Chain for Aeronautical Data through Common Quality Measures

� IS-0203: Harmonised Aeronautical Information through Common Data Model

� IS-0204: Facilitated Aeronautical Data Exchanges through Digitalised Information

Timescale

Further information

Benefit focus Interoperability

Safety benefits Reduces the likelihood of airborne navigation errors related to erroneous data (less interpretation and transformation of data ).

Eliminates inconsistencies between data used by different stakeholders, and improves decision-making.


Safety hazards Data integrity failures may not be detected, but impacts expected to be minor.

Representation in IRP Improved quality of AIS information


10% reduction in pilot errors due to AIS information. ME=2% for MAC, hence ∆PS=30log(1-0.1x0.02)/log(1-0.02)=1 for AIS information.


Interactions

Episode 3


of 240


Overall effects Safety + (Improved, standardised flight preparation and planning ensures consistent, timely and complete provision of required pre-flight information.)

STAR 2008: 0.1% reduction in MAC; 0.4% in runway; 0.5% in taxi; 0.1% in wake

ID No. L1-05

Title Airspace user data to improve ground tools performa nce


� IS-0301: Interoperability between AOC and ATM Systems (FDPS)

� IS-0302: Use of Aircraft Derived Data (ADD) to Enhance ATM Ground System Performance

� IS-0303: Use of Predicted Trajectory (PT) to Enhance ATM Ground System Performance

� IS-0305: Automatic RBT Update through Trajectory Management Requirements (TMR) logic

Timescale

Further information


Safety benefits Increased accuracy of ground computed trajectory, improves ATM support tools and safety nets.

Eliminates inconsistencies between air and ground systems, and reduces errors due to conflicts.

Safety hazards Data integrity failures will be shared, but quality management can be more concentrated.

Representation in IRP Improved quality of ATC system performance


20% reduction in ATCO errors due to ATC systems. ME=28% for MAC, hence ∆PS=30log(1-0.2x0.28)/log(1-0.28)=5 for ATC systems.


Interactions Enabled by Datalink

[Must enable something]

Overall effects Safety + (Increased air-ground consistency; increased accuracy of ground computed trajectory, better ATM decision support tools performance, especially for short term prediction (safety nets).)


Episode 3


of 240


ID No. L1-02

Title Information provision

Improving aeronautical and weather information provision


� IS-0201: Integrated Pre-Flight Briefing (relevant information integrated into one package)

� IS-0401: Automatic Terminal Information Service Provision through Use of Datalink

� IS-0402: Extended Operational Terminal Information Service Provision Using Datalink

Timescale

Further information http://www.eurocontrol.int/aim/public/subsite_homepage/homepage.html


Safety benefits Increased accessibility of relevant current AIS and MET data.

Safety hazards Vulnerability to datalink failures

Representation in IRP Improved quality of AIS data


10% reduction in pilot errors due to AIS information. ME=2% for MAC, hence ∆PS=30log(1-0.1x0.02)/log(1-0.02)=1 for AIS information.



Overall effects Safety + (No explanation)

STAR 2008: 0.1% reduction in MAC; 0.4% in runway; 0.5% in taxi; 0.1% in wake

ID No. IS-0401

Title Automatic Terminal Information Service Provision through Use of Datalink

Description Compiled ATIS information specifically relevant to the departure, approach and landing phases of flight (such as runway in use, current weather, airport and facility conditions) is transmitted to the aircrew by datalink. ATIS messages (synthesised voice) can be generated fully automatically or at the controller's request.

Timescale 01/01/2007 to 01/01/2011

Further information L01-02 ATM Service Level 0

Benefit focus Safety +++

Safety benefits More reliable Information (reduced human error, reading instead of listening).

Flight Crew: Increases focus and reduces stress (information when needed).

Safety hazards



Effects profile

Episode 3


of 240


Interactions

Overall effects

ID No. IS-0402

Title Extended Operational Terminal Information Service Provision Using Datalink

Description Current meteorological and operational flight information derived from ATIS, METAR and NOTAMs/SNOWTAMs, specifically relevant to the departure, approach and landing flight phases is transmitted to pilots by datalink. The flight crew has real-time access to the relevant airport operational parameters applicable to the most critical phases of flight (ATIS, METAR

Timescale 01/01/2011 to 01/01/2016

Further information L01-02 ATM Service Level 1

Benefit focus Safety +++

Safety benefits Better information and real-time updated (even further than IS-0401)

Safety hazards



Effects profile

Interactions

Overall effects

ID No. L1-06

Title Enhanced weather forecast

Use of airborne weather data by meteorological service to enhance weather forecast

Description Specified weather data are captured by airborne aircraft and downlinked to the meteorological service in support of forecasting, significant weather reporting and data collection. (This may be "contract" or "event" driven).

The objective is the provision of meteorological products which are more informed and accurate.

Timescale

Further information http://www.eurocontrol.int/aim/public/standard_page/met.html


Safety benefits Improved MET predictions enable

� Better arrival planning, reducing diversions and weather-related accidents.

� More accurate trajectory prediction.

� Airport capacity optimisation in adverse weather.

� Weather avoidance, reducing weather-related accidents.

Safety hazards

Episode 3


of 240


Representation in IRP Improved quality of MET data


10% reduction in pilot errors due to MET data. ME=2% for MAC, hence ∆PS=30log(1-0.1x0.02)/log(1-0.02)=1 for MET data.



Overall effects STAR 2008: 0.1% reduction in MAC; 0.1% in wake

ID No. L1-04

Title Implementing SWIM

Implementing system wide information management (SWIM)


� IS-0701: Expand the scope of Aeronautical Information (to include MET, flight and trajectory data)

� IS-0702: Transition from the product centric provision of aeronautical information to a data centric one covering the complete expanded scope

� IS-0703: Develop and implement all the required exchange models to support the expanded information scope

� IS-0704: Agree data quality requirements for the different partners and different data types/elements

� IS-0705: Define and implement SWIM rules, roles and responsibilities

� IS-0706: Define and implement the logical information pool and SWIMNet to enable common data reference for all partners and all applications

� IS-0707: Commence and gradually extend information sharing with a view to supporting applications making use of shared information (e.g. NOPLA, CDM applications, etc.)

� IS-0708: Develop and implement the applications enabling generalised access to trajectory management

� IS-0709: Implement reception/generation of E-FPL into/from SESAR trajectory/flight data

Timescale

Further information


Safety benefits Eliminates inconsistencies between data used by different stakeholders, and hence improves decision-making.


Safety hazards Data integrity failures will be shared, but quality management can be more concentrated.

Representation in IRP SWIM is an enabler for other OIs, and is not explicitly represented.



Episode 3


of 240


Interactions

Overall effects STAR 2008: Not modelled

12.9 OTHER CHANGES MODELLED IN STAR

ID No. STAR-01

Title Increased traffic

Description Enabling traffic growth without increases in delays or risks is intended to be the result of the combined set of OIs.

Timescale

Further information Long-term forecast Scenario A


Safety benefits

Safety hazards Increased traffic (without compensating changes) may result in:

� Increased conflicts.

� Increased controller workload.

� Increased delays.

Representation in IRP Increased CAT movements result in increased conflicts (mid-air, runway, taxiway and wake).

Increased military/GA movements result in increased airspace penetrations.

Reduced ATCO resources - assumed runway controller resources can be increased, but not en-route or approach sectors.

Increased delays - could be included in STAR-02 but needs non-linear model.


Increased CAT movements (3.7% per year), giving 72% increase by 2020.

No change in military or GA movements

72% increase in ATCO errors (tactical and approach/departure) due to resources (modelled in STAR-03)

Effects profile Exponential growth

Interactions Enabled by other changes. No specific interaction modelled.

Overall effects STAR 2008: 73% increase in MAC; 73% in runway; 73% in taxi; 7% in CFIT; 110% in wake by 2020. Excluding workload effects: 52% increase in MAC; 72% in runway, taxi and wake; 0% in CFIT.

Episode 3


of 240


ID No. STAR-02

Title Reduced delays

Description Reduced delays are intended to be the result of the combined set of OIs.

Timescale

Further information


Safety benefits Reduced delays (at constant traffic) may result in:

� Reduced airborne holding manoeuvres and associated collision/fuel exhaustion risks.

� Reduced pressure on ATCO and flight crew to recover delays.

� Reduced fatigue due to extended duty time.

Safety hazards

Representation in IRP Reduced holding manoeuvres.

Increased flight crew resources


40% reduction in holding manoeuvres in flight.

20% reduction in flight crew errors due to resources. ME=5% [seems low], hence ∆PS=30log(1-0.2x0.05)/log(1-0.05)=6 for flight crew resources



Overall effects STAR 2008: 3.0% reduction in MAC; 1.9% in runway; 1.7% in taxi; 4.4% in CFIT; 0.7% in wake [because MAC is dominated by reduced holding; others by flight crew effects]

ID No. STAR-03

Title Reduced ATCO task load

Description Reduced task load (i.e. workload per flight) for tactical controller is the intended result of many of the OIs, allowing sector capacity to be increased. The change in task load is mainly a reduction in voice communications.

Timescale

Further information


Safety benefits Reduced task load (at constant traffic) may reduce errors due to

� -Reduced opportunities for error

� improved information reliability due to data link

� Extra time for traffic monitoring, separation planning, transmission of instructions, traffic information, co-ordination, monitoring of terrain clearance, collision avoidance warnings etc.

� Reduced stress on ATCO.

� Greater flexibility to manage fatigue.

� Reduced variation in controller workload, with fewer, less intense peaks, due to reduction in traffic upsets and better planning of re-routing, sector or airspace reorganisation.

Episode 3


of 240


Safety hazards Reduced workload (i.e. if not compensated by increasing traffic) may result in:

� Lack of attention, including focus on non-essential tasks

� Loss of motivation

Representation in IRP Increased ATCO resources. This is distributed between the various OIs causing this change according to the fractional reduction in communication load, measured as minutes of VHF communication per sector transit. Communication load is assumed to be 75% in TMA and 25% en-route (Hazid 15Oct08). Sum of task load effects in other OIs (excluding STAR-01) is 96% en-route and 74% in TMA, i.e. 79% overall.


79% reduction in ATCO errors (tactical and approach/departure) due to resources. ME=46% for separation, hence ∆PS=30log(1-0.79 x 0.46)/log(1-0.46)=22 for ATCO resources.



Overall effects STAR 2008: 16% reduction in MAC; 10% in CFIT; 24% in wake by 2020.

ID No. STAR-04

Title Changed ATCO role

Description Changed role for tactical controller towards monitoring compliance with plan rather than issuing instructions is a result of many of the OIs - change from active separator to overseer.

Timescale

Further information


Safety benefits Changed role (at constant traffic) may reduce errors due to:

� Less complex task demands.

� Reduced stress on ATCO.

� Reduced opportunities for errors caused by unnecessary interventions.

Safety hazards Changed role (at constant traffic) may increase errors due to:

� Lack of attention, including focus on non-essential tasks

� Loss of motivation

� More complex teamwork, dependent on electronic data exchange between controllers

Representation in IRP Reduced ATCO reliability. This is distributed between the various OIs causing this change according to the fractional reduction in active separation, measured as the fraction of sector transits actively managed, as opposed to monitored. Sum of effects in other OIs is 54%.

Reduced ATCO-induced conflicts.


Assumed 50% x 54% = 27% increase in ATCO errors due to reliability. ME=46% for separation, hence ∆PS=30log(1+0.27x0.46)/log(1-0.46)=-5 for ATCO reliability.

54% reduction in MF7.1 Trajectory instructions result in conflict.


Episode 3


of 240



Overall effects STAR 2008: 1.6% increase in MAC; 8.4% in CFIT; 7.6% in wake by 2020.

ID No. STAR-05

Title Larger aircraft

Description A greater proportion of larger aircraft (e.g. A380) may be expected to meet passenger growth where aircraft traffic growth is constrained.

Timescale

Further information


Safety benefits

Safety hazards � Increased aircraft size may result in:

� More critical wake separation standards.

� Greater energy in collisions.

� More delays due to baggage or passenger issues.

Representation in IRP Assumed no significant changes



Interactions Larger aircraft may have more modern equipment, e.g. AUO-0401. No modelling necessary.


ID No. STAR-06

Title Additional runways

Description Some new runway construction will be used to achieve traffic growth.

Timescale

Further information


Safety benefits Increased separation on runways.

Potential to separate arriving and departing traffic.

Reduction in crosswind operations if runways are not parallel.

Safety hazards Greater complexity of surface movements.

Potential conflicts (including wake encounters) between traffic on different runways.

Potential for confusion between runways at runway entry.

Possible increase in need for runway crossing operations.

Representation in IRP Increased crossing of active runway

Reduction in quality of airport design

Episode 3


of 240



Increase in RB5.1 runway crossing movements per flight equal to CAT traffic growth (STAR-01).

10% increase in ATCO/pilot errors due to airport design. ME=22% for taxi, hence ∆PS=30log(1-0.1x0.22)/log(1-0.22)=3 for airport design


Interactions

Overall effects STAR 2008: 2.5% increase in runway; 4.1% in taxi (with 2005 traffic)

ID No. STAR-07

Title Growth of medium-sized airports

Description Growth of medium-sized airports will be needed to achieve traffic growth, since the capacity of larger airports is more constrained.

Timescale

Further information


Safety benefits Possible reduction in need for runway crossing operations, if traffic is moved away from airports with multiple runways.

Safety hazards Better airport layout possible at less constrained airports.

Possible less experience of controllers and less familiarity of pilots.

Representation in IRP Reduced crossing of active runway

Increase in quality of airport design


Assumed reduction in runway crossing equal to growth from additional runways (STAR-06).

10% reduction in ATCO/pilot errors due to airport design. ME=22% for taxi, hence ∆PS=30log(1-0.1x0.22)/log(1-0.22)=-3 for airport design


Interactions

Overall effects STAR 2008: 2.4% reduction in runway; 3.9% in taxi (with 2005 traffic)

No effect on safety in combination with STAR-06

13 ANNEX III. MODELLING THE INFLUENCE LAYER & COMMON CAUSE IN THE IRP THROUGH

NETWORKS – A FEASIBILITY STUDY

13.1 INFLUENCE LAYER

13.1.1 Introduction

Underlying the direct human and technical causes of accidents are various factors which cannot be represented satisfactorily in a fault tree. Examples are organisational and cultural factors. In the IRP, the influence of these factors is represented via the influence layer as described in section 11.1.8. Quantification of the influence model is described in section 11.4. This appendix presents an assessment of the feasibility and added value of modelling during

Episode 3


of 240


future work (e.g. SESAR WP16.1.1.1) the influence layer in IRP through a network, e.g. with a Bayesian Belief Network (BBN) as a potential implementation medium. In order to assess the possible benefit of using a network, it is first necessary to describe some fault tree fundamentals. This is followed by a general overview of Bayesian Belief Nets. The section concludes with an overview of advantages and disadvantages of using a network to represent the influences.

13.1.2 Current IRP Influence Model

In the current IRP influence model, the connection between the influence model and the base events of the fault tree is expressed as a modification factor. In the case of multiple influencing factors acting on a base event, the overall modification factor is obtained by multiplying all individual modification factors. Two types of influences are distinguished; performance based influences and stratified influences. They differ in the way in which the value of the influence factor is determined. For performance based influences this is done by expert judgement, for stratified influences this is done from accident and incident data.

13.1.3 Fault Trees and Networks

A fault tree20 is a graphic model of the various parallel and sequential combinations of faults that will result in the undesired event. The undesired event constitutes the top event in the fault tree diagram. The logical flow in the diagram is from basic events to a ‘top event’. A node in a fault tree can have only two states, true or false. The state of a node with parents is completely determined by the state of the parents and the type of gate in which they combine.

The great advantage of a fault tree is that a very simple set of rules and symbols provides the mechanism for analyzing very complex systems.

Fault trees are used to identify combinations of component failures or human errors that can lead to an undesired event (top event), which can be a system failure, a component failure (if regarded as a subsystem), a loss (degradation) of function, a human error, etc. The logic in fault trees is binary. Events (faults) either occur or not and the mathematical operations are in essence very simple.

In many real systems the logic is not as straightforward; what goes on in one branch of a tree may influence what goes on in another branch, for instance due to a common cause. Whereas hardware common causes can in principle be identified and modelled with engineering knowledge of the system, with other common causes this is more problematic. Examples are the effect of training and safety culture. Dependence modelling in fault trees works well when dependencies can be associated with failures of the support system hardware components. Such support systems might include the power supply system, or the software control system. In such cases, the failure of the support system causes the failure, or unavailability, of multiple components. Other dependencies however do not express themselves directly by causing simultaneous component failures. Rather, they simultaneously influence the probability of failure of multiple components. Examples include maintenance, operator training, safety culture, etc. Fault tree modelling cannot readily capture dependencies that influence the probability of failure. Influences acting on the probability of failure, rather than on failure itself, must be captured in the uncertainty analysis of fault trees. Therefore IRP has introduced the influence layer model using modification factors as described above. One of the characteristics of this influence model, is illustrated in Figure 24 and Figure 25, is that a single factor or event can influence multiple other factors or events. In addition, each factor or event can be influenced by more than one single factor or event. This is different from a fault tree, where each event only influences one other event. The structure

20 See Vesely et al (1981) for a comprehensive description of fault tree analysis (Ref. 20).

Episode 3


of 240


of the model therefore resembles a network, in stead of the main part of the IRP which is a tree structure.

Because of the resemblance of the influence layer to a network structure, a next logical step in the development is to investigate if the model would improve if a formal network structure for representation and quantification of influences is selected. To answer this question, the analysis focuses on a specific type of network structure: a Bayesian Belief Net.

13.1.4 Bayesian Belief Nets

A Bayesian Belief Net (BBN) is an acyclic directed graph in which nodes represent variables and connecting arcs represent conditional dependence. Acyclic means that it contains no path from a variable back to itself. ‘Bayesian’ refers to Bayesian probability theory which is used to explore causal relations. BBNs are a more general structure than either event or fault trees. The point in using BBNs is the fact that they can capture probabilistic influences between random values which cannot be modelled functionally.

The advantages of a BBN over a fault tree are that local dependencies among components instead of the classical assumption on fault trees that events are statistically independent and soft interactions among component behaviour instead of deterministic AND/OR interactions as in a fault tree. In addition, a BBN allows multi valued variables instead of binary events as in a fault tree,

One of the advantages of a BBN is that it represents the probability of a child node for each possible combination of the values of the parents. This is different from the approach in the current influence model, where combined influences are described by multiplying the individual modification factors. For illustration, consider the following human performance example21. Human performance can be influenced by the use of alcohol and the use of medication. These are largely independent: the use of alcohol does not influence the use of medication, and the use of medication does not influence the use of alcohol. It is also known that the combined effect of alcohol and medication can significantly impair human performance. The combined effect of alcohol and medication can be much stronger than the multiplication of the individual effects. The influence can be represented in the following simple Bayesian Belief Network:

Figure 43: Simple BBN

Human performance

Use of alcohol

Use of medication

Suppose that each of the nodes in this model has two possible states. For ‘human performance’ these are ‘good’, and ‘poor’, for ‘use of alcohol’ and ‘use of medication’ these are ‘yes’ and ‘no’. The BBN represents the probability of the human performance node by the following table:

21 This is a generic human performance example. It is not specifically aviation related.

Episode 3


of 240


Table 32: Probabilities of human performance in BBN – an example

Human performance

Use of alcohol Use of medication

Good Poor

Yes No P1 P2

Yes Yes P3 P4

No Yes P5 P6

No No P7 P8

P1 to P8 are conditional probabilities which determine the likelihood that human performance is good or poor given the use of alcohol and/or medication. The combined effect of use of alcohol and medication is represented by the probabilities P3 and P4 (with P3+P4 = 1). If we consider P7 and P8 the baseline values, than in the IRP representation of influences, P2=P8*Ma and P6=P8*Mm, with Ma = modification factor for use of alcohol and Mm = modification factor for use of medication. P4 would then be P8*Ma*Mm. In the BBN however we can set P8 at a higher value, which in this example would be a better representation of reality.

Similarly, one could think of cases where the combined effect of certain factors is much less than what would follow from multiplication of the individual influences.

13.1.5 Types of BBN

There are several ‘types’ of BBN. The most widely used is a ‘discrete’ BBN in which the nodes represent discrete variables, e.g., ‘true’ and ‘false’ or ‘bad’, ‘medium’, ‘good’, or ‘1’, ‘2’, ‘3’, ‘4’, and ‘5’. The simple example above is a discrete BBN. Conditional probability tables specify the dependencies between nodes. They specify the distribution over the child node’s possible values, conditional on each possible combination of values of the parents. The main drawback of discrete BBNs is the heavy assessment and maintenance burden. The number of probabilities that must be assessed and maintained for a child node is exponential to the number of parents. If a given node X has K parent ‘influences’ where each influence originates from a chance node with M possible outcomes, then the conditional distribution of X must be assessed for each of the MK input influences. This heavy burden can only be reduced by grossly coarse-graining the outputs from nodes and /or introducing simplifying assumptions for the compounding of influences. In practice, chance nodes are often restricted to two possible values, just like in fault trees (Ref. 23). But even then the relevant multivariate data for quantification is often lacking, especially when the number of parent nodes for a single child node is more than (typically) 3 or 4. This drawback is already apparent from the simple example provided above. Full quantification of this model requires 4 values (p2, p4, p6 and p8), whereas in the IRP way of representing the influence only 3 values need to be determined (baseline and the two modification factors).

Discrete BBNs are not very flexible with respect to changes in modelling. If we add one parent node, then we must do again all previous quantification for the children of this node. In a fluid modelling environment this is a serious drawback. We would much prefer to be able to add a new node by adding one number for each child node, indicating influence, without re-doing the previous quantification, particularly in cases where data are sparse and expert judgement is needed to quantify the influences. A discrete BBN would only be of added value to IRP is it only includes child nodes that each have not more than 3 to 4 parent nodes.

As a solution to the problem of the heavy assessment burden for discrete BBNs, Delft University of Technology (DUT) has developed a method to represent probabilistic influence by conditional rank correlations. In Kurowicka and Cooke (2004) the authors introduced an

Episode 3


of 240


approach to continuous BBNs using vines (Ref. 21) together with copula22 that represent (conditional) independence as zero (conditional) rank correlation. A copula is a distribution on the unit square, with uniform marginal distributions; and vines are graphical models that represent multivariate distributions using bivariate and conditional bivariate pieces. In the procedure proposed in Kurowicka and Cooke (2004), nodes in the BBN are associated with arbitrary continuous invertible distributions and arcs with (conditional) rank correlations, which are realized by the chosen copula. No joint distribution is assumed, which makes the BBN non-parametric. In order to quantify BBNs using this approach, one needs to specify all one dimensional marginal distributions and a number of (conditional) rank correlations equal to the number of arcs in the BBN. These assignments together with the BBN structure, the choice of the copula, and the marginals uniquely determine the joint distribution. The (conditional) rank correlations assigned to the arcs of a BBN are algebraically independent. The dependence structure is meaningful for any such quantification, and need not be revised if the univariate distributions are changed. Moreover if a parent node is added or removed, after quantification, then the previously assessed (conditional) rank correlations need not be re-assessed.

Conditional rank correlations are not elicited directly or estimated from data directly. Rather, given a copula, these can be obtained from conditional exceedance probabilities. DUT developed a method to represent probabilistic influence by conditional rank correlations, that is, by rank correlation in a conditional distribution, according to a protocol based on an indexing of the parents. Influence of the first parent on the child is unconditional rank correlation, influence of the second parent on the child is the conditional rank correlation given the first parent, etc. The conditional rank correlations are algebraically independent, that is, previously chosen values do not constrain future choices. One of the main advantages of this approach is that the number of rank correlations to be assessed equals the numbers of arcs in the model; hence the assessment burden is significantly reduced. As a drawback, the value of the conditional rank correlations that describe dependencies between nodes is not a direct measure for the ‘strength’ of the dependencies. Another drawback of the DUT solution is that, due to the introduction of copula, it becomes mathematically quite complex and may overwhelm those accustomed to the engineering approach of fault trees.

13.1.6 Types of BBN

It is technically feasible to model the influence layer in IRP through a network, e.g. with a Bayesian Belief Network (BBN) as a potential implementation medium. The added value is that such a representation allows a better representation of combinations of influences and potentially a more straightforward representation of dependencies than by means of the modification factors that are currently used in the IRP. If the BBN is a conventional discrete BBN, the disadvantages are that it requires more data for quantification and that it is not very flexible; a change in the model structure requires complete reassessment of all (conditional) probabilities. If the BBN is built according to the approach developed in Delft, the data need is similar to that required for the current influence layer of the IRP and the model is flexible in use because a modification of the model does not require re-quantification of the complete model. However, the disadvantage of this approach is the mathematical complexity.

22 The copula of two continuous random variables X and Y is the joint distribution of FX(X) and FY (Y ), where FX; FY are the cumulative distribution functions of X; Y respectively. The copula of (X; Y) is a distribution on [0; 1]2 = I2 with uniform marginal distributions.

Episode 3


of 240


13.2 FEASIBILITY OF REPRESENTING COMMON CAUSES IN BBNS

13.2.1 The Study

The way common-causes failures (CCFs) are currently treated in the IRP is explained in Section 11.3.4. In that section, an example corresponding to Figure 44 below, identical to Figure 33a, is treated to explain the approach. The accident A results if the barrier B and C are both ineffective. Several causes can make those barriers ineffective. Some of those causes are common (CCF; e.g., low visibility makes that pilots of both aircraft will not see each other) while the occurrence of some other causes are independent (ICFB and ICFC respectively; e.g., the reduced vigilance of pilots on aircraft B and C respectively).

Figure 44: Common-Cause Failures in AND Gates

As explained in section 11.3.4, the difficulty of the representation shown above is the calculation of the probability of Accident A in the AND gate. This calculation should not use the standard formula which assumes that the ineffectiveness of barrier B and the ineffectiveness of barrier B are independent; they are not. In stead, the approach chosen in the IRP is based on Beta factors.

A Bayesian Belief Network (BBN) can be used to represent the influence of common cause factors. This approach is different from the combination of FT and Beta factors in several aspects. These differences are described in this section, which concludes with an overview of advantages and disadvantages of using BBNs to represent common causes.

In terms of a BBN, the causal structure of Figure 44 might be represented as in the Figure 45 below.

Figure 45: Simple representation of the causal stru cture of accident A by a BBN.

Accident A

ICFB ICFCCCF

Episode 3


of 240


This graphical representation does not reveal the precise logic as indicated by the AND and OR gates as in the Fault Tree representation. This logic follows from the underlying Conditional Probability Table (CPT):

Table 33: Conditional Probability Table for the BBN of Figure 45

ICFB ICFC CCF P(A=1)

0 0 0 0

0 0 1 1

0 1 0 0

0 1 1 1

1 0 0 0

1 0 1 1

1 1 0 1

1 1 1 1

It follows from this table and the independence of the nodes ICFB, ICFC and CCF that:

( ) ( ) ( )( ) ( ) ( )( ) ( ) ( )( ) ( ) ( )( ) ( ) ( )

( ) ( ) ( ) ( ) ( ) ( )( )( ) ( ) ( )( )ICFICFCCF

ICFICFCCFICFICFCCFCCFICFICFCCFICFICFCCFICFICFCCFICFICF

CCFICFICF

CB

BBBB

CB

CB

CB

CB

CB

PPP

PPPPPP

PPP

PPP

PPP

PPP

PPPAP

×−×−−=

××−×+=

=×=×=+

=×=×=+

=×=×=+

=×=×=+

=×=×==

111

111

011

101

110

100)(

This is indeed exactly the same equation as in section 11.3.4.

However, this BBN representation suffers the same lack of explanatory power of the causal hierarchy as Figure 44b in the main text: mathematically correct, but not appealing to the intuition of the reader and not in line with the causal structure of the model: Figure 45 does not show the probabilities of barriers B and C being ineffective. The BBN in Figure 46 below does not suffer from this drawback.

Episode 3


of 240


Figure 46: Representation of the causal structure o f accident A by a layered BBN

Accident A

Ineffective barrier B

Ineffective barrier C

ICFB ICFCCCF

Accident A



ICFB ICFCCCF

The CPTs for the nodes “Ineffective Barrier B”, “Ineffective Barrier C”, and “Accident A” read respectively:

Table 34: Conditional Probability Tables for the BB N of Figure 46

ICFB CCF P(B=1) ICFC CCF P(C=1) B C P(A=1)

0 0 0 0 0 0 0 0 0

0 1 1 0 1 1 0 1 0

1 0 1 1 0 1 1 0 0

1 1 1 1 1 1 1 1 1

The last CPT shows that the accident A only occurs if the barriers B and C are both ineffective, corresponding to an AND-gate:

0)001(;1)111( ==∨====∧== CBAPCBAP ;

This should not be interpreted as if the ineffectiveness of the barriers is independent. As an extreme illustration, if P(ICFB) = P(ICFB) = 0, then A only occurs if the CCF common-cause Failure CCR occurs. The evaluation of the BBN would then lead to P(A) = P(CCF) (and not P(A)= P(CCF)2 as would be the appropriate formula if the nodes Ineffective barrier B and Ineffective barrier C would not have been connected indirectly).

The representation can be compared with the representation chosen in the IRP as shown in

Figure 47 below (which is identical to Figure 44c).

Episode 3


of 240


Figure 47: Chosen form for Display in the IRP

The advantages of the BBN representation are:

• The representation is symmetric, in accordance with the model,

• The CCF is only represented once, at the lowest layer in this case, in accordance with the model,

• The feature of CCF being a common cause is graphically very clear.

The disadvantage of the BBN representation is that it does not reveal the structure of the dependencies (i.e. the AND and OR gates). As a matter of fact, a BBN is much more powerful and is not limited to AND and OR –like combinations of influences. If this (computational) power is not needed, the BBN’s advantage turns into a disadvantage. This might not be a severe drawback as the logic might appear from the names in the nodes. If this is nevertheless not convincing, a renewed graphical representation of the BBN can be adopted by putting in some additional symbols as in Figure 48 below, which are mathematically meaningless in this context but do have some explanatory power.

Figure 48: Illustrative representation of the causa l structure

Accident A



ICFB ICFCCCF

AND

OR OR

In conclusion, there is not much added value in having a BBN instead of a FT with Beta factors if the BBN just replaces the FT.

Episode 3


of 240


The more powerful properties of BBNs however reveal itself in the following situations which cannot be represented in a FT:

• The set of causes is not completely known, although it is known that there are some common causes. In that case, some of the underlying structure is just omitted and the presentation is as in Figure 49 below. The evaluation of that BBN would assume that the barriers B and C being ineffective are independent apart from the occurrence of the CCF.

Figure 49: Concise representation of the causal str ucture

Accident A



CCF

The CPTs for the nodes “Ineffective Barrier B”, “Ineffective Barrier C”, and Accident A now read respectively:

Table 35: Conditional Probability Tables for BBN in Figure 49

CCF P(B=1) CCF P(C=1) B C P(A=1)

0 P(ICFB) 0 P(ICFC) 0 0 0

1 1 1 1 0 1 0

1 0 0

1 1 1

• The set of causes is not known at all or considered out of scope, but there is statistical evidence that two variables are somehow dependent. Examples of such barriers are presented in 11.2.4 “Common Cause Data Analysis”. In such cases, the causes are just omitted in the model and the dependency between the dependent variables is indicated by an arrow which represents a causal relation that can be quantified by means of a CPT. It is noted that dependency is a symmetric relation (“A depends on B” implies that “B depends on A”) while causality is not (“A causes B” does not imply that “B causes A”). The BBN formalism assumes causal relations. In graphical terms, this implies that the network is acyclic and this means that arrows are uni-directional, thus breaking the symmetry. (In Figure 50 below, the ineffective barrier B seems to partially cause the barrier C to be ineffective, while the opposite might be stated as well. Mathematically however, the probabilities that barrier B is or is not effective, under the condition that barrier B is or is not effective follows from the Bayesian theorem and the probabilities that barrier C is or is not effective under conditional effectiveness of barrier B, given by the CPT corresponding to arrow

Episode 3


of 240


pointing from B to C). However, one may again just step outside the strict formalism by adding meaningless graphical signs such as a line with little arrows at both sides.

Figure 50: Further limited representation of the ca usal structure

Accident A



The CPTs for the nodes “Ineffective Barrier C”, and Accident A now read respectively:

B P(C=0) P(C=1) B C P(A=1)

0 (1-P(ICFB))x

(1-P(ICFC))x

(1-P(CCF))

(1-P(ICFB))x

(P(ICFC)x

(1-P(CCF))

0 0 0

1 P(CCF) +

P(ICFB)xP(ICFC)

P(ICFB)x

(1-P(ICFC))x

(1-P(CCF))

0 1 0

1 0 0

1 1 1

• The underlying contributing factor is not a deterministic cause but just an influence. In the example used so far, the two aircrew in different aircraft can or cannot see each other is also depending on whether the aircraft fly in clouds or not. However, the quantity “cloudiness” is not considered an appropriate element in the IRP for several reasons, for example as it can not be influenced. At the other hand, statistics might prove that simultaneous failures of visual acquisition occur more often in TMAs than in En Route airspace. The mechanism is that the relation between flight level and cloudiness makes that the probability of not being able to identify another aircraft visually while flying IFR depends on the flight phase (but is certainly not just 0 or 1, given the flight phase)23. The flight phase or the airspace is therefore not to be considered as a deterministic cause but as a common influence, which can perfectly taken into account as an underlying factor in a BBN. Other examples of such common influences are working conditions (which influence fatigue of for example pilots, and therefore several elements in the model) and selection criteria for Air Traffic Controllers (which influences the minimal capability level, and therefore again several elements in the model).

23 This is covered in IRP through the stratified influence ‘visibility’ in the Unit Specific IRP methodology

Episode 3


of 240


13.2.2 Conclusions

A BBN can be used to represent common mode influences in a risk model. If the risk model is represented as a fault tree, there is no real added value of introducing a BBN representation. Moving the entire IRP into a giant BBN is a big effort, and the only real benefit would be in the representation as the calculations would remain the same. A BBN becomes only advantageous if the properties of BBNs are exploited. This can be the case in the following situations:

• The set of causes is not completely known

• The set of causes is not known, but there is a statistical evidence of dependence

• The underlying factor is not a deterministic cause but an influence.

The disadvantage of a BBN is that it is mathematically more complex and in general it requires more data for quantification.

14 ANNEX IV. MODELLING OF ANOTHER ACCIDENT CATEGORIES: LOSS OF CONTROL DURING

LANDING

14.1 PRESENTATION

Figure 51: Overarching aircraft accident fault tree (Baseline – see Table 1)

Aircraft accident3,6E-07per flight

Contribution 1,000

Accident in flight Accident at airport2,2E-07 1,3E-07per flight per flight

Contribution 0,623 Contribution 0,377

Controlled flight into terrain

Loss of control in flight

Mid-air collision Structural accident Wake turbulence accident

Fire/explosion Take-off/landing accident

Taxiway collision

3,9E-08 1,3E-07 1,3E-08 1,6E-08 3,2E-09 2,2E-08 1,3E-07 4,9E-10per flight per flight per flight per flight per flight per flight per flight per flight

Contribution 0,110 Contribution 0,359 Contribution 0,037 Contribution 0,045 Contribution 0,009 Contribution 0,063 Contribution 0,376 Contribution 0,001

Runway collision Loss of control in take-off

Loss of control in landing

2,2E-08 4,8E-08 6,4E-08per flight per flight per flight

Note Contribution 0,062 Contribution 0,135 Contribution 0,1791. All frequencies are number of fatal accidents divided by numbers of flights.2. Frequencies refer to commercial flights within ECAC region in 2005

M W

R

C X

OR

OR OR

OR

The most important group of accidents scenarios of the ‘other’ accident categories is loss of control during landing. Of particular importance is the role of ANS in assisting the flight crew to maintain the correct approach path and of providing the flight crew with adequate information for the landing, including. Within the ‘loss of control in landing’ group the following general accident categories can be defined: ‘runway veer-off during landing’, runway overrun during landing’, ‘hard landing’ and runway undershoot.

The following pages present the associated fault tree models for these accidents and describe their quantification for the baseline scenario (i.e. 2005). Quantification was done on the basis of readily available material, in particular data that was derived for the CATS model as described in (Ref. 24). Data inclusion criteria are Western-built turboprop or jet heavier

Episode 3


of 240


than 5700 kg MTOW in commercial operations. The time frame ranged from 1985 to 2005. The top event of each fault tree represents an ICAO accident, this is not necessarily a fatal accident.

The accident frequencies are summarised in the table below.

Runway veeroff during landing 4.32x10-7

Runway overrun during landing 4.18x10-7

Hard landing accident 2.08x10-7

Runway undershoot 3.00x10-7

Total ‘loss of control in landing’ 1.36x10-6

The total probability for loss of control in landing accidents is 1.36x10-6 per flight. This is in line with Table 5 of the main report, which lists of probability of occurrence of 1.30x10-6 per flight for loss of control in landing accidents in 2005 for ECAC states. Given the fact that the fault trees were quantified from a different dataset, and taking into account that some assumptions had to be made, the difference of approximately 4% is negligible.

Episode 3


of 240


14.2 RUNWAY VEER-OFF DURING LANDING

14.2.1 Fault Tree

Figure 52: Fault Tree for Runway veer-off during la nding (baseline scenario)

Runway veer-off during landing

4.32E-07per landing

Loss of control potential

Flight crew not able to restore control

1.55E-03 2.78E-04per landing per loss of control

occurrence

Aircraft encounters weather beyond operational limits

Flight crew operation of equipment / aircraft

handling error

Directional control related system failure

1.21E-03 2.86E-04 5.67E-05per landing per landing per landing

Adverse weather Flight towards adverse weather

continued1.00E-02 1.21E-01

per landing per adverse weather occurrence

Inappropriate weather briefing

Weather briefing ignored by flight crew

6.05E-02 6.05E-02per adverse weather

occurrenceper adverse weather

occurrence

AND

OR

AND

OR

ANS contributes to the base event ‘inappropriate weather briefing’.

14.2.2 Quantification

Runway veer-off during landing

This probability is derived by adding all the landing veer-off probabilities from the CATS model (Ref. 24):

Windshear encounter during approach/landing 1.55x10-8

Inappropriate handling during flare 3.26x10-8

Inappropriate handling during the landing roll 1.55x10-7

Directional control related system failure 1.10x10-7

Single engine failure 7.52x10-9

Episode 3


of 240


Thrust reverser failure 5.31x10-8

Encounter with unexpected wind 5.76x10-8

Total 4.31x10-7

Loss of control potential

This probability is derived by adding all the landing roll loss of control probabilities from the CATS model:

Windshear encounter during approach/landing

5.01x10-8



Directional control related system failure 6.79x10-6




Total 1.55x10-3

Flight crew not able to restore control

This probability follows directly from the fault tree events ‘runway veer-off during landing’, ‘loss of control potential’ and the AND gate: 4.31x10-7 / 1.55x10-3 = 2.78x10-4 per loss of control potential.

Directional control related system failure

This probability is derived by adding the probabilities of ‘directional control system failure’, ‘single engine failure during landing’ and ‘thrust reverser failure during landing’ from the CATS model:

6.79x10-6+4.89x10-5+1.01x10-6=5.67x10-5.

Flight crew operation of equipment error

This probability is derived by adding the probabilities of ‘inappropriate aircraft handling during flare’ and ‘inappropriate aircraft handling during landing roll’ from the CATS model:

7.35x10-5+ 2.13x10-4=2.86x10-4

Aircraft encounters weather beyond operational limi ts

This probability is derived by adding the probabilities of ‘windshear encounter during approach/landing’ and ‘encounter with unexpected wind’ from the CATS model:

5.01x10-8+1.21x10-3=1.21x10-3.

Adverse weather

This probability is estimated at 1.00x10-2 per landing

Flight towards adverse weather continued

This probability follows directly from the fault tree events ‘aircraft encounters weather beyond operational limits’, ‘adverse weather’ and the AND gate: 1.21x10-3 / 1.00x10-2=1.21x10-1 per adverse weather encounter during approach/landing.

Episode 3


of 240


Inappropriate weather briefing

Due to lack of data, it is estimated that ‘flight toward adverse weather continued’ is apportioned equally between inappropriate weather briefing’ and ‘weather briefing ignored by flight crew’. This probability then becomes 1.21x10-1 / 2 = 6.05x10-2 per adverse weather encounter during approach/landing.

Weather briefing ignored by flight crew

Due to lack of data, it is estimated that ‘flight toward adverse weather continued’ is apportioned equally between inappropriate weather briefing’ and ‘weather briefing ignored by flight crew’. This probability then becomes 1.21x10-1 / 2 = 6.05x10-2 per adverse weather encounter during approach/landing.

14.3 RUNWAY OVERRUN DURING LANDING

14.3.1 Fault Tree

Figure 53: Fault Tree for Runway Overrun during lan ding (baseline scenario)

Runway overrun during landing

4.18E-07per landing

Failure to achieve sufficient braking

Landing on runway without excessive

length3.17E-02 1.32E-05

per landing per failure to achieve sufficient braking

Landing on slippery runway

Flight crew operation of equipment / aircraft

handling error

Braking system failure

8.10E-03 2.35E-02 7.56E-06per landing per landing per landing

Slippery runway Landing continued

8.18E-03 9.90E-01per approach per approach to

slippery runway

Inappropriate ANSC information

ANS information ignored by flight crew

5.00E-03 5.00E-03per approach to slippery runway

per approach to slippery runway

5.17E-05

Landing long and fast

Flight crew fails to execute missed

approach

Aircraft high and fast on approach

2.37E-03per approach

per landing


2.18E-02per unstable

approach

Adverse weather

7.90E-04per approachper approach to

slippery runway

Runway condition within aircraft

performance limits9.80E-01

Flight crew non-adherence to procedures7.90E-04

per approach

Incorrect or inadequate ANS

instruction / service

AND

OR

AND

OR

AND

OR

ANS contributes to the base events ‘inappropriate ANS information’ and ‘incorrect or inadequate ANS instruction / service’.


Runway overrun during landing

This probability is derived from all the landing overrun probabilities from the CATS model:

Unstable approach 1.98x10-7

Windshear exnounter 6.63x10-9


Episode 3


of 240






Total 4.18x10-7

Landing on slippery runway

This probability is estimated from information in (Ref. 25). According to this report, the probability of landing on a runway that is covered with snow, slush or ice is 8.10x10-3 per landing. This probability is assumed to be an accurate estimate of the probability of landing on a slippery runway.

Landing continued

Because of lack of data, this probability is arbitrarily estimated to be 9.90x10-1 per approach to a slippery runway.

Slippery runway

This probability follows directly from the probabilities for ‘landing on a slippery runway’, landing continued’ and the AND gate: 8.10x10-3 / 9.90x10-1 = 8.18x10-3 per approach.

Runway condition within aircraft performance limits

It is arbitrarily assumed that in 98 out of 100 approaches to a slippery runway the runway condition is within the performance limits of the aircraft.

Inappropriate ANS information

It is arbitrarily assumed that in 1 out of 200 approaches to a slippery runway, ANS provides inappropriate information on the runway condition to the flight crew.

ANS information ignored by the flight crew

It is arbitrarily assumed that in 1 out of 200 approaches to a slippery runway, the flight crew ignore the information provided by ANS on the condition of the runway.

Flight crew operation of equipment / aircraft handl ing error

This probability is derived by adding the probability for inappropriate aircraft handling during the flare and inappropriate aircraft handling during the landing roll from the CATS model:

2.33x10-2 + 2.13x10-4 = 2.35x10-2.

Braking system failure

This probability is derived by adding the probability of a failure of the landing gear (ATA code 3200) and failure of the thrust reverser. According to data from the CATS model the associated probability is 6.56x10-6 + 1.01x10-6 = 7.57x10-6 per landing.

Flight crew fails to execute missed approach

This probability is taken from the CATS scenario of unstable approach: 8.35x10-5 per unstable approach.

Aircraft high and fast on approach

According to the CATS model, the probability of an unstable approach is 5.26x10-3 per approach. It is arbitrarily assumed that 45% of unstable approach are due those where the aircraft is too high and fast, 45 % are cases where the aircraft has a sink rate that is too high, and the remaining 10 % are cases where the aircraft’s configuration is not correct (e.g. incorrect flap setting, landing gear deployed too late, etc). This results in a probability of aircraft being high and fast on the approach of 2.37x10-3 per approach.

Episode 3


of 240


Flight crew non-adherence to procedures

It is assumed that the cause of the aircraft being too high or fast on the approach is equally distributed amongst ‘flight crew non-adherence to procedures’, ‘incorrect or inadequate ANS instruction / service’ and ‘adverse weather’. The probability of occurrence is 7.90x10-4

Incorrect or inadequate ANS instruction / service


Adverse weather


Landing long and fast

The probability of landing long and fast follows directly from multiplying the probabilities of ‘flight crew fails to execute missed approach’ and ‘aircraft high and fast on approach’: 8.35x10-5 x 2.37x10-3 = 5.17x10-5 per landing.

Failure to achieve maximum braking

The probability of failure to achieve maximum braking follows directly from adding the probabilities of ‘landing on slippery runway’, ‘flight crew operation of equipment / aircraft handling error’, ‘braking system failure’ and ‘landing long and fast’:

8.10x10-3+2.35x10-2+7.57x10-6+5.17x10-5 = 3.17x10-2 per landing.

Landing on runway without excessive runway length

This probability follows directly from the fault tree events ‘runway overrun during landing’, ‘failure to achieve sufficient braking’ and the AND gate:

4.18x10-7 / 3.17 x 10-2 = 1.32x10-5 per failure to achieve sufficient braking.

Episode 3


of 240


14.4 HARD LANDING

14.4.1 Fault Tree

Hard landing accident


Hard landing due to inappropriate flare

Hard landing due to unstable approach

1.43E-07 6.51E-08per approach per approach

High sinkrate on flare initiation

High sink rate not corrected during flare

5.17E-05 1.26E-03per continued

unsttable approachper continued

unstable approach

High sinkrate Flight crew fails to execute missed

approach2.37E-03 2.18E-02

per approach per unstable approach


Incorrect or inadequate ANS

instruction / service / advice

7.90E-04 7.90E-04per approach per aproach

Adverse weather


AND

OR

AND

OR

ANS contributes to the base event ‘incorrect or inadequate ANS instruction / service / advice’.


Hard landing due to inappropriate flare

This probability follows directly from the CATS model: 1.43x10-7 per landing.

Hard landing due to unstable approach.

This probability follows directly from the CATSD model: 6.52x10-8 per landing.

High sink rate

According to the CATS model, the probability of an unstable approach is 5.26x10-3 per approach. It is arbitrarily assumed that 45% of unstable approach is due those where the aircraft is too high and fast, 45 % are cases where the aircraft has a sink rate that is too high, and the remaining 10 % are cases where the aircraft’s configuration is not correct (e.g. incorrect flap setting, landing gear deployed too late, etc). This result in a probability of aircraft having a high sink rate during the approach of 2.37x10-3 per approach.

Flight crew fails to execute a missed approach

Episode 3


of 240


This probability is taken from the CATS scenario of unstable approach: 8.35x10-5 per unstable approach.


It is assumed that the cause of the high sink rate during the approach is equally distributed amongst ‘flight crew non-adherence to procedures’, ‘incorrect or inadequate ANS instruction / service’ and ‘adverse weather’. The probability of occurrence is 7.90x10-4

Incorrect or inadequate ANS instruction / service

It is assumed that the cause of the high sink rate during the approach is equally distributed amongst ‘flight crew non-adherence to procedures’, ‘incorrect or inadequate ANS instruction / service’ and ‘adverse weather’. The probability of occurrence is 7.90x10-4

Adverse weather

It is assumed that the cause of the high sink rate during the approach is equally distributed amongst ‘flight crew non-adherence to procedures’, ‘incorrect or inadequate ANS instruction / service’ and ‘adverse weather’. The probability of occurrence is 7.90x10-4.

High sink rate on flare initiation

This probability follows from multiplying the probabilities for ‘high sink rate’ and ‘flight crew fails to execute missed approach’:

2.37x10-3x2.18x10-2 = 5.17x10-5.

High sink rate not corrected during flare

This probability follows directly from the probabilities for ‘hard landing due to unstable approach’, ‘high sink rate on flare initiation’ and the AND gate:

6.52x10-8 / 5.17 x 10-5 = 1.26 x 10-3 per approach.

Hard landing accident

This probability follows from adding the probabilities for ‘hard landing due to inappropriate flare’ and ‘hard landing due to unstable approach’:

1.43x10-7+6.52x10-8 = 2.08x10-7 per landing.

14.5 RUNWAY UNDERSHOOT

14.5.1 Fault Tree Undershoot accident


Aircraft below glide path

Ineffective terrain warning

1.60E-04 1.87E-03per approach per aircraft below

glide path

Ineffiective visual warning

Ineffective GPWS warning

Ineffecctive ATCO warning

4.50E-01 5.20E-03 8.00E-01per aircraft below

glide pathper aircraft below

glide pathper aircraft below

glide path

Pilot commands aircraft below

glidepath

FMS commands aircraft below glide

path

per approach per approach1.40E-04 2.00E-05

AND

AND

OR

ANS contributes to the event ‘ineffective ATCO warning’.

Episode 3


of 240



The scenario for ‘runway undershoot’ has similarities to the scenario for CFIT. The estimates for the base event frequencies are derived from the IRP CFIT scenario.

Pilot commands aircraft below glide path

It is (arbitrarily) assumed that the probability of the pilot commanding the aircraft below the glide path is twice as high as the probability of the pilot commanding the aircraft towards terrain in a CFIT scenario. The probability of ‘flight commanded towards terrain by pilot’ is taken from the IRP model for CFIT. The probability of occurrence is 2x7.00x10-5 = 1.40x10-4.

FMS commands aircraft below glide path

It is assumed that the probability of the FMS commanding the aircraft below the glide path is identical to the probability of the FMS commanding the aircraft towards terrain in a CFIT scenario. The probability of ‘flight commanded towards terrain by FMS’ is taken from the IRP model for CFIT.

The probability of occurrence is 2.00x10-5.

Ineffective visual warning

It is assumed that the probability of ineffective visual warning is identical to the probability of ineffective visual warning in a CFIT scenario. The probability is taken from the IRP model for CFIT.


Ineffective GPWS warning

It is assumed that pilot are less likely to respond to a ‘sinkrate’ or ‘glideslope’ warning than to a ‘terrain’ or ‘pull up’ warning. Therefore, it is assumed that the probability of ineffective GPWS warning is twice as high the probability of ineffective GPWS warning in a CFIT scenario. The probability for ineffective CFIT warning is taken from the IRP model for CFIT.

The probability of occurrence is 2x2.60x10-3=5.20x10-3.

Ineffective ATCO warning

It is assumed that the probability of ineffective ATCO warning is identical to the probability of ineffective ATCO warning in a CFIT scenario. The probability is taken from the IRP model for CFIT.


Aircraft below glide path

This probability follows directly from the fault tree events ‘pilots commands aircraft below glide path’, ‘FMS commands aircraft below glide path’ and the OR gate: 1.40x10-4+2.00x10-

5=1.60x10-4.

Ineffective terrain warning

This probability follows directly from the fault tree events ‘ineffective visual warning’, ‘ineffective GPWS warning’, ‘ineffective ATCO warning’ and the AND gate:

4.40x10-1x5.20x10-3x8.00x10-1=1.87x10-3.

Undershoot accident

This probability follows directly from the fault tree events ‘aircraft below glide path’, ‘ineffective terrain warning’ and the AND gate:

1.60x10-4x1.87x10-3=3.00x10-7.

Episode 3


of 240


END OF DOCUMENT

episode 3 - eurocontrol.int · episode 3 d2.4.3-02 - sesar top-down systemic risk assessment...

Documents