Ella Pinska-Chauvin, Anthony Smoker, Filip Denoulet and Tom Laursen, SESAR 16.06.01b

INTRODUCTION AND SETTING THE SCENE ON RESILIENCE ENGINEERING IN SESAR

16.06.01b Partners

2

• Partners

• Collaboration/ supporting contracts

SESAR Challenges

3

An augmented safety framework as per

SESAR Safety Approach SESAR

Highly demanding Safety Target

Radical changes to ATM (incl. Roles & Responsibilities)

SESAR: 3 types of project

Safety Neutral Safety ‘criteria’: ATM to ‘safety’ compensate for permitted traffic increase

Impacting the Safety buffer

Safety ‘criteria’: ATM to cap safety

weakening

Net safety benefits provider

ATM to maximize safety contribution

Safety in SESAR

SRM - Four fundamental components

5

System engineering approach

Considering Resilience in design

HF integration in safe(r) design

Broader success-based approach

Success based view of safety

– Understanding why things go right – Noticing the un-noticable – When something goes wrong we should also study when it

went right – Thin red line is the probability of failure. – The 9,999 events are largely ignored

• Habituation – if it works well I don’t need to give it anymore thought.

Resilience Target

Source: NATS

SSEs, LOS, RIs

14 14

Helping operational staff understand how performance relates to safety and efficiency

Safety Intelligence & People Create Safety

Resilience Engineering Principles

8

Principles of RE in design

1. Work-as-done 2. Varying conditions 3. Signals and cues 4. Goal trade-offs 5. Margins & Adaptive capacity 6. Coupling & interactions 7. Timing, SYNCH., & time scales 8. Under-specifications &

approximate adjustments

Safety Methodological developments in SESAR

9

16.1.1 AIM

16.1.3 DRM

16.1.2 RE – spade work

16.6.1b Moving it forward

16.1.4 PoC

(VLD)

P16.06.01 - SESAR Safety Reference Material The Safety Assessment Methodological framework

for current SESAR and forthcoming SESAR 2020

3 Step Cyclical Process

10

Methodological developments

Case Studies Multiple Remote Tower

ASAS S&M

Enriching the success-approach of the SRM

Why are we doing all this?

11

Interactions

–Between different projects –With other users

Why are we doing all this ?

12

Example 1

Commander’s responsibilities: •The commander shall ensure that all operational procedures and checklists are complied with

•The commander shall -in an emergency situation – take any action he considers necessary under the circumstances. In such case, he may deviate from rules, operational procedures and methods in the interest of safety

13

Controllers interest vs. Pilots interest

Example 2: Vectoring to final

14

10 secs = ½ NM

Example 3: TCAS training

Preparing the approach

15

Example 3: TCAS training

16

Example 3: TCAS training

17

Example 3: TCAS training

18

Success and mistakes come from the same place

12-03-2015 20 © Tom Laursen, mettom@email.dk

Everyday work

Success

Mistake

Acceptable outcomes

Unacceptable outcomes

Erik Hollnagel 2013

Success and mistake ratio 1:10.000

Erik Hollnagel

21

When it was said, in Resileince Engineering ’that ‘failure is the flip side of success’ the intention was not to propose a binary universe, but rather to point out that things that go wrong happen in (more or less) the same way as things that go right Resilience is not just to be able to recover from threats and stresses, but rather to be able to perform as needed under a variety of conditions – AND TO RESPOND APPROPRIATELY TO BOTH DISTURBANCES AND OPPORTUNITIES.

Technology changes

12-03-2015 22 © Tom Laursen, mettom@email.dk

Complexity increase and tractability decrease

Graceful extensibility

23

♫♬♬♫♬ + = graceful extensibility

Recipe +

+ = graceful extensibility

= graceful extensibility

Variability and graceful extensibility

24

The 16.6.1B method

25

Preparation phase Data Collection Phase (workshop)

Data Analysis

•Familiarisation with new concept •Identify services/functions affected •Map services to RE principles •Prepare template to structure data

•Introduce RE principles •Describe work-as-done in current and envisaged operations •Elaborate work-as-done through other principles •Describe the change (delta) in w-a-d from current to envisioned design

•Qualitative analysis of raw data •Produce conclusions •Formalise conclusions to : Safety Acceptance Criteria, Safety Requirements, Safety objectives,…

Work-as-done and the RE principles

27

Example of spacing between two aircrafts (i4D)

Progress to data - 1

• Review of WP 16.06.02 Method for inclusion in SRM V3.0

• Used RE Method in three case studies: – Sundsvall (Sept. 2014), Bodo (Feb. 2015), Rome (March 2015)

• Theoretical evolution of the RE method

– Adaptive capacity – Stress/strain Operationalising of RE Capacities

28

Progress to date - 2

• Sundsvall Remote Twr Centre

29

• Applied the RE methodology ‘as is’ • Workshop, using field experts, was held in Stockholm

September 2014 • Proved the importance of training, the need to limit the

use of RE language – KISS principle • Project manager found results useful • Added value was percieved to be found, not easy to

present

Progress to date-3

30

P1 Work as Done ATM Service Phase of

Flight/ Ops

Service

Description of Current

Description of Change

Issues/ Assumptions/

Limitations

Opportunities

Traffic Planning and Sequencing

Arrivals/ Departures

Traffic in a small airport plans itself, the ATCO knows the day‘s traffic, VFR flights occur depending on MET, you fit VFR traffic in, planning is done while you work, you are always 2-3 steps ahead, in case things come along (e.g. medical) you solve it on the spot and make a gap (…)

It is harder to spot small a/c in the vicinity, no difference in planning with 2 airports, if 2 a/c depart on 2 airports at the same time, regulations say you should focus and watch the a/c taking off, try to create overlaps- time gaps, rearrange taskload to cater for spare capacity (…)

Have PTZ, tracking and RDR label overlay function available to spot aircraft (also related to P3 Signals and Cues) Adopt Working Procedures with respect to timing/ workload/ divided attention and prioritisation (also related to P7 Timing/ Synchronisation and P8 Under-specification)

Tracking function helps to detect small a/c and traffic in in low visibility conditions more easily (also related to P3 Signals and Cues)

Progess to date - 4

• Bodo RVT (AFIS)

• Remote AFIS Vaeroy ENVR, Rost, ENRS

31

• Different RE method that built on the lessons learnt from Sundsvall • Structured workshop around a normal watch • Included aircrew • Deeper preparatory phase before workshop • Graphic visusalisation of work as done • Explored Competence envelope and escalations in response to challenge • events – Adaptive capacity

Progress to date - 5

• Rome January/February 2015 – ASAS – S&M • Use the RE method, building on Sundsvall and Bodo • RE method employed by NLR with support of core

16.06.01b members

32

Future Work - 1

33

• New theoretical approach to exploring RE

• Systems ability to adapt and gracefully extend

• Identify and explore ‘challenge events’

• Do the current and new system designs have the same resilience

Woods, Jie Chan, Wreathall (2006),

Future work - 2

34

What does the method provide?

• A description of how a system functions • Talk about how organizational issues, not about the

technology • A description of how the system adapt to create

graceful extensibility • An insight to emergent properties

35

Next steps in the project

• To provide guidance material for people who have to apply the method

• Further development of the method in light of our experience

• Developing the toolset that allows the methodology to be performed

• To integrate into the SRM • To further develop the training material

36

Potential and wider issues

• Observation from SAAB: – This workshop did not focus on technical issues, it covered

the wider organisational context

• Exploring wider issues than safety • Possible benefit of more efficiency • More confidence in the hypothesis that safety

assessment can be made more effective

37

Thanks for your attention

38