INTRODUCTION AND SETTING THE SCENE ON RESILIENCE ENGINEERING IN SESAR
Ella Pinska-Chauvin, Anthony Smoker, Filip Denoulet and Tom Laursen, SESAR 16.06.01b
16.06.01b Partners
• Partners
• Collaboration / supporting contracts
SESAR Challenges
• An augmented safety framework as per the SESAR Safety Approach
• Highly demanding safety target
• Radical changes to ATM (incl. roles & responsibilities)
SESAR: 3 types of project
• Safety neutral. Safety 'criteria': ATM to compensate for the permitted traffic increase
• Impacting the safety buffer. Safety 'criteria': ATM to cap the safety weakening
• Net safety benefits provider. ATM to maximise its safety contribution
Safety in SESAR
SRM - Four fundamental components
• System engineering approach
• Considering resilience in design
• HF integration in safe(r) design
• Broader success-based approach
Success-based view of safety
– Understanding why things go right
– Noticing the unnoticeable
– When something goes wrong we should also study when it went right
– The thin red line is the probability of failure
– The 9,999 events are largely ignored
• Habituation: if it works well I don't need to give it any more thought
Resilience Target
Source: NATS
SSEs (safety significant events), LOS (loss of separation), RIs (runway incursions)
Helping operational staff understand how performance relates to safety and efficiency
Safety Intelligence & People Create Safety
Resilience Engineering Principles
Principles of RE in design
1. Work-as-done
2. Varying conditions
3. Signals and cues
4. Goal trade-offs
5. Margins & adaptive capacity
6. Coupling & interactions
7. Timing, synchronisation & time scales
8. Under-specification & approximate adjustments
Safety Methodological developments in SESAR
• 16.1.1 AIM
• 16.1.2 RE – spade work
• 16.1.3 DRM
• 16.1.4 PoC (VLD)
• 16.6.1b Moving it forward
P16.06.01 - SESAR Safety Reference Material: the safety assessment methodological framework for current SESAR and forthcoming SESAR 2020
3 Step Cyclical Process
• Methodological developments
• Case studies: Multiple Remote Tower, ASAS S&M
• Enriching the success-approach of the SRM
Why are we doing all this?
Interactions
– Between different projects
– With other users
Example 1
Commander's responsibilities:
• The commander shall ensure that all operational procedures and checklists are complied with
• The commander shall, in an emergency situation, take any action he considers necessary under the circumstances. In such a case, he may deviate from rules, operational procedures and methods in the interest of safety
Controllers' interest vs. pilots' interest
Example 2: Vectoring to final
10 seconds = ½ NM (at a typical final-approach ground speed of 180 kt an aircraft covers 3 NM per minute, so a 10-second difference in when an instruction is given or followed moves the aircraft by half a mile)
Example 3: TCAS training
Preparing the approach
Success and mistakes come from the same place
12-03-2015 © Tom Laursen, [email protected]
[Figure: everyday work leads both to success (acceptable outcomes) and to mistakes (unacceptable outcomes); after Erik Hollnagel 2013]
Success and mistake ratio 1:10,000 (Erik Hollnagel)
When it was said in Resilience Engineering that 'failure is the flip side of success', the intention was not to propose a binary universe, but rather to point out that things that go wrong happen in (more or less) the same way as things that go right. Resilience is not just to be able to recover from threats and stresses, but rather to be able to perform as needed under a variety of conditions, AND TO RESPOND APPROPRIATELY TO BOTH DISTURBANCES AND OPPORTUNITIES.
Technology changes
Complexity increase and tractability decrease
Graceful extensibility
[Figure: graceful extensibility illustrated by analogy with a musical score and a recipe]
Variability and graceful extensibility
The 16.06.01b method
Preparation phase
• Familiarisation with the new concept
• Identify services/functions affected
• Map services to RE principles
• Prepare template to structure data
Data collection phase (workshop)
• Introduce RE principles
• Describe work-as-done in current and envisaged operations
• Elaborate work-as-done through the other principles
• Describe the change (delta) in work-as-done from current to envisioned design
Data analysis
• Qualitative analysis of raw data
• Produce conclusions
• Formalise conclusions into safety acceptance criteria, safety requirements, safety objectives, ...
Work-as-done and the RE principles
Example of spacing between two aircraft (i4D)
Progress to date - 1
• Review of WP 16.06.02 method for inclusion in SRM V3.0
• Used the RE method in three case studies: Sundsvall (Sept. 2014), Bodo (Feb. 2015), Rome (March 2015)
• Theoretical evolution of the RE method
– Adaptive capacity
– Stress/strain
– Operationalising RE capacities
Progress to date - 2
• Sundsvall Remote Tower Centre
• Applied the RE methodology 'as is'
• Workshop, using field experts, was held in Stockholm, September 2014
• Proved the importance of training and the need to limit the use of RE language (KISS principle)
• Project manager found results useful
• Added value was perceived to be found, but not easy to present
Progress to date - 3
P1 Work-as-done (example row from the data template)
ATM Service: Traffic Planning and Sequencing
Phase of Flight/Ops: Arrivals/Departures
Description of Current: Traffic in a small airport plans itself, the ATCO knows the day's traffic, VFR flights occur depending on MET, you fit VFR traffic in, planning is done while you work, you are always 2-3 steps ahead, in case things come along (e.g. medical) you solve it on the spot and make a gap (…)
Description of Change: It is harder to spot small a/c in the vicinity, no difference in planning with 2 airports; if 2 a/c depart from 2 airports at the same time, regulations say you should focus on and watch the a/c taking off, try to create overlaps / time gaps, rearrange taskload to cater for spare capacity (…)
Issues/Assumptions/Limitations: Have PTZ, tracking and RDR label overlay function available to spot aircraft (also related to P3 Signals and Cues). Adopt working procedures with respect to timing/workload/divided attention and prioritisation (also related to P7 Timing/Synchronisation and P8 Under-specification)
Opportunities: Tracking function helps to detect small a/c and traffic in low visibility conditions more easily (also related to P3 Signals and Cues)
Progress to date - 4
• Bodo RVT (AFIS)
• Remote AFIS: Vaeroy (ENVR), Rost (ENRS)
• Different RE method that built on the lessons learnt from Sundsvall
• Structured workshop around a normal watch
• Included aircrew
• Deeper preparatory phase before the workshop
• Graphic visualisation of work-as-done
• Explored competence envelope and escalations in response to challenge events (adaptive capacity)
Progress to date - 5
• Rome, January/February 2015 – ASAS S&M
• Used the RE method, building on Sundsvall and Bodo
• RE method employed by NLR with support of core 16.06.01b members
Future Work - 1
• New theoretical approach to exploring RE
• Systems' ability to adapt and gracefully extend
• Identify and explore 'challenge events'
• Do the current and new system designs have the same resilience?
Woods, Jie Chan, Wreathall (2006)
Future work - 2
What does the method provide?
• A description of how a system functions
• Talks about organisational issues, not about the technology
• A description of how the system adapts to create graceful extensibility
• An insight into emergent properties
Next steps in the project
• To provide guidance material for people who have to apply the method
• Further development of the method in light of our experience
• Developing the toolset that allows the methodology to be performed
• To integrate into the SRM
• To further develop the training material
Potential and wider issues
• Observation from SAAB: this workshop did not focus on technical issues, it covered the wider organisational context
• Exploring wider issues than safety
• Possible benefit of more efficiency
• More confidence in the hypothesis that safety assessment can be made more effective
Thanks for your attention