Risk modelling:

from safety data to a risk picture

16 March, 2017 SAFETY | FUTURE SKY

Marta Llobet Lopez

EUROCONTROL - FSS P4

Models within the Risk Observatory

16 March, 2017 SAFETY | FUTURE SKY 2

.

.

.

.

Prototype risk observatory

Exposure data

Radar data

FDM data

Occurrence data

Exposure data

....

Structuring of safety data

Feed into integrated risk assessment framework

Acquire safety information

Acquire safety information

User: Analyst

Manager

Domain: Operator

ANSP Manufacturer

Airport Authority

Currently available ….

16 March, 2017 SAFETY | FUTURE SKY 3

Different types of models, with different scope and purpose, using different type of data …

barriers based,

event sequence diagrams,

physical models,

safety models for design, …

Barrier Model

16 March, 2017 SAFETY | FUTURE SKY 4

MAC

Strategic

Pre-Tactical

Tactical

Imminent infringement

Imminent Collision

Near Collision

Providence

STCA

Strategic Pln

Planning

DCB

Tactical

ACAS

Airside Induced

Groundside Induced

Accident risk

AND

OR

Cont Cont

Cont Cont Cont Cont

OR

Causal elements

Barriers

Precursors

Induced Events

Event Sequence Diagram

16 March, 2017 SAFETY | FUTURE SKY 5

roo

t ca

use

s

root causes

root causes

root causes

Initiating event Pivotal event 1

Pivotal event 3

Pivotal event 2 fault tree

fault tree fault tree

fault tree

Accident or serious

incident

Accident or serious

incident

Incident or occurrence

Incident or occurrence

Physical Models

16 March, 2017 SAFETY | FUTURE SKY 6

Contributing Factors

Incident Probability

Fre

qu

en

cy

Incident metric

Source: The Aviation Herald / AP / Kyodo News

Landing distance available

Landing distance

…

Incident Model

Start of

Braking

Weight

Speed

Wind

Flaps Image: IATA

Runway overrun

Safety Models for design

Flight Phases

Cruise

Descent

Approach

Landing

Pilot Abnormal ProceduresAircraft Functions & Systems

Cockpit HMI :PFD/ND …

parameters, CAS alerts, Control

Panels, etc.

Cockpit effects

Transition level

Go-Around

500 ft

DH/MDA

100 ft

Influencing factors (environmental events, runway characteristics & condition, …)

A/C FunctionsSystem Breakdown &

Dependencies

Observations

System controls

Actions on systems

Crew abnormal procedure :- triggered by an alert

or others cockpit effets

FHA - System Failure Conditions

Observations

Procedure inhibit or customization

A/C initial state(s)

External events / factors

FC initiation

16 March, 2017 7 SAFETY | FUTURE SKY

From ‘piecemeal’ view to the full picture …

16 March, 2017 SAFETY | FUTURE SKY 8

Barrier Models

ESD

Safety Models

Physical Models

RISK OBSERVATORY

Structuring the Risk Observatory

Need for a Risk Observatory structured in a way allowing to ‘plug’ different types of models in order to provide

• a full risk picture

• the risk associated to the several contributors of the different domains

16 March, 2017 SAFETY | FUTURE SKY 9

BackBone Model

Backbone models

16 March, 2017 SAFETY | FUTURE SKY 10

MAC ER

RWY EXC

BACKBONE MODELS RO INTERFACE DOMAIN / SPECIFIC MODELS

Safety Indicators

Contributing Factors Influencing Factors

MB3.2

STCA tool fails to give

effective warning in time

OR

Incorrect input data

provided to STCA tool

Incorrect STCA

processing

OR

Incorrect on-board

transponder data (3D

position, ID, DAPS)

Surveillance

technical failure

Insufficient

STCA Tool

configuration

integrity

OR

Insufficient

STCA Tool

reliability

Sensor(s)

Technical

failure

Incorrect data

emitted by on-

board

transponder to

ATM Ground

systems

Corruption

or loss of

transponder

data by CEM

perturbation

OR

Incorrect STCA

display

MAC (EnRoute) Backbone model

Short Term Conflict Alert (STCA) functional chain

STCA

processing

Sensor tracks

acquisition

STCA configuration

STCA

display

Tracking

processing

Sensor messages

acquisition

Tracking configuration

External SMS

SPI 1 - Occurrence dashbord of loss

of separation: compare on X years the

contribution of:

- ground equipment (ex: STCA);

- on-board equipment (ex: transponder);

- operations (procedures, HF).

SPI 2 - What-if: compute the risk

reduction in case of introduction of a

new equipment (ex: STCA tool).

FSS Risk Observatory Dashboard

FSS Risk Observatory

Backbone

multi-

domain

model for

STCA

contributor

factor

Sensor configuration

Network

zoom

Altarica

model of

transponder

CEM

Adapation

model to

link

backbone

model to

domain

specific

models

Domain-

specific

model

Multi-

Tracker

equipmen

t failure

OR

Radar

failure

OR

Ins

uff

icie

nt

rad

ar

relia

bilit

y (

HW

)

Ins

uff

icie

nt

rad

ar

so

ftw

are

in

teg

rity

Ins

uff

icie

nt

rad

ar

co

nfi

gu

rati

on

in

teg

rity

OR

Radar

reliability

modelRadar

Tuning

model

Radar

Sw integrity

model

Ins

uff

icie

nt

rad

ar

ma

inte

na

nc

e

Sensor

X

Sensor

Y

Ins

uff

icie

nt

tra

ck

er

relia

bilit

y (

HW

)

Ins

uff

icie

nt

tra

ck

er

so

ftw

are

in

teg

rity

Ins

uff

icie

nt

tra

ck

er

co

nfi

gu

rati

on

in

teg

rity

OR

Tracker

reliability

modelTracker

Tuning

model

Tracker

Sw integrity

model

Ins

uff

icie

nt

tra

ck

er

ma

inte

na

nc

e

Radar

Maintenance

Tracker

Maintenance

Incorrect

operational

configuration

of STCA Tool

(filtering in

inhibition

zones)

OR

Insufficient

Display

hardware

reliability

(sreen, graphic

card, …)Insufficient

STCA Tool

software

integrity Insufficient

HMI software

integrity

FTA

model of

STCA Tool

Display

reliability

modelSTCA

Tuning

model

HMI

Sw integrity

model

Hardware

Maintenance

How it looks like …

Ground equipment models

Airborne equipment models

Contributing Factors - Influencing Factors

16 March, 2017 SAFETY | FUTURE SKY 12

Mainly one to one

Mainly many to many

Mainly many to many

Generic Contributing Factors

Specific Contributing Factors per domain: • ANSP • AC manufacturer • Airborne SYS

manufacturer • Operator • Ground SYS manufacturer

Influencing Factors

Dashboard from P5

16 March, 2017 SAFETY | FUTURE SKY 13

Risk Overview for current situation

16 March, 2017 SAFETY | FUTURE SKY 14

Mid-Air Collision Near Mid-Air Collision Separation Minima Infringement Tactical Conflicts Overloads

Safety Indicators

Occurrences and Risk

Risk impact assessment for a specific change or situation

16 March, 2017 SAFETY | FUTURE SKY 15

Risk Impact when modifying:

Contributing factors

Influencing factors

P4 - Total system risk assessment

Providing a full risk picture

Showing the contribution to risk from the several domains

Supporting the safety impact assessment of changes within one or several domains

16 March, 2017 SAFETY | FUTURE SKY 16

P4 will deliver a Proof of concept, including the modelling part. Implementation, maintenance and operational use aspects

in a real environment are beyond the timeframe of P4.

Models

http://www.futuresky-safety.eu