24
UPDATED ISSUE – 21 MAY 2011
UPDATED ISSUE – 21 MAY 2011
© 2012 European Organisation for the Safety of Air Navigation (EUROCONTROL) This document is published by EUROCONTROL in the interests of exchange of information. It may be copied in whole or in part, providing that the copyright notice and disclaimer are included. The information contained in this document may not be modified without prior written permission from EUROCONTROL. EUROCONTROL makes no warranty, either implied or express, for the information contained in this document, neither does it assume any legal liability or responsibility for the accuracy, completeness or usefulness of this information.
PURPOSE OF THIS GUIDE
A call for action Shortly after the Überlingen midair collision, the High Level European Action Group for Air Traffic Management (ATM) Safety carried out a rapid and impartial assessment and identified priority actions to improve ATM safety across Europe. The Group recommended, amongst others, that it is imperative that safety nets (system safety defences) be implemented. This marked the start of a considerable community effort to prepare for Europe-wide implementation of effective safety nets by developing the prerequisites for successful implementation. The development work is complete and the implementation work must now begin.
A tool for getting started Effective implementation of safety nets requires management commitment and a team effort. The people involved will include: technical managers, safety managers, operational managers and air traffic controllers in ANSPs, working together with Industry and Regulators. These people have all been represented on the multinational working groups that have developed the specifications and guidance materials for safety nets. These are the resources for getting started and they are contained in this guide and on the enclosed CD.
A roadmap for effective safety nets Not only are safety nets inherently complex, they also have to operate in an increasingly complex environment. This calls for sustained effort to optimise and improve safety nets. New technological developments need to be exploited. This guide explains how to go about implementing and enhancing safety nets.
A total life cycle approach The implementation of safety nets is mandated by four Objectives contained in the European Single Sky Implementation (ESSIP) documents. These Objectives refer to four high-level EUROCONTROL Specifications, which in turn call up some 2000 pages of detailed guidance material. This volume of information illustrates the inherent complexity of safety nets, necessitating a structured, total life cycle approach towards implementation and operational use. This guide introduces some newly developed awareness material that explains safety nets and the life cycle approach.
A companion to the CD At the back of this document you will find a CD containing all the most recent guidance materials, specifications and the latest user-friendly training resources for safety nets, called: Awareness Package.
TABLE OF CONTENTS
CALL FOR ACTION 1
What are safety nets? 1 Why are safety nets needed? 1 Which safety nets must be implemented? 2 Where and when? 2 Who is responsible for implementation? 3 Safety benefits 3
GETTING STARTED 4 Thirty years of operational experience 4 Areas of concern 4 Community effort 5 Documentation packages 5 International clarity 6
ROADMAP FOR EFFECTIVE SAFETY NETS 7 Policy 7 Organisational clarity 7 Begin with the end in mind 8 A structured, total life cycle approach 8 Safety nets in SESAR 9
THE SAFETY NET LIFE CYCLE 11 Defining safety nets 11 Implementing safety nets 11 Optimising safety nets 12 Operating safety nets 12
ANNEXES Terms used in the EUROCONTROL Specifications 14 Acronyms 16 What is on the CD 17
BOXES EUROCONTROL Safety Regulation Commission (SRC) Policy 7 Safety Culture Ladder – An Analogy 9 The Boy Who Cried Wolf 13
1
CALL FOR ACTION This section explains the need for safety nets, and introduces the four ground-based safety nets covered by this Guide, as well as the ESSIP Objectives for each of them.
What are safety nets?
Even the safest systems fail. Safety nets help prevent imminent or actual hazardous situations from developing into major incidents or even accidents. In doing so, they provide a “comfort zone” for the human actors in the overall system. In addition, they help keep the societal outcome of aviation operations within acceptable limits.
In Professor James Reason’s Swiss cheese model, safety nets are the last system safety defences against accidents. They are intended to provide timely alerts to air traffic controllers or pilots of an increased risk to flight safety. As the impact of accidents in aviation is high, multiple system safety defences are provided, including redundant safety nets. Safety nets are either ground-based or airborne: � Ground-based safety nets are an integral part of the ATM system.
Using primarily ATS surveillance data, they provide warning times of up to two minutes. Upon receiving an alert, air traffic controllers are expected to immediately assess the situation and take appropriate action.
� Airborne safety nets provide alerts and resolution advisories directly to the pilots. Warning times are generally shorter, up to 40 seconds. Pilots are expected to immediately take appropriate avoiding action.
This Guide focuses on improving the effectiveness of ground-based safety nets. However, as ground-based safety nets do not exist in isolation, relevant airborne safety nets are also covered to the extent required.
Why are safety nets needed? Safety is paramount in aviation; under the Chicago “Convention on Civil Aviation”, States are required to provide a safe Air Traffic Service (ATS) within their defined airspace. Although requiring sophisticated technical infrastructure
and automation, the provision of ATS is a human-centred activity and will remain so for many years. Air traffic controllers must acquire situational awareness and build a mental model of the airspace and traffic pattern. To control the situation and make decisions, the air traffic controller has to establish a plan, which includes strategies and tactics to handle traffic flows and conflicts. While executing the plan, the air traffic controller must deal with errors, exceptions, changes, emergencies and distractions. Without an alert by a safety net hazardous situations can remain undetected by air
traffic controllers and pilots. Safety nets should not change the normal way of working of air traffic controllers or pilots. Safety nets are there to provide an additional safety margin on top of the inherently safe provision of ATS and aviation operations. They have been demonstrated to deliver additional risk reduction up to a factor ten.
It is important that air traffic controllers and pilots are aware of how safety nets interact. Contrary to expectations, ground-based and airborne safety nets do not always alert in sequence. They operate independently. For some situations, in particular in the case of sudden or unexpected manoeuvres, they will alert at about the same time or in an unexpected sequence.
“A true sign of commitment to safety would be that safety, and hence safety nets, are improved before capacity is increased.”
ANSP Safety Manager during Safety Team briefing
2
Which safety nets must be implemented? Four ground-based safety nets must be implemented for airborne phases of flight. Safety nets for surface movements are beyond the scope of this Guide. The covered safety nets are: � Short Term Conflict Alert (STCA) assists the
controller in preventing collision between aircraft by generating, in a timely manner, an alert of a potential or actual infringement of separation minima.
� Area Proximity Warning (APW) warns the controller about unauthorised penetration of an airspace volume by generating, in a timely manner, an alert of a potential or actual infringement of the required spacing to that airspace volume.
� Minimum Safe Altitude Warning (MSAW) warns the controller about increased risk of controlled flight into terrain accidents by generating, in a timely manner, an alert of aircraft proximity to terrain or obstacles.
� Approach Path Monitor (APM) warns the controller about increased risk of controlled flight into terrain accidents by generating, in a timely manner, an alert of aircraft proximity to terrain or obstacles during final approach.
Ground-based and airborne safety nets operate independently, often within the same airspace. The ground-based safety nets STCA and APW work alongside their airborne equivalent Airborne Collision Avoidance System (ACAS), also known as Traffic alert & Collision Avoidance System (TCAS). STCA directly assists in preventing collision between aircraft whilst APW does so indirectly by predicting or detecting violations of traffic segregation rules. Both MSAW and APM assist in preventing controlled flight into terrain accidents, and should work in concert with their airborne equivalent (Enhanced) Ground Proximity Warning System ((E)GPWS), also known as Terrain Awareness and Warning System (TAWS).
Where and when? Implementation of these safety nets is mandated by Objectives contained in the ESSIP documents. These Objectives refer to EUROCONTROL Specifications, which contain minimum requirements for their development, configuration and use.
Safety net ESSIP Objective
Requiring implementation and operational use in line with the EUROCONTROL Specification and related guidance material in airspace …
Scope and implementation completion date
STCA ATC02.2 …in the ECAC area in which ATS surveillance services are provided
All ECAC States by December 2013
APW ATC02.5 …where ATS surveillance services are provided to General Aviation Traffic (GAT) from civil or military ATS Units
MSAW ATC02.6 …where ATS surveillance services are provided and where the risk of controlled flight into terrain exists
APM ATC02.7 …in which ATS surveillance services are provided and where the risk of controlled flight into terrain exists
All ECAC States by December 2016
3
The Objectives ATC02 apply to civil service providers. Military ATC units are invited to consider implementation of STCA, APW, MSAW and APM when providing control service. Further information on the terms and definitions used in the Specifications as well as an explanation of acronyms can be found in the ANNEXES of this Guide.
Who is responsible for implementation? According to the conditions of their certification, ATS Providers are obliged to provide a safe Air Traffic Service (ATS) within their allocated area of responsibility. First and above all, ATS Providers have to assure themselves that all obligations are satisfied. As a matter of principle, compliance with EUROCONTROL Specifications is always voluntary. They reflect recognised, good practices and, as such, provide a sound basis for enhancing the high levels of safety of ATS provision.
Safety benefits Common, quantified performance characteristics for safety are not (yet) established. However, several ATS providers report significant reductions in the number of incidents observed after introducing or improving STCA in particular. For example, the Maastricht Upper Area Control Centre annual report shows that in 2007 there were three Category B incidents with ATS contribution compared to eight in each of the three preceding years. The annual report states that this: “significant improvement is mainly due to the implementation of an enhanced short-term conflict alert system, and improvements in the process for incorporating recommendations resulting from operational incident investigations”. In subsequent years the improvement was sustained and consequently the ceiling for the number of incidents was lowered from 10 to five. Regardless of whether there is an ATS contribution to an incident or accident, ATS providers have a societal responsibility to do what is reasonably practicable to prevent them. Safety is the raison-d’être of ATS.
4
GETTING STARTED This section explains the early studies that established a need for ground-based safety net specifications. It also covers what’s in the final specifications and guidance material and how it was developed.
Thirty years of operational experience It is now over thirty years since the first ground-based safety nets came into operation. Operational experience has been gained and technological advances have been made. Nevertheless, serious incidents and even accidents happen from time to time, and investigations often show that the safety nets were either not implemented in the airspace concerned, or that the safety nets were not as effective as they could have been.
Areas of concern In 2004 and 2005 a number of surveys were conducted to investigate current practices in the design, deployment, use, and maintenance of ground-based safety nets. The purpose was to identify and understand the main problems and weaknesses associated with ground based safety nets in both civil and military arenas. The surveys also identified local best practices which could potentially provide improvements at the pan European level. In addition, the surveys analysed: � the most recent studies and R&D actions concerning existing and new ground-based safety nets; � existing practices in the airborne domain regarding safety nets and their possible applicability for ground-
based safety nets; and � available industry products and support services. Surveys found different levels of maturity between ATS providers in ECAC States with regard to adopting and using safety nets. Some aspects were identified as particularly critical for a full exploitation of the potential benefits offered by safety nets. The following table lists all identified areas of concern.
Area of Concern Applies to Relevance to Civil ATM
Relevance to Military ATM
1. Common vision on purpose of Safety Nets STCA, MSAW, APW Yes Yes
2. Harmonization within and between countries STCA, MSAW, APW Yes No info
3. Review of relevant regulations and documents STCA, MSAW, APW Yes Yes
4. Validation criteria and validation processes STCA, MSAW, APW Yes Yes
5. Human Machine Interface of STCA STCA Yes Yes
6. Optimization of STCA STCA Yes Yes
7. Consistent implementation of MSAW and APW MSAW, APW Yes Yes
8. Management of interactions between STCA and ACAS STCA Yes No
9. Civil-Military interoperability STCA, APW Yes Yes
10. Consideration of Safety Nets by regulators STCA, MSAW, APW Yes No info
11. Information and training for air traffic controllers STCA, MSAW, APW Yes Yes
12. Use of CFL as data source for STCA STCA Yes Yes
13. Organisational roles and management involvement STCA, MSAW, APW Yes Yes
14. Use of STCA alerts record as safety indicator STCA Yes Yes
15. MSAW role in Military ATM MSAW No Yes
16. APW role in Military ATM APW No Yes
Note: In the survey no distinction was made between MSAW and APM
5
Community effort In 2005 a Task Force was created to address the identified areas of concern. Representatives of 11 ATS providers, 5 industrial suppliers and the EUROCONTROL Agency developed and validated EUROCONTROL Specifications and comprehensive guidance material for each of the four ground-based safety nets. The Task Force completed its work on the guidance material and Specification for STCA in December 2006. Two months earlier, the first Safety Nets Workshop was organised. The focus was on STCA and the motto of the workshop was “Are you ready for action?” In 2008 the need for a more permanent working arrangement was recognised and the Task Force was transformed into a Sub-Group. The Sub-Group is tasked to maintain the documentation for STCA, MSAW, APW and APM. Furthermore the Sub-Group serves as an expert forum for sharing experience and for initiating further improvements to safety nets. The first meeting of the SPIN Sub-Group, in May 2008, was preceded by the second Safety Nets Workshop. Again, speakers from several stakeholder organisations freely shared their expertise and experience with the participants. The presentations and documentation from both Safety Nets Workshops can be found on the CD enclosed with this Guide.
Documentation packages The picture to the right illustrates the documentation packages that are developed and maintained for each of the ground-based safety nets. These can all be found on the enclosed CD. The core document is the EUROCONTROL Specification. If implemented correctly, most of the areas of concern identified in the “SPIN” Surveys should be sufficiently addressed. The supporting documents provide the following: Economic Assessment: the rationale for the governing ESSIP Objective, in particular pointing out the benefits of a community approach to ensuring effectiveness of safety nets. EUROCONTROL Guidance Material: a comprehensive overview of the safety net life cycle. It provides guidance for the activities to be performed in each life cycle phase, and points at more detailed information in Appendices (for convenience published as separate documents). Appendix A: Reference System: a detailed insight into the complexity of a typical implementation. In particular the parameterisation required for optimisation in a demanding environment and typical optimisation processes are explained. Appendix B: Safety Assurance: a set of three documents that can be used to get a head start with the required safety assurance activities in an implementation project. These are i) safety argument ii) generic safety plan and iii) outline safety case.
“SPIN”, a reusable acronym 2004: Survey of Practices In safety Nets 2005: Safety nets: Planning Implementation and eNhancements (Task Force) 2008: Safety nets Performance Improvement Network (Sub-Group)
Appendices
A B C D
“SPIN”surveys
Reference System
Safety Assurance
Cost Framework
Case Studies
EUROCONTROL Guidance Material
Economic Assessment
ESSIP Objective
EUROCONTROL Specification
6
Appendix C: Cost Framework: a checklist of activities and guidance regarding required resources in all life cycle phases. It can serve as a planning tool. Appendix D: Case Study: an illustration of how the guidance material can be applied in practice.
International clarity Improved clarity and recognition at the international level has been an important step forwards for safety nets, enabling clear specifications and guidance materials to be developed and published. Up until November 2007 there existed several definition-like statements concerning safety nets in general, or specific safety nets. This, and the convergence achieved in the mean time, is illustrated for STCA in the following table.
Before November 2007 November 2007 onwards
SRC Policy Document 2:
“Safety Nets are engineered systems (…) which are designed and operated for the purpose of collision avoidance. This can apply to collision between aircraft, or between aircraft and other objects, including the ground.”
SRC definition:
“A ground-based safety net is functionality within the ATM system that is assigned by the ANSP with the sole purpose of monitoring the environment of operations in order to provide timely alerts of an increased risk to flight safety which may include resolution advice.”
ICAO PANS-ATM §15.7.2 Note 1:
“The objective of the STCA function is to assist the controller in maintaining separation between controlled flights by generating, in a timely manner, an alert of a potential infringement of separation minima.”
ICAO PANS-ATM §15.7.2 Note 1:
“The objective of the STCA function is to assist the controller in preventing collision between aircraft by generating, in a timely manner, an alert of a potential or actual infringement of separation minima.”
EATCHIP ORD:
“Ground-based Safety Nets are intended to alert controllers to potentially hazardous situations in an effective manner and with sufficient warning time for appropriate instructions to be issued by ATC to resolve the situation, allowing for appropriate avoiding action to be taken by the pilot.”
EUROCONTROL Specification for STCA:
“[STCA:] A ground-based safety net [conform SRC definition] intended to assist the controller in preventing collision between aircraft by generating, in a timely manner, an alert of a potential or actual infringement of separation minima.”
7
ROADMAP FOR EFFECTIVE SAFETY NETS This section stresses the importance of the correct policies, organisational clarity and planning in the effective use of ground-based safety nets. It also introduces the safety net life cycle.
Policy The importance of safety nets must be recognised by senior management of ATS providers and by National Supervisory Authorities. Too often, safety net implementation or improvement projects have been initiated following major incidents or accidents. This reactive approach has not always been sustained and has then resulted in partially or even completely ineffective safety nets. A proactive attitude towards safety nets on the other hand, founded in a mature safety culture, leads to effective safety nets. Explicit local policies are needed for each safety net. This will lead to effective safety nets that are fostered by everybody in the organisation concerned.
EUROCONTROL Safety Regulation Commission (SRC) Policy In 2001 the SRC published EUROCONTROL Safety Regulatory Requirement (ESARR) 4: Risk Assessment and mitigation in ATM. In 2003 ESARR 4 was complemented by SRC Policy Document 2: Use of Safety Nets in Risk Assessment and mitigation in ATM, stating amongst others “(…) safety nets are considered to be in the collision avoidance layer outside the scope of ESARR 4”. In 2007 the SRC endorsed working paper SRC28.06 and initiated the process of transposing the contents of this working paper into ESARR 4 guidance material and to subsequently withdraw SRC Policy Document 2. This process was completed in 2010. The new policy introduces a process (assignment) that aims to ensure sufficient transparency and traceability in the decision making process on the use of a ground based safety net while establishing accountability for its use. The policy contains twelve recommendations in the following areas: � Assignment; � Capacity and Efficiency; � Risk Assessment and Mitigation; � Training and Awareness; � Reduced Modes of Operation; and � Achieved Level of Safety.
Organisational clarity Roles and responsibilities for all aspects of safety nets must be clear. Introducing and improving safety nets is a team effort, which involves balancing operational needs with safety considerations and engineering constraints. Too often, safety nets have been introduced in a technology-driven manner. An engineering approach tends to result in partial or complete rejection of safety nets by air traffic controllers. Clear allocation of roles and responsibilities will create the conditions for successful teamwork to perform the required actions in the other areas: Training, Procedures and Capabilities.
8
Begin with the end in mind All projects benefit from good planning from the outset. Safety nets are no exception, and for safety nets it is particularly important to address the needs and expectations of all users: air traffic controllers, maintenance engineers, analysts and managers alike. The devil is in the detail - the meaning and implications
of details for specialists in one area are not always fully appreciated by specialists in other areas. Equally important is the likely evolution of the operational environment; possible implications of traffic increase, more complex airspace and new concepts for safety nets need to be taken into account from the beginning. Some real life examples illustrate the point:
“Yes, we understand that monitoring [STCA] is needed, but we did not specify that alerts need to be recorded.”
“The supplier proposed a grid size [for MSAW] of 4 NM times 4 NM, which seemed reasonable at that time. But now we see that this unworkable because of an obstacle at 12 NM aligned with our main runway.”
“We re-implemented our existing STCA in our new system and copied some no longer relevant limitations. We only found out after a major incident that was alerted very late.”
“We believed that safety nets do not change the way of working of air traffic controllers and therefore did not do a safety case and did not provide training.”
A structured, total life cycle approach The picture to the right illustrates a structured, total life cycle approach for ensuring the effectiveness of STCA. The same approach is recommended for APW, MSAW and APM as well. Driven by long-lasting management commitment, a team starts work on defining, implementing, optimising and then operating the safety net. But, most important, it doesn’t stop there. Experience gained during operations and also continuing changes to the operating environment the life cycle phases need to be repeated. The result is an ongoing, positive attitude of air traffic controllers towards the safety net. This, in turn, leads to tangible safety benefits. This life cycle approach is described in more detail in the following pages, and in the Awareness Package on the enclosed CD.
Controllerattitude
Managementcommitment
Safetybenefits
+
+
+
Controllerattitude
Managementcommitment
Safetybenefits
+
+
+
9
The Safety Culture of an organisation can be described in terms of an evolutionary ladder. Each level has distinct characteristics and is a progression on the one before. Looking at it like this provides a roadmap, where every organisation has a certain level of cultural maturity and can see which rung of the ladder the organisation is on, where it has been and what the next step looks like. The range runs from the Pathological, through the Reactive to the Calculative and then on to Proactive and the final stage, that is called the Generative. Pathological is where people don’t really care about Safety and are only driven by regulatory compliance or not getting caught. By contrast, Generative organisations set very high standards and attempt to exceed them rather than be satisfied with compliance. They are brutally honest about failure, but use it to improve, not to blame. They don’t expect to get it right; they just expect to get better. Management knows what is really going on, because the workforce is willing to tell them and trusts them not to over-react on hearing bad news. When drawing an analogy for Safety Nets, at the lowest rung of the ladder Safety Nets are taken for granted if present at all. Air traffic controllers consider them useless and fear that they serve as a “snitch” for management. On the highest rung of the ladder the reverse is true: air traffic controllers, the safety nets support team and management are committed and engaged in ensuring the continuing effectiveness of safety nets.
Safety nets in SESAR The ATM Master Plan that was established in 2008 in the context of SESAR identifies seven operational improvement steps for airborne and ground-based safety nets. Two of these provide the baseline for further operational improvement steps developed in SESAR and should be realised by 2013: 1. Ongoing deployment of best practices for ground-based safety nets, which corresponds with the actions described in this Guide; and 2. Enhanced ACAS through use of Autopilot/Flight Director, which corresponds with features offered by Airbus on new aircraft. SESAR research will lead to two further improvement steps in the 2013-2020 timeframe: 3. Display of ACAS Resolution Advisories on air traffic controller working positions (known as RA Downlink); and 4. Enhancement of ground-based safety nets by making use of improved surveillance infrastructure and down linked aircraft parameters.
10
And beyond 2020 three further operational improvement steps will follow: 5. Adaptation of ACAS to new separation modes; 6. Adaptation of STCA to new separation modes; and 7. Improvement of compatibility between airborne and ground-based safety nets. It is safe to assume that some of these developments will find their way into the “Level 2” safety nets, or that “Level 3” safety nets will become available around 2015. In any case, the SPIN Sub-Group will continue to be a driving force for ensuring effectiveness of safety nets.
11
THE SAFETY NET LIFE CYCLE This section provides a bird’s eye view of the safety net life cycle. No attempt has been made to be complete and references to STCA in the pictures serve only as examples; the key messages apply to all safety nets.
Defining safety nets Once a safety net implementation or improvement project has been planned and kicked off, the first life cycle phase is the definition phase. It is good practice in any project to spend sufficient time and resources in this phase. In this phase mistakes can be simply corrected by a revision of a document. In later phases the cost of correcting mistakes will increase exponentially and may even be impossible to correct. It is particularly important to fully grasp the complexity of the current and future operational environment in which the safety nets are intended to work. Familiarisation with the Reference Systems described in the guidance material will help. Similarly, representation in the SPIN Sub-Group can be exploited by building on the experience and even the products of other organisations. Safety Assurance is needed throughout the project and should start at the beginning of this phase. If following the recommended EUROCONTROL Safety Assurance Methodology (SAM), the first task will be to construct an initial safety argument. This argument is then used to draft the safety plan. Reusable versions of both are included in the documentation packages. The key activity in this phase is capturing the operational requirements. Because of the need to take local factors fully into account, no generic operational requirements are included in the guidance material. Instead, a detailed check is included which covers aspects to address.
Implementing safety nets The detailed activities in the implementation phase depend very much on the outcome of a make-or-buy decision and the related standard practices of the organisations concerned. In many cases safety nets implementation will be an integral part of a complete ATS system implementation. Irrespective of the implementation model it is imperative that fitness-for-purpose is ensured through appropriate verification activities (reviews, inspections, tests, etc.) throughout this phase. Seemingly trivial choices will have to be made, for example the number of distinct airspace volumes for which parameters can be defined, but informed decisions are needed because changes at a later stage will be expensive.
12
Optimising safety nets If safety nets are externally procured, the initial optimisation may be performed by the supplier. However, optimisation is not a one-off activity. It is therefore essential that transfer of ownership is preceded by appropriate staff training and familiarisation. Since optimisation is a recurring process, investment in a safety net “testbed” is worthwhile. A complete “testbed” will include tools to capture relevant encounters from surveillance data, encounter categorisation tools, an accurate fast-time simulation model of the relevant safety net, and tools to capture and visualise relevant metrics from fast-time simulations. Note that encounter categorisation in particular will always be a labour-intensive activity that requires active involvement of operational users.
Operating safety nets Before starting first operations, air traffic controllers must receive training, aimed at creating an appropriate level of trust in the concerned safety net. The time-criticality of alerts and the need for immediate attention or action must be well understood, but also the situations in which safety nets are less effective. Safety nets performance must be monitored and regularly analysed, not only to improve the safety nets but also to identify other safety improvement opportunities. For example, “hot spots” could be identified and removed by making changes to airspace structure or procedures. In order to avoid the “Cry Wolf” syndrome, the number of nuisance and false alerts must be reduced to a minimum. Air traffic controllers should be encouraged to report unexpected and unwanted safety nets behaviour and feedback should always be provided.
13
The Boy Who Cried Wolf (Also known as The Shepherd’s Boy and the Wolf)
There once was a shepherd boy who was bored as he sat on the hillside watching the village sheep. To amuse himself he took a great breath and sang out, "Wolf! Wolf! The Wolf is chasing the sheep!" The villagers came running up the hill to help the boy drive the wolf away. But when they arrived at the top of the hill, they found no wolf. The boy laughed at the sight of their angry faces. "Don't cry 'wolf', shepherd boy," said the villagers, "when there's no wolf!" They went grumbling back down the hill. Later, the boy sang out again, "Wolf! Wolf! The wolf is chasing the sheep!" To his naughty delight, he watched the villagers run up the hill to help him drive the wolf away. When the villagers saw no wolf they sternly said, "Save your frightened song for when there is really something wrong! Don't cry 'wolf' when there is NO wolf!" But the boy just grinned and watched them go grumbling down the hill once more. Later, he saw a REAL wolf prowling about his flock. Alarmed, he leaped to his feet and sang out as loudly as he could, "Wolf! Wolf!" But the villagers thought he was trying to fool them again, and so they didn't come. At sunset, everyone wondered why the shepherd boy hadn't returned to the village with their sheep. They went up the hill to find the boy. They found him weeping. "There really was a wolf here! The flock has scattered! I cried out, "Wolf!" Why didn't you come?" An old man tried to comfort the boy as they walked back to the village. "We'll help you look for the lost sheep in the morning," he said, putting his arm around the youth, "Nobody believes a liar...even when he is telling the truth!"
Attributed to Aesop (620-563 BC)
14
ANNEX: Terms and definitions used in the EUROCONTROL Specifications (cont.)
STCA MSAW APM APW Source
Alert. Indication of an actual or potential hazardous situation that requires particular attention or action.
� � � � -
Altitude. The vertical distance of a level, a point or an object considered as a point, measured from mean sea level (MSL).
� � Doc 4444
Approach path monitor. A ground-based safety net intended to warn the controller about increased risk of controlled flight into terrain accidents by generating, in a timely manner, an alert of aircraft proximity to terrain or obstacles during final approach.
� Change proposal for Doc 4444
§15.7.4 Note 1
Area proximity warning. A ground-based safety net intended to warn the controller about unauthorised penetration of an airspace volume by generating, in a timely manner, an alert of a potential or actual infringement of the required spacing to that airspace volume.
� -
ATS surveillance service. Term used to indicate a service provided directly by means of an ATS surveillance system.
� � � � Doc 4444
Conflict. Converging of aircraft in space and time which constitutes a predicted violation of a given set of separation minima.
� Derived from Doc 9426
Elevation. The vertical distance of a point or a level, on or affixed to the surface of the earth, measured from mean sea level.
� � Doc 4444
False alert. Alert which does not correspond to a situation requiring particular attention or action (e.g. caused by split tracks and radar reflections).
� � � � -
Final approach. That part of an instrument approach procedure which commences at the specified final approach fix or point, or where such a fix or point is not specified,
a) at the end of the last procedure turn, base turn or inbound turn of a racetrack procedure, if specified; or
b) at the point of interception of the last track specified in the approach procedure; and
ends at a point in the vicinity of an aerodrome from which:
1) a landing can be made; or
2) a missed approach procedure is initiated.
� Doc 4444
Flight level. A surface of constant atmospheric pressure which is related to a specific pressure datum, 1 013.2 hecto-pascals (hPa), and is separated from other such surfaces by specific pressure intervals.
Note 1.– A pressure type altimeter calibrated in accordance with the Standard Atmosphere:
a. when set to a QNH altimeter setting, will indicate altitude;
� � Doc 4444
15
Terms and definitions used in the EUROCONTROL Specifications (cont.)
STCA MSAW APM APW Source
Flight level. (cont.)
b. when set QFE altimeter setting, will indicate height above the QFE reference datum;
c. when set to a pressure of 1 013.2 hPa, may be used to indicate flight levels.
Note 2.– The terms "height" and "altitude", used in Note 1 above, indicate altimetric rather than geometric heights and altitude.
Ground-based safety net. A ground-based safety net is functionality within the ATM system that is assigned by the ANSP with the sole purpose of monitoring the environment of operations in order to provide timely alerts of an increased risk to flight safety which may include resolution advice.
� � � � -
Height. The vertical distance of a level, a point or an object considered as a point, measured from a specified datum.
� � Doc 4444
Human performance. Human capabilities and limitations which have an impact on the safety and efficiency of aeronautical operations.
� � � � Doc 4444
Level. A generic term relating to the vertical position of an aircraft in flight and meaning variously, height, altitude or flight level.
� � Doc 4444
Minimum safe altitude warning. A ground-based safety net intended to warn the controller about increased risk of controlled flight into terrain accidents by generating, in a timely manner, an alert of aircraft proximity to terrain or obstacles.
� Change proposal for Doc 4444
§15.7.4 Note 1
Nuisance alert. Alert which is correctly generated according to the rule set but is considered operationally inappropriate.
� � � � -
Separation. Spacing between aircraft, levels or tracks. � Doc 9426
Short term conflict alert. A ground-based safety net intended to assist the controller in preventing collision between aircraft by generating, in a timely manner, an alert of a potential or actual infringement of separation minima.
� Derived from Doc 4444
§15.7.2 Note 1
Warning time. The amount of time between the first indication of an alert to the controller and the predicted hazardous situation.
Note.– The achieved warning time depends on the geometry of the situation.
Note – The maximum warning time may be constrained in order to keep the number of nuisance alerts below an acceptable threshold.
� � � � -
16
ANNEX: Acronyms
ACAS
ANSP
APM
APW
ATC
ATM
ATS
CD
CIP
CFL
EATCHIP
ECAC
(E)GPWS
ESARR
ESSIP
FR
GAT
hPa
Airborne Collision Avoidance System
Air Navigation Service Provider
Approach Path Monitor
Area Proximity Warning
Air Traffic Control
Air Traffic Management
Air Traffic Service
Compact Disk
Convergence and Implementation Programme
Cleared Flight Level
European ATC Harmonisation and Integration Programme
European Civil Aviation Conference
(Enhanced) Ground Proximity Warning System
EUROCONTROL Safety Regulatory Requirement
European Single Sky Implementation
France
General Air Traffic
hecto-pascals
ICAO
MSAW
NM
NL
PANS
PC
QFE
QNH
R&D
SAM
SESAR
SPIN (2004)
SPIN (2005)
SPIN (2008)
SRC
STCA
TAWS
TCAS
International Civil Aviation Conference
Minimum Safe Altitude Warning
nautical mile
Netherlands
Procedures for Air Navigation Services
Personal Computer
Atmospheric pressure at aerodrome elevation (or at runway threshold)
Altimeter sub-scale setting to obtain elevation when on the ground
Research & Development
Safety Assurance Methodology
Single European Sky ATM Research
Survey of Practices In safety Nets
Safety nets: Planning Implementation and eNhancements (Task Force)
Safety nets Performance Improvement Network (Sub-Group)
Safety Regulation Commission
Short Term Conflict Alert
Terrain Awareness and Warning System
Traffic alert & Collision Avoidance System
17
ANNEX: What is on the CD The CD contains the most recent Safety Nets documentation available at the time of publication. The CD is intended for use on a modern PC with Microsoft Office, Adobe Acrobat and Adobe Flash software or viewers installed. The root directory of the CD contains a PowerPoint slideshow file named index.pps – double-click this file to view a master presentation that contains links to other presentations and the documentation.
The following sets of documentation are included: � An Awareness Package for use as a training aid or
presentation aid � The complete document hierarchy (see page 5 of this
Guide) for each of the Safety Nets (STCA, APW, MSAW and APM), including selected presentations for some of the documents
� A “Master Presentation” which also provides access to
additional resources
More information, questions or feedback: www.eurocontrol.int/safety-nets [email protected]
© 2012 European Organisation for the Safety of Air Navigation (EUROCONTROL) This document is published by EUROCONTROL in the interests of exchange of information. It may be copied in whole or in part, providing that the copyright notice and disclaimer are included. The information contained in this document may not be modified without prior written permission from EUROCONTROL. EUROCONTROL makes no warranty, either implied or express, for the information contained in this document, neither does it assume any legal liability or responsibility for the accuracy, completeness or usefulness of this information.
