AEAT LD76008/2 Issue 1

Whole Airspace ATM System Safety Case - Preliminary Study

A report produced for EUROCONTROL

by AEA Technology

Steve Kinnersly

November 2001


Title: Whole Airspace ATM System Safety Case - Preliminary Study

Customer: EUROCONTROL

Customer reference: C/1.125/HQ/EC/01

Confidentiality, copyright and reproduction: This document has been prepared by AEA Technology plc in connection with a contract to supply goods and/or services. The contents must not be disclosed to third parties other than in accordance with the terms of the contract.

File reference:

Report number: AEAT LD76008/2

Report status: Issue 1

AEA Technology
Telephone +44 (0)1305 202039
Facsimile +44 (0)1305 202075

AEA Technology is the trading name of AEA Technology plc. AEA Technology is certificated to BS EN ISO9001: (1994)

Name / Signature / Date

Author: Steve Kinnersly

Reviewed by:

Approved by:


Executive Summary

A preliminary study has been carried out into the possibility of developing a Whole Airspace ATM System Safety Case for airspace belonging to EUROCONTROL member states. The study was carried out by AEA Technology on behalf of EUROCONTROL under the CARE Innovative Action programme. The focus is on generic issues so that it will be applicable to systems that may be developed and introduced on a 10 – 20 year timescale. It is timely to consider this now in order to ensure that whole-airspace safety does not limit future safe development of the ATM system.

The preliminary study addresses :

• Institutional issues affecting a Whole Airspace ATM System Safety Case
• Technical issues affecting a Whole Airspace ATM System Safety Case
• The concepts, structure, logic, language and methodology for building a Whole Airspace ATM System Safety Case
• Recommendations for future work

The first three topics were considered in a specialist Workshop that aimed to identify where work in other areas could contribute to the development of novel aspects of a whole-airspace safety case. The results of the Workshop were then developed further during the study. The overall conclusions are that :

• Institutional and technical change is leading to increasing integration of ATM systems throughout airspace

• Integration means that ATM safety must be addressed and demonstrated at a whole-airspace level

• Technical tools (in particular, Goal Structuring Notation) are available for developing and facilitating large, complex safety cases, including interfacing with and re-use of existing safety cases, safety arguments and justifications

• A Whole-Airspace ATM System Safety Case will be a valuable tool for safety management as well as a demonstration of whole-airspace ATM system safety

It is therefore recommended that :

• A high-level Whole-Airspace ATM System Safety Case is developed
• The Safety Case should interface with and make maximum use of existing safety cases, safety arguments and justifications
• Development should establish links with, and use outputs from, related studies such as the JAA Future Aviation Safety Team (FAST) study
• Development should be completed within 2 years


Contents

1 Introduction 1
2 Workshop 1
3 Institutional Issues 2
3.1 POTENTIAL STAKEHOLDERS 2
3.2 ATM INSTITUTIONAL CONTEXT AND CHANGE 3
3.2.1 EATMP Safety Policy And Implementation 3
3.2.2 Single European Sky 4
3.2.3 Safety Regulation 5
3.2.4 ATM Service Provision 6
3.3 INSTITUTIONAL CHANGE AND SAFETY 6
3.4 SAFETY CASE OWNERSHIP 6
4 Technical Issues 7
4.1 TECHNICAL CHANGE AND SAFETY 8
4.2 IMPLICATIONS OF INTEGRATION 10
5 Safety Case Structure 13
5.1 WHY IS STRUCTURE IMPORTANT? 13
5.2 HOW IS THE STRUCTURE BEST REPRESENTED? 14
5.2.1 Goal Networks 15
5.2.2 Goal Structuring Notation 15
5.2.3 Modules, repeated structures 18
5.2.4 External Referencing 18
5.2.5 Previous Use of GSN 18
6 Whole Airspace ATM System Safety Case Structure - Example 19
6.1 SYSTEM DESCRIPTION 19
6.2 TOP-LEVEL SAFETY GOAL 19
6.3 ALTERNATIVE STRATEGIES 20
6.4 GEOGRAPHICAL AREA STRATEGY 20
6.4.1 Top-level Structure 20
6.4.2 Lower-level Structure 20
6.4.3 The Complete Structure 22
6.5 BASIC ATM RULES STRATEGY 24
6.5.1 Top-Level Structure 24
6.5.2 Lower-level Structures 24
6.5.3 The Complete Structure 26
6.6 COMPARISON AND IMPLICATIONS 28
7 Conclusions 28
8 Recommendations for Further Work 29
8.1 PURPOSE 29
8.2 SCOPE 29
8.3 INTERACTIONS 29
8.4 TASKS 30
8.5 SCHEDULE 30

References

Glossary

ACRONYMS AND ABBREVIATIONS

Appendices

APPENDIX 1 FAST STUDY – ANS CHANGES


1 Introduction

A preliminary study into a future Whole Airspace ATM System Safety Case has been carried out on behalf of EUROCONTROL. The focus is on generic issues so that it will be applicable to systems that may be developed and introduced on a 10 – 20 year timescale. It is timely to consider this now in order to ensure that whole-airspace safety does not limit future safe development of the ATM system.

The study addresses :

• Institutional issues affecting a Whole Airspace ATM System Safety Case (Section 3)
• Technical issues affecting a Whole Airspace ATM System Safety Case (Section 4)
• The concepts, structure, logic, language and methodology for building a Whole Airspace ATM System Safety Case (Sections 5 and 6)

Each of these was considered in a specialist Workshop that aimed to identify where work in other areas could contribute to the development of novel aspects of a whole-airspace safety case. The main conclusions of the Workshop are given in Section 2.

Finally, recommendations have been developed for a work programme to produce a Whole Airspace ATM System Safety Case. These are given in Section 8 in a format suitable for defining a future EUROCONTROL Innovation project.

2 Workshop

A specialist Workshop was held at EUROCONTROL, Brussels, on 24-25 September 2001. The aim of the workshop was to identify where work in other areas could contribute to the development of novel aspects of a whole-airspace safety case. A report of the Workshop has been issued as (Ref 1).

Specific points highlighted during the Workshop included :

• Institutional issues had a significant impact on safety of the UK railway network during a time of major change in the industry.

• One of the reasons for the impact of institutional issues on railway safety was the lack of a whole-network safety case that could have been used to assess and manage the consequences of change. The rail regulator now requires comprehensive top-down safety cases as a matter of urgency.

• The structure of the safety argument is as important as technical content in a safety case, particularly for complex safety cases involving many organisations.

• Goal Structuring Notation (GSN) is a mature and flexible tool for developing and expressing the structure of a safety case. In particular, it facilitates the use of existing sub-system safety cases within an overall system safety case.

• GSN is being developed further in directions that will assist a Whole Airspace ATM System Safety Case (e.g. re-use of modular structures)

• Computerised tools have been developed to assist the development of safety cases using GSN

• In packet-switched communications network design, simulation is a mature technique for verifying whole-network metrics such as capacity and resilience with respect to failures. Simulation as a means of calculating whole-system metrics for ATM, including both capacity and safety resilience, is currently being investigated in the CARE/INTEGRA project. Analogies can be drawn between the two types of system which suggest that further development of ATM simulations for whole-system metrics may be able to benefit from network simulation experience.

These are discussed further in later sections of this report.

3 Institutional Issues

This section reviews the institutional aspects of a Whole Airspace ATM System Safety Case. It considers :

• The potential stakeholders
• ATM institutional context and changes
• Institutional change and safety
• Safety case ownership

The significance of institutional issues for a Whole Airspace ATM System Safety Case is summarised.

3.1 POTENTIAL STAKEHOLDERS

This Section considers who the potential stakeholders are for a Whole Airspace ATM System Safety Case. Potential stakeholders are organisations and social groups that could provide inputs to, affect, be affected by, use or otherwise have a legitimate interest in the safety case. The wide scope of a Whole Airspace ATM System Safety Case and the fundamental importance of safety means that the number of potential stakeholders is correspondingly large.

Identification and review of stakeholders in aviation safety has been carried out previously for other projects so has not been repeated here. A recent study of target levels of safety (TLS) carried out for the European Commission – the ASTER Project (Ref 2) – identified a hierarchy of classes of stakeholder for target levels of safety for aviation (Table 3-1). Stakeholders were categorised as Core (i.e. directly involved with setting or achieving target levels of safety) or Secondary (i.e. indirectly involved, for instance as an external comparison). Core stakeholders were then categorised as Institutional (typically involved in setting the TLS or monitoring compliance) or Solution Providers (contributing to achievement of the TLS).


Core / Institutional: Regulatory; Military; European Union; Trade Unions; International Bodies; Legal; Economic

Core / Solution Providers: Commercial Airlines; Other Aircraft Operators; Airport authorities; Contractors; Crew; Owners (Shareholders); Manufacturers (aircraft and systems); ATM Providers

Secondary / Society & Other Industries: Public; Passengers; Family Members (of passengers); Media; Rail transport industry; Nuclear industry; Biotechnology industry

Table 3-1 : Stakeholders In Aviation Safety (From ASTER Project)

The stakeholder hierarchy identified in the ASTER project also applies to a Whole Airspace ATM System Safety Case. However, their individual significance must be tailored to the ATM, rather than generic aviation, scope of the safety case. A representative list of specific organisations corresponding to each category was produced for ASTER (not reproduced here). This will need to be reviewed and updated for a Whole Airspace ATM System Safety Case.

3.2 ATM INSTITUTIONAL CONTEXT AND CHANGE

This Section summarises the broad institutional safety context within which a Whole Airspace ATM System Safety Case would be produced. It is not intended to be a complete or detailed summary, but rather to give the main contextual headings and trends. The focus is on planned or potential changes, as experience in other sectors (notably rail transport) has shown that change can have a significant impact on safety.

3.2.1 EATMP Safety Policy And Implementation

EUROCONTROL, through its EATMP Safety Policy (Ref 3), has adopted a safety policy that is determined by four EATMP Policy Statements :

Safety Management
The ECAC States participating in EATMP should adopt an explicit, pro-active approach to safety management in the air navigation services.

Safety Responsibility
Everyone has an individual responsibility for their own action and managers are responsible for the safety performance of their own organisations.


The Priority of Safety
The achievement of satisfactory safety in the Air Navigation Services should be afforded the highest priority over commercial, operational, environmental or social pressures.

The Safety Objective of Air Navigation Services
While providing an expeditious service, the principal safety objective is to minimise the air navigation services’ contribution to the risk of an aircraft accident as far as reasonably possible.

In addition, the EATMP Safety Policy lays down Safety Management Principles that reflect best practices. They define the scope of the Safety Management Programme, provide a framework for processes to identify safety shortcomings so that remedial action can be taken, and provide an assurance that safety levels are being maintained or improved. They address three main issues :

• Safety achievement, specifying the means for achieving high safety standards. Includes competency, safety occurrences, quantitative safety levels and safety system assessment.

• Safety assurance, specifying the means for providing assurance that risks are being managed. Includes safety surveys, safety monitoring and system safety assessment documentation.

• Safety promotion, specifying the means by which safety issues are communicated to ensure a culture of safe working within the organisation. Includes lesson dissemination and safety improvement.

The EATMP Safety Policy is supported by Implementation Guidance Material (Ref 4). The objective of this guidance is to support States in their development of Safety Management Programmes by stressing issues that need to be considered and by providing examples of implementation.

The guidance is supported by the development of an Air Navigation System Safety Assessment Methodology (Ref 5). This describes the underlying principles of a safety assessment process that satisfies the EATMP Safety Policy. It applies, in the first instance, to ground-based components of Air Navigation Systems. The integration of airborne and satellite systems will be included in the future.

Safety management systems complying with the EATMP Safety Policy will be implemented by all ECAC States participating in EATMP.

Implementation of the EATMP Safety Policy and use of the ANS safety assessment methodology (or equivalent) within relevant states will provide a level of consistency that will greatly facilitate the development of a Whole Airspace ATM System Safety Case.

3.2.2 Single European Sky

The European Commission has recently (10 October 2001) adopted a package of proposals on air traffic management designed to create a Single European Sky by 31 December 2004 (Ref 6). The objectives of the Single European Sky and its operating principles are based on six lines of action:


1. Joint management of airspace
2. Establishment of a strong Community regulator
3. Gradual integration of civilian and military management
4. Institutional synergy between the EU and EUROCONTROL
5. Introduction of appropriate modern technology
6. Better coordination of human resources policy in the air traffic control sector

(Ref 6, clause 2.5) notes that ‘Safety is one imperative which must be maintained and reinforced in the regulatory approach put into place. All the measures proposed hereinafter take account of this absolute constraint to sustaining and fortifying safety standards.’ The safety issue is addressed at three distinct levels:

1. the definition of safety requirements;
2. the assessment of the proper implementation of such requirements;
3. the exercise of the necessary preventive and corrective function on the basis of the safety performance of service providers, including the implementation of safety nets.

Institutional links between EUROCONTROL and the European Commission are planned and foreseen that will ensure consistency, avoidance of duplication and the use of EUROCONTROL expertise in facilitating the single European sky.

Maintaining safety during the integration of airspace and introduction of new technical systems, together with the corresponding institutional changes, requires a complete and consistent understanding of the reasons why the airspace is currently safe and the impact of the changes. A Whole Airspace ATM System Safety Case would be a basis for managing safety through the changes.

3.2.3 Safety Regulation

Safety regulation of air navigation services is currently the responsibility of each individual state.

The Safety Regulation Commission, set up under the auspices of EUROCONTROL, is developing common EUROCONTROL safety regulatory requirements (ESARRs). These requirements apply to all providers of ATM services in respect of those parts of the ATM/CNS System and supporting services for which they have managerial control. They are to become effective within three years from the date of adoption by the EUROCONTROL Commission. National regulators will implement the ESARRs in their national regulatory systems.

Under the Single European Sky proposals of the European Commission, a single regulator for the European Union would be established – the European Aviation Safety Agency (EASA) (Ref 7). Air traffic management is not within the initial scope of the EASA, but is envisaged at a later stage. With regard to the definition of safety requirements, initially the Commission proposes to implement safety measures based on the ESARRs drawn up by the SRC, where they are suitable to support binding regulations (Ref 8).


3.2.4 ATM Service Provision

ATM service providers vary in their institutional status from state to state. The situation for EU countries is given in Table 3-2 (Source: Eurocontrol Performance Review Commission Report PRR 3, 1999).

The organisation providing air traffic control is: Country

Corporatised: Austria, Belgium, Germany, Spain, Ireland, Netherlands, Portugal, UK
To be corporatised: Denmark, Italy
Government department: France
State or ‘semi-State’ enterprise: Sweden, Finland

Table 3-2 : Status of ATM Service Providers

Service provider status has recently changed in the UK. Change is intended in two other states within the EU.

3.3 INSTITUTIONAL CHANGE AND SAFETY

Institutional change is a known factor affecting safety. Change within an organisation can affect levels of safety achieved by that organisation. Change in the institutional structure of an industry can affect the level of safety achieved by the industry as a whole. It is recognised that forthcoming changes within the ATM sector must not compromise safety. Indeed, safety must if possible be enhanced.

The extensive institutional changes in the UK railway system over recent years provide a clear example of how change can compromise safety in spite of public assurances that safety would not be compromised. One of the reasons for this is that a safety case for the whole railway network did not exist prior to the changes. Thus, while safety responsibilities were re-allocated, the safety impact of the changes could not be properly assessed and managed. The railways regulator now requires comprehensive, top-down safety cases as a matter of urgency.

A general lesson from UK railway experience is that the existence of a trustworthy safety case at or above the level at which change is intended is a potentially valuable tool for managing safety during the change. In particular, it permits interactions to be identified and assessed, makes assumptions explicit so they can be maintained or modified and allows the safety impact of change to be followed upwards and downwards.

3.4 SAFETY CASE OWNERSHIP

Ownership of a safety case is an important institutional issue. The owner is responsible for the correctness of the safety case – in other words, that the safety claims made by the safety case can be trusted. If the ownership of a safety case is not appropriate or is confused (perhaps by shared ownership) then the safety case may not be correct or trustworthy.


It is not immediately obvious who should own a Whole Airspace ATM System Safety Case. Ownership will therefore be considered with respect to three different viewpoints on end use.

The first viewpoint is that of a unit or service safety case. A unit or service safety case is owned by the organisation that is directly responsible for the unit or service that may cause the potential hazards. In the case of a Whole Airspace ATM System Safety Case, no single organisation is responsible for the whole airspace. Thus, there is no natural institutional owner from this viewpoint.

The second viewpoint is that of an organisation that submits a safety case to a regulator in order to obtain a permit to operate. For a complex system, the top-level safety case submitted to a regulator may include or depend on subsidiary safety cases that are the responsibility of other organisations. Thus, the submitting organisation need not necessarily be directly responsible for all the causes of potential hazards. Such cascaded safety cases are necessitated within the UK railway industry. However, this viewpoint cannot be the basis of ownership for a Whole Airspace ATM System Safety Case since it is not intended for submission to a regulator in order to obtain a permit to operate.

The third viewpoint for establishing ownership is that of use of a safety case as a tool for managing safety. The owner is the organisation that develops the safety case in order to assist their management of safety. This is quite independent of whether the safety case is a regulatory requirement and must be submitted to a regulator. The third viewpoint is the most appropriate with respect to ownership of the Whole Airspace ATM System Safety Case.

When seen as a tool for safety management rather than for regulatory use, it is clear that ownership is not restricted to ATM service providers. It is therefore recommended that the Whole Airspace ATM System Safety Case should be owned and developed by EUROCONTROL on behalf of the end users in ECAC states. This would ensure that :

• The Whole Airspace ATM System Safety Case benefits ATM safety through EUROCONTROL’s safety management and coordination roles
• EUROCONTROL knowledge and expertise is incorporated
• ECAC Member State interests can be properly represented
• Inputs from the European Commission and other international organisations can be obtained via institutional links with EUROCONTROL

4 Technical Issues

This Section considers how technical factors in the ATM system, particularly planned and possible changes, may affect the argument for the safety of the system.


4.1 TECHNICAL CHANGE AND SAFETY

Technical changes are underway, planned or being considered that are likely to result in the technical basis for the safety of air traffic management in 10 – 20 years time differing considerably from what it is today. These changes, whether with respect to operations or the engineered systems, must be managed so that the overall safety of ATM is maintained and, if possible, improved. In order to achieve this, all the safety impacts and interactions of technical changes must be assessed and managed.

Areas of change affecting the safety of aviation in the future have been identified by the JAA’s Future Aviation Safety Team (FAST). Each area of change identified in the FAST study represents a number of specific technical changes that may take place. 145 areas of change were identified by FAST. These were organised into eleven different categories as follows :

Category (abbreviation): Number of changes per category

Air Navigation System (ANS): 23
Aircraft (AC): 27
Maintenance, Repair & Overhaul: 6
Operations (OP): 12
Crew (C): 18
Passenger (P): 7
Organisation (O): 6
Authority (AUTH): 4
Airport (AP): 7
Environment (E): 31
Space Operations (S): 4
Total: 145

23 out of 145 areas of change (i.e. 16%) are in the category ‘Air Navigation System’. Many changes identified in other categories have implications for ATM. The areas of change assigned to Air Navigation System are given in Table 4-1 (note that the list is not in priority order). The full table from the FAST study, including explanatory comments, is given in Appendix 1.

Change

ANS 1 Emergence of new concepts for airspace management.
ANS 2 Increasing number of aviation operations.
ANS 3 Increase in air traffic flow management (ATFM) technology development activities.
ANS 4 Increased requirements for centralised control of ATM.
ANS 5 Decreased separation standards.
ANS 6 Increasing operations of low-technology aircraft in ATM environments featuring advanced capabilities.
ANS 7 Introduction of new technologies with unforeseen human factors aspects.
ANS 8 Increased level of information inequality in shared decision making contexts.
ANS 9 Increasing amount of information available to ATM personnel.
ANS 10 Decreasing ATM equipment design and operational expertise.
ANS 11 Gap between skills, abilities, and attitude toward technology and automation of future air traffic controllers and the past design philosophies used in the development of present ATM systems.
ANS 12 Increasing variation of sophistication of hardware and software within the ANS system.
ANS 13 Increasing need for maintenance of complex, integrated ANS systems.
ANS 14 Decreasing maintenance expertise required for state-of-the-art ANS systems.
ANS 15 Increasing reliance on outdated equipment.
ANS 16 Increasing reliance on satellite-based systems for CNS functions.
ANS 17 Increasing dependence on secure data links for performing ATM/CNS functions.
ANS 18 Increasing use of ATM warning and alert systems.
ANS 19 Increasingly complex interactions among highly automated ground-based and flight deck systems.
ANS 20 Introduction of artificial intelligence.
ANS 21 Discrepancies in the pace and direction of development of ground versus in-flight CNS systems.
ANS 22 Evolution of Flight Management System databases.
ANS 23 Increased requirement for co-ordination with military flight operations.

Table 4-1 : Areas Of Change In Air Navigation System Identified By FAST

The FAST study has prioritised areas of change according to their impact on safety. The top nine areas are given in Table 4-2. Three of the top nine areas (i.e. 33%) are in the ANS category. Others (e.g. AC11 - Proliferation of heterogeneous aircraft with widely-varying equipment and capabilities) have implications for ATM safety.

Rank Code Description

1 AC13 Reliance on flight deck management
2 ANS1 Emergence of new concepts for airspace management
3 C1 Introduction of new technologies with unforeseen human factors aspects
4 AC11 Proliferation of heterogeneous aircraft with widely-varying equipment and capabilities
5 OPS5 Discrepancies in pace and approach in development and implementation of airborne vs. ground-based technology systems
6 ANS2 Increasing number of aviation operations
7 ANS7 Introduction of new technologies with unforeseen human factors aspects
8 AC10 Variation of sophistication of hardware and software within an individual aircraft type
9 AC26/MRO9 Ageing avionics, powerplants, electrical and mechanical systems, and structures, moved from AC26

Table 4-2 : Areas Of Change With Most Safety Significance (FAST Study)

The presence of 3 ANS areas of change in the top 9 indicates the importance of ATM technical change for future aviation safety.

FAST will shortly start a detailed analysis of the two highest ranked areas of change, which includes ANS1 ‘Emergence of new concepts for airspace management’. The other areas in the top 9 will be analysed later.

The importance of assessing the safety impact of technical change within the context of a whole-system safety case is illustrated by recent experience in the UK railway industry. Engineering changes must be supported by a safety case. However, the safety case is developed independently of other changes and in a local, rather than whole-system, context. Furthermore, each safety case is developed on a ‘needs’ basis, so there are no safety cases for areas where no changes have been made or are planned. Thus, wider implications of the proposed change (including interactions with other changes and consistency with whole-network safety) may not be identified, to the detriment of safety. The situation is made even more complex by the increasing requirement for rail industry compatibility throughout the European Union. The UK railway regulator has recently taken steps towards a whole-network safety case by requiring all Train Operators, Station Operators and Infrastructure Operators to submit comprehensive safety cases which will be assessed by the regulator.

Technical changes in the ATM system can also have far-reaching and unexpected safety impacts and interactions. For instance, GPS allows aircraft to fly planned trajectories with much higher precision than previously. This means that two aircraft that should pass over the same point close in time are much more likely to do so when using GPS navigation than when imprecisions in navigation lead to significant scatter about the planned trajectories. The effect of more precise navigation is to bring the two aircraft closer together. Thus, the use of GPS navigation interacts with both the trajectory planning process (which is responsible for deciding whether the two aircraft should be over the same point close in time) and the basic principles underlying separation rules. As with the railways example, a Whole Airspace ATM System Safety Case would be a tool for determining the wider safety implications of a proposed change and ensuring that these are all taken into account to ensure the overall safety of the system.

4.2 IMPLICATIONS OF INTEGRATION

A complete and consistent assessment of the safety impact of proposed technical changes would be facilitated by a Whole Airspace ATM System Safety Case. The safety case would allow the impact of proposed changes to be assessed by following the logical implications of the changes through to the top-level safety claim. It would help to :

• Minimise the possibility of some safety impacts being missed
• Identify and resolve interactions between proposed changes


• Identify the prior assumptions that must be taken into account

Historically, ATM in European airspace was based on local systems with only limitedhorizontal integration, particularly across national boundaries. ATM safety was mainly a localmatter. However, technical changes within ATM are leading to significant increases in bothhorizontal system integration and dependence on system-wide services. Examples ofhorizontal system integration include integration of radar data to provide a single, consistentradar picture across national boundaries. System-wide services include satellite navigation(e.g. EGNOS) and trajectory planning (e.g. current flow control, or future 4-D trajectoryplanning). Both horizontal system integration and system-wide services have safetyimplications and interactions that affect the whole airspace to which they apply. Safety impactis therefore no longer just local, it has a significant whole airspace aspect.

The whole airspace safety impacts of increasing integration means that the argument for thesafety of the ATM system becomes considerably more complex. There are two genericreasons for this. Firstly, the apportionment of safety goals among a mix of system-wide andlocal services, and the demonstration that they will be and have been achieved, is notstraightforward. Secondly, integration introduces or strengthens coupling between otherwiselargely independent part of the system (in particular, geographical areas) so that safety in onearea depends more strongly on system behaviour in other areas. Again, this complicates theapportionment of safety goals and demonstration of their achievement.

As an example of how a system-wide service can impact a whole-airspace safety argument,consider the introduction of 4-D trajectory planning together with the ability to fly thetrajectories accurately. Currently, uncertainties in planned (non-4-D) trajectories andnavigational accuracy means that a major part of the safety for aircraft flying their plannedtrajectories comes from the air traffic service providers managing the effects of thoseuncertainties on separation between aircraft. With non-conflicting 4-D trajectories that areaccurately flown, the major sources of potential conflicts becomes those factors that cannot beplanned or controlled : unexpected weather, late departure due to passenger not at the gate,technical system failures etc. 4-D trajectory planning and accurate navigation will be aprimary means of ensuring safe separation. Air traffic services will then, in effect, deal withthe safety impact of unplanned and uncontrollable externally generated noise in the system.All this has implications for the safety argument for the whole airspace. Firstly, the increasedsafety significance of trajectory planning and the changed safety significance of the air trafficcontrol service imply a high level change in approach to the argument for safety. Secondly,the safety significance of 4-D trajectory planning means that it should have safety goals thatare necessarily system-wide. How should they be expressed, what should they be and how canthey be shown to be achieved? Thirdly, the whole-system scope of 4-D trajectory planningimplies interactions with other parts of the system and their safety arguments. For instance,how should the safety goals for 4-D trajectory planning relate to safety goals for the wholeairspace and for individual states?

Developing this further leads to an example of the impact of increased coupling on the safety argument. 4-D trajectory planning is seen as an important factor in enabling the expected substantial increase in the number of flights in European airspace. (Although the September 11th terrorist incidents in the USA have caused a fall in the number of flights, it is assumed that this will only delay rather than prevent the longer term growth in air traffic.) During busy times, trajectories in some areas will be more tightly packed than now. There will therefore be less ‘buffer’ available to absorb the effect of unplanned events (the uncontrollable noise), which gives the potential for greater propagation through the system (in time as well as space). In effect, tighter packed trajectories may make the system less resilient to unplanned events. The safety implications of a change in the resilience of the whole system with respect to unplanned events may therefore need to be considered and demonstrated more rigorously than at present. Since the degree of resilience will depend on the planned trajectories, a future safety argument might require explicit evidence that the level of resilience is adequate as part of the safety goals for 4-D trajectory planning. How might this be provided and what is adequate?

Experience of packet-switched communications network design may provide some potentially helpful insights. A packet-switched network consists of a number of connected nodes with messages (packets) sent across the system from node to node according to some rules. Each node has a maximum receive/transmit rate. If packets arrive at a node faster than they can be dealt with, they are queued at input. An analogy (admittedly loose) can be drawn with the air traffic network. Packets correspond to aircraft. Communications nodes correspond to pinch-points in the air traffic network (e.g. airports, or major route crossings). Queuing at nodes corresponds to action taken to limit the arrival of aircraft at pinch-points (e.g. stacking, or slowing down to delay arrival).

The total throughput of a packet-switched communications network is found to depend on the loading. At low loading, throughput increases with loading. At high loading, throughput starts to decrease. Failure or degraded capability at nodes affects the whole-system capability. It is found that resilience with respect to failures is usually least when loading is highest and that resilience varies with network design. The optimum network is one that has an appropriate balance between network capability when no faults are present and resilience with respect to failures, particularly at high loading.

Of course, resilience in a communications network is, in some respects, a simpler concept than for ATM. In particular, it is concerned only with throughput rather than having an additional safety dimension. However, safety and capacity are clearly linked in ATM. With 4-D trajectory planning and the ability to fly the trajectories accurately, safety will be related to deviations from planned trajectories (assuming that the planned trajectories are themselves ‘safe’). An analogue in packet-switched communications networks is packets that are queued because nodes are busy (c.f. stacking or slowing down aircraft) or are re-sent by another route to avoid delays (c.f. re-routing aircraft to avoid a busy sector).

In general, the behaviours of packet-switched communications networks are not amenable to theoretical analysis. Networks are therefore assessed by means of simulation. In particular, simulation is used to assess the resilience with respect to failure or degraded capability at nodes. Just as simulation provides the argument for resilience in a communications network, so simulation might have a significant or even essential role in demonstrating safety resilience in the ATM system. For a safety case, it would then be necessary to justify that the simulated safety resilience is an adequate representation of the safety resilience of the real system.
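The throughput and resilience behaviour described in the preceding paragraphs can be made concrete with a small simulation. The following Python is a constructed toy model added here; it is not from the report or from any network design reference, and the workload penalty (a node's service rate falling as its queue grows), the buffer limit and the chain of three identical pinch-points are assumptions made for illustration.

```python
"""Toy fluid-flow model of aircraft passing a chain of pinch-points, after the
report's packet-switched analogy (nodes with a maximum rate and an input queue).
Constructed for this page; the workload penalty is an assumption, not a claim
about real ATM or communications networks."""


def simulate(offered_load, capacities, buffer=20.0, penalty=0.0625, ticks=200):
    """Push `offered_load` units per tick through the nodes in series and return
    the steady-state throughput (units delivered per tick over the second half
    of the run). Constructed assumption: a node's effective service rate falls
    as its queue grows, rate = capacity / (1 + penalty * queue), the analogue of
    stacked traffic costing extra handling effort. Arrivals that would exceed
    `buffer` are held back upstream (flow restriction) rather than queued."""
    queues = [0.0] * len(capacities)
    delivered = 0.0
    for t in range(ticks):
        inflow = offered_load
        for i, cap in enumerate(capacities):
            queues[i] = min(queues[i] + inflow, buffer)
            served = min(queues[i], cap / (1.0 + penalty * queues[i]))
            queues[i] -= served
            inflow = served  # whatever this node handles moves on to the next
        if t >= ticks // 2:
            delivered += inflow  # output of the last node is delivered traffic
    return delivered / (ticks - ticks // 2)


def throughput_curve(loads, capacities):
    """Throughput at each offered load: it rises with load and then collapses
    once queues build and the penalty bites (the report's low/high loading)."""
    return [simulate(load, capacities) for load in loads]


def resilience_loss(offered_load, capacities, node, degraded_capacity):
    """Throughput lost when one node is degraded at a given offered load.
    With the toy parameters the loss is zero at low load and largest around the
    load at which the chain carries most traffic."""
    degraded = list(capacities)
    degraded[node] = degraded_capacity
    return simulate(offered_load, capacities) - simulate(offered_load, degraded)


if __name__ == "__main__":
    chain = [10.0, 10.0, 10.0]  # three identical pinch-points, 10 units/tick each
    for load, thr in zip((3, 6, 12), throughput_curve((3, 6, 12), chain)):
        loss = resilience_loss(load, chain, 0, 7.0)
        print(f"offered load {load:>2}: throughput {thr:.2f}, "
              f"loss if first node degrades to 7: {loss:.2f}")
```

The point for a safety case is the last sentence of the paragraph above: a curve like this is only evidence once the model's assumptions are themselves justified against the real system.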

It is therefore clear that the technical changes underway, planned and being considered mean that the overall safety of ATM will only be justified by an interacting mixture of local and whole-airspace safety arguments. This is considerably more complex than the historical situation. The consistent integration of local and whole-airspace safety arguments would be a significant feature and benefit of a whole-airspace safety case.

5 Safety Case Structure

A safety case requires a structure as well as evidence. The structure shows the logical developments and relationships that constitute the argument that the evidence provided justifies the top-level safety claim. It is the skeleton on which the flesh of specific evidence is hung. The larger and more complex the safety case, the more important it is that the structure is carefully developed and defined.

The question of structure is particularly important for a Whole Airspace ATM System Safety Case as it must necessarily rely heavily on existing safety cases, justifications and documentation. Bringing them together into a single, coherent and logically consistent structure would be a major benefit of a Whole Airspace ATM System Safety Case.

There are three key questions regarding the structure of a Whole Airspace ATM System Safety Case :

1. Why is structure important?
2. How is the structure best represented?
3. What is the most appropriate structure?

This Section addresses these questions.

5.1 WHY IS STRUCTURE IMPORTANT?

A safety case must be both correct and understandable. If it is not correct, then the desired safety is not assured. If it is not understandable then there can be little confidence in the claimed safety assurance. The structure of a safety case is important in both respects. A clear, comprehensible structure makes it most likely that the desired safety is indeed justified by evidence. It also makes it easy to understand the argument that leads from evidence to the claim for safety and thus to have confidence in the claimed safety assurance. (‘Easy to understand’ is, of course, not an absolute. The key point is that the argument is readily understood by those who must produce, assess and use the safety case.)

In simple terms, a good, clear structure provides a planned and organised map of judiciously placed ‘stepping stones’ that helps to ensure that the reader (or user) :

• Understands and is convinced by the safety case
• Does not get lost in the evidence and argument
• Does not have to make too big a ‘leap of faith’

It helps to bridge the gap between safety evidence and safety requirements and objectives – Figure 5-1.


[Figure 5-1 (diagram not reproduced): Safety Evidence linked by a Safety Argument to Safety Requirements & Objectives]

Figure 5-1 : A Safety Argument Links Safety Evidence to Safety Requirements and Objectives

Specifically, a good structure :
• Shows clearly the logical steps in the safety argument
• Shows clearly the evidence provided to support the safety argument
• Links the evidence, argument and safety requirements and objectives so it is clear that the evidence is sufficient to justify the claims and conclusions of the safety case

A good structure has other advantages. A safety case for a large, complex system (such as a Whole Airspace ATM System Safety Case) will usually involve contributions from a number of organisations who each have responsibilities for parts of the safety case. Responsibilities can be mapped onto structure, or the structure developed in accordance with existing responsibilities. A clear structure facilitates :
• Apportionment of responsibilities
• Clear definition of responsibilities
• Completeness of responsibilities (i.e. all parts of the safety case are ‘owned’ by someone)

In addition, a well-structured safety case helps to ensure safety during change. The structure can help to ensure correct, appropriate and complete transfer of safety responsibilities when organisations change. It can also help to ensure that safety requirements and objectives continue to be met when there are technical changes that affect the safety argument.

5.2 HOW IS THE STRUCTURE BEST REPRESENTED?

Safety cases originated as text documents. A text document is most satisfactory for a simple safety case with a linear structure : the argument proceeds through a logical sequence of steps that leads to the conclusion that the relevant plant or activity is safe. However, when the structure of the argument is complex, it cannot readily be represented by a textual description. Links and inter-dependencies between different parts of the argument result in much cross-referencing that tends to obscure the logical structure of the argument. This makes the safety case difficult to develop, read, understand and use.

Recent developments have shown how to move beyond a text-based representation of a safety case. Two issues have been addressed :


1. How to develop and represent the logical structure of a safety case
2. How to present the safety case in a way that follows its natural structure and goes beyond simple text

The first has led to the representation of the structure of a safety case as a network of Goals and Sub-goals together with supporting information and evidence. The second has led to the so-called Electronic Safety Case in which web-based technology is used to develop a safety case as a set of electronic ‘items’ (which may be text, graphics, video or audio) navigated by hyperlinks. These are complementary in that the logical structure of a safety case must be developed before an Electronic Safety Case can be produced. The logical structure, however, can equally be used as the basis for a traditional text-based safety case. The medium used to present the safety case itself – text document or Electronic Safety Case – is therefore largely a matter of practical convenience and does not affect the logical structure. Thus, the rest of this section will be concerned with describing the representation of safety case structure as a network of Goals and Sub-goals.

5.2.1 Goal Networks

The fundamental concept in representing a safety case as a network of Goals and Sub-goals is the idea that the purpose of a safety case is to achieve a desired goal by means of logical argument and evidence. The desired conclusions of the safety case are expressed as one or more top-level Goals. These may be a simple statement such as ‘System X is safe’ or a more complex statement such as ‘System X meets all safety regulation targets and is as safe as reasonably practicable’. These are then broken down into lower-level Sub-goals. Sub-goals are more specific or detailed than Goals. If the Sub-goals are met, then the related Goal is met. A Sub-goal can be broken down into further Sub-goals. Two or more Goals or Sub-goals can share the same lower-level Sub-goal. Thus, complex networks of logically related Goals and Sub-goals can be built up. If the bottom Sub-goals are achieved, then all higher-level Goals and Sub-goals are achieved – including the top-level Goal(s), the conclusion(s) of the safety case.

The network of Goals and Sub-goals provides the structure of the logical inferences that constitute the safety case. It is supported by :

• Strategies adopted
• The rationale for the approach (assumptions, justifications)
• The contexts in which Goals and Sub-goals are stated
• Evidence required to show that the Goals and/or Sub-goals are met

Eventually, specific data and information are provided that satisfy the evidence requirements.

The structured logical inferences represented by the network of Goals and Sub-goals together with the supporting information and specific evidence are the logical argument that the top-level Goals have been met. In other words, they are the safety case.

5.2.2 Goal Structuring Notation

A graphical notation has been developed by the University of York to represent the goal-structure and supporting information. This Goal Structuring Notation (GSN) facilitates the construction of complex safety cases by showing clearly the logical relationships between the Goals, Sub-goals, strategies, rationales, contexts and evidence. Provided the network is correct and the evidence is true, then the top-level Goals are achieved.

GSN makes use of graphical symbols to represent entities in the safety argument – goals, sub-goals, strategies, contexts and evidence – together with directed arrows that show the direction of the breakdown of goals and sub-goals. The conventional notation is as follows :

[Symbol legend (graphics not reproduced): Goal or Sub-goal; Strategy; Context; Evidence; Goal breakdown direction]

Figure 5-2 is a simplified illustration of the use of GSN (note that this is for illustration only and must not be considered as the basis of a safety case for a specific system). The top-level safety goal is that the system is ‘safe’. This is progressively broken down until sub-goals are reached for which convincing evidence can be provided. The illustration shows that GSN provides a clear, structured and intuitive hierarchical breakdown that captures the elements most important to a safety argument. It shows the logic of the argument more clearly and convincingly than a linear text-based description. Even if a linear text-based description of the argument is needed (i.e. a report), a GSN summary is a valuable tool for guiding both the reader and the safety case developer through the logic of the argument and giving assurance that the safety goals are met.


[Figure 5-2 (diagram not reproduced). Node labels: System is safe; Argument that hazards are acceptable; Argument that design and build are satisfactory; All hazards eliminated or sufficiently mitigated; Hazards identified from Functional Hazard Assessment (Ref B); Hazard H1 has been eliminated; Probability of Hazard H2 < X per landing; Fault tree analysis; Independent design review; Hardware reliability and failure rates appropriate to hazards; Continuity of service target (Ref B); Signal integrity target (Ref C); Failure rate for failure mode F < Y per operational hour; Failure Modes and Effects Analysis; Software developed to Integrity Level appropriate to hazards; Integrity Level process standard is Ref D; Software module M1 developed to Integrity Level IL1; Software module M2 developed to Integrity Level IL2; Process evidence of IL1; Process evidence of IL2]

Figure 5-2 : Illustrative Example of GSN for a Safety Argument


5.2.3 Modules, repeated structures

A number of aspects of a Whole Airspace ATM System Safety Case suggest a modular approach for at least some parts of the safety case. For instance, implementation of a common approach to ATM across states suggests that the structure of the relevant part of the Whole Airspace ATM System Safety Case could involve a number of similar or identical modules, one for each state.

GSN capabilities have recently been developed that permit the definition and re-use of modules within an overall safety case structure. This facilitates the construction of complex but logically coherent and comprehensible structures. Re-used modules need not remain identical: a re-used module may be subsequently modified if necessary, for instance to take into account special local circumstances.

5.2.4 External Referencing

Closely allied to modular structures is external referencing to other, free-standing structures. A Whole Airspace ATM System Safety Case will necessarily need to utilise existing safety cases, justifications and documentation. GSN provides facilities for external referencing that ensure consistency and logical correctness. Thus, GSN can be used to produce a framework that incorporates existing safety cases, justifications and documentation.

Importantly, GSN external referencing is concerned only with the interface to a free-standing structure (i.e. safety case, justification etc.). Its internal structure and content are not of concern. Thus, confidentiality of a sub-system safety case can be maintained (for legal, commercial or other reasons) while using GSN to ensure that the overall safety case for the whole airspace is sound.

5.2.5 Previous Use of GSN

GSN is now an established technique for representing and developing safety case structure in a number of fields. The following table gives a selection of applications outside the civil air traffic management sector.

Organisation              Application
BAE Systems               Parts of Eurofighter Safety Justifications
BAE Systems               Parts of Nimrod Safety Justifications
BAE Systems               South African Hawk
Royal Air Force (UK)      UK ASACS – Military Air Traffic Management
UK Ministry of Defence    Harrier
UK Ministry of Defence    Site Safety Justifications (Complex Multi-facility, Multi-role safety case)
Railtrack/Siemens         Dorset Coast Rail Resignalling Project
Westinghouse              London Underground Jubilee Line Extension

Within the civil air traffic management sector, GSN has been used by UK NATS, by the Irish air traffic management organisation and, within EUROCONTROL, for the RVSM Pre-Implementation Safety Case.


6 Whole Airspace ATM System Safety Case Structure - Example

Sections 5.1 and 5.2 have shown firstly that the structure of a safety case is important and secondly that GSN provides a means of representing that structure. This section considers some aspects of the structure of a Whole Airspace ATM System Safety Case and how it may be developed from a top-level goal.

Note that a very simple, generic example has been chosen and developed specifically in order to illustrate certain considerations regarding structure that are expected to apply to a complete Whole Airspace ATM System Safety Case. It should not therefore be considered as a basis for a Whole Airspace ATM System Safety Case, but rather a vehicle for raising structural considerations that will need to be addressed.

6.1 SYSTEM DESCRIPTION

A very simple, generic whole-airspace system is the basis for the present considerations. The system is described as follows :
1. The whole-airspace consists of a contiguous region of en-route airspace.
2. Basic ATM rules are applicable throughout the airspace.
3. The airspace is divided into geographical areas.
4. The basic ATM rules are implemented on an area-by-area basis.
5. Each geographical area interacts with other geographical areas and with airspace-wide systems in ways that can affect safety within the geographical area.

Although the generic system is very simple, examples of specific real system attributes can be mapped onto it as follows :

Generic                                    Specific Examples
Contiguous region of en-route airspace     ECAC en-route airspace
Basic ATM rules                            Minimum safe separation distances; Use of airways
Geographical areas                         National en-route airspaces; Maastricht centre upper airspace
Airspace-wide system                       Satellite navigation system

Thus, the simple generic system, while far from complete, is a reasonable basis for examining the principles of safety case structure.

6.2 TOP-LEVEL SAFETY GOAL

The top-level safety goal is the simple objective ‘The airspace is safe’. This is not developed further for the present example. However, it is assumed that :


1. ‘Safe’ can be adequately defined.
2. The same definition of ‘safe’ applies equally to each geographical area.

The first assumption ensures that ‘The airspace is safe’ is a well-defined, unambiguous goal. The second assumption means that a lower level of safety in one geographical area cannot be counterbalanced by a higher level in another area.

6.3 ALTERNATIVE STRATEGIES

The simple system described in Section 6.1 suggests two alternative high-level strategies for the safety argument leading to the top-level goal ‘The airspace is safe’ :

1. Base the argument on geographical areas; or
2. Base the argument on basic ATM rules

There is no reason why either of these strategies should not be satisfactory for the development of the safety case. Nor is there any a priori reason why one should be better than the other. Both will therefore be developed and compared.

6.4 GEOGRAPHICAL AREA STRATEGY

6.4.1 Top-level Structure

Basing the argument on geographical area leads to the top-level structure given in Figure 6-1. The means by which each area is shown to be safe is not addressed at this level. However, the strategy requires that the assumptions that underlie the arguments that each area is safe must be shown to be valid in order for the top-level goal to be satisfied.

[Figure 6-1 (diagram not reproduced). Node labels: The Airspace is safe; Base argument on geographical areas; Each Area is safe; Assumptions for Area safety cannot be violated; Definition of ‘safe’]

Figure 6-1 : Top-level Structure – Based On Geographical Areas

6.4.2 Lower-level Structure

Two sub-goals must now be achieved for the strategy based on Geographical Area :


1. Each Area is safe
2. Assumptions for Area safety cannot be violated

Since each Area implements the basic ATM rules, the sub-goal ‘Each Area is safe’ is developed in terms of the implementation of those rules (see Figure 6-2). Similarly, the sub-goal ‘Assumptions for Area safety cannot be violated’ is developed in terms of the events that might in principle violate the assumption (see Figure 6-3).

Each of these trees could be developed further. However, the present level of development is sufficient for the moment.

[Figure 6-2 (diagram not reproduced). Node labels: Each Area is safe; Area safety based on basic ATM rules; Basic ATM rules implemented safely in each area; Basic ATM rules are safe; Definition of ‘safe’; Evidence that basic ATM rules are safe; Evidence that basic ATM rules implemented safely in each area]

Figure 6-2 : Development of Sub-goal ‘Each Area Is Safe’


[Figure 6-3 (diagram not reproduced). Node labels: Assumptions for Area safety cannot be violated; Whole-airspace and out-of-area events cannot violate safety assumptions; Whole-airspace events known, do not violate safety assumptions; Out-of-area events known, do not violate safety assumptions; Evidence that whole-airspace events known, do not violate safety assumptions; Evidence that out-of-area events known, do not violate safety assumptions]

Figure 6-3 : Development of Sub-goal ‘Assumptions for Area Safety Cannot Be Violated’

6.4.3 The Complete Structure

The structures developed in the previous two Sections are combined to give the complete structure for the safety argument based on a Geographical Area strategy. The complete structure is given in Figure 6-4.


[Figure 6-4 (diagram not reproduced): Figures 6-1, 6-2 and 6-3 combined. Node labels: The Airspace is safe; Base argument on geographical areas; Each Area is safe; Assumptions for Area safety cannot be violated; Area safety based on basic ATM rules; Whole-airspace and out-of-area events cannot violate safety assumptions; Basic ATM rules implemented safely in each area; Basic ATM rules are safe; Whole-airspace events known, do not violate safety assumptions; Out-of-area events known, do not violate safety assumptions; Definition of ‘safe’; Evidence that basic ATM rules are safe; Evidence that basic ATM rules implemented safely in each area; Evidence that whole-airspace events known, do not violate safety assumptions; Evidence that out-of-area events known, do not violate safety assumptions]

Figure 6-4 : Complete Structure Based On Geographical Areas Strategy


6.5 BASIC ATM RULES STRATEGY

6.5.1 Top-Level Structure

The top-level argument based on basic ATM rules is shown in Figure 6-5. The breakdown into geographical areas is not addressed at this level. However, the strategy requires both that the basic ATM rules are safe and that they are implemented safely in order for the top-level safety goal to be achieved.

[Figure 6-5 (diagram not reproduced). Node labels: The Airspace is safe; Base argument on basic ATM rules; Basic ATM rules are implemented safely; Basic ATM rules are safe; Definition of ‘safe’]

Figure 6-5 : Top-level Structure – Based On Basic ATM Rules

6.5.2 Lower-level Structures

Two sub-goals must now be achieved for the strategy based on basic ATM rules :

1. Basic ATM rules are safe
2. Basic ATM rules are implemented safely

The sub-goal ‘Basic ATM rules are safe’ appeared at the bottom level of the structure based on Geographical Areas (Section 6.4.2). It was not developed further there. For consistency it will not be developed further here. Thus all development is in terms of the sub-goal ‘Basic ATM rules are implemented safely’.

At this point, Geographical Areas are introduced. The basic ATM rules must be implemented safely in each geographical area and the assumptions that underlie their safe implementation must not be violated. This gives the structure in Figure 6-6.


[Figure 6-6 (diagram not reproduced). Node labels: Basic ATM rules are implemented safely; Basic ATM rules implemented safely in each geographical area; Basic ATM rules implemented safely in each area; Assumptions for Area safety cannot be violated]

Figure 6-6 : Development of Sub-goal ‘Basic ATM Rules Are Implemented Safely’

The sub-goal ‘Assumptions for Area safety cannot be violated’ was developed further under the geographical area strategy. It is therefore developed in the same way here (Figure 6-7).

[Figure 6-7 (diagram not reproduced): the same development as Figure 6-3. Node labels: Assumptions for Area safety cannot be violated; Whole-airspace and out-of-area events cannot violate safety assumptions; Whole-airspace events known, do not violate safety assumptions; Out-of-area events known, do not violate safety assumptions; Evidence that whole-airspace events known, do not violate safety assumptions; Evidence that out-of-area events known, do not violate safety assumptions]

Figure 6-7 : Development of Sub-goal ‘Assumptions for Area Safety Cannot Be Violated’


Note that for consistency with the level of development in the Geographical Areas strategy, the sub-goal ‘Basic ATM rules implemented safely in each area’ is not developed further here. Thus, evidence to support the sub-goal must be provided. For simplicity, a new diagram showing the evidence is not given here; it will, however, be included in the complete structure.

6.5.3 The Complete Structure

The structures developed in the previous two Sections are combined to give the complete structure for the safety argument based on a basic ATM rules strategy. The complete structure is given in Figure 6-8.


[Figure 6-8 (diagram not reproduced): Figures 6-5, 6-6 and 6-7 combined, with the evidence nodes added. Node labels: The Airspace is safe; Base argument on basic ATM rules; Basic ATM rules are implemented safely; Basic ATM rules implemented safely in each geographical area; Basic ATM rules implemented safely in each area; Basic ATM rules are safe; Whole-airspace events known, do not violate safety assumptions; Out-of-area events known, do not violate safety assumptions; Whole-airspace and out-of-area events cannot violate safety assumptions; Assumptions for Area safety cannot be violated; Definition of ‘safe’; Evidence that basic ATM rules are safe; Evidence that basic ATM rules implemented safely in each area; Evidence that whole-airspace events known, do not violate safety assumptions; Evidence that out-of-area events known, do not violate safety assumptions]

Figure 6-8 : Complete Structure Based On Basic ATM Rules Strategy


6.6 COMPARISON AND IMPLICATIONS

Comparison of the two different structures for the safety arguments (Sections 6.4 and 6.5) shows the following :

1. The strategy adopted affects the structure of the safety argument
Both the top-level strategy based on Geographical Areas and that based on basic ATM rules result in the same top-level goal being satisfied. However, the structures of the safety arguments are different. If alternative strategies had been considered at lower levels, then more alternative structures would have been produced.

2. Different structures can have the same bottom-level sub-goals.
The example was deliberately chosen for this to occur. It is not true in general. However, the example shows that even with a given set of bottom-level goals, different safety arguments can be constructed to achieve the same top-level goal.

3. A safety case is more than just a collection of evidence.
The example was deliberately chosen so that the evidence requirements would be the same in both cases. Since the evidence requirements are the same, the safety case is clearly more than just the sum of the evidence. The structure (i.e. the logical argument) is as much part of the safety case as the evidence.

4. There is no intrinsically best structure (i.e. safety argument)
The two structures developed here are different but neither is intrinsically better. Both result in the same top-level goal being satisfied. However, in a more complex safety argument, factors such as simplicity, amount of cross-linking and the bottom-level goals and evidence requirements may make one structure more appropriate than others.

The main implication for a whole-airspace safety case is that the structure of the safety case is not pre-determined. It will be determined in part by the technical basis for ATM safety. However, it will also be strongly influenced by external factors such as existing safety arguments and institutional responsibilities and potential technical and institutional changes. The optimum structure will require investigation and evaluation of alternatives.
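The goal-network idea of Section 5.2.1 and the comparison just made can be checked mechanically. The following Python is an added example, not code from the report or from any GSN tool: it builds the two structures of Figures 6-4 and 6-8 over the same four evidence items, evaluates whether the top-level goal is met, rejects circular or dangling arguments, and reports which goals fall if one evidence item is withdrawn (the change-impact use of structure from Section 5.1). The ‘Evidence:’ naming of evidence nodes, the attachment of the ‘Definition of safe’ context to the top goal only, and treating contexts as never being conditions are assumptions of this example.

```python
"""GSN-style goal network: goals and sub-goals broken down through strategies,
bottom-level sub-goals supported by evidence, and contexts that qualify a goal
but never count as a condition. Node names follow the report's Figures 6-4/6-8."""

GOAL, STRATEGY, CONTEXT, EVIDENCE = "goal", "strategy", "context", "evidence"


class GoalNetwork:
    def __init__(self):
        self.kind, self.supported_by = {}, {}

    def add(self, name, kind, supported_by=()):
        if name in self.kind:
            raise ValueError(f"duplicate node {name!r}")
        self.kind[name] = kind
        self.supported_by[name] = list(supported_by)
        return self

    def check_well_formed(self):
        """Every reference resolves and no node transitively supports itself."""
        on_path, done = set(), set()

        def visit(n):
            if n not in self.kind:
                raise ValueError(f"undefined node {n!r}")
            if n in on_path:
                raise ValueError(f"circular argument through {n!r}")
            if n not in done:
                on_path.add(n)
                for d in self.supported_by[n]:
                    visit(d)
                on_path.discard(n)
                done.add(n)

        for n in list(self.kind):
            visit(n)

    def evaluate(self, evidence_present):
        """Map every non-context node to True if it is met given the evidence."""
        self.check_well_formed()
        memo = {}

        def met(n):
            if n not in memo:
                if self.kind[n] == EVIDENCE:
                    memo[n] = n in evidence_present
                else:
                    conds = [d for d in self.supported_by[n] if self.kind[d] != CONTEXT]
                    # An undeveloped goal (no supporting argument) is not met.
                    memo[n] = bool(conds) and all(met(d) for d in conds)
            return memo[n]

        return {n: met(n) for n, k in self.kind.items() if k != CONTEXT}

    def impact_of_withdrawing(self, evidence_item, evidence_present):
        """Goals that were met but cease to be once one evidence item is withdrawn."""
        before = self.evaluate(evidence_present)
        after = self.evaluate(set(evidence_present) - {evidence_item})
        return sorted(n for n in before if self.kind[n] == GOAL and before[n] and not after[n])


TOP = "The Airspace is safe"
SAFE_DEF = "Definition of 'safe'"
RULES_SAFE = "Basic ATM rules are safe"
RULES_IMPL = "Basic ATM rules are implemented safely"
RULES_IMPL_AREA = "Basic ATM rules implemented safely in each area"
AREA_STRAT = "Basic ATM rules implemented safely in each geographical area"
ASSUMPTIONS = "Assumptions for Area safety cannot be violated"
WHOLE_OK = "Whole-airspace events known, do not violate safety assumptions"
OUT_OK = "Out-of-area events known, do not violate safety assumptions"
EVENTS_STRAT = "Whole-airspace and out-of-area events cannot violate safety assumptions"
E_RULES_SAFE, E_RULES_IMPL = "Evidence: " + RULES_SAFE, "Evidence: " + RULES_IMPL_AREA
E_WHOLE, E_OUT = "Evidence: " + WHOLE_OK, "Evidence: " + OUT_OK
ALL_EVIDENCE = frozenset({E_RULES_SAFE, E_RULES_IMPL, E_WHOLE, E_OUT})


def _shared_bottom():
    """Sub-goals and evidence on which both strategies end (Figures 6-3 and 6-7)."""
    net = GoalNetwork().add(SAFE_DEF, CONTEXT)
    for goal, ev in ((RULES_SAFE, E_RULES_SAFE), (RULES_IMPL_AREA, E_RULES_IMPL),
                     (WHOLE_OK, E_WHOLE), (OUT_OK, E_OUT)):
        net.add(ev, EVIDENCE).add(goal, GOAL, [ev])
    net.add(EVENTS_STRAT, STRATEGY, [WHOLE_OK, OUT_OK])
    return net.add(ASSUMPTIONS, GOAL, [EVENTS_STRAT])


def geographical_area_structure():
    """Figure 6-4: argue area by area, then via the basic ATM rules."""
    net = _shared_bottom()
    net.add("Area safety based on basic ATM rules", STRATEGY, [RULES_IMPL_AREA, RULES_SAFE])
    net.add("Each Area is safe", GOAL, ["Area safety based on basic ATM rules"])
    net.add("Base argument on geographical areas", STRATEGY, ["Each Area is safe", ASSUMPTIONS])
    return net.add(TOP, GOAL, ["Base argument on geographical areas", SAFE_DEF])


def basic_atm_rules_structure():
    """Figure 6-8: argue via the basic ATM rules, introducing areas lower down."""
    net = _shared_bottom()
    net.add(AREA_STRAT, STRATEGY, [RULES_IMPL_AREA, ASSUMPTIONS])
    net.add(RULES_IMPL, GOAL, [AREA_STRAT])
    net.add("Base argument on basic ATM rules", STRATEGY, [RULES_IMPL, RULES_SAFE])
    return net.add(TOP, GOAL, ["Base argument on basic ATM rules", SAFE_DEF])
```

Both structures report the top goal met from the same four evidence items while their `supported_by` maps differ, which is points 2 and 3 of the comparison above; withdrawing one evidence item shows how far up each argument the loss propagates.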

7 Conclusions

It is concluded that :

• Institutional and technical change is leading to increasing integration of ATM systems throughout ECAC airspace

• Integration means that ATM safety must be addressed and demonstrated at a whole-airspace level

• Technical tools (in particular, Goal Structuring Notation) are available for developing and facilitating large, complex safety cases including interfacing with and re-use of existing safety cases, safety arguments and justifications

• A Whole-Airspace ATM System Safety Case will be a valuable tool for safety management as well as a demonstration of whole-airspace ATM system safety


8 Recommendations for Further Work

It is recommended that a Whole Airspace Safety Case is developed for the airspace covered by EUROCONTROL member states as follows :
• The Safety Case should interface with and make maximum use of existing safety cases, safety arguments and justifications
• Development should establish links with, and use outputs from, related studies such as the JAA Future Aviation Safety Team (FAST) study
• Development should be completed within 2 years

8.1 PURPOSE

The main purpose of the Whole Airspace ATM System Safety Case is to be a high-level safety management tool for developing, integrating and demonstrating the safety of changes in ATM across the airspace over the 10-20 year timescale. A secondary purpose is to be a repository for the safety information, including arguments, assumptions, justifications and evidence, that demonstrate the safety of the airspace (this will involve extensive referencing to external sources).

8.2 SCOPE

A Whole Airspace Safety Case will be developed for civilian flights in the airspace covered by EUROCONTROL member states. Ground movement, take-off and landing are excluded. It is recognised that these are important for safety. However, the arguments for safety during these flight phases differ significantly from those for other phases. It is therefore considered appropriate to omit these phases from a first development of a Whole Airspace ATM System Safety Case. They may be added after a successful first development.

The development of the Whole Airspace ATM System Safety Case will focus on producing an optimal structure for a sound, robust and maintainable safety argument. Maximum use will be made of existing and planned safety cases, justifications and assessments. In particular, new evidence of safety will not be produced, although any gaps or inadequacies will be identified.

8.3 INTERACTIONS

The following interactions will be particularly important and appropriate links should be established :

• National service providers that have existing safety cases, arguments and justifications that may interface with the Whole Airspace ATM System Safety Case

• The JAA’s FAST study, and other relevant studies of the safety implications of futuresystems

AEAT LD76008/2 Issue 1

AEA Technology 30

• Relevant EUROCONTROL activities, including Safety and Quality Services, the Safety Performance Framework, the Safety Regulation Commission and the Safety Regulation Unit.

8.4 TASKS

Three technical Tasks are proposed :

T1 Develop Whole Airspace ATM System Safety Case Structure
T2 Implement structure using an appropriate computer tool
T3 Identify and document links to existing safety documentation

An illustrative breakdown into sub-tasks is as follows :

T1 Develop Whole Airspace ATM System Safety Case Structure
T1.1 Identify key stakeholders and documentation
T1.2 Gather information re safety case structure through meetings with key stakeholders and from documents, review information
T1.3 Develop alternative draft structures using Goal Structuring Notation
T1.4 Determine selection criteria for the optimum safety case structure
T1.5 Review and assess alternative draft structures, select optimum draft structure in consultation with key stakeholders
T1.6 Develop final version of safety case structure

T2 Management and maintenance of the Safety Case
T2.1 Review candidate computer tools for managing and maintaining the safety case, identify and acquire an appropriate tool
T2.2 Implement the safety case structure in the chosen tool
T2.3 In consultation with key stakeholders, develop and recommend strategies for managing, maintaining and using the safety case

T3 Add links to existing safety documentation
T3.1 Identify documentation that provides the evidence needed for the safety case and any restrictions on access (e.g. confidentiality)
T3.2 Add references, sources and other relevant information (e.g. restrictions on access) to the safety case

8.5 SCHEDULE

The proposed total duration of the project is 2 years.


Acknowledgements

The contributions of the following people are gratefully acknowledged :

Alfred Roelens (National Aerospace Laboratory, Netherlands), for technical contributions to this report and for presentations at the Workshop.

Prof. John McDermid (University of York), Tim Kelly (University of York), Paul Normal (BAE Systems) and Wayne Hoskins (AEA Technology Rail) for presentations at the Workshop.




Glossary : Acronyms and Abbreviations

Acronym or Abbreviation    Definition

4-D trajectory    Trajectory specified by 3 spatial dimensions and time
ANS    Air Navigation System
ASTER    Aviation Safety Targets for Effective Regulation – a European Commission project
ATM    Air Traffic Management
CARE    Cooperative Actions for R&D in EUROCONTROL
CNS    Communication, Navigation, Surveillance
EASA    European Aviation Safety Agency
EATMP    European Air Traffic Management Programme
ECAC    European Civil Aviation Conference
EGNOS    European Global Navigation Overlay Service
ESARR    EUROCONTROL Safety Regulatory Requirement
EU    European Union
FAST    Future Aviation Safety Team
GSN    Goal Structuring Notation
GPS    Global Positioning System
INTEGRA    An Action within the CARE programme to develop metrics for capacity, safety, efficiency and environmental impact
JAA    Joint Aviation Authorities
NATS    National Air Traffic Services plc
RVSM    Reduced Vertical Separation Minima
SRC    Safety Regulation Commission
TLS    Target Level of Safety
UK    United Kingdom


Appendices

CONTENTS

Appendix 1 FAST Study – ANS Changes


Appendix 1 FAST Study – ANS Changes

CONTENTS

A2-1 Safety-Significant Areas of Air Navigation System Change Identified by the FAST Study


Change and Comments

ANS 1 Change: Emergence of new concepts for airspace management.
Comments: In a future “Free Flight” environment, authority / responsibility may alternate between the flight deck and the ground as a function of traffic density, conflict proximity, or workload. Maintaining awareness of this will be a critical safety issue. New runway approach concepts including GPS, angles, curves, AILS, etc., may create special safety considerations for managers of the airspace system.

ANS 2 Change: Increasing number of aviation operations.
Comments: By 2015 it is estimated that air traffic from all sources will double. These new operations may create additional bottlenecks in certain areas. Regional wars and new airspace system designs may also contribute to distributed traffic flows. Technology advances providing aircraft with the ability to fly through or around regions of adverse weather may result in increasing frequency of penetrations of adverse weather and/or increased traffic through favourable weather regions. An appropriate set of agencies should be looking at the resulting traffic loads.

ANS 3 Change: Increase in air traffic flow management (ATFM) technology development activities.
Comments: In response to technological developments and user concerns, ATFM will probably move toward partial decentralisation.

ANS 4 Change: Increased requirements for centralised control of ATM.
Comments: Pressure to centralise control of ATM across international boundaries will require new paradigms for state sovereignty and airspace utilisation, and may tax the ability of less-developed countries to keep pace with technological advances.

ANS 5 Change: Decreased separation standards.
Comments: Between runways, between aircraft, between landing operations, RVSM reductions?

ANS 6 Change: Increasing operations of low-technology aircraft in ATM environments featuring advanced capabilities.
Comments: Although opinion polls demonstrate that the public has confidence in the safety of the aviation system [1], increased media attention following general aviation accidents and incidents raises the awareness of aviation hazards and has the potential to erode this confidence. Articles on the safety aspects of both large and small aircraft are becoming more numerous. It is important for aviation system stakeholders to become pro-active in providing the media and the public with well-researched and factual information on the safety of the aviation system and general aviation’s role in safety management.

ANS 7 Change: Introduction of new technologies with unforeseen human factors aspects.
Comments: Increasing pressure to replace humans with automated systems may characterise future design philosophies. There may be an increasing need to adequately design systems from the start to take advantage of human flexibility and creativity and to augment human abilities with computers. This has been (and still is) the focus of many activities (human factors, man-machine interface, control console layout, etc.). Methods are being developed by manufacturers with the participation of human factor specialists.

ANS 8 Change: Increased level of information inequality in shared decision making contexts.
Comments: There may be an increased requirement for effective and timely decision making in a multi-agent context (multiple aircraft, ATC, AOL, automation). Shared decision making may be error prone, and may be even more difficult if made under time pressure and if automation aids are involved. Problems may increase further if there are information inequalities within the system (e.g. some of the participants know more than others). There may be increased dependence on information systems to present timely and co-ordinated data to air traffic controllers. The volume growth of available information sources may overload the information sharing networks and result in delays in transmission of information upon which critical safety decisions are being based.

ANS 9 Change: Increasing amount of information available to ATM personnel.
Comments: There may be increased expectations for aircraft performance and traffic situation awareness by ATM personnel. However, most ATC facilities will require new displays for presentation of these data. This may create potential errors due to lack of effective information integration and monitoring. Too many operational modes may be available in ATC hardware, leading to loss of awareness of the system status and mode confusion / distraction.

ANS 10 Change: Decreasing ATM equipment design and operational expertise.
Comments: The underlying knowledge of why ANS systems are designed as such, how key maintenance is to be performed, and why resulting ATC operational rules are as they are is being lost due to long design cycle times, extended hardware life, and the slow pace of modernisation. Unforeseen uses of the systems may also present special challenges in order to maintain safe operations. Failure to document and archive design data, initial specifications, test data, and lessons learned may also increase safety risk. Modern analytical tools such as fuzzy logic and neural nets must be used with care since in most cases these tools have narrow functionality. Artificial intelligence may be used for creating design databases containing previously successful design details and principles.

ANS 11 Change: Gap between skills, abilities, and attitude toward technology and automation of future air traffic controllers and the past design philosophies used in the development of present ATM systems.
Comments: Since today’s ATM systems will be in use for many years, it must be recognised that there may be discrepancies between the operational concepts that were in the minds of the designers and the actual operational approaches and techniques used by newer, younger controllers having different attitudes toward automation than senior designers and operators.

ANS 12 Change: Increasing variation of sophistication of hardware and software within the ANS system.
Comments: The proliferation of new software and technology systems may complicate maintenance, drive up costs, preclude software reuse, and increase training requirements and the potential for human error. These systems may be characterised by a lack of unifying architecture as well as different or incompatible communication protocols/data formats, and user interfaces.

ANS 13 Change: Increasing need for maintenance of complex, integrated ANS systems.
Comments: Maintenance of next generation ground based hardware and software systems may require greater care and verification once completed.

ANS 14 Change: Decreasing maintenance expertise required for state-of-the-art ANS systems.
Comments: The international harmonisation of ANS maintenance standards should incorporate the highest safety standards. The international harmonisation of these standards should only proceed when it can be demonstrated that there is adequate provision of safety monitoring by the relevant authorities. Minimum international standards of training, health and safety, job security, and trade union rights should be established for ANS maintenance workers.

ANS 15 Change: Increasing reliance on outdated equipment.
Comments: Within such a large and complex system we can assume that equipment will wear out or become outdated, and that the problem may be compounded by slow or incompetent response by both government and private sectors. However, on what basis does the travelling public care that a controller’s radar display does not contain the processing power of a personal computer (which it may not need)? And why is it perceived as a system shortcoming that backup flight information is still written out on strips of paper?

ANS 16 Change: Increasing reliance on satellite-based systems for CNS functions.
Comments: Future air navigation systems will feature international agreement on a “next-generation” plan for more efficient communication, navigation, surveillance and air traffic management (CNS/ATM), based heavily on satellite technology. The much more accurate positioning of aircraft in the airway due to Global Positioning System technologies may also require changes to existing procedures, e.g. a 45 degree turn prior to an emergency descent to prevent collision with an aircraft directly under it.

ANS 17 Change: Increasing dependence on secure data links for performing ATM/CNS functions.
Comments: The increase in data link traffic arises from the introduction of more modern aircraft and airline systems and ground applications, including the Automatic Terminal Information Service (ATIS) and departure clearance. This continuing high growth of data link worldwide underlines the need for the introduction of the increased capacity, flexibility and security of the next generation of data link services.

ANS 18 Change: Increasing use of ATM warning and alert systems.
Comments: Advanced digital alert and warning systems in ATM environments may change controller workload and situational awareness.

ANS 19 Change: Increasingly complex interactions among highly automated ground-based and flight deck systems.
Comments: There may be a future need for systems level integration of ground- and flight deck systems. The lack of competence and enforced systems architecture integration may permit undesirable incompatibilities to develop among existing ATC air and ground based systems and may do so for future systems. Overcoming these incompatibilities may result in greater system development, integration, and maintenance costs, and reduced overall systems performance.

ANS 20 Change: Introduction of artificial intelligence.
Comments: Future ATM tools may achieve enhanced functionality using software “intelligent agents”. The characteristics of these systems will differ significantly from most software tools in use today. They may be very complex in function, and may include intent and reasoning systems not well understood by the controller. They may approach a semi-autonomous status in the eyes of those interacting with them. They may have unique, unfamiliar, and unanticipated characteristics and interfaces. This will lead to the potential for a great deal of error, especially if these systems are given limited control of the ATM functions independent of the human. The clearest analogy of this problem today may be the airborne FMS: its level of complexity, and the lack of awareness by the flight crew of the operational subtleties of the various control modes and when the FMS switches modes.

ANS 21 Change: Discrepancies in the pace and direction of development of ground versus in-flight CNS systems.
Comments: Aircraft and ATC systems have undergone significant advances in recent decades. However, the results of the Advanced Technology Safety Survey Report suggest that some of these developments have occurred in an uncoordinated fashion and that issues of systems compatibility between airborne and ground-based systems have not always been addressed.

ANS 22 Change: Evolution of Flight Management System databases.
Comments: GPS and digital terrain elevation data may be incorporated into future FMS databases. The integrity of the computerised navigation and performance systems rests on the quality of the FMC/FMGS databases. Avionics and airframe manufacturers and regulatory authorities have recognised the potential for entering incorrect data through the FMC/FMGS. The final safety net in the process of checking the accuracy of the database information currently lies with the pilot, who should cross-check electronic data against printed data.

ANS 23 Change: Increased requirement for co-ordination with military flight operations.
Comments: Situations in the US and Europe may be quite different. A critical issue may be detection and avoidance of low-observable military aircraft by civilian ATM systems.

[1] This list of areas of change was established before the September 11 events.