Development of the Safety Case for LPV at Monastir

Presentation at MEDUSA final event on GNSS for civil aviation, Tunis, 04 June 2014
Presenter: Philip Church of Helios
philip.church@askhelios.com
_______________________________________________________________________
Follow Helios via Linkedin, www.twitter.com/askhelios and www.facebook.com/askhelios

Transcript

  • 1. MEDUSA final event on GNSS for civil aviation, Tunis, 04 June 2014. Development of the Safety Case for LPV at Monastir. Euromed GNSS II project / MEDUSA final event on GNSS for aviation. Philip Church, Principal Consultant, philip.church@askhelios.com
  • 2. Agenda
    • The requirement for safety
    • The design for implementation
    • Methodology
    • Implementation for Monastir
    • Conclusions of the safety assessment
  • 3. Scope of the Safety Case (diagram)
    • Operational environment: aircraft type, traffic levels, weather, terrain, type of airspace
    • Aircraft: procedures, equipment, human
    • ATM system: procedures, equipment, human
    • ATM services: ATC
    • Hazards and causes, focusing on the deltas
  • 4. Design for implementation
  • 5. Ongoing Safety Management Planning – Safety Requirements are met through
    • Design – e.g. reliability, procedures, conformance with standards
    • ATCO awareness through training and familiarisation
    • Transition assurance and readiness
    • Ongoing safety management and assurance / maintained safety margin
    • Arrangements to ensure ATCOs remain familiar with the system
    • Contingency arrangements
    • What are the arrangements for old system decommission?
    • Arrangements to monitor alerting functions
    • Maintenance planning and arrangements
    • Arrangements to monitor occurrence and fault reports
    • Unit Safety (Case?) arrangements
  • 6. Some considerations for monitoring of risk
    • A number of factors influence the probability of an accident occurring
    • These factors could be termed “barriers”
    • The effectiveness of these barriers increases or decreases over time in response to changing environments, services etc.
    • A combination of leading and lagging indicators can be defined to assess the effectiveness of some of these key barriers, and report them to the Board
    • E.g. Top 10 risk of a catastrophic accident
    • How to monitor and evaluate this risk, in the absence of the specific outcome
  • 7. Ongoing safety risk in an organisation (chart)
    • Tolerable level of safety = ICAO norms = 1E-08 per flight hour
    • Actual safety level; the gap between the two is the safety margin
    • Initiative in response to a specific risk
    • Degrading safety margin due to complacency or changing context
    • In order to measure this, there needs to be a mature reporting system (despite more reporting leading to the appearance of more incidents)
  • 8. Relating the probability of an accident to measurable metrics
    • It isn’t an exact linear sequence, but the relationship between the accident and the underlying barriers (which prevent the accident occurring) can be presented as probabilities
    • For every 1 accident, we tend to have 10 non-fatal accidents, 30 serious reportable incidents, and 600 minor occurrences (unsafe acts)
    • Data on probability based on the Heinrich model from Industrial Accident Prevention: A Safety Management Approach
  • 9. Methodology
  • 10. Methodology
    • Number of different options:
      • SAE ARP1476 (Fault and Event Tree Analysis, FMEA)
      • ED-125
      • Probability Risk Assessments
      • Eurocontrol SAM: PSSA, FHA, SSA
      • ESARRs
    • For PBN:
      • the assessment needs to be more operationally than technically focused
      • the HAZARD needs to be set at the right level to set the Safety Requirements
  • 11. Linking the Hazard Assessment to Safety Requirements (diagram)
    • Operational Hazards
    • Contributing Factors & Operational Outcomes (Bow Tie Model)
    • Safety Targets Derivation
    • Safety Objectives specified
    • Quantitative Fault Tree Analysis on contributing factors
    • Qualitative Event Tree Analysis on operational outcomes
    • Integrity, Functional/Performance and SWAL Safety Requirements specified
    • Hazard Log
  • 12. Hazard Assessment – Example of the Bow-tie Model (diagram; labels: Safety Requirements, Safety Objective, Safety Target)
  • 13. Justification for safety objectives – e.g. major occurrences (diagram)
    • Safety target, SC3, ACC: e.g. 4E-05 / ATSU hour
    • Non-ATM related causes: not a factor quantitatively, since the target only includes ATM-related factors
    • ATM related causes: organised into 4 hazards (H-01, H-02, H-03, H-04) for clarity, each fed by ops failures
    • Target divided equally: 1E-05 per hazard, which becomes each hazard’s Safety Objective
  • 14. What is the safety case trying to prevent? (flow) Localisation of CONOPS → Local Safety Objectives → HAZARD identification → Risk assessment → Safety Case development
  • 15. Implementation for Monastir
  • 16. Monastir – Top Level Safety Argument (diagram)
  • 17. Customisation of CONOPS
    • The operational environment describes:
      • the level of ATS provided
      • traffic types/levels
      • CNS equipment
      • airport ground equipment
      • airspace and existing procedures
    • Assumptions confirmed by local operational and technical experts
    • The EUROCONTROL CONOPS provides a generic concept of operations for APV SBAS approach
    • Essential that these are validated locally to ensure the safety assessment remains valid
  • 18. Local safety requirements – safety classification
    • Not only the classification – also the content of the safety assessment
  • 19. Local safety requirements – Hazard Log
  • 20. Nominal operations
    • Claim: conducting APV SBAS and LNAV/APV Baro approach operations is safe by design when all systems are working normally
    • Combination of all elements:
      • flight crew
      • aircraft avionics
      • flight databases
      • ATCOs, and
      • EGNOS signal
    • Show that the operations are consistent with established requirements for system integration, reliability and safety
  • 21. Nominal operations
    • Important to consider risk from an operational perspective, with involvement of operational and technical experts, early in the analysis as part of a ‘top-down’ process
    • Use Cases were derived where the operation could be affected by the procedures (changes) introduced, based on the step-by-step flight profile through final approach:
      • intercepting the final approach path
      • following the final approach path
      • descending to DA
      • (executing the correct Missed Approach)
    • Does not propose any new requirements – simply asserts that existing ones are complied with
  • 22. Non-nominal operations
    • Claim addresses the risks of failures of APV SBAS and LNAV/APV Baro operations as implemented at Monastir aerodrome:
      • CONOPS contains no known deficiencies
      • All hazards correctly identified and assessed
      • All mitigations captured as safety requirements or assumptions as appropriate
  • 23. Non-nominal operations
    • HAZID held in Rome, June 2013 with representatives from the airport, procedure design and flight ops
    • HAZID panel did not note any new additional hazards that would exist in the implementation at Monastir:
      • Hazard H3 - Fly low while intercepting the final approach path (vertical profile)
      • Hazard H4 - Attempt to intercept the final approach path from above (vertical profile)
      • Hazard H6 - Failure to follow the correct final approach path
      • Hazard H7 - Descending below Decision Altitude (DA) without visual
      • Hazard H8 - Failure to execute correct MA
  • 24. Non-nominal operations (diagram)
  • 25. Non-nominal operations – FTA/ETA (diagram)
  • 26. Non-nominal operations – Integrity requirements (SOs)
        Cause (Event)                      Probability of occurrence [per approach]
        Procedure validation error         4.20 E-04
        Error in coding the procedure      1.00 E-08
        Procedure publishing error         1.00 E-07
        Aircraft DB coding/packing error   1.00 E-07
        Error in DB loading tools          1.00 E-08
        High pressure given by ATC/AFIS    1.63 E-06
        High pressure given by MET system  1.26 E-06
        High pressure set by pilot         1.63 E-06
  • 27. Non-nominal operations – TLS
        Accident type                          TLS in accidents per approach
        Controlled flight into terrain (CFIT)  1.0 x 10^-8
        Landing accident                       2.0 x 10^-7
        Mid-air collision (MAC)                1.0 x 10^-10
  • 28. Non-nominal operations – setting SOs (diagram)
  • 29. Practical design and implementation steps
    • The design and implementation of APV SBAS and LNAV/APV Baro at Monastir, when deployed, fully satisfies the specified functional and performance SRs and IRs
    • Presents evidence consistent with the following sub-claims:
      • Assumptions for aircraft equipment and operators are adequately specified and validated for the implementation of APV SBAS and LNAV/APV Baro
      • Safety requirements and assumptions for ATC (people and equipment) are adequately specified and met/validated for the implementation of APV SBAS and LNAV/APV Baro
      • The APV SBAS and LNAV/APV Baro procedures are demonstrated to be practical
  • 30. Transition into operation
    • APV SBAS and LNAV/APV Baro are acceptable for initiation of operations, with transition risks fully addressed and mitigated as appropriate, i.e.:
      • The APV SBAS and LNAV/APV Baro procedures are accepted as meeting the safety requirements
      • HMI is shown to be satisfactory
      • There are sufficient trained staff to operate and maintain the system
      • The APV SBAS (LPV) and LNAV/APV Baro procedures are published and promulgated to all relevant people
      • Validation flight trials have been successfully completed
      • All appropriate regulatory approvals to operate the procedure have been obtained
      • Any remaining system shortcomings have been highlighted and accepted for operation, including any unvalidated assumptions
      • A transition and reversion plan has been developed
  • 31. In service safety monitoring
    • The risks associated with operating APV SBAS and LNAV/APV Baro at Monastir will be monitored in service and corrective actions taken as necessary
    • Imperative that the safety of the APV SBAS and LNAV/APV Baro procedures at Monastir is monitored to ensure that safety is not eroded:
      • Safety management
      • SBAS status and performance monitoring
      • Change management
      • Incident reporting
  • 32. Conclusions of the safety assessment
  • 33. Conclusions
        Hazard ID  Safety objective  Achieved probability of occurrence  Objective met
        H3         6.40 E-05         4.63 E-06                           Yes
        H4         2.67 E-04         4.77 E-06                           Yes
        H6         6.40 E-05         1.78 E-06                           Yes
        H7         4.00 E-08         2.29 E-08                           Yes
        H8         2.00 E-07         1.22 E-07                           Yes
    • Compliance with the safety requirements, validation of the assumptions and fulfilment of the safety argument claims through evidence will support the overall claim of the assessment that APV SBAS and LNAV/APV Baro procedures at Monastir are acceptably safe for introduction and continued operational use
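An added worked example, not part of the presentation: a small fault-tree evaluator in Python that does the OR/AND gate arithmetic behind the quantitative FTA of slides 11 and 25, loads the cause probabilities from slide 26 and the objective/achieved table from slide 33, and checks each objective. The grouping of causes under gates and the 1E-02 barrier-failure value are assumptions for illustration, not the Monastir analysis.

```python
from math import prod

# Constructed from the "Integrity requirements (SOs)" slide:
# per-approach probability of each contributing cause.
CAUSE_PROBABILITY = {
    "procedure validation error": 4.20e-4,
    "error in coding the procedure": 1.00e-8,
    "procedure publishing error": 1.00e-7,
    "aircraft DB coding/packing error": 1.00e-7,
    "error in DB loading tools": 1.00e-8,
    "high pressure given by ATC/AFIS": 1.63e-6,
    "high pressure given by MET system": 1.26e-6,
    "high pressure set by pilot": 1.63e-6,
}
# From the "Conclusions" slide: hazard -> (safety objective, achieved probability).
HAZARD_RESULTS = {
    "H3": (6.40e-5, 4.63e-6), "H4": (2.67e-4, 4.77e-6), "H6": (6.40e-5, 1.78e-6),
    "H7": (4.00e-8, 2.29e-8), "H8": (2.00e-7, 1.22e-7),
}

def evaluate(node):
    """Fault tree as nested ("OR"|"AND", [children]); float leaves are
    basic-event probabilities, assumed independent."""
    if isinstance(node, float):
        return node
    gate, children = node
    probs = [evaluate(child) for child in children]
    if gate == "AND":  # all inputs must occur
        return prod(probs)
    if gate == "OR":   # at least one input occurs
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate {gate!r}")

def check_conclusions(results=HAZARD_RESULTS):
    """Objective met when the achieved probability does not exceed it."""
    return {h: achieved <= objective for h, (objective, achieved) in results.items()}

def wrong_altimeter_setting():
    """Assumed grouping, not the Monastir tree: any of the three 'high pressure'
    events gives a wrong altimeter setting, so they share an OR gate."""
    return evaluate(("OR", [CAUSE_PROBABILITY[c] for c in (
        "high pressure given by ATC/AFIS", "high pressure given by MET system",
        "high pressure set by pilot")]))

def undetected_validation_error(barrier_failure=1.0e-2):
    """A procedure validation error (4.20E-04) alone exceeds every objective in
    HAZARD_RESULTS; it can only meet one via an AND gate with the failure of a
    detecting barrier (1E-02 is a constructed value, not from the slides)."""
    return evaluate(("AND", [CAUSE_PROBABILITY["procedure validation error"],
                             barrier_failure]))
```

The OR gate uses the exact complement product rather than the rare-event sum, so it stays correct for the larger probabilities in the slide 26 table as well as the small ones.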