The document discusses using scenario analysis to proactively address liability issues in technology design. It provides an example scenario involving a remotely operated air traffic control tower. In the scenario, a data transmission problem causes delays in ground information. Overreliance on technology by both air traffic controllers and pilots leads them to miss cues and communicate incorrectly, resulting in an aircraft collision on the runway. Key liability issues raised include responsibility for accidents due to overreliance on technology, technical failures despite certification, outdated or inconsistent sensor information, and tolerated deviations from standard procedures. Scenario analysis can help identify such issues to support legal compliance in technology design.

1. SCENARIOS AS A MEANS TO PROACTIVELY DISCUSS
LIABILITY ATTRIBUTION:
REMOTELY OPERATED TOWER TAKEN AS AN EXAMPLE
Paola Lanzi | Deep Blue

2. Which issues should we take into account in the design
process in order to guarantee that a new technology is
acceptable from the legal perspective?

3. SCENARIO BASED APPROACH
• Scenarios are powerful means to design and
evaluate new concepts, in the context and
proactively
• In ALIAS, we propose to use scenarios to
investigate liability aspects of the new concept
• The final purpose is to classify and model the
scenarios in order to build a method to
proactively include liability aspects in the design
process (Legal Case).

4. REMOTELY OPERATED TOWER
TAKEN AS AN EXAMPLE

5. CURRENT OPERATIONS

6. CURRENT OPERATIONS

7. REMOTELY OPERATED TOWER

8. REMOTELY OPERATED TOWER

9. REMOTELY OPERATED TOWER

10. STRUCTURE OF THE SCENARIO
• context of operations
• story
• analysis of incident/accident steps and
components
• discussion of the main elements of the scenario
• list of issues on liability attribution raised by the
scenario that can be relevant for the ALIAS
project

11. TRUST AND OVERTRUST

12. CONTEXT OF OPERATIONS
A Remotely Operated Tower Centre (ROTC) is in operations.
It makes up of 2 Remote Tower modules, each one remotely
connected to one airport. The two airports are physically distant one
from the other and may be subject to different meteo and traffic
conditions.
Advanced Visual Features available in the ROTC ensure high visibility
in case of adverse meteo conditions (as rain and fog).
The system has been certified as safe and reliable.
The staff is properly trained and allocated. All the ATCOs are rated to
manage both tower modules. Personnel is available at the aerodromes
for local activities and interventions (as for instance runway
inspection).

13. THE STORY
It is early morning, the landing peak is approaching. There are good visibility conditions at the
airports.
A technical problem occurs in the data transmission line between one of the airports and the ROT. It
implies a certain delay in the provision of the ground information.The problem is not automatically
detected. After a while the ATCO managing the ROT starts noticing a misalignment between the a/c
position reported by the pilot and the information displayed in the ground surface movement screen.
Since the same problem has already occurred and has been promptly solved, the ATCO does not
worry about it. He keeps managing the traffic taking into account that the information represented in
the ground screen is not perfectly aligned with the current situation. Unfortunately the delay
increases slowly and the ATCO is not aware of it.
Suddenly the problem gets worse. While a traffic is landing on the rwy, the ground surface movement
screen switches off. The ATCO now is worried. He stands up from his chair, calls the supervisor,
gives a call to aerodrome local staff to inform about the problem. In the meantime the aircraft has just
landed and is leaving the rwy very slowly due to a problem at the wheels. The ATCO notices that the
pilot has not communicated the exit from the rwy and asks for a confirmation. The pilot confirms that
they are leaving the rwy. The pilot does not specify that the a/c is moving very slowly as he is aware
that the ROT is able to follow the ground surface movements in a very precise manner.
In the meantime another a/c is approaching the airport and requests to land. The other a/c has not
communicated that the runway is free but many pilots do not do that, knowing the behaviour of the
ground surface movement radar. The ATCO believes that the runway is free and authorises the
landing.
The aircraft is aligned on the ILS and ready to touch down. The pilot sees that the rwy is engaged but
thinks that the other aircraft has just landed and is leaving the rwy. When he realises that the a/c on
the rwy is moving too slowly to make it free on time it is too late, he instructs a go around, but there is
no time enough. The two a7c crash at the rwy.

14. In your opinion which are the causes of this event?

15. THE STORY
It is early morning, the landing peak is approaching. There are good visibility conditions at the
airports.
A technical problem occurs in the data transmission line between one of the airports and the ROT. It
implies a certain delay in the provision of the ground information. The problem is not automatically
detected. After a while the ATCO managing the ROT starts noticing a misalignment between the a/c
position reported by the pilot and the information displayed in the ground surface movement screen.
Since the same problem has already occurred and has been promptly solved, the ATCO does not
worry about it. He keeps managing the traffic taking into account that the information represented in
the ground screen is not perfectly aligned with the current situation. Unfortunately the delay
increases slowly and the ATCO is not aware of it.
Suddenly the problem gets worse. While a traffic is landing on the rwy, the ground surface movement
screen switches off. The ATCO now is worried. He stands up from his chair, calls the supervisor,
gives a call to aerodrome local staff to inform about the problem. In the meantime the aircraft has just
landed and is leaving the rwy very slowly due to a problem at the wheels. The ATCO notices that the
pilot has not communicated the exit from the rwy and asks for a confirmation. The pilot confirms that
they are leaving the rwy. The pilot does not specify that the a/c is moving very slowly as he is aware
that the ROT is able to follow the ground surface movements in a very precise manner.
In the meantime another a/c is approaching the airport and requests to land. The other a/c has not
communicated that the runway is free but many pilots do not do that, knowing the behaviour of the
ground surface movement radar. The ATCO believes that the runway is free and authorises the
landing.
The aircraft is aligned on the ILS and ready to touch down. The pilot sees that the rwy is engaged but
thinks that the other aircraft has just landed and is leaving the rwy. When he realises that the a/c on
the rwy is moving too slowly to make it free on time it is too late, he instructs a go around, but there is
no time enough. The two a/c crash at the rwy.

16. DISCUSSION
• Active errors, latent conditions and previous near misses.
• Leit motiv of over trust in the technology and in the
system.
- The ROT ATCO does not warn of the slowdown of the data transmission. Since the
problem occurred in the past and had a quick and automatic resolution he does not
perceive the situation as potentially dangerous.
- The pilot of the first a/c confirms that they are leaving the runway, but does not
clarify that they are moving very slowly. He assumes in fact that the ROT ATCO is
able to monitor the aircraft position in the ground surface movement screen.
- The ROT ATCO authorises the second a/c to land although the first one has not
reported that the rwy is free. He assumes that the pilot omitted to report the exit
from the rwy, counting on the monitoring of the a/c on the ground surface movement
screen.
- The pilot of the second a/c does not inform the ROT ATCO that the rwy is engaged.
He assumes that the previous a/c is leaving the rwy and the ROT ATCO has the
situation under control.

17. LIABILITY ASPECTS
• In the scenario there is a leit motiv of over trust in the technology
and in particular in the reliability and in the resilience of the system.
Who is responsible for accidents/incidents that are due to
over trust in the support provided by the technology? What
kind of liability is involved?
• The ROT system shall be certified to allow safe operations and to
be resilient against failures and adverse conditions.
Who is responsible for accidents/incidents that are due to
technical malfunctions, although the system has been
certified as safe and resilient? What kind of liability is
involved?

18. LIABILITY ASPECTS
• In the scenario the technical malfunction of the data transmission system does not
impact on the traffic management, until the ground surface movement screen
switches off. The ROT ATCO decides to rely on the information reported by the pilot
and to mentally update the traffic picture represented on the screens. A different kind
of accident might have happened if the ROT ATCO decided to rely on the delayed
information reported on the screens.
Who is responsible for accidents/incidents due to wrong, not updated and/or
not coherent information from sensors and surveillance radar? What kind of
liability is involved?
• In the scenario there are some emergent practices of deviation from standard
procedures that are strictly connected to the technology in use: the ROT ATCO that
does not warn of the technical problem in the data transmission and the pilots that
often do not report the release of the runway. A tolerant attitude of the organisation
towards the emergent practices of deviations is often present in case of accidents
and incidents.
Who is responsible for accidents/incidents due to the application of known
and tolerated emergent practices of deviations from the standard procedures?
What kind of liability is involved?

19. Does this approach work?
You can further contribute to our discussion joining our Network at:
http://network.aliasnetwork.eu