Executive summary



1. Introduction

1.1 Background

1.2 ARIBA project

1.3 Complementing RTCA’s certification task force study

1.4 In-depth studies

1.5 Consolidation

1.6 Organisation of Part III


1.1 Background

Parts I, II and III of this consolidation report have been produced as the final deliverables of a European collaborative project known as ARIBA (ATM system safety criticality Raises Issues in Balancing Actors responsibility), carried out on behalf of DGVII of the European Commission within its Transport Research and Technological Development Work Programme 1994-1998. This Programme invited proposals in three main air transport domains: Air Traffic Management, Air Transport Safety and Environment, and Airports. The project was selected following submission in response to Research Task 4.1.3/25 in the ATM domain, the full title of which is ‘Analysis of the safety criticality of the different system components to identify suitable methods for certification of ATM systems deriving from other areas, such as aeronautics or nuclear power plants’.

As such the certification objective used by the ARIBA project is “To develop a certification framework that enables an effective safety management of the implementation of ATM advancements by the responsible actors”. This report forms Part III of the ARIBA consolidation report, and is aimed at developing an effective approach towards safety validation of ATM automated systems by manufacturers.

1.2 ARIBA project

The key resources of an ATM service provider are competent ATCos, appropriate technical systems and proven procedures. Thanks to the competencies of ATCos and pilots, an ATM service provider is able to provide safe services up to a certain level of traffic flow. In effect, ATM safety responsibilities end up with the human elements in the responsibility chain, i.e. the air traffic controllers and pilots. This is an understandable reason why ATM service providers (and airlines) have difficulties accepting any new system, procedure or operation that potentially reduces their ATCos' and pilots' controllability of various non-nominally evolving traffic situations, while at the same time their responsibility increases with traffic volume. The key issue is how this paradoxical development can be managed.


Currently, a significant cost element of introducing advanced ATM operations is that, because of the lack of a systematic way to manage safety-related changes, the duration of the implementation becomes uncontrollable, while a safety-responsible actor has to remain undecided. Consequently, potential investors often know in advance that it might take decades before they receive any return on their investment. Obviously, no commercial-like actor should invest under such conditions. The aim of ARIBA is to make these situations manageable by two complementary approaches:

·        Developing a harmonisation approach towards ‘system safety criticality related responsibility issues’, including a practical, effective framework for the operational introduction of ATM enhancements. This should include recommendations for the implementation and further development of this framework, in relation to existing practices and ideas. Since ATM forms part of civil aviation, these focused objectives are studied within the wider scope of safety certification in civil aviation.

·        Identifying a cost-effective methodology for ATM safety validation throughout the whole life-cycle, by building on the results of earlier safety and validation methodology studies (e.g. DAAS, APATSI, MUFTIS, SECAM, VAPORETO, FRAIS, GENOVA, CASCADE and RHEA) and those from other safety-critical domains, with particular attention paid to their usability for validating forthcoming technological enhancements in ATM, such as space-based navigation and surveillance, advanced ATC automation support tools, and flight plan data exchange through air-ground data link.

1.3 Complementing RTCA’s certification task force study

A recent FAA-initiated international RTCA Task Force on certification has considered the question of why the dynamic growth and globalisation of aviation have outpaced the existing certification framework in civil aviation. The time and cost required for implementing new operational capabilities have increased, while the translation of those capabilities into actually improved operations often demands an unpredictable amount of time, cost and effort. This situation is further worsened by the many differences between national certification processes and criteria. Altogether, the “certification” process from initial concept development to effective operational use has grown out of control. In order to improve this unhealthy situation, the international RTCA Task Force identified 15 specific recommendations (listed in Annex C of Part I) on how to make the regulatory oversight process more responsive to today’s operational environment.


The RTCA recommendations clearly support the ARIBA approach of studying the ATM safety certification problem not in isolation, but from the wider scope of the safety certification problem in civil aviation. There are also three complementary developments that will be covered by ARIBA:

·        The study of the ATM safety certification is based on the experience gained in other safety-critical domains (e.g. nuclear, petrochemical, rail transport).

·        In Europe there already is a clear basis for thinking in terms of complementary responsibilities of various actor types, such as airports, ATM service providers, regulators and policy makers, whereas the RTCA report commonly refers to them as one actor type: authorities.

·        Advantage is taken of recent advancements in safety assessment methodology that overcome the serious limitations of established techniques; e.g. human controllers are capable solvers of non-nominal situations under various circumstances, whereas the established techniques represent them as error sources only.

In effect, ARIBA is aimed at getting a better hold on the responsibility problem in safety certification in the multi-actor environment of ATM. This is achieved in two stages:

·      Stage 1: In-depth studies

·      Stage 2: Consolidation

Both stages are briefly explained in the next two subsections. Eventually, the consolidated ARIBA findings will be communicated to the ATM community by means of a World Wide Web site and presentations at an appropriate symposium.

1.4 In-depth studies

During the first stage, in-depth studies have been conducted within the following five parallel streams of work:


1.      This has produced an inventory of the perception of ATM certification around Europe. Although there is some common belief that there is a need for ATM certification, there is also a certain level of detail at which significant differences between the various certification views appear. It is at this level that ARIBA should develop a rationale for harmonising the different views. The identified level of detail, the main differences in views and the resulting recommendations have been described in [ARIBA-WP1].

2.      This has produced an assessment of existing certification practices in other domains. A large variety of risk-critical areas have been studied where it is common practice to apply specific forms of certification. For each domain, use has been made of experts with broad and deep knowledge in that field. The findings are documented in [ARIBA-WP2].

3.      This has analysed the ATM certification problem. In order to avoid jumping to conclusions in a complex field, the scientific approach was first to elaborate the problem statement, and next to solve the problem. Following this principle, the identification of the specific problems formed an important result of this analysis. The findings are documented in [ARIBA-WP3].

4.      This has demonstrated how to objectively assess the human operator performance in providing ATM safety by following an adequate stochastic modelling approach. It has been shown that by means of this approach it becomes possible to design future developments in ATM such that for a human operator the balance between controllability and responsibility for ATM safety evolves in a proper direction. This study has been documented in [ARIBA-WP4].

5.      This has studied the development of a safety case for an advanced design of ATM automation equipment, with the aim of relating performance settings of automation sub-systems to the safety targets of the overall ATM design. The WP5 work has resulted in new insight into Safety Case thinking for ATM, but has also shown that a system-engineering-directed safety case approach is not really capable of connecting the safety target settings at the top level with those at the equipment level. [ARIBA-WP5] provides further details.

1.5 Consolidation

Since the five main studies of the first stage have largely been conducted independently of each other, and since there are also complementary external sources, there is a clear need to integrate and consolidate these results into recommendations and guidelines on safety validation and safety certification in ATM. During this consolidation it is not the task of the ARIBA researchers to enforce decisions on issues for which an objective rationale is missing. Rather, the aim of ARIBA is to provide insight into the problem, and to identify possible directions for its solution.


The certification objective used during the ARIBA consolidation is “To develop a certification framework that enables an effective safety management of the implementation of ATM advancements by the responsible actors”. The consolidated results are documented in the following three self-contained final report parts:

·      Part I develops an improved safety certification framework in ATM. From experience gained in other safety-critical domains, three things become clear: 1) for safety-critical domains, safety management and Safety Case building is a matter of good business practice, 2) the complexity of ATM advancement calls for dedicated safety validation methodology, and 3) enforcement of safety certification by authorities is most effective if it supports good business practices. Following these findings, Part I develops good safety business practices for the various commercial-like actors in ATM, identifies the particular safety-driven collaboration needs of various commercial actors in ATM, and subsequently identifies how authorities could support the best-business-practices approach through appropriate enforcement of formal survey and approval.

·      Part II outlines safety validation of changes to systems or operations in ATM. The central theme is safety validation by building Modern and Joint Safety Cases for changes in ATM operations; these are aimed at incorporating various types of human involvement and, in contrast with the Classical Safety Case, take the safety management approach into account. In addition, they cover all kinds of hazards and not just failure modes. Part II outlines how several complementary state-of-the-art approaches allow Modern and Joint Safety Cases for ATM to be built. These approaches are: 1) development of suitable risk criteria, 2) dependability techniques for the assessment of technical (sub)systems, 3) task load analysis for pilots and controllers, 4) fast-time simulation to assess air traffic network characteristics, 5) hazard identification and classification techniques, 6) accident risk assessment techniques in ATM, 7) providing feedback to advanced operation, and 8) techniques to identify pro-active and reactive safety improvements of the operation/service. Part II concludes with guidelines to support the further development and application of the proposed methodologies.

·      Part III outlines safety validation of ATM automated systems by a manufacturer. From dependability experience in various domains, including certification of airborne systems, several complementary approaches have been identified as being of key importance to safety validation by ATM/CNS system manufacturers: systematic building of a safety case, use of development standards (especially for software development), dependability assessment feedback during design, reverse engineering, etc. Part III shows how these approaches can best be combined in support of an effective safety validation of ATM automated systems from conceptual design up to site acceptance, and presents guidelines for developing further standardisation in support of the proposed methodology and its implementation at manufacturers.


In conclusion, ARIBA identifies the need for goal-setting safety management approaches by ATM service providers and airports, and the adoption of three types of Safety Cases: 1) a Classical Safety Case for an ATM automation system by a manufacturer, 2) a Modern Safety Case for a change that involves the safety management of a single service provider, and 3) a Joint Safety Case for a change that involves the safety management of more than one actor. A Classical Safety Case may form supporting evidence in a Modern Safety Case by an ATM service provider or an airport, while Modern Safety Cases form supporting evidence in a Joint Safety Case. The required type of supporting evidence has been identified in the earlier stages.

Figure 1. Complementary Safety Cases by various actors.

1.6 Organisation of Part III

The present document forms Part III of the ARIBA consolidation report. The aim of Part III is to consolidate a cost-effective safety validation methodological framework for manufacturers of ATM automation systems.


After the present introduction, the report first discusses the problem of safety validation for an automated ATM system, and the organisation of resulting data into a safety case (section 2). Then, in section 3, it presents the proposed methodological framework for safety validation of an automated system. A few guidelines for actual implementation of this framework are presented in section 4, and conclusions in section 5.

Like the other parts of this report, this document adopts ISO terminology definitions.
