Executive Summary
ARIBA stands for “ATM system safety criticality Raises Issues in Balancing Actors responsibility”. It is a project carried out on behalf of DGVII of the European Commission in 1998-1999 and addresses certification in ATM services.
Due to the competence of pilots and ATCos, and the availability of appropriate technical systems and proven procedures, an ATM service provider is able to safely manage a certain traffic flow. In effect, ATM safety responsibilities end up with the human elements in the responsibility chain, i.e. the air traffic controllers and pilots. This forms an understandable reason for ATM service providers (and airlines) to have difficulties with accepting any new system, procedure or operation that potentially reduces the controllability of various non-nominally evolving traffic situations, while their responsibility increases with traffic volume. Currently, a major cost element of introducing advanced ATM operations is that the duration of the implementation period becomes uncontrollable when safety-responsible actors become indecisive due to the lack of a systematic way to manage these paradoxical developments (lower controllability, higher responsibility). Consequently, potential investors know in advance that it might take decades before they receive any return on investment. Obviously, no commercial-like actor should invest under such conditions. The aim of ARIBA is to make these situations manageable.
A recent FAA-initiated international RTCA Task Force on certification has considered the question why the dynamic growth and globalisation of aviation have outpaced the existing certification framework in civil aviation. The time and cost required for implementing new operational capabilities have increased, while the translation of those capabilities into actually improved operations often requires an unpredictable amount of time, cost and effort. This situation is further worsened by the existence of many differences between national certification processes and criteria. All together, the “certification” process from initial concept development to effective operational use has grown out of control. The RTCA task force on certification developed recommendations on how to make the regulatory oversight process more responsive to today’s operational environment. These recommendations form a clear support for the ARIBA approach of studying the ATM safety certification problem not in isolation, but by focusing in from the wider scope of the safety certification problem in civil aviation. In doing so, ARIBA has also introduced three key developments in certification:
· In Europe there already is a sound basis for thinking in terms of complementary responsibilities of various actor types, such as airports, ATM service providers, regulators and policy makers, whereas the RTCA task force on certification commonly refers to them as one actor type: authorities.
· Experience gained in other safety-critical domains (e.g. nuclear, petrochemical, rail transport) shows that safety management and Safety Case building are effective tools to combine business interests with safety interests.
· Advantage is taken of recent advancements in safety assessment methodology that overcome the serious limitations of established techniques, e.g. human controllers are capable solvers of non-nominal situations under various circumstances, while the established techniques rather represent them as error sources only.
The ARIBA project has used these key elements to develop significant improvements in safety certification for ATM. This is accomplished in two successive stages.
Stage 1: In-depth studies
During the first stage, all effort was directed to the following five parallel in-depth studies:
1. ATM certification perceptions of various actor types around Europe have been identified through enquiries. These results have been analysed and subsequently synthesised into ATM certification recommendations.
2. Existing certification practices have been analysed for the following applications: airborne software, systems in military aviation, automation systems in finance, equipment for nuclear industry, safety-critical systems for railways.
3. The ATM certification problem has been studied on the basis of the successful results obtained through the development and introduction of safety management approaches in the off-shore petrochemical industry.
4. For a basic ATM operational example it has been shown possible and effective to combine models from cognitive psychology with high-level models of ATM systems, and subsequently to assess accident risk and human controllability.
5. It was shown that there is a large variety in possible safety cases, and that an advanced methodology for building safety cases for complex technical systems is not really capable of building safety cases for advanced ATM operations.
Stage 2: Consolidation
The aim of the consolidation stage of ARIBA has been to develop a safety certification framework and to recommend supporting methodologies that enable an effective implementation of ATM advancements by the responsible actors. The safety certification framework is documented in Part I; the recommended methodologies are documented in Parts II and III for ATM service providers and manufacturers of ATM automation systems respectively.
· Part I develops a new safety certification framework in ATM, using experience gained in other safety-critical domains. Three things will become clear: 1) for safety-critical domains safety management and Safety Case building are a matter of good business practice, 2) the complexity of ATM advancement asks for a dedicated safety validation methodology, and 3) enforcement of safety certification by authorities is most effective if it supports good business practices. Following these findings, Part I develops good safety business practices for the various commercial-like actors in ATM, identifies the particular safety driven collaboration needs of various commercial actors in ATM, and subsequently identifies how authorities could support the best business practices approach through appropriate enforcement of formal survey and approval.
· Part II outlines safety validation of changes to systems or operations in ATM. The central theme is safety validation by building Modern and Joint Safety Cases for changes in ATM operations. In contrast with the Classical Safety Case, these are aimed at incorporating various types of human involvement and take the safety management approach into account; in addition, they cover all kinds of hazards and not just failure modes. Part II outlines how several complementary state-of-the-art approaches make it possible to build Modern and Joint Safety Cases for ATM. These approaches are: 1) development of suitable risk criteria, 2) dependability techniques for the assessment of technical (sub)systems, 3) task load analysis for pilots and controllers, 4) fast-time simulation to assess air traffic network characteristics, 5) hazard identification and classification techniques, 6) accident risk assessment techniques in ATM, 7) providing feedback to the advanced operation, and 8) techniques to identify pro-active and reactive safety improvements of the operation/service. Part II concludes with guidelines to support the further development and application of these methodologies.
· Part III outlines safety validation of ATM automated systems by a manufacturer. From dependability experience in various domains, including certification of airborne systems, several complementary approaches have been identified as being of key importance to safety validation by ATM/CNS system manufacturers: systematic building of a safety case, usage of development standards (especially for software development), dependability assessment feedback during design, and reverse engineering. Part III presents how these approaches can best be combined in support of an effective safety validation for ATM automated systems from conceptual design up to site acceptance, and presents guidelines to develop further standardisation in support of the proposed methodology and its implementation at manufacturers.
In conclusion, in order to realise an effective safety management of implementing ATM advances, ARIBA addresses the need for and development of a safety certification framework that leaves the responsibilities with the key commercial actors involved, and that promotes an active collaboration between airlines, airports and ATM service providers in projects that are dedicated to effectively introducing advanced ATM operations.
The current report forms Part III of the ARIBA consolidation report.