
TAG/20229/R02 Issue: 1.0

TA Group Ltd Annex A-1

ANNEX A

ADS PROGRAMME STAGE 0

ADS INITIAL SAFETY ANALYSIS:

ACRONYMS AND REFERENCE DOCUMENTATION


CONTENTS

A.1 Overview

A.2 Acronyms

A.3 Reference and Related Documentation


A.1 Overview

A.1.1 Annex A of the ADS Initial Safety Analysis identifies the acronyms and reference documentation relating to the ADS Initial Safety Analysis tasks that were completed under Stage 0 of the ADS programme.

A.2 Acronyms

| Acronym | Meaning |
|---|---|
| ACAS | Airborne Collision Avoidance System |
| ADS | Automatic Dependent Surveillance |
| ADS-B | ADS – Broadcast |
| ADS-C | ADS – Contract |
| ANS | Air Navigation System / Service |
| AIRSAW | AIrborne Situation AWareness |
| ASAS | Airborne Separation Assurance System |
| ATC | Air Traffic Control |
| ATCC | Air Traffic Control Centre |
| ATCO | Air Traffic Control Officer |
| ATM | Air Traffic Management |
| ATS | Air Traffic System / Service |
| ATSU | Air Traffic Service Unit (generally referring to ground based ATCC rather than a box on an aircraft) |
| CIP | Convergence and Implementation Programme |
| CNS | Communications, Surveillance and Navigation |
| EATCHIP | European Air Traffic Control Harmonisation and Implementation Programme |
| EATMP | European Air Traffic Management Programme |
| ECAC | European Civil Aviation Conference |
| FANS | Future Air Navigation System |
| FFAS | Free Flight Airspace |
| FHA | Functional Hazard Assessment |
| FMEA | Failure Modes and Effects Analysis |
| FTA | Fault Tree Analysis |
| HF | High Frequency |
| ICAO | International Civil Aviation Organisation |
| ISA | Initial Safety Analysis |
| MAS | Managed Airspace |
| MSSR | Monopulse Secondary Surveillance Radar |
| PSR | Primary Surveillance Radar |
| RF | Radio Frequency |
| SAM | Safety Assessment Methodology |
| SMAA | Study of Mediterranean and Adjacent Area |
| SRU | Safety Regulation Unit |
| SSR | Secondary Surveillance Radar |
| STCA | Short Term Conflict Alert |
| TAG | TA Group Ltd |
| TIBA | Traffic Information Broadcast by Aircraft |
| TMA | Terminal Control / Manoeuvring Area |
| VDL | VHF Data Link |
| VHF | Very High Frequency |


A.3 Reference and Related Documentation

| Title | Reference No. & Issue |
|---|---|
| ADS Programme – Work Programme Plan | TBD, Edition 1.3 |
| ADS Programme – Stage 0 Work Plan | SUR/ET3/ST01.003/001, Edition 1.1 |
| ADS Programme – Initial Safety Analysis Statement of Work | TBD, Edition 0.1 |
| ADS Programme – Safety Management Plan | SUR/ET3/ST03.1010/001, Edition 0.3 |
| ADS Programme Initial Safety Analysis Task Plan | TAG/20229/R01 Issue: Final |
| Towards a Safety Case for ARTAS | TBD, Edition 0.1 |
| ADS Programme – Development of ADS Scenarios | TBD, Edition 0.1 |
| CNS Outsourcing Project ADS (ADS-B and ADS-C) Course Workbook | FANS-IS/CDOP/143, Issue 1.0 |
| Traffic Scenarios for ECAC in 2015 | TBD, Edition 0.2 |
| Scandinavian NEAN Upgrade Programme report | Overview; Volume 1 Exec Summ Iss 1; Volume 2 Final consolidated progress rpt; Certification Roadmap; Project Definition Document; Test Methodology |
| ARTAS Dependability study Report | CENA/NT97613/SDF, Version 1.1 |
| ARTAS Dependability study Paper | No Reference |
| Emerald study documentation | DERA |
| Annexes to ARTAS Dependability Report | CENA/NT97613/SDF, Version 1.1; Annexes A, B and N |
| ARTAS CBA Final Report | E-013-019 Rev.1 |
| ARTAS CBA Final Report Executive Summary | E-013-020 Rev.1 |
| Annexes to Scandinavian NEAN Upgrade Programme report | Annex C and Preliminary Safety Analysis |
| ADS Programme - Scenarios | SUR/ET3/ST06.2100/001 Edition 0.4 |
| Study of Mediterranean and Adjacent Area for ADS (SMAA) ATC Infrastructure Survey (2 volumes) | SMAA/D1-R4 |
| ICAO ADS Lexicon | |
| ATN Project, Draft European ATN Implementation Plan | DED6/ATN/ATNI-TF/DOC/37 Issue 0.3 |
| ADS Functional Architecture Diagram | #1 |
| EATCHIP Convergence and Implementation Programme Part 2 Status Report 1998 Level 1 | Edition 3.2 - April 1999 |
| EATCHIP Convergence and Implementation Programme Part 2 Status Report 1998 Level 2 | Edition 3.2 - April 1999 |
| Area Navigation Equipment Operational Requirements and Functional Requirements | Edition 2.2 December 1998 |
| Aerospatiale Matra Airbus DAP Safety, Test and Certification Study | Technical Note: 555.1750/99, August 1999 |
| ICAO Manual of Air Traffic Services Data Link Applications | Doc 9694-AN/955, First Edition, 1999 |
| RTCA: Appendices to the Minimum Aviation System Performance Standards for Automatic Dependent Surveillance Broadcast (ADS-B): A, Acronyms; B, Definition of Terms; C, Bibliography and References; D, Near-Term ADS-B Applications; E, Other Applications; F, Efficient Spectrum Utilisation; G, Design Tradeoff Considerations; H, Receive Antenna Coverage Constraints; I, Integrity Considerations for ADS-B Applications; J, Accuracy and Update Period Analysis; K, Latency and Report Time Error Data; L, Track Acquisition and Maintenance Requirements; M, Examples of On Condition Report Formats | 06/01/1998 |
| Minimum Aviation System Performance Specification - Required Navigation Performance for Area Navigation | EUROCAE document ED-75, March 1997 |
| EATMP Safety Policy | SAF.ET1.ST01.1000-POL-01-00, Edition 1.1 |
| EATMP Air Navigation System Safety Assessment Methodology | SAF.ET1.ST03.1000-MAN-01-00, Edition 0.5 |
| ATM Strategy for 2000+ Volumes 1 & 2 | Eurocontrol, November 1998 |
| Overall CNS/ATM Architecture for EATCHIP Volume 1 | ASE.ET1.ST02-ADD-01-00, Edition 1.0 |
| Overall CNS/ATM Architecture for EATCHIP Architecture Country Inventory Report | ASE.ET1.ST02-REP-02-00 Edition 1.0 |

A.3.1


ANNEX B

ADS PROGRAMME STAGE 0

ADS INITIAL SAFETY ANALYSIS:

BASELINE SURVEILLANCE SYSTEM SAFETY


CONTENTS

B.1 Overview

B.2 Methodology

B.3 Results and Conclusions

B.3.1 Questionnaire

B.3.2 Literature Review

APPENDICES

B1: EXAMPLE QUESTIONNAIRE

B2: CIP SURVEILLANCE STATUS


B.1 Overview

B.1.1 Annex B of the Initial Safety Analysis reports on the Baseline Surveillance System Safety. It is identified under Task 2 of the ADS Initial Safety Analysis Task Plan, [Ref. 2].

B.2 Methodology

B.2.1 In order to establish the baseline surveillance system safety as required of this task, two approaches were taken.

B.2.2 The first approach was to develop a questionnaire for distribution amongst Eurocontrol member states. The questionnaire was designed to determine the safety features of the existing surveillance systems in the context of the operational environment that the surveillance system was supporting. In addition, the questionnaire requested the identification of integrity or availability requirements, and the degree to which such requirements were satisfied by the existing surveillance system. This questionnaire is included within this document as Appendix B1.

B.2.3 The second approach was through a review of the available literature relating to the airspace complexity and surveillance configurations utilised within that airspace for those Eurocontrol member states identified within the literature. The following documentation was reviewed in support of this task:

• ATN Project, Draft European ATN Implementation Plan, DED6/ATN/ATNI-TF/DOC/37 Issue 0.3

• Overall CNS/ATM Architecture for EATCHIP Volume 1, ASE.ET1.ST02-ADD-01-00, Edition 1.0, August 1997

• Overall CNS/ATM Architecture for EATCHIP Architecture Country Inventory Report, ASE.ET1.ST02-REP-02-00, Edition 1.0, July 1997

• Area Navigation Equipment Operational Requirements and Functional Requirements, Edition 2.2 December 1998

• EATCHIP Convergence and Implementation Programme Part 2 Status Report 1998 Level 1, Edition 3.2 - April 1999

• EATCHIP Convergence and Implementation Programme Part 2 Status Report 1998 Level 2, Edition 3.2 - April 1999

• Study of Mediterranean and Adjacent Area for ADS (SMAA) ATC Infrastructure Survey (2 volumes), SMAA/D1-R4

B.2.4 The current status of the surveillance system within ECAC airspace has been extracted from the CIP Status Report and is reported within Appendix B2.


B.3 Results and Conclusions

B.3.1 Questionnaire

B.3.1.1 No conclusions could be drawn from the questionnaires as no responses were received from member states with respect to the questionnaires supplied to them.

B.3.2 Literature Review

B.3.2.1 The literature review identified that the configuration of surveillance equipment in use within ECAC airspace is well documented through the Convergence and Implementation Programme and through other surveillance projects (e.g. NUP, SMAA, etc.).

B.3.2.2 What is not defined within the literature, however, is what the current system safety requirements are, and the extent to which they are met. As such, it is not possible to establish the baseline safety level for the surveillance system from the available documentation.

B.3.3 Conclusion

B.3.3.1 TAG concludes that this task has been only partly concluded. The configuration of existing surveillance systems is well documented for many ECAC states. However, the integrity requirements, and more particularly, the level of integrity actually provided by the existing surveillance systems have not been established. Indeed, it is probable that the integrity levels may never be established for the totality of existing surveillance systems across the ECAC states. Therefore a decision will have to be taken during Stage 1 of the ADS Programme as to whether it is cost effective to continue expending effort on achieving this objective.


REFERENCES

1. EUROCONTROL ADS Programme Safety Management Plan. SUR/ET3/ST03.1010/001, Edition 0.3, 22/03/1999.

2. ADS Programme Initial Safety Analysis Task Plan. TAG/20229/R01 Issue: Final, September 1999.

3. EATMP Air Navigation System Safety Assessment Methodology. SAF.ET1.ST03.1000-MAN-01-00, Edition 0.5, 30/04/1999, Working Draft.

4. EUROCONTROL ADS Programme Scenarios. SUR/ET3/ST06.2100/001, Edition 0.4, 01/09/1999.

5. Minimum Aviation System Performance Specification - Required Navigation Performance for Area Navigation. EUROCAE document ED-75, March 1997.


Appendix B1

EXAMPLE QUESTIONNAIRE


Current Surveillance System Questionnaire

Notes

1. The terms “main” and “back-up” are noted to be non-standard terms, but are deliberately employed rather than “primary” and “secondary” to avoid confusion with Primary and Secondary Surveillance Radar (PSR/SSR).

2. The ICAO ATS Airspace Classifications are as defined in Appendix 4 of Annex 11 to the Convention on International Civil Aviation, 12th Edition, July 1998.

3. The ATC Complexity Classifications are as defined within “ECAC Reference Levels for the ATM DPS Domain”, edition 1.3, DPS.ET1.ST02.1000-REP-01-00.

For each different ICAO ATS Airspace Classification and ATC Complexity Classification within your control, please complete the following questionnaire.

The following questions identify the scope of the responses given later in the questionnaire.

1 ICAO ATS Airspace Classification

2 ATC Complexity Classification

The following questions relate to the current surveillance system architecture utilised within the classification of airspace.

3 Identify the surveillance systems currently employed within your airspace, utilising “S” in the response column to indicate sole means, “M” for main means, and “B” for back-up:

Independent Surveillance

• Primary Surveillance Radar (PSR)?

Co-operative Independent Surveillance

• Conventional Secondary Surveillance Radar (SSR)?

• Monopulse SSR (MSSR) - Mode A/C?

Dependent Surveillance

• Manual – (Procedural Environment, i.e. manual position reporting)?

4 Where a “back-up” is specified, is the “back-up” capable of providing the equivalent service to the main means? Y/N

5 Are main and “back-up” means utilised concurrently? Y/N

6 Is the “back-up” a duplicate of the main means? Y/N


7 What, if any, are the common elements between the main and “back-up” systems:

• Location? (please give details below) Y/N

• Services/supplies? (please give details below) Y/N

• Data paths? (please give details below) Y/N

• Data processing? (please give details below) Y/N

• End user applications? (please give details below) Y/N


The following questions relate to standards and regulatory requirements to which the system was designed and to which it is currently compliant.

8 Identify the Standards/Regulatory Requirements to which system was designed (i.e. those which were current at the time of design) and the current standards to which the system is known to be compliant:

• International (i.e. ICAO, RTCA, IEC, ISO, etc.)? (please give details below)

Designed to:

Current standards compliancy:

• European (i.e. JAA, EUROCAE, SRC, etc.)? (please give details below)

Designed to:

Current standards compliancy:

• National (i.e. CAA, Safety Regulator, etc.)? (please give details below)

Designed to:

Current standards compliancy:

• Local/Internal? (please give details below)

Designed to:

Current standards compliancy:


The following questions relate to the Applications utilising surveillance data and the Safety Requirements that these applications place on the Surveillance System.

9 What applications do you possess which utilise Surveillance Data, for example Air Situation Display, Safety Nets, etc.? (please give details below)

10 What are each application’s requirements for surveillance data integrity/availability? (please give details below)

Note: Quantification should give units

11 Are these requirements adequately met by the current surveillance system? Y/N

If not, what is planned to improve the situation?


Appendix B2

CIP SURVEILLANCE STATUS


ANNEX C

ADS PROGRAMME STAGE 0

ADS INITIAL SAFETY ANALYSIS:

DERIVATION OF RISK CRITERIA


CONTENTS

C.1 Overview

C.2 Purpose

C.3 Background

C.4 Approach for Failure Condition Severity

C.5 Approach for Derivation of Quantitative Probabilities

C.6 Approach 1

C.7 Approach 2

C.8 Comparison of Approach 1 with Approach 2

C.9 Combining the outcomes of Approach 1 and Approach 2 to develop a Consensus Approach

C.10 Conclusion


C.1 Overview

C.1.1 Annex C of the ADS Initial Safety Analysis reports on the derivation of the Risk Criteria that was produced as a paper for review by Eurocontrol. It is necessary for the development of Future Surveillance System Safety Requirements. It is identified under Task 3 of the ADS Initial Safety Analysis Task Plan, [Ref. 2].

C.2 Purpose

C.2.1 The purpose of this paper is to provide a definition for the Risk Criteria to be utilised in support of the ADS Initial Safety Analysis activities for the ADS Programme.

C.3 Background

C.3.1 Within Eurocontrol, both the EATMP Safety Policy (footnote 1) and the EATMP ANS SAM (footnote 2) state that a risk based approach to safety is to be taken. Risk is defined as a combination of the probability (or frequency) with which a hazard (and, subsequently, a failure condition) occurs and the specific consequences of its occurrence.

C.3.2 The EATMP ANS SAM proposes a qualitative set of probability definitions together with a set of severity definitions to categorise the consequences of failure conditions. However, no quantification of probability is proposed within the document, and only limited guidance is provided on how to determine appropriate quantification of probability.

C.4 Approach for Failure Condition Severity

C.4.1 For the purposes of assessing the severity of ADS hazards, it is proposed to utilise the Severity Definitions provided in the EATMP ANS SAM, noting that these definitions require careful interpretation to ensure that failure conditions are not over-categorised. These Severity Definitions are reproduced overleaf.

Footnote 1: EATMP Safety Policy, SAF.ET1.ST01.1000-POL-01-00, Edition 1.1, 25 August 1999

Footnote 2: EATMP Air Navigation System Safety Assessment Methodology, SAF.ET1.ST03.1000-MAN-01-00, Edition 0.5, 30 April 1999


Failure Condition Severity: Catastrophic

Effect on Aircraft: Collision between aircraft or with obstacles

Effect on Flight Crew and Occupants: Undetected failure, which would prevent continued safe flight and landing.

Effect on ATCO: Failure which would suddenly prevent the provision of any degree of Air Navigation Service within several airspace sectors without warning and for a significant period of time. No contingency Measure can be applied.

Failure Condition Severity: Hazardous

Effect on Aircraft: Critical near collision between aircraft or with obstacles

Effect on Flight Crew and Occupants: Undetected failure which would reduce the ability of the Flight Crew to cope with adverse operating conditions to the extent that there would be:

• A large reduction in safety margins or functional capabilities;

• Physical distress or higher workload such that the Flight Crew cannot be relied upon to perform their tasks accurately or completely;

Serious or fatal injury to a relatively small number of the occupants.

Effect on ATCO: Failure, which would result in a sudden inability to maintain an Air Navigation Service within safety margins in one or more sectors for a significant period of time. Through a high increase in workload for the ATCO and/or the provision of misleading information to the ATCO this situation may lead to:

• A critical near collision between aircraft or with obstacles and/or

Many losses of separation where the distance between the aircraft involved are less than half of the separation standards.

Failure Condition Severity: Major

Effect on Aircraft: Near collision between aircraft or with obstacles

Effect on Flight Crew and Occupants: Undetected failure, which would reduce the ability of the Flight Crew to cope with adverse operating conditions to the extent that there would be, for example, a significant reduction in safety margins or functional capabilities, a significant increase in Flight Crew workload or in conditions impairing Flight Crew efficiency, or discomfort to occupants, possibly including injuries.

Effect on ATCO: Failure which would compromise the ability to maintain a safe Air Navigation Service within one or more airspace sectors without warning and for a significant period of time. The ATCO’s workload increases significantly and he may be provided with less information than required for normal operations. Contingency Separation Measures can be applied but the risk of infringing safe separation is high and multiple losses of separation may occur until traffic levels have been reduced.

Failure Condition Severity: Minor

Effect on Aircraft: No actual risk of collision, but violation of planned separation standards

Effect on Flight Crew and Occupants: Undetected failure which would not significantly reduce airplane safety, and which involve Flight Crew actions that are well within their capabilities. Minor Failure Conditions may include, for example, a slight reduction in safety margins or functional capabilities, a slight increase in Flight Crew workload, such as routine flight plan changes, or some inconvenience to occupants.

Effect on ATCO: Failure which would slightly impair the ability to maintain a safe Air Navigation Service within one or more airspace sectors without warning and for a significant period of time. ATC procedures are able to compensate for the loss of functionality, but the ATCO’s workload is likely to be high or the overall system capacity is affected.

Failure Condition Severity: No Effect

Effect on Aircraft: No effects on safety

Effect on Flight Crew and Occupants: Failure conditions which have no safety significance.

Effect on ATCO: Failure conditions which have no safety significance.

Table 1. EATMP ANS SAM Severity Category Definitions.


C.5 Approach for Derivation of Quantitative Probabilities

C.5.1 The derivations developed in this paper are based on the contention that Risks, both Acceptable and Unacceptable, are constants which define the envelope of the tolerable region of the EATMP ANS SAM Risk Matrix, reproduced in Figure 1 below. This contention would suggest that the Severity multiplied by the Likelihood is a constant for each of acceptable and unacceptable. In order to derive quantified risk criteria, two approaches have been utilised to identify potential schemes. Approach 1 is based on the definitions of the failure condition severity categories from the EATMP ANS SAM. Approach 2 is based on the definitions for the qualitative probability of occurrence, similarly identified within the EATMP ANS SAM.

[Figure: risk matrix. Columns, PROBABILITY OF OCCURRENCE: Extremely Improbable, Extremely Remote, Remote, Reasonably Probable. Rows, FAILURE CONDITION SEVERITY: Catastrophic, Hazardous, Major, Minor, No Effect. Legend: Acceptable, Tolerable, Unacceptable.]

Figure 1. EATMP ANS SAM Risk Classification Scheme

C.5.2 An alternative to these approaches would be to assume that probabilities of Acceptable and Unacceptable Risks are variable dependent on perception. This would suggest that the probabilities are weighted dependent upon Failure Condition Severity Category and would make the categories very difficult to derive. The contention that probabilities of Acceptable and Unacceptable Risks are variable dependent on perception is not developed further here.


C.6 Approach 1

C.6.1 The definitions from the EATMP ANS SAM relating the potential effects on aircraft and occupants to severity categories are reproduced in Table 2 below.

| Severity Definition | Reduction of Safety Margins | Potential Effects on Aircraft and Occupants |
|---|---|---|
| Catastrophic: Collision between aircraft or with obstacles. | Excessive | Failure condition potentially resulting in multiple death and/or aircraft loss. |
| Hazardous: Critical near collision between aircraft or with obstacles | Large | Failure condition potentially resulting in significant aircraft damage and/or causing serious injury to a relatively small number of persons |
| Major: Near collision between aircraft or with obstacles | Significant | Failure condition resulting in small aircraft damage and/or causing discomfort to occupants |
| Minor: No actual risk of collision | Slight | Failure condition some inconvenience to occupants |

Table 2. EATMP ANS SAM Hazard Severity Category Definitions.

C.6.2 From the EATMP ANS SAM definitions, the relative severity of each of the hazard categories can be estimated utilising the definitions given in Table 2. These definitions effectively define a point value for each category and hence a value for the likelihood can be developed.

| Severity Definition | Estimated Relative Severity | Comment/Justification |
|---|---|---|
| Catastrophic: Collision between aircraft or with obstacles. | 100,000:1 | Relative likelihood: 1 in 100,000 losses of planned separation leading to a collision. ‘Collision’ is a starting point, although there has to be ‘tolerable’ number of collisions due to the practical inability to reduce the level of collisions to zero. Collisions rarely happen even when a near collision occurs. |
| Hazardous: Critical near collision between aircraft or with obstacles | 1,000:1 | Relative likelihood: 1 in 1,000 losses of separation lead to a critical near collision. A ‘critical near collision’ is very close in severity to a ‘collision’. The ultimate difference, though small, being that the aircraft doesn’t actually crash. This suggests a severity almost as great as the collision itself and hence a tolerability, which would provide a banding which is wider than for the collision. |
| Major: Near collision between aircraft or with obstacles | 100:1 | Relative likelihood: 1 in 100 losses of separation lead to a near collision. Near collision is still close to collision in terms of severity, but there is a reduced probability of collision occurring. The perception of ‘near collision’ suggests that the safety margin was reduced over that which it ought to have been to present no risk, i.e. separation minima had been breached. |
| Minor: No actual risk of collision | 1:1 | No actual risk of collision, but violation of planned separation standards. |

Table 3. Development of Severity Definitions into Relative Severities

C.6.3 It should be noted that the above estimations of relative severities are purely subjective since it is difficult to provide substantive justification of such an approach. Additionally, it is acknowledged that other metrics could be utilised to determine a relative severity measure for each category. One alternative considered was the cost impacts, but the range of values (no cost for “Minor” to many million Euros for “Catastrophic”) are not directly applicable for the purposes of this assessment.


C.7 Approach 2

C.7.1 For Approach 2, the quantitative likelihood can be estimated from the qualitative probability definitions of the EATMP ANS SAM, reproduced in Table 4.

| PROBABILITY | DEFINITION |
|---|---|
| Extremely Improbable | Unlikely to occur throughout the total lifetime of the system |
| Extremely Remote | Unlikely to occur throughout the total lifetime of the system, but may occur exceptionally |
| Remote | Likely to occur some time throughout the total lifetime of the system |
| Reasonably Probable | Likely to occur several times throughout the total lifetime of the system |

Table 4. EATMP ANS SAM Probability definitions.

C.7.2 The term ‘lifetime’ requires definition for the Aircraft and the Air Traffic Systems. It is not unreasonable, based on past experience, to assume that the typical life of an ATM/aircraft is of the order of 30 years. Whilst 30 years is ‘historically’ correct it is questionable as to whether the assumption is valid, given the changes in computer technology and the increasing levels of air travel. For example, it is probable that new Air Traffic Control Centres will have their computer systems re-hosted within 10 years of operation. It is reasonable, however, to assume 30 years as a conservative, but valid order of magnitude estimate. 30 years is equal to 262980 hours, which means that once in 30 years is 3.8 x 10^-6 per hour. This 24 hour a day operational time is not strictly applicable to an individual aircraft as the life of the aircraft is based upon flying time. The flying time of an aircraft is unlikely to approach 24 hours a day for each day of its lifetime.

C.7.3 The qualitative probability terms identified above cover bands of probability whereas the associated definitions are phrased in relatively discrete terms such that the definitions do not define a continuum. It is therefore assumed that the definitions relate to the upper bound of the probability band on the basis that this is the most likely intent of the EATMP ANS SAM authors. For example, the resultant value derived for “Extremely Improbable” would define the boundary between the “Extremely Improbable” and “Extremely Remote” bands. This example would similarly define the boundary between the tolerable and unacceptable regions for Catastrophic failure conditions within the Risk Matrix of the EATMP ANS SAM reproduced at Figure 1 on page C-5.

C.7.4 Following a similar process as that identified for the severity categories in Table 3, the qualitative probabilities have been developed into quantitative values based upon the given definitions. This assessment is presented in Table 5 overleaf.

| Probability | Definition | Proposed upper bound of the probability band | Comment/Justification |
|---|---|---|---|
| Extremely Improbable | Unlikely to occur throughout the total lifetime of the system | < 0.001 in 30 years | Assumed less than 1 in 1000 lifetimes. |
| Extremely Remote | Unlikely to occur throughout the total lifetime of the system, but may occur exceptionally | >0.01 in 30 years to <<1 in 30 years | The phrase ‘may occur exceptionally’ suggests that it is likely to occur over several lifetimes. Given the use of ‘several’ identified against ‘reasonably probable’, perhaps no more than 100 lifetimes. |
| Remote | Likely to occur some time throughout the total lifetime of the system | ≥1 in 30 years to << 10 in 30 years | The phrase ‘some time’ suggests at least once, but not exceeding 10 times |
| Reasonably Probable | Likely to occur several times throughout the total lifetime of the system | >> 1 in 30 years to < 100 in 30 years | The phrase ‘several times’ suggests more than once but no more than 100 times per lifetime (given a lifetime of 30 years). More than 100 times would suggest the phrase ‘many times’ which is not used here. There will be a boundary value lying in the region of 1 to 10 times per lifetime between ‘Reasonably Probable’ and ‘Remote’. |

Table 5. Quantification of Occurrence Probabilities.

C.7.5 In a similar vein to Approach 1, it should be noted that the above quantification of likelihood is purely subjective given the difficulty of providing substantive justification of the proposed values.

C.8 Comparison of Approach 1 with Approach 2

C.8.1 From the results contained within Table 3 and Table 5 and using tolerable regions identified in the Risk Matrix contained within Figure 1, the relative severity of each failure condition and the maximum tolerable probability of occurrence can be compared. This comparison is presented in Table 6.

| Failure Condition Severity | Relative Severity | Maximum Tolerable Failure Condition Occurrence Probability | Assessed upper bound of Probability band from description / as perceived | Relative Likelihood (from assessed probability), taking the upper bound |
|---|---|---|---|---|
| Catastrophic | 100,000:1 | Extremely Improbable | <0.001 in 30 years | 1:100,000 (0.001 in 30 years) |
| Hazardous | 1,000:1 | Extremely Remote | ≥0.01 in 30 years to <<1 in 30 years | 1:1000 (0.1 in 30 years) |
| Major | 100:1 | Remote | ≥1 in 30 years to <10 in 30 years | 1:20 (5 in 30 years) |
| Minor | 1:1 | Reasonably Probable | >1 in 30 years to <100 in 30 years | 1:1 (100 in 30 years) |

Table 6. Comparison of Relative Severity to Assessed Quantitative Likelihood

C.9 Combining the outcomes of Approach 1 and Approach 2 to develop a Consensus Approach

C.9.1 From Table 6 it can be seen that the two approaches agree on the Catastrophic/Extremely Improbable pairing and Hazardous/Extremely Remote pairing (given a baseline of Minor/Reasonably Probable). There is an overlap between the definitions of the ‘Remote’ and ‘Reasonably Probable’. This means that the approach using the definitions of the occurrence probability provides a solution which is not complete.

C.9.2 For the reasons above, it is necessary to combine the outcomes from each of the previous approaches to develop a consensus. This consensus approach has the additional benefit of providing a degree of cross-justification for the two independent, but highly subjective, approaches that have been taken. This result is presented in Table 7.

| Failure Condition Severity | Maximum Tolerable Occurrence Probability | Relative Severity | Relative likelihood | Upper Bound of Consensus Likelihood | Associated Probability Range |
|---|---|---|---|---|---|
| Catastrophic | Extremely Improbable | 100,000:1 | 1:100,000 | 1:100000 (0.001 in 30 years) | < 0.001 in 30 years (<4 x 10^-9 per hr) |
| Hazardous | Extremely Remote | 1,000:1 | 1:1,000 | 1:1000 (0.1 in 30 years) | ≥0.001 in 30 years to <0.1 in 30 years (≥4 x 10^-9 per hr to <4 x 10^-7 per hr) |
| Major | Remote | 100:1 | 1:20 | 1:50 (2 in 30 years) | ≥ 0.1 in 30 years to <2 in 30 years (≥4 x 10^-7 per hr to <8 x 10^-6 per hr) |
| Minor | Reasonably Probable | 1:1 | 1:1 | 1:1 (100 in 30 years) | ≥ 2 in 30 years to <100 in 30 years (≥8 x 10^-6 per hr to <4 x 10^-4 per hr) |

Table 7. Consensus Quantitative Probabilities.

C.10 Conclusion

C.10.1 It is proposed that the ADS Initial Safety Analysis for ADS will adopt the EATMP ANS SAM Failure Condition Severity definitions (Table 1 of this paper), and will adopt the Risk Matrix (reproduced in Figure 1 of this paper). The quantified probability bands for the qualitative probabilities defined in the EATMP ANS SAM are proposed to be as follows:

| Probability Term | Lower bound of Probability | Upper bound of Probability |
|---|---|---|
| Extremely Improbable | N/A | 4 x 10^-9 per hour |
| Extremely Remote | 4 x 10^-9 per hour | 4 x 10^-7 per hour |
| Remote | 4 x 10^-7 per hour | 8 x 10^-6 per hour |
| Reasonably Probable | 8 x 10^-6 per hour | 4 x 10^-4 per hour |

Table 8. Quantitative Probabilities.
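
The conversion from per-lifetime counts (Table 7) to the per-hour bounds of Table 8, together with the tolerability check that Table 7 implies, as an added Python example that is not part of the original report. Function and variable names are illustrative; returning None for a rate at or above the top band is a choice of this example, since the report defines no band there.

```python
import math

HOURS_PER_LIFETIME = 30 * 365.25 * 24  # 262980 hours (C.7.2)

# Upper bound of each band in occurrences per 30-year lifetime (Table 7).
BANDS = [
    ("Extremely Improbable", 0.001),
    ("Extremely Remote", 0.1),
    ("Remote", 2),
    ("Reasonably Probable", 100),
]

# Maximum tolerable occurrence probability per severity (Table 7).
MAX_TOLERABLE = {
    "Catastrophic": "Extremely Improbable",
    "Hazardous": "Extremely Remote",
    "Major": "Remote",
    "Minor": "Reasonably Probable",
}


def per_hour(per_lifetime):
    """Convert occurrences per 30-year lifetime to a rate per hour."""
    return per_lifetime / HOURS_PER_LIFETIME


def round_1sf(x):
    """Round to one significant figure, the precision Table 8 uses."""
    return round(x, -math.floor(math.log10(abs(x))))


def table8_bounds():
    """Per-hour upper bound of each band, as listed in Table 8."""
    return {name: round_1sf(per_hour(ub)) for name, ub in BANDS}


def classify(rate_per_hour):
    """Return the band holding the rate: lower bound inclusive, upper exclusive."""
    for name, upper in table8_bounds().items():
        if rate_per_hour < upper:
            return name
    return None  # at or above 4e-4 per hour: no band defined (example's choice)


def is_tolerable(severity, rate_per_hour):
    """True if the rate lies below the upper bound tolerated for the severity."""
    return rate_per_hour < table8_bounds()[MAX_TOLERABLE[severity]]


if __name__ == "__main__":
    for name, upper in table8_bounds().items():
        print(f"{name:22s} < {upper:.0e} per hour")
    print(classify(5e-6), is_tolerable("Hazardous", 5e-6))
```
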

REFERENCES

1. EUROCONTROL ADS Programme Safety Management Plan. SUR/ET3/ST03.1010/001, Edition 0.3, 22/03/1999.

2. ADS Programme Initial Safety Analysis Task Plan. TAG/20229/R01 Issue: Final, September 1999.

ANNEX D

ADS PROGRAMME STAGE 0

ADS INITIAL SAFETY ANALYSIS:

FUTURE SURVEILLANCE SYSTEM QUESTIONNAIRE

CONTENTS

D.1 Overview

D.2 Methodology

D.3 Results and Conclusions

APPENDICES

D1: EXAMPLE QUESTIONNAIRE

D.1 Overview

D.1.1 Annex D of the ADS Initial Safety Analysis reports the findings of the Future Surveillance System Questionnaire. It is identified under Task 3 of the ADS Initial Safety Analysis Task Plan, [Ref. 2].

D.2 Methodology

D.2.1 In order to establish the future surveillance system safety requirements, two approaches were taken.

D.2.2 The first approach was to develop a questionnaire for distribution amongst Eurocontrol member states. The questionnaire was designed to determine the future surveillance system architecture anticipated by a state together with the safety features and integrity / availability requirements. This questionnaire is included within this Annex as Appendix D1.

D.2.3 The second approach was through Hazard Identification brainstorming exercises. These are reported within Annexes E and F of this ADS Initial Safety Analysis Report.

D.3 Results and Conclusions

D.3.1 No conclusions could be drawn from the questionnaires as no responses were received from member states with respect to the questionnaires supplied to them.

REFERENCES

1. EUROCONTROL ADS Programme Safety Management Plan. SUR/ET3/ST03.1010/001, Edition 0.3, 22/03/1999.

2. ADS Programme Initial Safety Analysis Task Plan. TAG/20229/R01 Issue: Final, September 1999.

Appendix D1

EXAMPLE QUESTIONNAIRE

Future Surveillance System Questionnaire

Notes

1. The terms “main” and “back-up” are noted to be non-standard terms, but are deliberately employed rather than “primary” and “secondary” to avoid confusion with Primary and Secondary Surveillance Radar (PSR/SSR).

2. The ICAO ATS Airspace Classifications are as defined in Appendix 4 of Annex 11 to the Convention on International Civil Aviation, 12th Edition, July 1998.

3. The ATC Complexity Classifications are as defined within “ECAC Reference Levels for the ATM DPS Domain”, edition 1.3, DPS.ET1.ST02.1000-REP-01-00.

For each different ICAO ATS Airspace Classification and ATC Complexity Classification within your control, please complete the following questionnaire.

The following questions identify the scope of the responses given later in the questionnaire.

1 ICAO ATS Airspace Classification

2 ATC Complexity Classification

The following questions relate to the future surveillance system architecture to be utilised within the classification of airspace.

3 Identify the surveillance systems intended to be employed within your airspace in the future, utilising “S” in the response column to indicate sole means, “M” for main means, and “B” for back-up:

Independent Surveillance

• Primary Surveillance Radar (PSR)?

Co-operative Independent Surveillance

• Conventional Secondary Surveillance Radar (SSR)?

• Monopulse SSR (MSSR) - Mode A/C?

• Mode S (but not including all enhanced surveillance functions)

Dependent Surveillance

• Manual – (Procedural Environment, i.e. manual position reporting)?

• Automatic – (ADS-B: Mode S Extended Squitter & VDL Mode 4)

• Automatic – (ADS-C: FANS-1/A & ICAO-ADS)

The following questions relate to standards and regulatory requirements to which the system will be designed.

4 Identify the Standards/Regulatory Requirements to which the system will be designed:

• International (i.e. ICAO, RTCA, IEC, ISO, etc.)? (please give details below)

• European (i.e. JAA, EUROCAE, SRC, etc.)? (please give details below)

• National (i.e. CAA, Safety Regulator, etc.)? (please give details below)

• Local/Internal? (please give details below)

The following questions relate to the Applications utilising surveillance data and the Safety Requirements that these applications place on the Surveillance System.

5 What current and planned applications are intended to utilise Surveillance Data, for example Air Situation Display, Safety Nets, etc.? (please give details below)

6 What are each application’s requirements for surveillance data integrity/availability? (please give details below)

Note: Quantification should give units