
Page 1: Functional Hazard Assessment and very Preliminary System

6th FP Project FP6 -503192

© 2006, EC Sponsored Project Emma (Copyright Notice in accordance with ISO 16016) The reproduction, distribution and utilization of this document as well as the communication of its contents to other without explicit authorization is prohibited. This document and the information contained herein is the property of Deutsches Zentrum für Luft- und Raumfahrt and the EMMA project partners. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design. The results and findings described in this document have been elaborated under a contract awarded by the European Commission, under contract FP6 -503192.

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Final version

Stéphane Paul

Thales ATM

Document No: D1.3.9 Version No: 1.0 Classification: Public Number of pages: 241

Project Funded by European Commission, DG TREN The Sixth Framework Programme Strengthening the competitiveness

Contract FP6 -503192

Project Manager Michael Roeder

Deutsches Zentrum für Luft und Raumfahrt Lilienthalplatz 7, D-38108 Braunschweig, Germany

Phone: +49 (0) 531 295 3026, Fax: +49 (0) 531 295 2180 Email: [email protected]

Web page: http://www.dlr.de/emma

Page 2: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety

Assessment Report

Save Date: 2006-10-11 Public 2 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Distribution List (columns: Member Type, No., Name, POC; X = distributed)

Web:
- Internet: http://www.dlr.de/emma (X)
- Intranet: https://extsites.dlr.de/fl/emma (X)

Contractor:
1 DLR, Jörn Jakobi (X)
2 AENA, Francisco José Rodríguez Angelina (X)
3 AI, Marianne Moller (X)
4 SELEX, Giuliano d'Auria (X)
5 ANS_CR, Miroslav Tykal (X)
6 BAES, Stephen Broatch (X)
7 STAR, Max Koerte (X)
8 DSNA, Nicolas Marcou (X)
9 ENAV, Antonio Nuzzo (X)
10 NLR, Jürgen Teutsch (X)
11 PAS, Alan Gilbert (X)
12 TATM, Stéphane Paul (X)
13 THAV, Alain Tabard (X)
14 (no entry)
15 AUEB, Konstantinos G. Zografos (X)
16 CSL, Libor Kurzweil (X)
17 DAV, Rolf Schroeder (X)
18 DFS, Klaus-Ruediger Täglich (X)
19 EEC, Stéphane Dubuisson (X)
20 ERA, Jan Hrabanek (X)
21 ETG, Thomas Wittig (X)
22 MD, Phil Mccarthy (X)
23 SICTA, Claudio Vaccaro (X)
24 TUD, Christoph Vernaleken (X)
CSA, Karel Muendel (X)

Sub-Contractor: N.N.

Customer: EU, Morten Jensen (X)

Additional: EUROCONTROL, Paul Adamson (X); TUDelft, Erik Theunissen (X)


Document Control Sheet

Project Manager: ROEDER Michael
Responsible Author: PAUL Stéphane (TATM)
Additional Authors: LUPINSKI Françoise, BERNAT Jean (TATM); BERTHON Guy, GAYRAUD Pierre, TABARD Alain (THAV); MARCOU Nicolas, Isabelle Daguzon (DSNA); VINAGRE SOLANS Lluis (AENA); NUZZO Antonio (ENAV)
Reviewers: VALENTINO Angelo (SELEX)
Subject / Title of Document: Functional Hazard Assessment and very Preliminary System Safety Assessment Report
Related Task: WP1.3
Deliverable No.: D1.3.9
Save Date of File: 2006-10-11
Document Version: 1.0
Reference / File Name: D139_FHAvPSSA_V1.0.doc
Number of Pages: 241
Dissemination Level: Public
Target Date: 2006-02-28

Change Control List (Change Log)

Each entry gives the date and issue number, the changed items/chapters, and, where present, the comment column of the original table.

2004-04-02, issue 0.01
Changed: Initial draft. Made compliant to Thales ATM quality manual.

2004-04-27, issue 0.02
Changed: All, but mainly refined system description.

2004-05-10, issue 0.03
Changed: All. Made to be more compliant with EUROCONTROL safety assessment methodology.
Comment: Distributed to DSNA, THAV.

2004-05-13, issue 0.04
Changed: Reduced drawing size. Quotation from Alan Gilbert.
Comment: Distributed to DLR, NLR, AHA, Françoise Lupinski.

2004-06-22, issue 0.05
Changed: Some comments by F. Lupinski (including re-organised appendixes). New document references. Table of contents shows appendixes. Corrected footers & headers. Started to fill in appendixes A & B.
Comment: No feedback yet from DSNA, THAV, DLR, NLR, AHA.

2004-07-16, issue 0.06
Changed: Better introduction to appendix B. Fused appendixes F and G. Major contribution to appendixes A, B, C and D.
Comment: After KOM between TATM and DSNA. Distribution to THAV for 2nd KOM.

2004-07-29, issue 0.07
Changed: Template update, footer corrections. Major contribution to appendixes A, B, C and D.
Comment: After KOM between TATM and THAV. Consolidated with all AGATE failure conditions (except for interfaces with cockpit). Provided to Françoise Lupinski for review.

2004-08-09, issue 0.08
Changed: Revised structure for chapter 3 + start of ICAO requirement collection. Note on security. Explanations on switchover. Explanations on detection vs. non-detection of failure modes. Appendixes A, B, C and D including:
- Comments by Françoise Lupinski.
- Suppression of the C3O0_01 data flow.
Comment: Distribution to THAV before visio-conference.

2004-08-17, issue 0.09
Changed: End of ICAO requirement collection related to safety. Appendixes A, B, C and D. Formalisation of operational effects. Change of “unavailability of…” to “temporary interruption of…”. Use of automatic numbering for operational effects.
Comment: Sent to NLR (on NLR request).

2004-08-20, issue 0.10
Changed: Appendixes A, B, C and D including:
- Still more explanations on the structure of the tables in appendixes C and D.
- Aircraft on-board guidance becomes an external function.
Comment: Sent to DSNA and THAV so they can start their own contributions.

2004-08-23, issue 0.11
Changed: Data on time management in secondary surveillance sensors.
Comment: Based on inputs by Holger Neufeldt. Sent to Airbus (on their request).

2004-09-08, issue 0.12
Changed: Inputs on recording.
Comment: Provided to ANS-CR and EUROCONTROL during SP1 meeting in Brussels.

2004-10-28, issue 0.13
Changed: Inputs on technical supervision and time management by Françoise Lupinski. Corrections linked to comments from Guy Berthon.
Comment: Distribution to Jean BERNAT, Thales ATM safety engineer on the C-ATM project.

2004-11-12, issue 0.14
Changed: All. Integration of DSNA contributions dated 02 November 2004. Integration of THAV contributions, dated 12 October 2004, received 03 November 2004.

2004-12-13, issue 0.15
Changed: Update of ICAO & SAM references. Related change of title and introduction chapter to present new PSSA aspects. New term definitions. Inputs on EUROCONTROL’s A-SMGCS level 1 and 2 safety case by NATS and Helios Technology. Update of hazard identification, severity allocation and safety objectives.
Comment: Distribution to THAV and TATM.

2005-01-05, issue 0.16
Changed: Annex F: more details to explain derivation of safety objectives per A-SMGCS implementation level. Better summary in chapter 3. Slight rewording of operational effects and hazards.
Comment: After review/comments by Françoise Lupinski. Sent to Nicolas Marcou & Françoise Lupinski.

2005-01-18, issue 0.17
Changed: Updated aircraft equipment definition (from THAV). Considerations for hazard identification in relationship to aircraft equipment in annex E (from THAV). Suppression of annex G. Justification of share of the TLS allocated to equipment depending on A-SMGCS implementation level, and re-organisation of annex F. Relaxation of severity definition in Figure 13. Updated chapter 3. Renamed and filled in chapter 4. Spelling.
Comment: After review/comments by Françoise Lupinski. Integrates part of the contribution by Guy Berthon sent by e-mail. Distribution to THAV and DSNA.

2005-01-22, issue 0.18
Changed: Explanations on formula for share of safety objective between equipment, and people + procedures. Document modified online (everywhere) during FHA meeting at Bagneux on 20-21 January 2005 with DSNA & THAV. Mainly, new hazards were identified, with a split per A-SMGCS implementation level.
Comment: After receiving comments on version 0.16 by DSNA (not all comments integrated). Distributed to meeting participants.

2005-02-01, issue 0.19
Changed: A-SMGCS boundary justification. Recommendations of operational effects and hazards tables recopied in §4. Explanations on possible redundancy of HMI. Split of §3.2.1 into implementation levels, and update of list of hazards per level. Following identification of new hazards (version 0.18), links between operational effects and hazards re-established. Check and corrections of all references to ICAO manual. New section named “A target level of safety for A-SMGCS” based on input by DSNA (email dated 31 Jan). New section named “Safety and safety nets”. Correction of bugs in headers. Suppression of references to AHA work (including in figures). Renewed explanations on TLS share. Re-computation of safety objectives.

2005-02-02, issue 0.20
Changed: Addition of a password to open the document.
Comment: Distributed to EMMA consortium during SP1 workshop (on 10 February).

2005-02-02, issue 0.21
Changed: Addition of ICAO implementation level table in annex E.
Comment: Distributed to AENA for review.

2005-02-14, issue 0.22
Changed: Replace “irrelevant” by “no effect” on safety. Integration of part of the contribution from Thales Avionics in §1.6, §1.7, and §2.2. Check & completion of list of acronyms. Addition of an “initial version” label to this release, as it is agreed that the final release will be published after the workshop. More details on computations of value of safety objectives in appendix F.
Comment: Comments on release 0.20 by Françoise Lupinski. Contributions of Thales Avionics related to §4.2, §5.1, appendix A, and appendix E have not been withheld for integration.

2005-02-28, issue 0.23
Changed: Figure 8, and corresponding text. Rewording of “Temporary interruption of...” definition. Notion of system boundary replaced by interface. New question on impact expectation once the full concept of operations is developed. Operational effects labelled for traceability. Updated list of hazards originating from people and procedures. New ICAO recommendation added. Enhanced definition of system operational state. Corrected severity assessment criteria for hazards 1, 3, and 4. Note to explain hazard 5 unexpected event. Note significance of the greyed out rows in FMEA. More explanations on the 4 operational effects categories. In accordance with the Vocabulaire Electrotechnique International (VEI191), replacement of failure mode by fault mode and of failure modes and effects analysis (FMEA) by fault modes and effects analysis. Updated A-SMGCS data and control flows (Table 14).
Comment: Integrates official peer review comments by Angelo Valentino (SELEX). Integrates additional peer review comments by AENA and ENAV. Last contribution on other hazards by DSNA. Some comments by Jean Bernat.

2005-03-02, issue 0.24
Changed: Rewording of arguments related to use of TCAS with respect to severity.
Comment: Thales ATM internal review of comments with Françoise Lupinski.

2005-03-02, issue 0.25
Changed: -
Comment: DLR formal review.

2005-03-07, issue 0.26
Changed: Update of figure 20. Update of note related to HZ-05. Introduction of name of reviewers. Based on THAV input, section 1.6.2, and introduction of annex E.
Comment: Contains updated contribution from Thales Avionics. Distribution to THAV and DSNA.

2005-04-05, issue 0.27
Changed: Update of failure definition. New doc references. Review of AGATE document status. Table 9 corrected. Better explanations on structure of the analysis tables for table 15. Corrected header of table 16. Annunciation changed with announcement and structure of the severity analysis table corrected. Figure 21. Appendix E, caption added for superscripts (1), 1*, 2*, 3*, and 4*.
Comment: After Bengt Collin’s (Eurocontrol) comments sent via Morten. After Rodolfo Piedra’s (EC) comments. Distributed during FHA workshop.

2005-04-06, issue 0.28
Changed: Shift to final version. Inclusion of FHA workshop questionnaire.

2005-06-06, issue 0.29
Changed: New section (§1.6.3) on scenario implementation levels (SIL) and update of terminology everywhere in text. New section (§4.3) on recommendations for the adaptation to a specific environment.
Comment: Modifications related to 1st FHA workshop feedback comments.

2005-09-12, issue 0.30
Changed: Description of hazard effects and related severity. Change of title of D141. New appendix H for 2nd workshop short report. Typos. Adaptation of chapter 3 to reflect updates of annexes.
Comment: Modifications related to 2nd FHA workshop feedback comments. Delivery for approval to all workshop participants.

2005-09-26, issue 0.31
Changed: New §1.6.4. Last contribution by DSNA on scenario implementation level (SIL) and frequently asked questions. Final delivery to DLR for delivery to EC.

2006-01-30, issue 0.32
Changed: Appendix H: addition of CVs of participants to 2nd FHA workshop. §1.3.3: editorial practices clarified. §1.6.2: introduction about the used prescriptive method. §1.7.3: more data on the A-SMGCS levels 1 and 2 preliminary safety case by EUROCONTROL, because it has reached release 1.0. §1.7.6: new data on TUDelft work. §3.2.2.1: simplified TLS computations. §3.3: new table for summary of hazard severities. §3.4.1: extended explanations on a scalar product. New §3.4.3 and §3.4.4: cross-check of numerical illustration, and cross-check with EUROCONTROL A-SMGCS safety case. §5.2: change of definition of probability of occurrence to be in line with NATS' mapping of undeveloped outcomes. Appendix F: cross-check of SIL II results with EUROCONTROL A-SMGCS safety case. All: typographical corrections.
Comment: Submission to DLR for internal project review and/or delivery to EC.

2006-02-07, issue 0.33
Changed: File name changed to EMMA standards, distribution list updated, target date updated.
Comment: Formal review by DLR. Submission to EC.

2006-10-11, issue 1.0
Changed: EC approval.


Before an A-SMGCS is actually made operational, a safety assessment should take place in order to provide a good understanding of the safety impact caused by the application of the system but also the safety impact in case of failure of elements of the system.

ICAO manual on Advanced Surface Movement, Guidance and Control System (A-SMGCS).


Table of Contents

1 Scope ... 14
1.1 Identification ... 14
1.2 Project overview ... 14
1.3 Document overview ... 14
1.3.1 Purpose ... 14
1.3.2 Applicability ... 16
1.3.3 Editorial practices ... 16
1.3.4 Document structure ... 16
1.3.5 Meaning of “final” version ... 16
1.3.6 Safety versus security ... 17
1.4 Safety assessment methodology ... 17
1.4.1 First step: identification of potential equipment failures ... 18
1.4.2 Step two: identification of hazards ... 19
1.4.3 Step three: assessment of hazard severity ... 19
1.4.4 Step four: specification of safety objectives and identification of safety requirements ... 21
1.5 System overview ... 22
1.5.1 System mission ... 22
1.5.2 System boundaries ... 24
1.5.3 About procedures ... 26
1.6 Operational scenario ... 26
1.6.1 The different meanings behind “A-SMGCS implementation levels” ... 26
1.6.2 A conservative approach ... 28
1.6.3 The ICAO's generic implementation levels applied to EMMA, focusing on the worst credible cases ... 28
1.6.4 EMMA scenario implementation levels ... 29
1.6.5 Airborne equipment technologies and flight crew role ... 32
1.6.6 Concept of operations and its impact on exposure time ... 32
1.6.7 Follow-up ... 33
1.7 State of the art ... 33
1.7.1 A target level of safety for A-SMGCS ... 33
1.7.2 The AGATE functional hazard assessment ... 35
1.7.3 A-SMGCS levels 1 and 2 preliminary safety case by EUROCONTROL ... 37
1.7.4 Operational hazard assessment by the C-ATM project ... 40
1.7.5 The FHA of Maastricht upper area control centre ... 40
1.7.6 Safety assessment for on-board equipment ... 41
1.7.7 ICAO requirements and their impacts on this assessment ... 43
1.7.8 Safety and safety nets ... 47
1.7.9 State-of-the-art conclusion ... 47
2 Referenced documents ... 48
2.1 Applicable documents ... 48
2.2 Other relevant publications ... 48
2.2.1 Emma deliverables ... 48
2.2.2 Thales ATM publications ... 48
2.2.3 Publications from other EMMA consortium partners ... 48
2.2.4 External publications ... 49
3 Main results of the functional hazard assessment and very preliminary system safety assessment ... 50
3.1 Identification of potential equipment failures ... 50
3.1.1 Functional decomposition ... 50
3.1.2 Identification of data & control flows ... 51
3.1.3 Posting of fault modes on each data & control flow ... 51
3.2 Identification of hazards ... 53
3.2.1 Hazards originating from equipment ... 53
3.2.2 Other hazards and share of the target level of safety ... 55
3.3 Assessment of hazard severity ... 59
3.4 Specification of safety objectives ... 60
3.4.1 Introduction ... 60
3.4.2 Numerical illustration ... 63
3.4.3 Cross-check of numerical illustration ... 63
3.4.4 Cross-check with EUROCONTROL A-SMGCS safety case ... 64
4 Recommendations ... 65
4.1 Recommendations for the specification, design and development ... 65
4.2 Recommendations to the ICAO manual on A-SMGCS ... 66
4.3 Recommendations for the adaptation of the functional hazard assessment and very preliminary system safety assessment to a specific environment ... 66
5 Notes ... 68
5.1 Acronyms ... 68
5.2 Term definitions ... 71
Appendix A - Functional decomposition ... 83
Appendix B - Data and control flows ... 89
Appendix C - External fault modes and effects analysis ... 102
Appendix D - Internal fault modes and effects analysis ... 114
Appendix E - Identification of hazards ... 166
Appendix F - Assessment of hazard severity and probability of occurrence ... 205
Appendix G - 1st workshop questionnaire, analysis and lessons learnt ... 227
Appendix H - 2nd workshop short report ... 238


1 Scope

1.1 Identification

This document is a functional hazard assessment (FHA) and very preliminary system safety assessment (PSSA) report performed for a generic advanced surface movement, guidance and control system (A-SMGCS).

- Document Name: Functional Hazard Assessment and very Preliminary System Safety Assessment Report
- EMMA No.: D1.3.9
- Revision: 1.0
- File Name: D139_FHAvPSSA_V1.0.doc

1.2 Project overview

The project is named “European Airport Movement Management by A-SMGCS” with the acronym EMMA. The duration of the project is 2 years, with a follow-up in EMMA-2 (another 2.5 years). The project is organised in six different sub-projects. There are three ground-related sub-projects and one on-board-related sub-project. Based on an advanced operational concept, three functional level III advanced surface movement, guidance and control systems (A-SMGCS) will be implemented at three European airports: Prague-Ruzyně, Toulouse-Blagnac and Milano-Malpensa. The systems are to be tested operationally (i.e. with live traffic). The three ground-related sub-projects and the on-board-related sub-project are autonomous, but are inter-linked with the sub-projects ‘concept’ and ‘validation’ to guarantee that the different systems are based on a common A-SMGCS interoperable air-ground co-operation concept and that all are validated with the same criteria. On-site long-term trials are to ensure the assessment of benefit estimations. The results of the test phase shall feed back to the concept of operations, and are intended to set standards for future implementation in terms of: (a) common operational procedures, (b) common technical and operational system performance, (c) common safety requirements, and (d) common standards of interoperability with other ATM systems. These standards shall feed the relevant documents of international organisations involved in the specification of A-SMGCS, i.e. mainly ICAO, EUROCAE / RTCA, and EUROCONTROL.

1.3 Document overview

1.3.1 Purpose

The purpose of this functional hazard assessment (FHA) and very preliminary system safety assessment (PSSA) report is to provide safety objectives and recommendations (i.e. potential safety requirements) for advanced surface movement, guidance and control systems (A-SMGCS), prior to design, development and operation.

Why a combined FHA and PSSA? A system (e.g. an A-SMGCS) can be described at a level abstract enough that no breakdown is made in terms of equipment, people or procedures. According to [2], a functional hazard assessment (FHA) should be performed at this level, and its result (i.e. the safety objectives) should stay valid irrespective of the level of automation. The safety assessment should then continue with a series of preliminary system safety assessments (PSSA). In the first PSSA step, the allocation of responsibilities between people, procedures and equipment may be taken into account like any other specific (local) implementation issue. During the PSSA, the high-level safety objectives (originating from the FHA) are split between equipment, people and procedures, down to the transistor or to the line of code if so required. Each PSSA iteration corresponds to a design or implementation choice. Each decision to change one of these choices invalidates the whole corresponding PSSA, but should (ideally) not impact the FHA.

Page 15: Functional Hazard Assessment and very Preliminary System Safety Assessment Report
Save Date: 2006-10-11 Public 15 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

But is the above approach really applicable to A-SMGCS safety assessment? The approach above assumes that an FHA is independent of the level of automation (i.e. independent of the ICAO A-SMGCS implementation level). An A-SMGCS FHA would therefore be strictly identical to an SMGCS FHA, and of no direct interest in this project. The purpose of this report is to assess the changes in terms of safety when automation is introduced. The focus is therefore on the (new) equipment and on the way it is used. This explains why this functional hazard assessment has been combined with a very preliminary system safety assessment. Because A-SMGCS related procedures are not yet mature (cf. §1.5.3), this safety assessment does not consider the complete system (i.e. people, procedures and equipment), but focuses mainly on the A-SMGCS equipment services, as specified in the International Civil Aviation Organisation (ICAO) manual on A-SMGCS [32]. The D1.3.9 report considers all relevant functional implementation levels (i.e. level II, level III, level IV and level V) as defined in [32]. Except for the aforementioned limitations, the safety process followed in this document conforms to the EUROCONTROL air navigation system (ANS) safety assessment methodology (SAM) [2], as detailed in §1.4. It first identifies potential equipment failures, or more precisely the observable failures on the data and control flows (i.e. fault modes). Operational effects and mitigation means are then described successively at equipment level and at system level.

[Figure 1 (not reproduced; labels recovered from the extraction): three stacked levels, equipment level, A-SMGCS level and aerodrome ATC level. An equipment failure produces operational effects at equipment level; hazards are the operational effects at A-SMGCS level; at aerodrome ATC level they become the failure condition. Mitigation means shown: equipment mitigation, system mitigation, external mitigation.]

Figure 1: A hazard is expressed at the boundary of the scope of the system under assessment

Hazards are identified at the boundary of the A-SMGCS. Because the hazards considered here all originate from equipment failures, they constitute only a subset of all possible hazards. The process then assesses the severity of each hazard from the analysis of its operational consequences (i.e. hazard effects), at system level, on the safety of aircraft operations, within a generic operational environment (cf. §1.6). Then, based on the target level of safety defined in the ICAO manual on A-SMGCS [32] for aircraft taxi operations, this report provides qualitative or quantitative statements (i.e. safety objectives) that define the maximum probability at which each identified hazard can be tolerated to occur. The document concludes with recommendations (i.e. potential safety requirements) that should help reach those safety objectives.


1.3.2 Applicability

This document is not applicable to any specific programme. It is built as a generic functional hazard assessment and very preliminary system safety assessment report, to be reused as a template in all advanced surface movement, guidance and control system (A-SMGCS) equipment programmes that comply with the International Civil Aviation Organisation (ICAO) manual on A-SMGCS [32].

1.3.3 Editorial practices

In the writing of this report (and with the exception of §1.6.1), the ICAO conventions for the notation of the five levels of A-SMGCS implementation at particular aerodromes [32] have been used. They range from I (i.e. SMGCS) to V (i.e. full A-SMGCS). However, to avoid confusion with the EUROCONTROL A-SMGCS implementation levels, we decided (during the 1st EMMA FHA workshop) to refer, in this document, to the ICAO implementation levels as "scenario implementation levels", abbreviated SIL. The use of acronyms is discouraged in safety documentation, as clarity is more important than brevity; all acronyms are therefore expanded at least once in each section. It is clearly agreed that "severity" applies to "hazard effects", not to "hazards". However, in this document we have only worked on the worst credible case of hazard effects (without developing event trees for hazards), and therefore the shorthand "hazard severity" is commonly used to designate the severity of the worst credible effect of the hazard.

1.3.4 Document structure

This document consists of an overview and a series of appendices providing the safety assessment details. This report provides:
- a project overview, a system overview and a safety assessment methodology overview (cf. §1),
- a list of referenced documents (cf. §2),
- the main results of the functional hazard assessment and preliminary system safety assessment steps (cf. §3),
- recommendations (cf. §4),
- appendices providing the detailed analysis.

1.3.5 Meaning of “final” version

Most EMMA deliverables are delivered in two steps: an “initial” version, and a “final” version. This document is no exception. This document is the “final” version. This section explains the main differences between the “initial” version and the “final” version of the document. First, the “initial” version had a confidential level of dissemination. This “final” version is public. Next, the “initial” version was published prior to the two functional hazard assessment workshops organised by Thales ATM with the air navigation service providers who are involved in EMMA, and some other stakeholders. This “final” version now includes all the feedback collected during the workshops and post-workshops comments. Finally, this “final” version contains the complete contribution from Thales Avionics relating to the on-board part.


1.3.6 Safety versus security

Depending on the origin of the feared event, a distinction is made between:
- safety, when the origin of the feared event is accidental,
- security, when the origin of the feared event is intentional.
Safety, and therefore this assessment, is normally not concerned with malevolent behaviour. However, given the heightened security concern that followed the 11 September 2001 attacks, a few security issues have been considered where the system was seen as most vulnerable.

1.4 Safety assessment methodology

The safety assessment process recommended by EUROCONTROL consists of three major phases:
- functional hazard assessment (FHA),
- preliminary system safety assessment (PSSA),
- system safety assessment (SSA).
The objectives of the FHA, the PSSA and the SSA are as follows.

The functional hazard assessment (FHA) analyses the potential consequences on safety resulting from the loss or degradation of system functions. Using service experience and engineering and operational judgement, the severity of each hazard effect is determined qualitatively and placed in a class. Safety objectives then determine the maximum tolerable probability of occurrence of a hazard, in order to achieve a tolerable risk level.

The preliminary system safety assessment (PSSA) determines whether the proposed system architecture is likely to achieve the safety objectives. The PSSA examines the proposed system architecture and determines how faults of system elements and/or external events could cause or contribute to the hazards and their end effects identified in the FHA. Next, it supports the selection and validation of mitigation means that can be devised to eliminate, reduce or control the hazards and their end effects. System safety requirements are derived from the safety objectives; they specify the potential means identified to prevent or reduce hazards and their end effects to an acceptable level, in combination with specific possible constraints or measures.

The system safety assessment (SSA) collects arguments, evidence and assurance to ensure that each system element as implemented meets its safety requirements, and that the system as implemented meets its safety objectives throughout its lifetime. It demonstrates that all risks have been eliminated or minimised as far as reasonably practicable in order to be acceptable, and subsequently monitors the safety performance of the system in service. The safety objectives are compared with the current performance to confirm that they continue to be achieved by the system.

This section details the steps followed in this document for this functional hazard assessment (FHA) and very preliminary system safety assessment (PSSA). For more details on the general objectives of the two other assessment steps (i.e. PSSA and SSA), please refer to the safety assessment methodology in [2]. Figure 2 (on page 20) details:
- the process leading to the specification of A-SMGCS safety objectives and the identification of safety requirements, and
- the role played by each partner in this functional hazard assessment1 and very preliminary system safety assessment.
In the figure, the two main inputs to the study are shown in bold green, at the upper and lower ends of the diagram, whilst the outputs are highlighted in red italics.

1 According to the safety assessment methodology [2], human factors and ergonomic expertise, and software/hardware engineering, are not required during functional hazard assessment.


1.4.1 First step: identification of potential equipment failures

The first and main input to this report is the set of operational and performance requirements contained in the International Civil Aviation Organisation (ICAO) manual on A-SMGCS [32]. The terms "system", "equipment" and "total system" are all used in that document, leaving some ambiguity about the meaning of "system". Even though the term "system" appears in the acronym A-SMGCS, the main scope of the ICAO manual on A-SMGCS is clearly the equipment2: in the manual, procedures and the tasks of the actors (controller, pilot and vehicle driver) are not addressed. By contrast, and in agreement with [2], this report uses the term "system" to designate a combination of physical components, procedures and human resources organised to perform a function. Therefore, to avoid confusion, whenever this document refers to the A-SMGCS as specified in [32] it adds the suffix "equipment": A-SMGCS equipment.

Because A-SMGCS related procedures are not mature, and sometimes not even defined, this report cannot consider the complete advanced surface movement, guidance and control system, and often needs to focus on the A-SMGCS equipment. In particular, the first step of the study, which aims at identifying what can go wrong with the system (i.e. identification of potential failures), only addresses the identification of potential equipment function failures. See also §1.3.1 for further reasons to focus on equipment.

The causes of an equipment function failure are numerous (e.g. software bug, hardware failure, power supply interruption, overflow, misrouting) and seldom relevant3 in a hazard assessment. What matters is the way the equipment function failure reveals itself at the function output. In this document, these "ways" are modelled very simply as fault modes (previously called failure modes). This report uses three types of fault modes:
- "Loss of ...", referring to the total loss of the function as normally provided by the equipment;
- "Temporary interruption of ...", referring to a period (specified in the "acceptable outage" column of Table 5-9 on page 101) during which the function is not provided by the equipment, but shorter than the duration beyond which the function is declared lost;
- "Corruption of ..." in all other cases.
The "loss of ..." fault mode covers the cases where:
- the output of the function is really lost (e.g. in case of a non-secure connection),
- the output of the function is delayed to such an extent that it has become obsolete and can no longer be used.
Further, for all fault modes, the two cases "without detection" and "with detection" are taken into account.

Modelling potential equipment failures with the above list of fault modes requires a consensus on a clear and unambiguous:
- functional decomposition (of the A-SMGCS equipment),
- definition of the interfaces (i.e. mainly data and control flows) between these functions, and
- definition of the interfaces of these functions with external equipment (e.g. approach or area control centre).
The level of detail of the functional decomposition must be sufficient to obtain significant results during the safety assessment, but must not lose relevance through excessive detail. The level of detail has been set using the EUROCAE WG-41 minimum aviation system performance standards (MASPS) [33] and the industrial knowledge of Thales ATM and Thales Avionics as equipment manufacturers. The result of that consensus, including ICAO requirements and DSNA as end-user, is provided in appendix A. It represents a common view on A-SMGCS by an ATC systems industry, an avionics industry, and an air traffic management service provider.

2 Anybody's system is somebody else's subsystem!
3 The causes may however be relevant in the recommendations provided.


Based on the functional decomposition (cf. appendix A) and the corresponding data and control flows (cf. appendix B), the fault modes are analysed successively:
- from an external point of view, and
- from an internal point of view.
In the external point of view, the complete A-SMGCS equipment is considered as a black box, and the fault modes of all external data and control flows are analysed4. The results are given in appendix C. In the internal point of view, the complete A-SMGCS equipment is considered as a white box, and the fault modes of all internal data and control flows are analysed. The results are given in appendix D.

In this first step of the safety assessment, related to the identification of potential equipment failures, care has been taken to analyse neither the effects nor the mitigation means beyond the equipment domain alone. This study is therefore fully reusable in any operational environment. In the second step, related to hazard identification, the scope of the failure effects and mitigation means is widened to the complete system, i.e. including people and procedures. However, in order not to be too site-dependent, the worst credible case is always considered (i.e. no event tree has been filled in).
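The fault-mode vocabulary of this step (loss, including the obsolete-output case; temporary interruption, bounded by the acceptable outage; corruption; each with or without detection) can be made concrete with a consumer-side monitor on one data flow. The following Python is an added example written for this edition, not code from the EMMA project, from the ICAO manual or from any Thales equipment. The message format, the digest, the thresholds (update period, acceptable outage, obsolescence age, maximum plausible ground speed) and the sample track feed are all constructed assumptions. The monitor classifies what the consumer of a system-track flow observes into the three fault modes and records whether the fault was detectable by the consumer's own checks; the one tampered report that passes every check is the "corruption without detection" case, which only the harness ground truth can label.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Set, Tuple

# Thresholds are assumptions for the example; a real flow would take the acceptable
# outage from Table 5-9 and the update period from the ICAO performance requirements.
THRESHOLDS = dict(period_ms=1000, acceptable_outage_ms=5000, max_age_ms=2500, max_speed_mps=30.0)

class FaultMode(Enum):
    NOMINAL = "nominal"
    TEMPORARY_INTERRUPTION = "Temporary interruption of"
    LOSS = "Loss of"
    CORRUPTION = "Corruption of"

@dataclass(frozen=True)
class TrackReport:
    seq: int        # producer sequence number
    t_ms: int       # producer time stamp, milliseconds
    payload: bytes  # "callsign,x_m,y_m"; constructed format, not a real A-SMGCS message
    digest: str     # producer integrity check over seq, t_ms and payload

def digest(seq: int, t_ms: int, payload: bytes) -> str:
    # Keyless hash: catches transmission errors, but whoever can rewrite the payload can recompute it.
    return hashlib.sha256(f"{seq}|{t_ms}|".encode() + payload).hexdigest()[:16]

def make_report(seq: int, t_ms: int, callsign: str, x_m: float, y_m: float) -> TrackReport:
    payload = f"{callsign},{x_m},{y_m}".encode()
    return TrackReport(seq, t_ms, payload, digest(seq, t_ms, payload))

def classify_gap(gap_ms: int, period_ms: int, acceptable_outage_ms: int) -> FaultMode:
    """Silence on the flow: one period is nominal, beyond the acceptable outage is a loss."""
    if gap_ms <= period_ms:
        return FaultMode.NOMINAL
    if gap_ms <= acceptable_outage_ms:
        return FaultMode.TEMPORARY_INTERRUPTION
    return FaultMode.LOSS

def classify_report(report, arrival_ms, prev, *, max_age_ms, max_speed_mps) -> FaultMode:
    """Consumer-side checks on one delivered report; a corruption that passes them all is invisible here."""
    if report.digest != digest(report.seq, report.t_ms, report.payload):
        return FaultMode.CORRUPTION      # integrity check failed (bit flip in transit)
    if arrival_ms - report.t_ms > max_age_ms:
        return FaultMode.LOSS            # delivered but obsolete: counts as lost
    if prev is not None:
        if report.seq <= prev.seq:
            return FaultMode.CORRUPTION  # replayed or reordered report
        x0, y0 = map(float, prev.payload.decode().split(",")[1:])
        x1, y1 = map(float, report.payload.decode().split(",")[1:])
        dt_s = max(report.t_ms - prev.t_ms, 1) / 1000.0
        if ((x1 - x0) ** 2 + (y1 - y0) ** 2) ** 0.5 / dt_s > max_speed_mps:
            return FaultMode.CORRUPTION  # physically implausible movement
    return FaultMode.NOMINAL

def assess(stream: Iterable[Tuple[int, TrackReport]], tampered_seqs: Set[int], *,
           period_ms: int, acceptable_outage_ms: int, max_age_ms: int,
           max_speed_mps: float) -> List[Tuple[Optional[int], FaultMode, bool]]:
    """One (seq or None for silence, fault mode, detected?) tuple per silence interval and
    per faulty report. `tampered_seqs` is harness ground truth the consumer never has; it
    only labels corruptions that passed every check as 'without detection'."""
    findings = []
    prev: Optional[TrackReport] = None
    prev_arrival: Optional[int] = None
    for arrival_ms, report in stream:
        if prev_arrival is not None:
            gap = classify_gap(arrival_ms - prev_arrival, period_ms, acceptable_outage_ms)
            if gap is not FaultMode.NOMINAL:
                findings.append((None, gap, True))
        verdict = classify_report(report, arrival_ms, prev,
                                  max_age_ms=max_age_ms, max_speed_mps=max_speed_mps)
        if verdict is FaultMode.NOMINAL:
            if report.seq in tampered_seqs:
                findings.append((report.seq, FaultMode.CORRUPTION, False))
            prev = report                # only accepted reports become the reference
        else:
            findings.append((report.seq, verdict, True))
        prev_arrival = arrival_ms
    return findings

def sample_stream() -> Tuple[List[Tuple[int, TrackReport]], Set[int]]:
    """Constructed feed: 1 s update period, one aircraft taxiing along x at about 10 m/s."""
    def r(seq: int, t_ms: int, x_m: float) -> TrackReport:
        return make_report(seq, t_ms, "ABC123", x_m, 200)
    good4 = r(4, 4000, 140)
    flipped = TrackReport(4, 4000, good4.payload[:-1] + b"9", good4.digest)
    stream = [
        (0, r(0, 0, 100)),
        (1000, r(1, 1000, 110)),
        (2000, r(2, 2000, 122)),    # x rewritten (true value 120), digest recomputed
        (3000, r(3, 3000, 130)),
        (4000, flipped),            # bit flip in transit: digest mismatch
        (7000, r(5, 7000, 170)),    # 3 s silence: temporary interruption (outage limit 5 s)
        (15000, r(6, 15000, 250)),  # 8 s silence: loss
        (16000, r(7, 12000, 260)),  # 4 s old time stamp: obsolete, counted as loss
        (17000, r(3, 17000, 270)),  # sequence number regression: replay
        (18000, r(9, 18000, 900)),  # 650 m in 3 s: implausible movement
    ]
    return stream, {2}

if __name__ == "__main__":
    for finding in assess(*sample_stream(), **THRESHOLDS): print(finding)
```

Running the module prints one finding per fault in the sample feed. The keyless digest is the point to note for the security side of §1.3.6: it catches a bit flip, but the report at seq 2 shows that an actor who can rewrite the payload can recompute it, leaving the plausibility check against the previous accepted report as the only barrier, and a small, plausible change passes it. A keyed integrity check (a MAC with a key held by the sensor) on that flow would turn that case from "without detection" into "with detection".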

1.4.2 Step two: identification of hazards

According to [2] and [19], a hazard is any condition, event, or circumstance that could induce an accident. This definition is not in accordance with ESARR 3, and is too vague to be useful in the context of a safety assessment. In the safety assessment methodology (SAM) version 1.0, a hazard was defined as a potentially unsafe condition (i.e. a state, not an event). When identifying hazards, different levels of hazards can be considered (cf. Figure 1 on page 15). Ideally, hazards should be placed at the level of the air navigation system or service (cf. SAM v2.0, FHA, guidance material B1, §4). However, since the scope of an A-SMGCS is a sub-level of the air navigation system, the hazards herein are identified at the boundary of the A-SMGCS; they nevertheless encompass all elements of that sub-system, i.e. people (controllers, pilots and drivers), procedures and equipment.

Failures (and in particular the equipment failures identified in appendices C and D) may induce hazards. Some equipment fault modes have no effect on the operators and are therefore not related to any hazard. This may be due to redundancy facilities that mask functional equipment failures (e.g. dual nodes, the same function available on adjacent working positions), or to functional redundancy (e.g. the radar tracking function with the raw video fallback function). Thus, step 2 of this safety assessment consists of determining the effects of the potential equipment failures from an air traffic control (ATC) viewpoint, at the boundary of the A-SMGCS. This is done by systematically considering the potential effects of the previously identified fault modes on aircraft operations, taking account of all mitigation means (people and procedures) that are an integral part of the A-SMGCS. The list of hazards resulting from this analysis is presented in appendix E.

1.4.3 Step three: assessment of hazard severity

The purpose of the 3rd step of this safety assessment is to classify the severity associated with each identified hazard, by considering the worst credible consequences on the safety of flight operations (i.e. combining level of loss of separation and degree of ability to recover from the hazardous situation by means external to the A-SMGCS). The hazard severity classification scheme (cf. Table 5-3 on page 79) is used for this purpose.

4 This analysis is sometimes referred to as the analysis of the robustness of the A-SMGCS equipment vis-à-vis external events.


[Figure 2 (not reproduced; labels recovered from the extraction). Top-down branch: the A-SMGCS target level of safety, taken from the ICAO manual on A-SMGCS, is split into surveillance, control, routing and guidance target levels of safety, and each of these is split further into people, procedures and equipment TLS. Bottom-up branch: the operational and performance requirements of the ICAO manual on A-SMGCS feed the equipment system engineering (functional decomposition and data flow identification), from which surveillance, control, routing and guidance equipment failures are identified, then the related hazards, then the severity of the related hazards. The two branches converge on surveillance, control, routing and guidance safety objectives, and then on safety requirements. Partner labels on the figure: DSNA + TATM + THAV; TATM + THAV.]

Figure 2: Detailed process leading to the specification of safety objectives, and role of each partner


An advanced surface movement, guidance and control system (A-SMGCS) is only a small part of the global air traffic management system. It contributes to a number of critical ATM services (e.g. exercising safe separation and control over aircraft on the manoeuvring area), and shares these critical services with the voice communication system (VCS). Even in case of a complete loss of A-SMGCS information delivery to controllers, present procedures are such that controllers can still exercise air traffic control (ATC) in a degraded mode by using radio communications (i.e. the VCS is considered an A-SMGCS backup facility should the A-SMGCS enter the failed mode) or even light signals (cf. ICAO Doc 4444, §7.5.3.2.3, Communication requirements and visual signals). Critical services thus remain operational thanks to the VCS5 or light signals. Moreover, as highlighted in the AGATE study [21], "unlike air control, the ground control allows for the stopping6 of traffic if the criticality of a situation justifies it." Consequently, AGATE assumed that A-SMGCS hazard severity cannot exceed hazardous (i.e. severity class 2). In our view, this reasoning may hold for approach and en-route air traffic control. But on the ground, if a dangerous situation develops unbeknownst to the controller, or if a controller, through lack of situational awareness, himself creates a critical loss of separation by delivering an inadequate clearance (cf. the Rhodes Island incident of December 6th), there is no external mitigation means that can help avoid the accident. Such a hazard would therefore be catastrophic (i.e. severity class 1). The results of the hazard severity assessment are documented in appendix F.

1.4.4 Step four: specification of safety objectives and identification of safety requirements

The final step of the functional hazard assessment (FHA) is concerned with the provision of system safety objectives and recommendations (which may eventually become equipment safety requirements as part of the very preliminary system safety assessment). In Figure 2 (i.e. the detailed safety assessment process on page 20), this step is shown in red. It is the converging point between the top-down approach, which starts from an externally defined target level of safety (TLS), and the bottom-up approach, which starts from the advanced surface movement, guidance and control system (A-SMGCS) equipment decomposition and the analysis of the potential A-SMGCS equipment failures.

At the top, the target level of safety defines a tolerable level of risk. An acceptable or tolerable risk is a willingness to live with a risk so as to secure certain benefits, in the confidence that it is being properly controlled. To accept or tolerate a risk does not mean that it is regarded as negligible or as something that might be ignored, but rather as something that needs to be monitored and reduced where possible (e.g. by implementing safety requirements). The ICAO manual on A-SMGCS [32] states in §4.1.1.2: "A-SMGCS target level of safety should be 1 × 10^-8 (per operation)." This figure has been accepted as is for this safety assessment. Readers with a particular interest in this subject may refer to §1.7.1 for more details. As a follow-on, we have provided a split of the risk between people, procedures and equipment. These figures cover each A-SMGCS scenario implementation level (cf. Figure 26 on page 206), and are used in the specification of our system safety objectives.

Safety objectives specify the maximum acceptable or tolerable probability for the occurrence of a hazard of a given severity, in order to achieve an acceptable or tolerable risk level. Where appropriate they also specify a maximum exposure time. Safety objectives are specified qualitatively or quantitatively, as appropriate. The results are documented in appendix F. Finally, safety requirements are derived from the safety objectives: they specify the potential means identified to prevent functional failures or to reduce their effects to an acceptable risk level, in combination with specific constraints or measures. They specify, for example, the availability and integrity of the functions, design constraints or operational limitations. Some safety requirements have already been specified in the ICAO A-SMGCS manual (cf. §0). All other recommendations derived from this safety assessment are presented in the recommendations synthesis (cf. §4).

5 Statement from a controller in Prague during the BETA (operational Benefit Evaluation by Testing an A-SMGCS) tests: "What's all this? Give me a mike, and I can control anything."
6 This is true; however, en-route controllers can solve conflicts in a 3D environment, whereas only two dimensions are available on the ground.

1.5 System overview

The use of automation is one of the main differences between SMGCS and A-SMGCS. Advanced surface movement guidance and control systems (A-SMGCS) is the term used by ICAO [32] to describe a modular equipment consisting of different functions to support the safe, orderly and expeditious movement of aircraft and vehicles on aerodromes under all circumstances with respect to visibility conditions, traffic density, complexity of the layout and the demand.

1.5.1 System mission

The A-SMGCS equipment should provide surveillance, routing, guidance and control services to aircraft and affected vehicles for aerodrome types classified at least as scenario implementation level II (according to the terminology defined in [32]).

Within the movement area, the A-SMGCS equipment surveillance function should:
- provide accurate positional and kinematic information on all movements;
- provide identification of authorised movements;
- cope with moving and static aircraft/vehicles;
- be capable of updating the accurate surveillance data required for the alerting, guidance and control requirements, both in time and distance;
- be immune to operationally significant effects of weather and topographical features.
Where possible, the surveillance should extend to the aerodrome boundary. Within the areas specified above, surveillance should be provided up to an altitude sufficient to cover missed approaches and low-level operations.

Either manually or automatically, the A-SMGCS equipment routing function should:
- be able to designate a route for each mobile within the movement area;
- allow for a change of destination at any time;
- allow for a change of route to the same destination;
- be capable of meeting the needs of dense traffic patterns at complex aerodromes; and
- not constrain the pilot's choice of a runway exit following landing.
In a semi-automatic mode, the A-SMGCS equipment routing function should provide the control authority with advisory information on designated routes. In an automatic mode, the A-SMGCS equipment routing function should:
- designate and assign routes; and
- provide adequate information to enable manual intervention in the event of a failure or at the discretion of the control authority.


When designating routes, the A-SMGCS equipment routing function should:
- minimise taxi distances in accordance with the most efficient operational configuration;
- interact with the control function to minimise junction conflicts;
- be responsive to operational changes (e.g. runway heading changes, routes closed for maintenance, temporary hazards or obstacles);
- use standardised terminology or symbology;
- provide a means of validating routes.

When visibility conditions are insufficient for the pilot to taxi by visual guidance only, and when the competent authorities permit operations in these visibility conditions, the A-SMGCS equipment guidance function should:
- provide the guidance necessary for any authorised movement, and be available for all possible route selections;
- provide clear indications to pilots and drivers to allow them to follow their assigned route;
- enable all pilots and drivers to maintain situational awareness of their position on the assigned route;
- be capable of accepting a change of route at any time;
- be capable of indicating routes and areas that are either restricted or not available for use;
- allow monitoring of the serviceability of all guidance aids.

Keeping aircraft pilots, vehicle drivers and controllers in the decision loop, the A-SMGCS equipment control function should support the application of measures and allocate priorities:
- to detect conflicts and incursions, and provide resolutions (traffic monitoring & alerting sub-function);
- to ensure safe, expeditious and efficient aerodrome movement (planning sub-function);
- to prevent conflicts and incursions (plan monitoring & alerting sub-function).

The traffic monitoring & alerting sub-function should:
- be able to provide, in order to meet the required separation minima, longitudinal spacing to predetermined values, based on speeds, relative directions, aircraft size, jet blast effects, human and equipment response times, and deceleration performance;
- detect, provide alerts and provide resolutions (e.g. activate protection devices) for conflicts and incursions.

The planning sub-function should provide plans for:
- the sequencing of aircraft after landing or when departing from the parking positions, to ensure minimum delay and maximum utilisation of the available capacity of the aerodrome;
- the possible segregation of support and maintenance vehicles from operational activities;
- the spacing between aerodrome movements according to the prescribed minima, taking into account wake vortex, jet blast, propeller wash and rotor wash from taxiing helicopters, aircraft configuration, and the different locations and layouts (runway, taxiway, apron or aircraft stand);
- the separation of aerodrome movements from obstacles or from other aircraft isolated for security reasons.

The plan monitoring & alerting sub-function should provide, within an adequate time to enable the control authority to take the appropriate remedial action:
- short-term warnings on authorised movements when:
  - the predicted separation will be below a predefined minimum,
  - a movement is detected as likely to enter a critical or restricted area,
  - the computed deviation from the assigned route will exceed the predefined maximum deviation;
- medium-term warnings on movement plans, with respect to predicted conflicts or plan inconsistencies.
Once a conflict or inconsistency has been detected, the plan monitoring & alerting sub-function should either automatically solve it or automatically provide the most suitable solution on request.


1.5.2 System boundaries

Figure 3 (on page 25) provides a high-level view of the advanced surface movement, guidance and control system (A-SMGCS) equipment boundaries and of the main external and internal data flows. The following equipment has been identified as interfacing with the A-SMGCS equipment:
- approach (APP) or area control centre (ACC) radar data processing systems7 (RDPS), providing access to approach secondary surveillance radar (ASR) and/or approach primary surveillance radar (PSR) data,
- airport operational database (AODB), usually including a stand & gate (S&G) allocation system,
- departure manager (DMAN),
- approach (APP) or area control centre (ACC) flight plan data processing system (FDPS), potentially including an arrival manager (AMAN), and further connections to the central flow management unit (CFMU) and the aeronautical fixed telecommunication network (AFTN),
- aeronautical information system (AIS),
- docking guidance system (DGS),
- airfield lighting system (ALS),
- global navigation satellite system (GNSS), for universal time and for vehicle on-board positioning equipment,
- aircraft on-board equipment, connected via the air-ground data link (AGDL), e.g. the aircraft communications addressing and reporting system (ACARS) or the aeronautical telecommunication network (ATN).
The functional hazard assessment (FHA) part of this report is concerned with functions, not with system architecture. Thus, in this document, the external interfaces are represented by generic functions such as "External input interface from equipment X" or "External output interface to equipment X". Figure 3 pictures most of the operational data flows; in order not to overload the figure, the time synchronisation, supervision, recording and aerodrome mapping database (AMDB) data flows are not sketched.

7 Direct connections to approach PSR and SSR could be envisaged. However, this would extend the scope of A-SMGCS without due justifications.


[Figure 3, diagram not reproduced. The A-SMGCS block contains the Surveillance (Fusion, Correlation), Control, Routing and Guidance functions plus Recording, Time Mngt and Supervision applied to all functions; it exchanges system tracks, conflicts, taxi routes, flight plan data and pilot / driver requests, instructions & clearances with the Controller Working Position (manual commands). External equipment shown: co-operative sensors (DAP) and non co-operative sensors (sensor tracks, RETS, video), APP RDPS (system tracks), APP FDPS (flight plan data), DMAN, AODB (flight plan & co-ordination data), AIS (aerodrome and meteorological data), AMDB (aerodrome data), VCS (voice), AGDL, DGS (docking guidance commands), ALS (airfield lighting commands, state & status), GNSS, NAVAIDS (guidance state & status), NMS.]

Figure 3: A-SMGCS equipment boundaries and main flows

In addition, the following equipment is interfacing with the A-SMGCS equipment, but is not part of the scope of this safety assessment:

- voice communications system (VCS): until A-SMGCS has matured, VHF radio communication is the main communication means for controlling aircraft and vehicles; dedicated channels are often used to support tower communications with aircraft and vehicles and multiple channels are usually used for controlling different parts of the airport; the voice communications & control system is assumed to be always available;
- noise monitoring system (NMS).

Clearly, the system boundaries defined above are arbitrary. In particular, the inclusion of the vehicle driver interface and the exclusion of the aircraft pilot interface are disputable. The rationale behind the above-defined system boundaries is system jurisdiction: even though it is difficult to be generic, all functions included inside the above boundaries usually fall into the jurisdiction of the air traffic authority performing air traffic control at the aerodrome⁸. This is key when performing a safety assessment, as each entity is individually responsible towards its regulatory authority for the functions falling under its jurisdiction.

8 One may object that vehicle equipment is more often in the airport authority's jurisdiction rather than in the air traffic authority's jurisdiction. However, when considering equipped follow-me cars, vehicle on-board equipment is also important for the safety assessment performed by the air traffic authority.


1.5.3 About procedures

As mentioned in §1.3.1, because A-SMGCS related procedures are not yet mature, this report does not consider the complete system (i.e. people, procedures and equipment), but focuses mainly on A-SMGCS equipment. Initial procedures have been defined by EUROCONTROL in [7], and these have been used in our definition of hazards, but much is yet to be done. A distinction should be made between:

- normal operating procedures, without knowledge of which it is difficult to establish a consistent functional hazard assessment (FHA);
- contingency procedures, which can be derived from the FHA to suppress some hazards due to equipment failures;
- maintenance procedures, some of which may be derived from the system safety assessment (SSA).

Pending the normal operating procedures, some recommendations for the definition of future A-SMGCS procedures have been made (cf. §4). What will be the impact on equipment safety requirements once the full concept of operations is developed? We currently have no answer to this interesting question. All suggestions are welcome.

1.6 Operational scenario

1.6.1 The different meanings behind “A-SMGCS implementation levels”

After a decade of unbridled research and bustling efforts aimed at the standardisation of advanced surface movement, guidance and control systems (A-SMGCS), attention is now focused on its operational use, and the consequences in terms of safety. SMGCS stands for aerodrome surface movement, guidance and control system, as specified in [31]. In the simplest form, it consists of painted guidelines and signs, and in the most advanced and complex forms, employs switched taxiway centre lines and stop bars. An SMGCS provides guidance to aircraft movements on the aerodrome surface, and some guidance to vehicles. However, an SMGCS is not always capable of providing the necessary support to aircraft operations in order to maintain the required capacity and safety levels, especially under low visibility conditions. According to [32] and [31], an advanced SMGCS (i.e. an A-SMGCS) is expected to provide adequate and safe capacity in relation to specific weather conditions, traffic density and aerodrome layout. These objectives are to be reached by making use of modern technologies and a high level of integration between the surveillance, control, routing and guidance functions of the A-SMGCS. The two aforementioned documents provide operational and performance requirements to reach these capacity and safety levels. To help airport operators to decide on the level of automation they need in their particular context, ICAO has defined five levels of implementation for particular aerodromes [32]. All four basic A-SMGCS functions (i.e. surveillance, control, routing and guidance) are provided at all levels, but the part played by automation and avionics increases progressively through the levels. Numbered from I to V by ICAO, the implementation levels have been revisited and renumbered from 0 to 4 by EUROCAE and from 0 to IV9 by EUROCONTROL (cf. [31] and [20]). All of them seem to agree that the lowest level is the strict application of SMGCS, according to [31]. 
However, for higher levels, the recommended functional implementations tend to vary considerably, even for basic items. For example, EUROCONTROL cannot see any difference in surveillance between the A-SMGCS levels 1 and 2, whereas ICAO recognises an increased automation of the surveillance function between the A-SMGCS levels II and III. Another major difference is that ICAO links the A-SMGCS implementation levels with the visibility conditions, traffic density and airport complexity, whereas EUROCONTROL focuses more on equipment capability, irrespective of the conditions of use.

9 At the date of this report, the EUROCONTROL notation is not quite stabilised: both levels I, II, III & IV and levels 1, 2, 3 & 4 seem to be used in different documents.

Current practice in R&D (cf. EMMA proposal) has established yet a different terminology, with two groups: A-SMGCS levels 1 & 2, related to surveillance and alerting automation, and A-SMGCS levels 3 & 4, related to planning and guidance automation. EUROCONTROL confirms the grounds for this grouping by recalling that the "main concerns of the levels I and II rely on the improvements of safety, whereas the ground movements efficiency is dealt with in levels III and IV". This grouping has two main advantages. First, the A-SMGCS levels 1 & 2 correspond to the year 2005 state-of-the-art technology, with proven off-the-shelf products from the main ATC industrial companies in Europe. On the other hand, the A-SMGCS levels 3 & 4 reflect more advanced or non-standardised technologies and procedures, appealing more to research laboratories than to airport authorities. Second, the grouping of levels forbids sterile quarrels about which function is or is not part of each equipment implementation level. The functions related to levels 1 & 2 usually correspond to basic A-SMGCS tenders (years 2003-2005). Between level 1 and level 2, the way airport authorities decide where to draw the line will more often be driven by financial capabilities (what can I afford?) than by a fine analysis of weather conditions, traffic density and aerodrome layout.

The point is that the ICAO A-SMGCS implementation levels have been completely assimilated to A-SMGCS functional levels. This is a watershed from which it might be difficult to return. The ICAO document clearly shows that the A-SMGCS functions are progressively automated, shifting from the controller to the equipment. For example, in a level I implementation, surveillance is performed by man; in a level II, surveillance is performed by both man and machine; and in a level III, the surveillance is completely automated. Similarly, EUROCONTROL outlines that in a level II implementation, the control function "will not detect all runway conflicts, but only the more hazardous", whereas in a level III implementation, the control function "will be able to detect any conflict concerning mobiles on the movement area". The allocation of functions to A-SMGCS implementation levels is really a safety issue, where the deal is that "we have to trust the equipment to take over the responsibility for the function". In this respect, it is interesting to note that for ICAO, the control function is never totally transferred to the equipment, but remains shared between the controller and the equipment.

The decision to go forward in automation is clearly related to our understanding of the problem to be solved, and of the potential impacts in terms of safety. Safety assessment, as addressed in this document, is one of the keys to this understanding. Growing automation implies a shift of risk, from people to equipment: procedures must be revised, and a safety assessment must be performed to ensure that the required level of safety is satisfied. With this in mind, it is clear that an A-SMGCS implementation level is not reached when a given function is successfully implemented, but when the risk addressed to both man and machine is successfully managed. And the conclusion will be given by Alan Gilbert, from Park Air Systems: "the levels of implementation should be closely related to the safety criticality of the proposed function, i.e. the more safety-critical a function is, the less likely it is to be implemented in the near future and therefore the higher the implementation level."


1.6.2 A conservative approach

This functional hazard assessment (FHA) and very preliminary system safety assessment (PSSA) applies to a generic advanced surface movement, guidance and control system (A-SMGCS) equipment, as defined by the International Civil Aviation Organisation (ICAO) manual on A-SMGCS [32]. It is therefore impossible to describe the detailed operational scenario or the applicable regulatory framework. However, the reader may refer to [4], which provides a generic operational service and environment description (OSED). In any case, as it concerns safety, the report is conservative, i.e. it relies on the most pessimistic environment assumptions. For example, even though infrequently, poor visibility conditions may occur at an airport having a good visibility conditions parameter. Likewise, the airport saturation level might be high on a certain day at an airport displaying a low airport saturation level. Thus, the hazards are evaluated assuming occurrence in the peak traffic period of the day, on the most crowded day of the year and/or in the worst visibility conditions. The airport complexity level and the A-SMGCS implementation level (between level II and level V) are accounted for in the analysis of the impact of the different hazards. In order not to allocate different severity categories to the same hazard depending on the weather conditions, the complexity of the airport where the A-SMGCS functions will be installed, and the level of automation, we have used the ICAO implementation levels (cf. §1.6.1) as generic implementation scenarios (cf. §1.6.3), and defined a different set of hazards for each implementation scenario.

To reflect the conservative, worst credible case approach, we have used the prescriptive method for setting the safety objectives, as described in chapter 3, guidance material G of the SAM [2]. Another driving force that led us to use this method is that it is easier to apply and requires less time, effort and resources, because it does not require the calculation of the probabilities of the hazard generating the effects (Pe). Indeed, it is assumed that they are somehow considered when deciding the severity class that will lead to setting the safety objective (i.e. they are already embedded in the risk classification scheme).

1.6.3 The ICAO's generic implementation levels applied to EMMA, focusing on the worst credible cases

We recognise that the ICAO implementation levels are only an annex to the ICAO manual on A-SMGCS [32].

[Figure 4, two panels not reproduced: for ICAO implementation levels II and III, the recommended maximum traffic density plotted against airport layout (basic, simple, complex) and visibility conditions (vis 1, vis 2, vis 3).]

Figure 4: Maximum traffic density recommended for ICAO implementation levels II and III


However, we feel that these levels represent a good study case to analyse safety in different generic configurations. For example, Figure 4 above provides the maximum traffic density (light, medium, heavy) recommended for ICAO implementation levels II and III depending on airport layout (basic, simple, complex) and visibility conditions (vis 1, vis 2, vis 3). Similar recommendations are provided in [32] for ICAO implementation levels IV and V. The ICAO implementation levels form a building block of this functional hazard assessment. To avoid confusion with the EUROCONTROL A-SMGCS implementation levels, we have decided (during the 1st EMMA FHA workshop) to refer, in this document, to the ICAO implementation levels by the name scenario implementation levels (SIL). Safety analysis will be performed on the four A-SMGCS scenario implementation levels provided in [32]. In particular, the worst credible case, very important to determine the severity of a hazard, will be determined using the scenario implementation levels. For example, in a SIL III, when visibility conditions 3 occur, the worst case implies (cf. Figure 4 on page 28) medium traffic density if the layout is basic, but only light traffic if the layout is simple. But, depending on the failure under analysis, one may also consider that the worst case occurs in visibility conditions 2, on a complex layout with light traffic, or on a basic layout with heavy traffic. Figure 4 also shows that a SIL III A-SMGCS is not recommended when visibility 3 conditions occur at an aerodrome with a complex layout, and thus this case is excluded from this safety assessment. Continued use of a SIL III A-SMGCS in these conditions would reflect a hazard of the type "abuse of automation".

1.6.4 EMMA scenario implementation levels

The scenario implementation levels (SIL) that have been used for this functional hazard analysis are based on Table 1-1, extracted from Appendix B of the ICAO Advanced Surface Movement Guidance and Control Systems (A-SMGCS) manual. This table is an "example of one means of grouping A-SMGCS implementation into 5 levels that together cover all cases". For each service, it highlights the share of responsibility between the controller, the pilot/vehicle driver and the equipment, i.e. it indicates whether a user can rely on the equipment to provide him / her with given information. The table also gives an indication of the implementation level that would be recommended, depending on the conditions of use of A-SMGCS at a given airport: on a basic, simple or complex airport, with low, medium or high traffic density and during visibility conditions 1, 2, 3 or 4. The SIL that have been analysed in this FHA may slightly differ from the ones that have been defined in the ICAO A-SMGCS manual, to take into account some lack of consistency pointed out by the controllers during the EMMA FHA workshops. However, for the needs of the functional hazard analysis, each SIL has always been carefully defined in order to identify the hazards without ambiguity. The following sections present some hypotheses that have been made in order to complete the definition of the SIL.

1.6.4.1 SIL definitions

1.6.4.1.1 SIL I

This level corresponds to a basic (i.e. not advanced) surface movement guidance and control system implementation scenario. Equipment may be provided for assistance only, but the controller does not rely on it to perform control activities. As has been common practice during the last decades, it has been considered that all levels of operations (i.e. basic, simple, and complex airports and low, medium and heavy traffic) can be used in visibility conditions 1.


Table 1-1: Implementation levels table, extracted from Appendix B of the ICAO A-SMGCS manual

1.6.4.1.2 SIL II

In SIL II, surveillance equipment is added. This equipment provides identification and position data for most mobiles on the manoeuvring area. The controller cannot rely on equipment to perform the initial identification of a mobile and has to use outside view or pilot report to do it. Once the latter has been performed, the equipment is assumed sufficiently reliable to ensure correct tracking of identification and position of mobiles. A surface conflict alert (SCA) function performs conflict detection. Using surveillance data, alerts are generated for mobile conflict and intrusion on runways. Following the conclusions of the 2nd workshop, it has been considered that all levels of operations (i.e. basic, simple, and complex airports and low, medium and heavy traffic) can be used up to visibility conditions 2.

1.6.4.1.3 SIL III

In SIL III, it is assumed that the controller can fully rely on surveillance equipment to perform the initial identification on a mobile, i.e. all mobiles are co-operative. A routing function, associated with a planning function (e.g. electronic stripping) allows the controller to inform the system about the clearances that have been issued.


The surface conflict alert (SCA) function performs conflict analysis and route conformance monitoring. Using surveillance, routing and planning data, alerts are generated for mobile conflict and intrusion on the manoeuvring area and for deviation from the assigned route. Automated conflict resolution is currently unrealistic and has been discarded. Following the conclusions of the 2nd workshop, a manual switch of centre line lights may be implemented, but is considered unrealistic on most airports, due to controller overload. For the needs of this functional hazard analysis (FHA), only manual switching of stop bars and, on pilot request, of centreline lights has been considered. Procedures for operations in visibility condition 3, for instance longitudinal separation on the ground allowing several mobiles to taxi on the same taxiway in visibility condition 3, are implemented. However, due to the intrinsic limitations of manually switched centreline lights, restrictions on the use of taxiways may apply, thus limiting capacity. In visibility condition 3, the pilot is responsible for runway, taxiway and protected area intrusion, but not for conflict detection.

1.6.4.1.4 SIL IV

In SIL IV, automatic switch of centre line lights is implemented. Adapted procedures for full use of airport capacity in visibility condition 3 are defined. In visibility condition 3, the pilot is responsible for runway, taxiway and protected areas intrusion, but not for conflict detection.

1.6.4.1.5 SIL V

In SIL V, on-board equipment (e.g. moving map) provides the pilot with information about the airport layout, current self-position, assigned route, surrounding traffic and conflict, intrusion and route deviation alerts. Adapted procedures for full use of airport capacity in visibility condition 4 are defined. In visibility conditions 3 and 4, the pilot is responsible for runway, taxiway and protected area intrusion, and for conflict detection.

1.6.4.2 Frequently asked questions about scenario implementation levels

Q. In the ICAO A-SMGCS manual table, the pilot is never responsible for the surveillance. However, it is a task of the pilot/vehicle driver to perform surveillance of conflicting aircraft.

A. The surveillance performed by the pilot is not part of A-SMGCS; it is a Communication, Navigation and Surveillance (CNS) task. In the scope of this study, only conflict detection/analysis/resolution by the pilot is assumed to be part of A-SMGCS.

Q. In the ICAO A-SMGCS manual table, operations in visibility condition 3 seem not to be possible for SIL II. However, operations in this visibility condition can be performed using procedural control.

A. In SIL II, it is indeed possible to perform procedural control in visibility condition 3. However, operations are then the same as for SIL I, and possible equipment failures have no impact on safety. Generally speaking, the simple presence of a piece of equipment is not sufficient to state that an airport has reached a given SIL: the airport shall define procedures to use the equipment in the traffic density and visibility conditions associated with the SIL. An obvious consequence is that the performance of the equipment shall be sufficient to allow a safe use of such procedures…

Q. In the ICAO A-SMGCS manual, the limits between low, medium and high traffic are fixed. However, the situation differs from one airport to another, e.g. on a complex airport, 30 movements / hour may be considered as "low". Also, the complexity of an airport may depend on more parameters than the number of runways.

A. The split between low, medium and high traffic may be adapted to the complexity of the airport where the safety assessment is performed, to reflect its real traffic density situation. For the needs of this functional hazard analysis, the complexity of the airport mostly reflects whether there are one or several ground control working positions (CWP):

- basic: one CWP for ground and aerodrome control;
- simple: one CWP for ground control, one CWP for aerodrome control;
- complex: more than two CWP, depending on the number of runways and the size and complexity of the manoeuvring area.

1.6.5 Airborne equipment technologies and flight crew role

The on-board airport navigation system, in particular the moving map function, is the main new equipment that is deemed to improve situational awareness at the pilot's station. The various stages of progressive implementation of such aircraft equipment include:

- stage 1: a basic moving map display to show runways, taxiways and other artefacts (e.g. aprons, stands & gates);
- stage 2: the above moving map display on which the aircraft position and orientation are superimposed (for self-situation awareness);
- stage 3: all of the above plus an indication of the route to follow (point A to B, or successive waypoints), as received from ATC;
- stage 4: all of the above plus the position and identification of all other aircraft, vehicles and obstacles, and basic alerting information (i.e. aircraft versus environment);
- stage 5: all of the above plus the capability of detecting runway/taxiway incursions by its own aircraft;
- stage 6: all of the above plus traffic advisories, the capability of detecting potential ground collisions, and resolution advice to avoid hazards.

All the functions above provide enhanced situation awareness on board, but do not provide aircraft control automation. Advanced concepts may be envisioned for aircraft control automation on the ground, but those concepts are for the time being out of the scope of this study, except for steering and braking cues providing a visual indication to the crew of the taxi route and braking information. Those cues will not be used for guiding the aircraft but for assisting the crew to follow a taxi route. Note that, as a first step, the airport map is not intended to be used for navigation / taxiing, but to check that the believed position is consistent with the displayed position. Discrepancies should be reported by the flight crew. The detailed allocation of on-board applications to the various existing or envisioned on-board computers remains to be defined, together with an adequate cockpit display of traffic information (CDTI) and proper integration of the various aircraft co-operative sensors, e.g. automatic dependent surveillance broadcast (ADS-B), inertial navigation system (INS) / global navigation satellite system (GNSS), very high frequency (VHF) / very high frequency data link (VDL), etc.

1.6.6 Concept of operations and its impact on exposure time

The concept of operations that we foresee for A-SMGCS is as follows:

- In all visibility conditions:
  - A-SMGCS equipment is used to validate positional information and aircraft identification to reduce the overall controller work load and voice communications,
  - A-SMGCS equipment provides a safety net of alerts;
- In normal visibility conditions, A-SMGCS equipment does not interfere with the tower ATC prime responsibility of using normal visual procedures to determine aircraft position, maintain overall situational awareness and ensure spacing between all moving mobiles;
- In low visibility conditions, A-SMGCS equipment is used as the prime means to determine aircraft position, maintain overall situational awareness and ensure spacing between all moving mobiles.


From the above, it is clear that, even when an air traffic control tower is equipped with A-SMGCS equipment, it will not, or only poorly, be used in normal visibility conditions. Thus, the A-SMGCS exposure time is the duration of low visibility conditions at the considered airport.

1.6.7 Follow-up

This functional hazard assessment (FHA) is performed on a generic system. Because they rest upon design and implementation choices, the preliminary system safety assessment (PSSA) and system safety assessment (SSA) cannot be performed on a generic system. As part of the EMMA-2 project, Thales ATM and DSNA will perform a full safety assessment of the Thales ATM A-SMGCS product, STREAMS, together with the related operational procedures devised by DSNA. The EUROCONTROL safety assessment methodology [2] will once again be followed to perform the preliminary system safety assessment (PSSA) step 2, and the system safety assessment (SSA). The Toulouse-Blagnac platform will be used to verify and validate the equipment and procedures. The equipment will comprise a surface movement radar, mode S multilateration, automatic dependent surveillance broadcast, vehicle localizers and driver moving map displays, surface conflict alerting, routing, taxi route conformance monitoring, electronic strips, interoperability with a departure manager, and controller-pilot data link communications. For a full description of the operational scenario at Toulouse-Blagnac for these two following safety assessment steps, please refer to [11]. With the opportunity to record and analyse up to three years of live traffic data, the EMMA and EMMA-2 projects form a unique opportunity to collect evidence that the progressively growing system (with its related procedures) satisfies the end-user's safety objectives, as defined within this document.

1.7 State of the art

1.7.1 A target level of safety for A-SMGCS

Accident statistics, such as those presented in [34], [29] or [30], support the setting of a target level of safety for A-SMGCS. The latter document applies to worldwide commercial jet airplanes that are heavier than 60,000 pounds maximum gross weight. It can be seen from Figure 5 that the "taxi, load & parked" phase of flight represents 5% of the accidents, and 0% of the fatalities. But should the scope of the A-SMGCS safety assessment be extended to include also takeoff, final approach and landing? In that case, these phases of flight together represent 68% of the accidents, and 26% of the fatalities.


Figure 5: Accidents and on-board fatalities by phase of flight, 1994-2003 (as extracted from [34])

From Figure 6, it can be seen that airports and air traffic control (ATC) are the primary cause of the accidents in only 4% of the cases.

Figure 6: Accidents by primary cause, 1994-2003 (as extracted from [34])


In EMMA, for diverse financial, timing and resource availability reasons, the study of the most recent accident statistics could not be performed. It was therefore decided to work with the ICAO target level of safety for A-SMGCS. The ICAO manual on A-SMGCS [32] states in §4.1.1.2 and §4.1.1.3: "A-SMGCS target level of safety should be 1 × 10^-8 (per operation). The function risk has been estimated as:

a) guidance: 3.0 × 10^-9 per operation;
b) surveillance: 3.0 × 10^-9 per operation;
c) control: 3.0 × 10^-9 per operation; and
d) routing: 1.0 × 10^-9 per operation."

The manual provides the rationale behind those figures: starting from the generally accepted 10^-7 value as the target level of safety for the entire flight operation, that appendix discusses how a portion (i.e. 10^-8) of this TLS was allocated to the A-SMGCS taxi phase.

1.7.2 The AGATE functional hazard assessment

The Eurocontrol AGATE project was never a formal project and the documents it produced have no official status. However, the AGATE functional hazard assessment report ([21], [2]) is the first significant work in A-SMGCS functional safety assessment. It is therefore interesting to recall here the differences in the scope of the two studies (cf. §1.7.2.1), and the main AGATE conclusions (cf. §1.7.2.2).

1.7.2.1 Synthesis of the AGATE scope

AGATE focused on A-SMGCS equipment only. The following table provides a synthetic view of the functional decomposition of AGATE, as available in Appendix 3 of [21] or chapter 4 of [2].

AGATE function: Level 0 | Level 1 | Level 2 | Functional configurations
Surveillance (AWARE) | Tracks data fusion | | All
Surveillance (AWARE) | Tracks data fusion | Velocity assessment | All
Surveillance (AWARE) | Tracks data fusion | Association | All
Surveillance (AWARE) | Surveillance enhancement | Key events detection | All
Surveillance (AWARE) | Surveillance information distribution | | All
Control / Monitoring (ALERT) | Runway incursion detection | | All
Control / Monitoring (ALERT) | Short term conflict detection | | F2, F3, F4
Control / Monitoring (ALERT) | Runway incursion resolution | | F5
Control / Monitoring (ALERT) | Short term conflict resolution | | F5
Guidance (GUIDE) | Guidance command & distribution | | All
Guidance (GUIDE) | Guidance acquisition & processing | | F4, F5
Routing / Planning / Conformance monitoring (SMAN) | Key events prediction | | All
Routing / Planning / Conformance monitoring (SMAN) | Nose-to-nose conflict free route elaboration | | F4
Routing / Planning / Conformance monitoring (SMAN) | 4D conflict-free route elaboration | | F5
Routing / Planning / Conformance monitoring (SMAN) | Route conformance monitoring | | F5

Table 1-2: Synthesis of the AGATE functional decomposition

The boundaries of the AGATE system are sketched in Figure 7.


The main differences with the EMMA scope are as follows:

- in EMMA, the sensors and related radar data processing systems (RDPS) are seen as an integral part of the A-SMGCS, the interface being reduced to adjacent (i.e. APP or ACC) radar data processing systems;
- in EMMA, the flight data processing related to ground movement is seen as an integral part of the A-SMGCS, the interface being with external adjacent (i.e. APP or ACC) flight plan data processing systems;
- in EMMA, the A-SMGCS controller working position (CWP) is seen as an integral part of the system.

Figure 7: Synthesis of the AGATE system boundaries (block diagram showing AGATE and its external interfaces: CWP, DMAN, AMAN, visual aids, airport management system, FDPS, RDPS, surveillance sensors, aircraft cockpit, vehicles, airport operator, aircraft operator and meteorological information)

1.7.2.2 The AGATE conclusions

1. None of the identified AGATE hazards involves a catastrophic severity. In case of degradation or loss of one or several capabilities provided by the AGATE assistance tools, the controller still has the possibility¹⁰ to communicate with pilots by RTF in order to instruct them or to acquire information about their intentions and position. Moreover, unlike air control, the ground control allows for the stopping of traffic if the criticality of a situation justifies it.

2. Generally, the loss or degradation of functions which result in early detected loss or degradation of various capabilities provided to users may involve a major severity at most, while the undetected loss or degradation of function (e.g. corruption of output data), where no means exist to make users aware about the degradation of capabilities they are using, might involve a hazardous severity as well. A deviation from this rule is observed for the failures resulting in a loss to provide localisation information (and subsequently, runway incursion and conflict alert) to both controller and traffic components, when airport complexity level is high. In that case it is pessimistically assumed that controller workload is too high to allow application of contingency separation measures without serious risk of collision.

3. More sophisticated functional configurations, resulting from the need to allow control of high levels of traffic under poor visibility conditions, involve generally a higher dependence of controller and pilots on capabilities provided by AGATE assistance tools. In case of failure, traffic is much higher than the level allowing a safe air traffic service using classical means and procedures, on one hand, and users are less familiar with these classical means, as they will seldom use them, on the other hand. Moreover, information needed to support the transfer from the normal to the fallback (classical) mode of operation should be available to the controller. Consequently, more sophisticated functional configurations might involve failure conditions with more important safety consequences. Meanwhile, differences are not always significant enough to allocate different severity categories.

4. Unlike the functional configurations, the airport complexity level is not determinant for the failure conditions identification. Meanwhile, this parameter plays an important role in the allocation of severity categories to certain types of failure conditions. It is generally the case for those failure conditions that result in a significant increase in the controller and/or pilot workload until traffic is reduced or service restored. In addition, it may also be the case of those failure conditions leading to an increase of the controller error probability when the airport is complex.

¹⁰ EMMA team comment: the controller has this possibility only if he knows that there is a failure.


5. As expected, AWARE exhibits the greatest number of severe (Hazardous, Major) failure conditions. As AGATE functions will be used in all conditions of visibility, localisation and identification information is crucial for assuring a safe control. Moreover, this information is the basic input for the rest of the AGATE functions.

6. ALERT exhibits a significant number of Hazardous failure conditions. Some of them concern the non-detection (including the late detection) of runway incursions or short-term conflicts, which might result from the corruption of the detection mechanisms or from the unreliability of the detection algorithms. The rest of the Hazardous failure conditions concern the most sophisticated functional configuration only (F5), where the corruption of the conflict resolution mechanisms leads to the provision of misleading critical information to GUIDE, which will use it for issuing stop bars automatic commands. Meanwhile, many ALERT failure conditions have a major severity, as this function provides a last "safety net" against the collisions.

7. Only a particular type of failure condition in GUIDE is estimated to be hazardous. It concerns the undetected corruption of the functions involved in the acquisition, processing, delivery and distribution of the commands to the visual aids (including stop bars). It is assumed, in a pessimistic perspective, that following an erroneous guidance command, even if the runway incursion or short-term conflict alert is still available, a high risk of collision subsists in some specific situations where time is too short to take into account that alert (e.g. an aircraft cleared to cross a runway using a stop bar, while the runway is in use by another aircraft taking-off or landing). Meanwhile, GUIDE exhibits a significant number of major hazards, arising in sophisticated functional configurations and/or complex airports, where controllers and pilots are fully relying on the automatic guidance based on routes elaborated by SMAN and validated by a controller and, additionally, pilots dispose of a moving map in the cockpit. In case of a loss of these capabilities, the ability to maintain a safe air traffic service will be compromised and contingency separation measures will have to be applied.

8. As expected, SMAN is less critical than the other AGATE functions (no Hazardous failure condition). Meanwhile, in the most sophisticated functional configurations and when airport complexity level is high, SMAN exhibits several major hazards. These hazards address the risk of providing undetected corrupted information (predicted key events, elaborated routes) to GUIDE. If not detected by controllers in the route validation process, this might result in erroneous automatic guidance.
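AGATE's second conclusion draws the line between detected and undetected degradation: a corruption of output data that nothing makes the user aware of is rated hazardous, and the EMMA team's footnote to the first conclusion makes the same point about the controller's fallback to RTF. The following is an added illustration, not code from AGATE, EMMA, Thales or the ICAO manual, of a continuous validation step on a surveillance track feed that turns silent corruption into an indicated failure. The track format, the thresholds (2 s freshness, 80 m/s plausibility bound) and the sample feeds are constructed assumptions.

```python
"""Continuous validation of a surveillance track feed (added illustration).

Not code from AGATE, EMMA, Thales or ICAO. Each update carries a track identity,
a timestamp and a position in a local aerodrome frame. The monitor latches the
feed into the "safe" (not usable) state and records an alert when updates stop
arriving, arrive out of order, or imply a displacement no aircraft or vehicle
could make on the ground. Thresholds and the track format are assumptions."""
from dataclasses import dataclass, field
import math

MAX_UPDATE_AGE_S = 2.0       # assumed: a track not refreshed within 2 s is stale
MAX_GROUND_SPEED_MPS = 80.0  # assumed: above any plausible taxi or roll-out speed


@dataclass
class TrackUpdate:
    callsign: str
    t: float  # seconds since feed start
    x: float  # metres, local aerodrome frame
    y: float


@dataclass
class FeedStatus:
    usable: bool
    alerts: list = field(default_factory=list)


class IntegrityMonitor:
    """Latches on the first failure: a feed whose integrity is in doubt stays
    unusable until an explicit restart, rather than flipping back to usable
    as soon as the next plausible update happens to arrive."""

    def __init__(self):
        self._last = {}    # callsign -> last accepted update
        self._alerts = []
        self._failed = False

    def _fail(self, msg):
        self._failed = True
        self._alerts.append(msg)

    def ingest(self, u: TrackUpdate) -> None:
        prev = self._last.get(u.callsign)
        if prev is not None:
            dt = u.t - prev.t
            if dt <= 0:
                self._fail(f"{u.callsign}: out-of-order or duplicate report at t={u.t}")
                return
            speed = math.hypot(u.x - prev.x, u.y - prev.y) / dt
            if speed > MAX_GROUND_SPEED_MPS:
                self._fail(f"{u.callsign}: implausible displacement ({speed:.0f} m/s) at t={u.t}")
                return  # the suspect report is not accepted as the new reference
        self._last[u.callsign] = u

    def status(self, now: float) -> FeedStatus:
        """Status presented to the user at time `now`; stale tracks fail the feed too."""
        for cs, u in self._last.items():
            if now - u.t > MAX_UPDATE_AGE_S:
                self._fail(f"{cs}: no report for {now - u.t:.1f} s")
        return FeedStatus(usable=not self._failed, alerts=list(self._alerts))


def run_feed(updates, now: float) -> FeedStatus:
    """Push a sequence of reports through a fresh monitor and return the final status."""
    m = IntegrityMonitor()
    for u in updates:
        m.ingest(u)
    return m.status(now)


# Constructed sample feeds: a nominal taxi at 10 m/s along the x axis, and the same
# feed with one report displaced by about 900 m (a false target carrying the
# track's identity), which must be flagged rather than displayed.
NOMINAL = [TrackUpdate("ABC123", float(t), 100.0 + 10.0 * t, 50.0) for t in range(6)]
CORRUPTED = NOMINAL[:3] + [TrackUpdate("ABC123", 3.0, 1030.0, 50.0)] + NOMINAL[4:]

if __name__ == "__main__":
    for name, feed in (("nominal", NOMINAL), ("corrupted", CORRUPTED)):
        s = run_feed(feed, now=5.0)
        print(name, "usable" if s.usable else "NOT usable", s.alerts)
    print("nominal, 4 s later:", run_feed(NOMINAL, now=9.0).alerts)
```

The latch is the point of the design: once a report has failed validation, the user sees an explicit "not usable" status and a reason, instead of a display that looks normal while carrying corrupted positions.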

1.7.3 A-SMGCS levels 1 and 2 preliminary safety case by EUROCONTROL

EUROCONTROL has launched a Task Requirements Sheet (EATMP-TRS003/04), whose main objective is to produce a safety case for A-SMGCS levels 1 & 2, proving that the concepts and procedures are safe for implementation throughout the European Civil Aviation Conference states. The final results have been reported in [27] since October 2005. At the time of writing, although the EUROCONTROL document remains a draft, it is version 1.0 and will not change¹¹. Publication is expected to occur after the Safety Regulation Commission (SRC) meeting in February 2006.

1.7.3.1 Executive summary

The following executive summary is copied from [27].

The A-SMGCS preliminary safety case evaluates whether the EUROCONTROL levels 1 and 2 A-SMGCS concept and specifications can be safely implemented. This is to support the EUROCONTROL Airports Programme in the validation of the concept. The A-SMGCS preliminary safety case has been developed based on the generic EUROCONTROL concept and a representative A-SMGCS implementation in Europe (London Heathrow). The safety analysis was performed by applying the EUROCONTROL safety assessment methodology (SAM). Throughout the whole process, stakeholders have participated in a number of workshops to validate the approach, assumptions and results of the analysis.

¹¹ Since EUROCONTROL were not able to demonstrate the feasibility of Level 2 A-SMGCS (at Heathrow), EUROCONTROL will update this aspect later in 2006 (following improvements to the Heathrow Level 2 system), which will result in a version 2.0 of the current document.


Assumptions

The A-SMGCS preliminary safety case has been developed based on a number of assumptions. The results of the A-SMGCS preliminary safety case are only valid if these assumptions are valid. As such, when stakeholders develop their local safety cases then all the assumptions shall be validated. The key assumptions relate to:

- weather (the proportion of time an airport is in visibility condition 1, 2, 3 or 4);
- airport layout (the proportion of time an aircraft is on the taxiway or runway);
- controller performance (the detection rate of an A-SMGCS failure);
- the architecture and performance of a typical A-SMGCS (in this case LHR).

The evidence to support the argument has been developed, in part, based on a ‘case study’. Stakeholders should review all the assumptions regarding LHR evidence to ensure it remains valid for their local implementation.

Conclusions

The A-SMGCS preliminary safety case has shown that the safety requirements for A-SMGCS level 1 can be implemented. The A-SMGCS preliminary safety case has shown that the A-SMGCS level 2 concept safety requirements are currently not achieved at LHR. This does not mean that the concept is unsafe but rather that the implementation has not achieved the required performance. This is recognised by NATS and since the installation of A-SMGCS at Heathrow, NATS have observed that the runway incursion monitoring false alarm rate does not meet their safety requirement for the conflict prediction function. This is primarily due to the way the system handles multipath from the single SMR. For this reason, conflict alerts are not currently presented on the controller display. A project is underway to add two new SMRs, and to upgrade the data fusion system, so that false targets from the sensors do not generate runway incursion monitoring false alerts. It is expected that the safety requirement for conflict prediction will then be met.

1.7.3.2 Commonalities and differences with the EMMA work

The work done in the EATMP-TRS003/04 is very similar to the work done in EMMA. On the 15th September 2005, a cross-presentation of the EMMA and EUROCONTROL work was performed in Brussels. The participants of the meeting were Morten Jensen (EC, EMMA project officer), Chris Machin (Helios, main author of the EUROCONTROL safety case), Paul Adamson and Jean-Pierre Lesueur (Eurocontrol), Stéphane Paul (TATM, main author of EMMA functional hazard assessment), and Jörn Jakobi (DLR, EMMA concept work-package leader). The main discussions of the meeting are reported below.

It was recalled that the EMMA functional hazard assessment (FHA) excludes avionics. Focus is on hazards whose origins are related to ground equipment (i.e. ground equipment failures), but the hazards are expressed at the boundary of the system, which encompasses human and procedure elements. The Eurocontrol FHA includes avionics (at least the transponder), environmental description of the airport, and the air traffic controllers, but hazards relate only to A-SMGCS equipment and are expressed at the boundary of that equipment. Hazards are mainly “loss” and “corruption”, which are comparable to the EMMA equipment failure modes. Therefore, whilst Eurocontrol will consider the "corruption of the surveillance data" as a hazard, and the "misuse of that data by the controller" as one of the effects, EMMA will consider "misuse of corrupted surveillance data by the controller" as a hazard, and the consequences on aircraft operations as the effects.

The EMMA FHA is a generic FHA covering all 5 ICAO implementation levels (that are used to describe different scenarios related to levels of automation, visibility, airport complexity and traffic density) concentrating on the possible worst-case scenarios. On the other hand, the Eurocontrol safety case is not only a FHA: it is a preliminary safety case related to Heathrow airport and its level 1&2 system. Routing, guidance, and onboard services are not included.
The EMMA FHA has not identified any hazard in good visibility scenario implementation level (SIL) 2. The Eurocontrol safety case has identified a severity 3 hazard related to undetected corrupted surveillance for aircraft located on the runway, and a severity 2 hazard related to undetected corrupted conflict prediction for aircraft located on the runway in the same visibility conditions. This is clearly related to different expectations on the procedures that will be used – cf. discussion in §1.5.3.

The main EMMA results are safety objectives related to equipment – and the next steps (PSSA and SSA) will be to make sure that the Thales A-SMGCS equipment is sufficiently safe (in terms of design and implementation) to fulfil these safety objectives. The overall objective of the Eurocontrol work was to prove that the Eurocontrol levels 1 & 2 concept is safe. Eurocontrol included the different visibility conditions and focussed on the sensor and alerting systems (i.e. levels 1 and 2 according to Eurocontrol). The safety case leans on the Heathrow design, implementation and environment for the PSSA and SSA steps.

The Eurocontrol level 2 corresponds very much to the ICAO level II. Both Eurocontrol and EMMA have identified a worst severity hazard rated “hazardous” (or severity 2) for these levels: this is an important point of consistency between the two studies. EMMA has shown a severity increase to “catastrophic” (severity 1) for levels III and IV.

It was outlined that both EMMA and EUROCONTROL had worked on the risk and severity table. The higher the severity class of an accident, the lower must be the probability of occurrence. This relation is estimated by the factor 10² for each severity level by Eurocontrol. EMMA has used the same process, but with a different scale.

Eurocontrol estimates that 90% of all accidents are related to aerodrome movements. The EMMA FHA uses the ICAO A-SMGCS TLS, but has shown, using a different set of statistics, that only 68% of all accidents are related to aerodrome movements (in a large acceptance including takeoff, final approach and landing), of which only 4% have ATC as primary cause.

EUROCONTROL identified 10 hazards and built up event trees with respect to visibility conditions (e.g.
1% of visibility conditions 3), aircraft on the different parts of the tarmac (e.g. 8% of the time on runways), and failure detected (e.g. 99%) or not (e.g. 1%) by the ATCO. This processing of exposure time and mitigation means reflects the reduction of the probability of occurrence (Pe) of the hazard effects in different conditions (e.g. 1% * 8% * 1% for an undetected hazard affecting an aircraft on a runway in bad visibility conditions). EMMA has used a different approach focused on the worst credible case: in EMMA, the probability that an aircraft will be on a runway in bad visibility conditions is 100% on a day with bad visibility conditions, because the flight will not be postponed and because the aircraft has to use the runway to take off. These different approaches may greatly impact the assessment of the safety objectives.

Relating to the EUROCONTROL PSSA, safety requirements were allocated arbitrarily and evenly to the equipment boxes. At Heathrow the surveillance performance was proved to meet all safety requirements, but conflict detection does not. Heathrow is currently in the process of procuring new SMR to reach the level 2 implementation safety objectives.

So, the main differences between the EMMA and EUROCONTROL work were summarized as follows:

- EMMA looked only to the worst-case scenarios so that the TLS could be verified for every individual movement; Eurocontrol had a global approach, which satisfies a global TLS (for all movements over one year); thus EMMA will naturally result in much more stringent safety objectives;
- EMMA looked to ICAO implementation levels I to V, Eurocontrol looked to their own implementation levels 1 & 2 – thus, the scope of EMMA is broader and complements Eurocontrol in this way;
- EMMA has performed an FHA only, versus a complete safety case for Eurocontrol (London-Heathrow case); the EMMA work will be extended to a complete safety case during EMMA-2, using the Toulouse-Blagnac set-up and environment;
- EMMA has identified hazards caused by equipment failures but expressed at the boundary of the system (incl. people and equipment) – Eurocontrol has identified hazards at the boundary of the equipment;
- Eurocontrol has used a top-down approach; EMMA has used a bottom-up approach;
- Eurocontrol has worked on the computation of the target level of safety (TLS), EMMA has taken the ICAO TLS value for granted;
- EMMA has opened the door for FHAs related to people and procedures (by stressing its focus on equipment related hazards) – the theme is not mentioned by Eurocontrol;
- the primary objective with Eurocontrol was to show that the concept is safe and secondly to give a local stakeholder a generic approach to prove that their system is safe – the primary objective of the EMMA FHA shall be similar, but for all levels, once EMMA-2 is complete.

1.7.4 Operational hazard assessment by the C-ATM project

Co-operative Air Traffic Management (C-ATM) is a research project supported by the European Commission Directorate General "Transport and Energy" within the 6th Framework Programme. C-ATM is an Integrated Project addressing improvements in the Air Traffic Management system. It aims at optimising task distribution between actors, improving decision making through Collaborative Decision Making principles and the development of an information network, reducing uncertainty, increasing safety and creating additional capacity. In [35], based on use-cases describing the sequences of operations between key ATM actors, the entire C-ATM concept has been analysed for hazard potential. Credible hazards have been identified via a range of methods, but principally have relied on the use of subject matter experts and safety assessor expertise. The descriptions therefore remain at a very high level and cannot be directly compared to the analysis in this document. C-ATM hazards have been classified in terms of severity and frequency. These classifications should be seen as preliminary indications by expert judgement of the relative risk of the various hazards - their absolute risk requiring further study. However, it is to be noted that the worst severity assigned to hazards is 3 (i.e. major); this contrasts greatly with the severity 1 (i.e. catastrophic) assigned to some hazards herein. C-ATM hazards have been linked to an extended Integrated Risk Picture (IRP) model. The hazards and risk mitigation measures identified give a first picture of the risk of the C-ATM services, and show where more study, and perhaps safety investment, should be considered. According to the authors, the next stage is to gain feedback from the stakeholders on this operational hazard assessment (OHA), in order to refine this ATM system-wide risk picture.

1.7.5 The FHA of Maastricht upper area control centre

The Maastricht upper area control centre (MUAC) functional hazard assessment (FHA) report [25] does not deal with A-SMGCS, but it includes an equivalence study between the ESARR 4 [19] and the NATS hazard severity categorisation schemes. The document recalls that the ESARR 4 provides the basis of a risk classification scheme by defining 5 severity levels and a maximum rate of the worst category – the accident, known as a severity class 1 (SC1) event, but:

- it does not currently specify maximum rates for SC2 to SC4 events, although it recognises that such maxima need to be specified;
- although it is intended for a priori analysis, it defines the hazard outcomes (at least in its use of examples) in terms of fully developed events.

The MUAC FHA then argues that it is not always possible to be so categorical about the possible consequences of a hazard; rather, it is often necessary to limit the analysis to undeveloped outcomes (SCU2, SCU3, SCU4), which define merely the effect of the hazard on the ability to maintain separation. The latter approach is that which has been adopted by NATS Ltd for UK airspace, for a number of years, and is the basis for the extension to the ESARR 4 scheme that is proposed. Thus, the comprehensive expression is defined as follows:

Pr(SC1) + Pr(SCU2) / 100 + Pr(SCU3) / 1000 + Pr(SCU4) / 100000

A similar approach has been used in the EUROCONTROL A-SMGCS safety case (cf. §1.7.3).
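The exposure-weighted event-tree probabilities of §1.7.3.2 and the severity-weighted expression above both reduce a set of hazard probabilities to a single figure that is compared with a target. The following Python is an added worked example, not code from EMMA, EUROCONTROL, NATS or the MUAC FHA. It uses only figures quoted in this section (the ICAO TLS and its per-function allocation, the 1% / 8% / 1% conditioning factors, the 100 / 1000 / 100000 divisors); the per-class rates passed to `weighted_risk` in the usage are constructed inputs.

```python
"""Risk budgeting helpers for the figures quoted in this section (added example).

Not code from EMMA, EUROCONTROL, ICAO, NATS or the MUAC FHA. Three things are
shown: the ICAO per-function allocation adds up to the A-SMGCS TLS; the
EUROCONTROL global (exposure-weighted) approach and the EMMA worst-credible-case
approach lead to very different safety objectives for the same target; and the
NATS-style severity-weighted sum collapses per-class rates into one SC1-equivalent
figure. Sample per-class rates are constructed."""

# ICAO A-SMGCS target level of safety and its per-function allocation (per operation)
ICAO_TLS = 1e-8
ICAO_FUNCTION_RISK = {
    "guidance": 3e-9,
    "surveillance": 3e-9,
    "control": 3e-9,
    "routing": 1e-9,
}


def allocation_is_consistent(tls=ICAO_TLS, allocation=ICAO_FUNCTION_RISK, tol=1e-12):
    """True when the per-function budgets add up to the overall target."""
    return abs(sum(allocation.values()) - tls) <= tol


def exposure_probability(factors):
    """Event-tree style probability that a hazard occurrence produces the adverse
    effect: product of independent conditioning factors (visibility, location on
    the movement area, non-detection by the ATCO, ...)."""
    p = 1.0
    for f in factors:
        p *= f
    return p


def max_hazard_rate(target, effect_probability):
    """Largest hazard occurrence rate that still meets `target`, given that only the
    fraction `effect_probability` of occurrences leads to the adverse effect."""
    return target / effect_probability


# EUROCONTROL-style global factors quoted in the text: 1% of the time in visibility
# condition 3, 8% of the time on a runway, 1% of failures undetected by the ATCO.
EUROCONTROL_FACTORS = (0.01, 0.08, 0.01)
# EMMA worst credible case: on a bad-visibility day the aircraft does use the
# runway, so the exposure is taken as 100%.
EMMA_FACTORS = (1.0,)


def compare_approaches(target=ICAO_TLS):
    """Safety objective (max hazard rate per operation) under the two approaches."""
    p_global = exposure_probability(EUROCONTROL_FACTORS)
    p_worst = exposure_probability(EMMA_FACTORS)
    global_obj = max_hazard_rate(target, p_global)
    worst_obj = max_hazard_rate(target, p_worst)
    return {
        "global_effect_probability": p_global,
        "global_objective": global_obj,
        "worst_case_objective": worst_obj,
        "stringency_ratio": global_obj / worst_obj,  # how much tighter EMMA's objective is
    }


# Divisors of the extended ESARR 4 expression as written in the MUAC FHA:
# Pr(SC1) + Pr(SCU2)/100 + Pr(SCU3)/1000 + Pr(SCU4)/100000
SEVERITY_DIVISORS = {"SC1": 1, "SCU2": 100, "SCU3": 1000, "SCU4": 100000}


def weighted_risk(rates):
    """Collapse per-class rates into one SC1-equivalent rate using the divisors above;
    classes missing from `rates` count as zero."""
    return sum(rates.get(cls, 0.0) / div for cls, div in SEVERITY_DIVISORS.items())


def meets_target(rates, target):
    """True when the SC1-equivalent rate is within the SC1 maximum rate `target`."""
    return weighted_risk(rates) <= target


if __name__ == "__main__":
    print("ICAO allocation consistent:", allocation_is_consistent())
    for k, v in compare_approaches().items():
        print(f"{k}: {v:.3e}")
    # Constructed per-class rates: each class contributes 1e-9 SC1-equivalent.
    sample = {"SC1": 1e-9, "SCU2": 1e-7, "SCU3": 1e-6, "SCU4": 1e-4}
    print("weighted risk:", weighted_risk(sample), "meets 1e-8:", meets_target(sample, 1e-8))
```

With the quoted factors the global approach accepts a hazard rate 125,000 times higher than the worst-case approach for the same per-operation target, which is the quantitative content of the remark that "EMMA will naturally result in much more stringent safety objectives".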


1.7.6 Safety assessment for on-board equipment

The approach to on-board system safety differs essentially from approaches taken for air traffic or airline operations in terms of applicable regulations and industry standards that are used as the reference guidelines. A summary of the state-of-the-art approach to safety assessment for on-board equipment can be found in the EMMA general safety concept document [6], and in particular in §4.2 related to the aircraft system domain. Please refer to that document for full details.

The authors would also like to bring the readers' attention to the safety analysis work performed by the Delft University of Technology (TUDelft) as part of the Safe Airport Navigation (SAN) project. Erik Theunissen, G. J. M. Koeners, F. D. Roefs and R. M. Rademaker have designed and evaluated an electronic flight bag (EFB) application for surface navigation, and:

- listed the different errors that may occur during surface navigation, and organized these in a diagram showing how they may lead to an incident or accident;
- explained how a moving map display (with / without routing) decreases the chance of occurrence of these errors, and increases the chance that they are timely detected;
- analyzed the failure modes added by the surface guidance system, and the possible consequences thereof by means of a fault tree analysis.

The research team concluded that a surface guidance system adds considerably to awareness of position, and possibly routing, traffic and obstacles as well, thereby increasing safety (i.e. the concept is safe). Conformance monitoring and alerting functions increase safety even further. However, the occurrence of an integrity failure may cause an incident with an aircraft at an un-cleared position on the airport.

With the permission of TUDelft, an extract of a paper presented at the 24th Digital Avionics Systems Conference, on 30 October 2005, is given below. The paper by E. Theunissen, G.J.M. Koeners, F.D. Roefs (Delft University of Technology, Delft, The Netherlands), P. Ahl (AVTECH, Sweden) and O. F. Bleeker (Rockwell Collins) is entitled "Evaluation of an electronic flight bag with integrated routing and runway incursion detection functions". The extract focuses on the potential of the electronic flight bag (EFB) to increase safety.

Figure 8 shows three [pilot] errors that can be made during taxiing: a control error (e.g. steering into the grass); a navigation error (e.g. taxiing onto the wrong taxiway); and a clearance violation such as an unauthorized hold crossing. There is an important difference between a navigation error and a clearance violation on the one hand, and a control error on the other. A navigation error can be seen as a spatial deviation from the planned route, while an unauthorized hold crossing results in an un-cleared position on the planned route.

Figure 8: Three kinds of pilot errors during taxiing

The result of either is that the aircraft ends up at an un-cleared position. In contrast, a control error is a deviation from the centreline, with the aircraft still at a cleared part of the planned route. Furthermore, errors can arise during the planning, communication, interpretation, and memorizing of routing instructions. Again, these errors ultimately lead to the aircraft being at an un-cleared position. Figure 9 shows how different types of errors during or prior to taxiing may lead to incidents¹² and subsequently an accident¹³. The diagram is probabilistic; the grey bars attached to the boxes (representing a certain occurrence) and arrows (representing a causal relation) are probability bars. The height of these bars is not based on quantitative data, and should be interpreted on an ordinal scale level. The incidents are indicated with the orange blocks, the accident with the red block. Note that with the control error, the resulting situation is not classified as an incident. Although a control error may cause significant economical damage, it is assumed that the effect of the control error will be noticed long before separation with other vehicles becomes an issue and the pilot stops the aircraft. A navigation error can exist much longer before being noticed.

¹² An occurrence other than an accident, associated with the operation of an aircraft, which affects or could affect the safety of operations [NTSB].

¹³ An occurrence associated with the operation of an aircraft which takes place between the time any person boards the aircraft with the intention of flight and all such persons have disembarked, and in which any person suffers death or serious injury, or in which the aircraft receives substantial damage [NTSB].

Figure 9: From error, to incident, to accident

Figure 10 (Figure 4 in the original paper) shows the same diagram with separate probability bars for three situations:

1. current situation;
2. situation with moving map display;
3. situation with moving map display with routing information.

As shown in Figure 10, a moving map display (situation 2) reduces the chance of an incident or accident through its positive influence on position awareness. The impact of a moving map display with routing (situation 3) is larger, since it not only improves position awareness, but route awareness as well. Furthermore, it allows for a route conformance monitoring function and an alerting function, decreasing the chance that a path/route deviation or a clearance violation remains unnoticed. Again, the probability bars are not representative of any quantitative data, but show probabilities on an ordinal scale.


Figure 10: Influence of an electronic map and routing information on safety

In case routing information is available, the basis for alerting is the difference between the actual and the desired position. With a hold crossing, this will only generate an alert after the violation has occurred. By using a predictive warning scheme that estimates whether with the current direction and velocity a violation will take place within a certain time, a warning can be provided that should allow the pilot to prevent the actual violation. The same concept can be applied to control and navigation errors. This additional reduction in likelihood that a potential incident turns into an actual incident is indicated by the blue bars in Figure 10.
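As an added example of the difference between the reactive and the predictive alerting schemes just described (not code from TUDelft, the SAN project or EMMA): the hold line is a segment in a local 2-D aerodrome frame in metres, the aircraft is a point with ground speed and track, and the 20 s look-ahead, the coordinates and the clearance flag are assumptions.

```python
"""Reactive versus predictive hold-line alerting (added illustration).

Not code from TUDelft, the SAN project or EMMA. The hold line is a segment in
a local 2-D aerodrome frame (metres); the aircraft is a point with ground
speed and track. The predictive scheme extrapolates the current velocity and
warns when an uncleared crossing is expected within a look-ahead window; the
reactive scheme only alerts once the aircraft is already on the runway side.
Look-ahead, coordinates and the clearance flag are assumptions."""
from dataclasses import dataclass
import math

LOOKAHEAD_S = 20.0  # assumed predictive horizon


@dataclass
class HoldLine:
    x1: float
    y1: float
    x2: float
    y2: float
    protected_sign: int  # value returned by side_of() for points on the runway side


@dataclass
class AircraftState:
    x: float
    y: float
    track_deg: float  # direction of motion, 0 = +y, clockwise positive
    speed_mps: float


def side_of(hold: HoldLine, x: float, y: float) -> int:
    """Which side of the (infinite) hold line a point lies on: -1, 0 or +1."""
    dx, dy = hold.x2 - hold.x1, hold.y2 - hold.y1
    cross = dx * (y - hold.y1) - dy * (x - hold.x1)
    return (cross > 0) - (cross < 0)


def time_to_cross(hold: HoldLine, ac: AircraftState):
    """Seconds until the straight-line path crosses the hold-line segment, or None
    when the aircraft is stopped, moving parallel or away, or would miss the segment."""
    if ac.speed_mps <= 0:
        return None
    th = math.radians(ac.track_deg)
    vx, vy = ac.speed_mps * math.sin(th), ac.speed_mps * math.cos(th)
    dx, dy = hold.x2 - hold.x1, hold.y2 - hold.y1
    denom = vx * dy - vy * dx
    if abs(denom) < 1e-9:
        return None  # parallel to the hold line
    # Solve ac + v*t == p1 + d*s for (t, s) by Cramer's rule
    rx, ry = hold.x1 - ac.x, hold.y1 - ac.y
    t = (rx * dy - ry * dx) / denom
    s = (rx * vy - ry * vx) / denom
    if t < 0 or not 0.0 <= s <= 1.0:
        return None
    return t


def reactive_alert(hold: HoldLine, ac: AircraftState, cleared: bool) -> bool:
    """Alert only after the fact: the aircraft is on the runway side without clearance."""
    return (not cleared) and side_of(hold, ac.x, ac.y) == hold.protected_sign


def predictive_warning(hold: HoldLine, ac: AircraftState, cleared: bool,
                       lookahead: float = LOOKAHEAD_S):
    """Seconds until an expected uncleared crossing when it falls within `lookahead`,
    0.0 when the crossing has already happened, None when no warning is due."""
    if cleared:
        return None
    if side_of(hold, ac.x, ac.y) == hold.protected_sign:
        return 0.0
    t = time_to_cross(hold, ac)
    return t if t is not None and t <= lookahead else None


# Constructed scenario: hold line across a taxiway at y = 100 m, runway to the north.
SAMPLE_HOLD = HoldLine(-30.0, 100.0, 30.0, 100.0, protected_sign=1)
APPROACHING = AircraftState(0.0, 0.0, track_deg=0.0, speed_mps=10.0)   # crosses in 10 s
SLOW = AircraftState(0.0, 0.0, track_deg=0.0, speed_mps=2.0)           # crosses in 50 s
PARALLEL = AircraftState(0.0, 0.0, track_deg=90.0, speed_mps=10.0)     # never crosses
CROSSED = AircraftState(0.0, 120.0, track_deg=0.0, speed_mps=10.0)     # already across

if __name__ == "__main__":
    for name, ac in (("approaching", APPROACHING), ("slow", SLOW),
                     ("parallel", PARALLEL), ("crossed", CROSSED)):
        print(name, "reactive:", reactive_alert(SAMPLE_HOLD, ac, cleared=False),
              "predictive:", predictive_warning(SAMPLE_HOLD, ac, cleared=False))
```

For the approaching aircraft the reactive check stays silent until the line is crossed, while the predictive check reports a crossing 10 s ahead, which is the margin the pilot needs to stop short; the slow and parallel cases show the look-ahead and the segment bounds keeping the predictive warning from firing when no crossing is imminent.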

1.7.7 ICAO requirements and their impacts on this assessment

Requirements related to safety are disseminated throughout the ICAO manual on advanced surface movement guidance and control systems [32]. We highly recommend that the reader make direct use of the aforementioned document. However, to ease the understanding of our approach to this hazard assessment and to justify some features that we have taken for granted (because already advocated by ICAO), we have collected below a few relevant requirements.


The 1st set of requirements is extracted from chapter 2, which is dedicated to the A-SMGCS operational requirements.

In §2.6.9 (system failures), the ICAO manual on A-SMGCS reads: “Equipment which shows control data should both be fail-safe (footnote 14) and fail-soft (footnote 15). In case of a failure of an element of an A-SMGCS, the failure effect should be such that the element status is always in the "safe" condition. All critical elements of the system should be provided with timely audio and visual indication of failure. An A-SMGCS should be self-restartable. The recovery times should be of a few seconds. The restart of an A-SMGCS should include the restoration of pertinent information on actual traffic and system performance.”

In §2.6.11 (pilot considerations), the manual reads: “Pilots should be provided with the following: a) […] e) indication of spacing from preceding aircraft, including speed adjustments; f) indication of spacing from all aircraft, vehicles and obstacles in visibility condition 4; […] h) information to prevent the effects of jet blast and propeller/rotor wash; i) identification of areas to be avoided; j) information to prevent collision with other aircraft, vehicles or known obstacles; k) information on system failures affecting safety; […] m) alert of incursion onto runways and taxiways; and n) the extent of critical and sensitive areas. Note.— Most of the foregoing requirements may be satisfied by ground visual aids.”

In §2.6.12.1 (vehicle driver considerations), the manual reads: “Vehicle drivers should be provided with the following: a) […] d) information, and control when and where appropriate, to prevent collision with aircraft, vehicles and known obstacles; and e) alert of incursions into unauthorized areas.”

In §2.6.13 (apron management considerations), the manual reads: “The following information should be available to the apron management services: a) […] c) information on the presence of obstacles or other hazards; d) information on the operational status of elements of the system; and […]”.

In §2.6.14 (automation), the manual reads: “Where automation is available, the automated systems should demonstrate an acceptable level of HMI efficiency. The design of an A-SMGCS should make it possible to make a distinction between the following system elements and functions: (a) system assistance in the decision-making process; (b) system advice on the decision taken; and (c) system decisions provided directly to the users. Automated guidance should not be used by the system if aircraft control, conflict detection and conflict alert resolution are not available. If the system integrity degrades, it should automatically alert all users and should have the capability to transfer automated functions to the controllers in an easy and safe way. […] Note.— Automation validation processes are expected to encompass all environmental and failure conditions including a reversion to manual control.”

In §2.7.3 (integrity), the manual reads: “The system design should preclude failures that result in erroneous data for operationally significant time periods. The system should have the ability to provide a continuous validation of data and timely alerts to the user when the system must not be used for the intended operation. The validity of data should be assessed by the system in accordance with the assigned priority given to these data. Validation of operationally significant data should be timely and consistent with human perception and/or response time.”

In §2.7.4 (availability and continuity), the manual reads: “The availability of an A-SMGCS should be sufficient to support the safe, orderly and expeditious flow of traffic on the movement area of an aerodrome down to AVOL. An A-SMGCS should provide continuous service for all areas determined by the competent authority. Any unscheduled break in operations should be sufficiently short or rare so as not to affect the safety of aircraft using the system. […] Automatic positive indication of the status of the system or any operationally significant failure should be given to any aircraft, vehicle or control facility that might be affected.”

In §2.7.5 (reliability), the manual reads: “An A-SMGCS should be designed with an appropriate level of redundancy and fault tolerance in accordance with the safety requirements. A self-checking system with failure alerts should be in the system design. A failure of equipment should not cause a reduction in safety (fail soft); and the loss of basic functions. The system should allow for a reversion to adequate back-up procedures if failures in excess of the operationally significant period occur. Operationally significant failures in the system should be clearly indicated to the control authority and any affected user.”

It is interesting to see that, even if most safety-related operational requirements apply to the whole system, there is special attention paid to control data. There is also some apprehension towards fully automatic routing (cf. related requirement in Table 5-5 on page 85) and automated guidance (cf. related requirement in Table 5-6 on page 86). In both these cases, a means to revert to manual procedures is recommended.

Chapter 3 provides guidance on the application of the operational and performance requirements. The following requirements have been deemed interesting.

In §3.2 (division of responsibilities and functions), the manual reads: “The consideration of assigning responsibilities within the operation of A-SMGCS will be a major factor in the overall design of such systems. The design of A-SMGCS should not be constrained by existing allocations of responsibility. It should be recognized that changes may be required to make use of new technology and operational concepts. New elements will be introduced as systems become more capable and the correct operation of certain functions will involve the responsibilities of manufacturers and producers of software. A thorough and ongoing review of the present division of responsibility is required to see more clearly how new concepts will affect existing arrangements. The implementation of an A-SMGCS and its associated procedures enables the introduction of a high level of automation. This automation offers the chance of the “system” management of safety-related tasks that are normally performed by humans. Where there is a safety risk associated with the role and responsibility afforded to system functionality, a full risk assessment should be carried out.”

In §3.5.10 (system failures), the manual reads: “The A-SMGCS should have sufficient redundancy, fault tolerance or failure mitigation to enable operations to continue or be downgraded without affecting the required level of safety. This applies to both hardware and software failures that cause an interruption or loss of an A-SMGCS function. In this case, a back-up procedure should be provided for any known potential failure. The possibility of an unpredictable and catastrophic failure should be assumed. In the event of such a failure, a procedure(s) should be provided whereby dependability on the system (which may be the entire A-SMGCS) can be removed.”

In §3.5.13.4 (ATC considerations – Automation in ATC), the manual reads: “Automation should be introduced in a modular form and each element should be independent, capable of operating when other elements have become unserviceable. Interfaces should be provided to enable controllers to take over the operation of failed elements. These interfaces should also make it possible for staff to adjust the functioning of automated elements during normal operation when unplanned events, or inappropriate system function, require amendments to the operation […].”

In §3.5.13.13 (ATC considerations – ATC and HMI), the manual reads: “If human operators are to provide any meaningful contribution to the operation of A-SMGCS, even if only in a monitoring role and providing backup in the event of system failure, they should be involved in the executive functions of the system. Humans are poor monitors and whilst performing such tasks humans may be unable to take over the functions of a system if they have not been involved in its operation.”

Footnote 14: The term "fail-safe" in this context means that sufficient redundancy is provided to carry data to the display equipment to permit some components of the equipment to fail without any resultant loss of data displayed.

Footnote 15: The term "fail-soft" means that the system is so designed that, even if equipment fails to the extent that loss of some data occur, sufficient data remain on the display to enable the controller to continue operation without assistance of the computer.


In §3.5.17 (automation), the manual reads: “The use of automation is one of the main differences between SMGCS and A-SMGCS […]. Any automation should undergo a thorough validation process to ensure that the operational requirements are met. The validation process needs to encompass all environmental and failure conditions, including the reversion to manual control.”

In §3.6.2 (integrity), the manual reads: “[…] In the event of any failure, an appropriate alert including the operational significance of the failure should be provided. A safety assessment should be carried out on the level of integrity and should be directly related to the TLS. Other integrity requirements include:
a) determination of the integrity risk — the probability of an undetected failure, event or occurrence within a given time interval;
b) error identification — an error detection process should be deployed that will maintain the required level of integrity;
c) error classification — each detected error should be analysed and a corrective or error processing method should be initiated within a specified time;
d) error handling — specifies the number of attempts or retries allowed within a given time period to complete an error free function, transaction or process before a failure is declared;
e) data integrity and validation — latent data within an A-SMGCS should be continuously checked for its integrity. This includes data that have a specified life cycle and that are contained within databases; and
f) information errors — the propagation of hazardous or misleading information should be prevented.”

Chapter 4 of the manual on advanced surface movement guidance and control systems is dedicated to the A-SMGCS performance requirements. The ICAO manual on A-SMGCS [32] states in §4.1.1.2 (system requirement - general – safety): “A-SMGCS target level of safety should be 1 x 10^-8 (per operation)” and in §4.1.1.3: “The function risk has been estimated as:
a) guidance: 3.0 x 10^-9 per operation;
b) surveillance: 3.0 x 10^-9 per operation;
c) control: 3.0 x 10^-9 per operation; and
d) routing: 1.0 x 10^-9 per operation.”

Chapter 4 of the manual also provides some dependability figures for each of the four main A-SMGCS functions. In §4.2.3 (surveillance requirements), the manual reads: “The actual position of an aircraft, vehicle or obstacle on the surface should be determined within a radius of 7.5 m. Where airborne traffic participates in the A-SMGCS, the level of an aircraft when airborne should be determined to within ±10 m.” In §4.3.1 (routing requirements), the manual reads: “The requirements listed in Table 4-1 should be used in the design of the routing function.”

Table 4-1. Routing maximum failure rate requirements

Visibility condition | Requirement (failures per hour)
1 | 1.5E-03
2 | 1.5E-04
3 | 3.0E-06
4 | 1.5E-06

In §4.5.1 (control requirements), the manual reads: “The probability of detection of an alert situation (PDA) should be greater than 99.9 per cent. The probability of false alert (PFA) should be less than 10^-3.” These dependability figures had no direct implications on this functional hazard assessment and very preliminary system safety assessment. However, they should be accounted for in the following iterations of the preliminary system safety assessments. Finally, §5.5 outlines safety assessment implementation issues.


1.7.8 Safety and safety nets

According to the SRC policy document 2, "Use of safety nets in risk assessment & mitigation in ATM" [22]: “Safety nets are engineered systems which are designed and operated for the purpose of collision avoidance. Any safety benefit, which may be provided by a safety net, shall be considered as an additional overlay to that provided by the ATM system, as safety nets are considered to be in the collision avoidance layer outside the scope of ESARR 4. The ATM system must be able to demonstrate that it satisfies applicable tolerable ATM safety minima without reliance upon the safety benefit expected to be provided by safety nets. As safety nets can themselves induce new hazards to flight operations, they will be subject to specific safety objectives.”

1.7.9 State-of-the-art conclusion

The AGATE study [21], together with the A-SMGCS levels 1 and 2 preliminary safety case [27] and the NUP operational hazard assessment [24] represent major inputs to this functional hazard assessment. This document pushes the analysis one step further with a strong position on the safety assessment of the consequences of automation.


2 Referenced documents

2.1 Applicable documents

[1] European Airport Movement Management by A-SMGCS, contract
[2] EUROCONTROL Air Navigation System Safety Assessment Methodology (SAM), SAF.ET1.ST03.1000-MAN-01-00, edition 2.0.

2.2 Other relevant publications

2.2.1 Emma deliverables

All the following EMMA deliverables have a public dissemination level.
[3] D1.2.1: ATM interoperability document.
[4] D1.3.1: Air-ground operational service and environment description (OSED).
[5] D1.3.2: Safety and performance requirements (SPR).
[6] D1.3.3: General safety concept (GSC).
[7] D1.3.5: Operational requirements document (ORD).
[8] D1.3.6: Human factors HMI requirements.
[9] D1.3.8: New A-SMGCS user roles.
[10] D1.4.1: High-level Air-Ground Functional Architecture (AGFA), previously called Interoperability document (INTEROP).
[11] D1.6.1: Test site operations document for Prague-Ruzyně, Toulouse-Blagnac and Milan-Malpensa.
[12] D2.1.1: Report on aircraft position issues.

2.2.2 Thales ATM publications

[13] System / segment specification (SSS) for the Airport & Terminal Automation System (ATAS), revision H, Thales ATM, July 2004 (commercial in confidence).
[14] Quality Manual, Thales ATM, QM-03 (commercial in confidence).
[15] Hazard Analysis / Operational safety, Work instruction IPD-315/03, Product Development Baseline (commercial in confidence).
[16] Safety CSCI Folder, Work instruction IPD-315/09, Product Development Baseline (commercial in confidence).
[17] Generic FHAR template, FAJ09, Product Development Baseline (commercial in confidence).
[18] Safety training, Bernard Pauly, 29 April 2004, DT-PLS-SE (commercial in confidence).

2.2.3 Publications from other EMMA consortium partners

[19] EUROCONTROL Safety Regulatory Requirement, ESARR 4, Risk Assessment And Mitigation In ATM, Edition 1.0, 05-04-2001, DGOF/SRU

[20] EUROCONTROL EATMP, DAP / APT, Definition of A-SMGCS Implementation Levels (internal project document subject to change), version 1.0, September 2003.

[21] High-level business case document for A-SMGCS ground assistance tools for Europe (AGATE), proposed issue, edition 1.0, EUROCONTROL, ODT13/DP13, November 1998.

[22] Use of safety nets in risk assessment & mitigation in ATM, EUROCONTROL Safety Regulation Commission policy document 2, edition 1.0, 28 April 2003.


[23] Review of techniques to support the EATMP Safety Assessment Methodology, EUROCONTROL draft report, Patrick Mana, 11 April 2003.

[24] Operational hazard assessment (OHA) automatic dependent surveillance broadcast (ADS-B) APT, North European ADS-B Network Update Programme (NUP), phase II, Philippe CAISSO, Service Technique de la Navigation Aérienne (STNA), June 2004.

[25] Maastricht Upper Area Control Centre, FHA Report, S.P1237.40.5, Issue 1.1, Brian Orr, Derek Fowler, 30 September 2003 (commercial in confidence).

[26] Maastricht Upper Area Control Centre, Preliminary System Safety Assessment, Interim Report, Ref. C/401/01/501, Issue: 0.1, 6 Feb 04 (commercial in confidence).

[27] A-SMGCS levels 1 and 2 preliminary safety case, release 1.0, October 2005, EUROCONTROL (draft intended for a restricted audience).

[28] EUROCONTROL OATA-P2-D4 2 11-01, Study Report on Avionics.
[29] EUROCONTROL Safety Regulation Commission (SRC) document 2, Aircraft accidents / incidents and ATM contribution, Review and Analysis of Historical Data, Edition 3.0 dated 12 December 2002.
[30] Eurocontrol experimental centre, Review of root causes of accidents due to design, EEC Note No. 14/04, Project Safbuild, Issued: October 2004.

2.2.4 External publications

[31] ICAO manual on Surface Movement, Guidance and Control Systems (SMGCS), doc 9476.
[32] ICAO manual on Advanced Surface Movement, Guidance and Control System (A-SMGCS), doc 9830 AN 452 - 2004.
[33] EUROCAE WG-41, Minimum Aviation System Performance Specification for Advanced Surface Movement Guidance and Control Systems, ED-87A, January 2001.
[34] Statistical Summary of Commercial Jet Airplane Accidents - Worldwide Operations 1959 – 2003, Airplane safety, Boeing, April 2004.
[35] Preliminary Operational Hazard Assessment, deliverable n° D1.3.2, Co-operative Air Traffic Management (C-ATM) - Phase 1, Contract No.: TREN/04/FP6AES/S07.29954/502911, Sixth Framework Programme.


3 Main results of the functional hazard assessment and very preliminary system safety assessment

In agreement with the method described in §1.4, this functional hazard assessment and very preliminary system safety assessment was performed in four steps, whose main results are given below:
- identification of potential equipment failures, cf. §3.1;
- identification of hazards, cf. §3.2;
- assessment of hazard severity, cf. §3.3; and
- specification of safety objectives, cf. §3.4.

The safety recommendations are provided in §4. Full details on all the above can be found in appendices A to F.

3.1 Identification of potential equipment failures

The identification of potential equipment failures has been performed in 3 steps:
- functional decomposition;
- identification of data & control flows;
- posting of fault modes on each data & control flow and analysis of the effects.

3.1.1 Functional decomposition

According to the ICAO manual on A-SMGCS [32], “an A-SMGCS should support the following primary functions: a) surveillance; b) routing; c) guidance; and d) control.” It is noted that “communication is considered to be an integral part of each of the primary functions.” To keep this report simple and generic, the granularity of the functional decomposition has been limited to only one level beneath the level of primary functions.

Surveillance has been decomposed into:
- surveillance via non co-operative sensors,
- surveillance via co-operative sensors,
- data fusion,
- traffic movement characterisation.

Routing has not been decomposed.

Guidance has been decomposed into:
- guidance control,
- guidance aids monitoring,
- vehicle on-board guidance,
- traffic information service – broadcast (TIS-B).

Control has been decomposed into:
- traffic monitoring & alerting,
- planning,
- plan monitoring and alerting.

In addition, the controller working position has been highlighted as a stand-alone function, and the following five technical functions have been retained: time management, technical supervision, legal recording, aerodrome mapping database, and strip printer.


3.1.2 Identification of data & control flows

Fifty-eight (58) data & control flows have been identified, based on the above functional decomposition. The identification was driven by technical considerations. For example, if it is known that different data or control items (e.g. track position, track speed, track heading, etc.) are handled by the same piece of software or hardware, then these data or control items are known to flow as a coherent group, and are thus presented as a unique data or control flow. Each flow has been analysed in terms of content description, system state & mode (i.e. condition when the flow is active), flow type (i.e. external or internal flow), presentation and application protocols (if standardised), redundancy, periodicity, and acceptable outage.

3.1.3 Posting of fault modes on each data & control flow

The “loss of” and “corruption of” fault modes have been systematically posted on each of the 58 identified data & control flows. For each failure, the detected or not detected cases have been distinguished. This leads to some 58 * 2 * 2 = 232 studied equipment failures. The “temporary interruption of” fault mode has been analysed only on a case-by-case basis. For each equipment failure, the possible operational effects, at equipment level, have been described. The description of operational effects has been slightly formalised in order to maximise their reuse for different equipment fault modes. Thus only 37 significant operational effects were identified, and classified into 4 categories:
- controller false confidence in the equipment (i.e. controller over-reliance on the failed equipment, before equipment failure detection),
- controller workload increase due to manual substitution (after equipment failure detection),
- controller workload increase due to known malfunctioning that cannot be helped (after equipment failure detection),
- operational effects on vehicle drivers and aircraft pilots (independently of equipment failure detection).

The operational effects, at equipment level, that have been identified, are the following:
- OE-01: The controller’s traffic situational awareness is severely compromised (due to undetected loss or undetected corruption of surveillance data as normally provided by the equipment).
- OE-02: The controller’s traffic situational awareness is slightly compromised (due to undetected loss or undetected corruption of some surveillance data, as normally provided by the equipment, e.g. loss of only one source of surveillance, such as raw video, co-operative sensors, non co-operative sensors, etc.). At least one source of co-operative surveillance and one source of non co-operative surveillance remain. Complete loss of one source is covered by OE-01. There is no significant impact on conflict detection.
- OE-03: Detection of surface conflicts & incursions by the controller is severely compromised (due to the undetected loss or undetected corruption of control data as normally provided by the equipment).
- OE-04: The controller’s projected situational awareness is severely compromised (due to the undetected loss or undetected corruption of flight plan data as normally provided by the equipment).
- OE-05: The detection of plan deviations by the controller is severely compromised (due to the undetected loss or undetected corruption of plan conformance monitoring data as normally provided by the equipment).
- OE-06: The controller’s awareness of the traffic situation in adjacent sectors is severely compromised (due to loss or corruption of flight plan and / or surveillance data related to adjacent sectors as normally provided by the equipment).
- OE-07: The controller’s context awareness is slightly compromised (due to loss or corruption of guidance data, e.g. incorrect knowledge of equipment state and status, or due to loss or corruption of aerodrome-mapping data as normally provided by the equipment).
- OE-08: The controller human-machine interface (HMI) is stuck in a display configuration that is improper for normal (safe) control operations.


- OE-09: Equipment response time increases above tolerable values (e.g. due to overload), and the equipment does not detect this slowing down.
- OE-10: The controller has to manually manage the flight plans for the operations (i.e. creations, deletions, updates) that are normally handled by external flight plan data processing systems (FDPS).
- OE-11: The controller has to manually manage the flight plans for the operations (i.e. creations, deletions, updates) that are normally handled by adjacent tower positions.
- OE-12: The controller has to manually manage the flight plans for the operations (i.e. updates only) that are normally handled by automated traffic characterisation, in particular flight plan progress.
- OE-13: The controller has to manually label (some) target reports.
- OE-14: The controller has to assign all taxi routes manually (with or without semi-automatic routing support).
- OE-15: The controller has to manually control the ground guidance aids.
- OE-16: The controller has to manually update the aerodrome-mapping database.
- OE-17: The controller has to mentally maintain the association between the flight plans and the target reports.
- OE-18: The control procedures have to revert to paper strips.
- OE-19: The controller has to revert to RTF co-ordination with the adjacent approach centre.
- OE-20: The controller has to rely (more) on pilots’ RTF reports for mobile positioning & identification data.
- OE-21: The controller has to revert to RTF guidance.
- OE-22: The controller has to monitor plan adherence (and in particular taxi route adherence) without automated plan conformance monitoring support.
- OE-23: The controller has to return to SMGCS working procedures and conditions.
- OE-24: The controller has to use the ground guidance aids’ own control & monitoring tools to manually control them.
- OE-25: The controller is provided (by the equipment) with missing and/or corrupted traffic data. He knows it, but cannot / does not prevent it. This effect includes OE-20, whose hazards are not repeated here.
- OE-26: The controller is provided (by the equipment) with missing and/or erroneous mobile identification. He knows it, but cannot / does not prevent it. Note: This effect includes OE-17, whose hazards are not repeated here.
- OE-27: The controller is provided (by the equipment) with missing or false traffic alerts. He knows it, but cannot / does not prevent it.
- OE-28: The controller is provided (by the equipment) with missing and/or erroneous plan monitoring alerts. He knows it, but cannot / does not prevent it.
- OE-29: The controller is provided (by the equipment) with missing and/or erroneous co-ordination support. He knows it, but cannot / does not prevent it.
- OE-30: Pilots and/or drivers do not receive any automated guidance from ground guidance aids. Note: This effect may include OE-34.
- OE-31: Pilots and/or drivers do not receive any automated guidance from on-board equipment. Note: This effect includes OE-34.
- OE-32: Pilots and/or drivers are provided with missing or erroneous indications via the ground guidance aids.
- OE-33: Pilots and/or drivers are provided with missing or erroneous guidance indications via the on-board equipment.
- OE-34: Pilots and/or drivers are provided with inconsistent guidance indications (between ground, on-board and RTF). Note: When the failure is detected, this effect includes OE-21.
- OE-35: Pilots and drivers are provided (potentially via TIS-B) with missing and/or erroneous surveillance data (including mobile identification).
- OE-36: Pilots and/or drivers are provided with inconsistent aeronautical information (between the A-SMGCS aerodrome-mapping database, the ATIS, the FIS-B, the RTF). Note: When the failure is detected, this effect includes OE-21.
- OE-37: Supposing that a route deviation is detected based on down linked aircraft parameters (DAP), the information is provided too late to avoid the route deviation.


Depending on the A-SMGCS scenario implementation level, the environmental conditions, the procedures and the controllers, each of the above operational effects, at equipment level, may represent a hazard (at system level).
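The fault-mode posting procedure of §3.1.3 (two fault modes on every flow, each split into a detected and an undetected case, then sorted into the four effect categories) is mechanical enough to be scripted, which also makes the 58 * 2 * 2 = 232 count reproducible. The following Python is an added illustration and is not code from the EMMA project; the flow names, the `to_user` and `manual_substitute` attributes, and the category mapping in `classify` are constructed assumptions that stand in for the report's per-flow analysis. The block goes slightly beyond the text in letting the case-by-case "temporary interruption of" mode be posted on selected flows only.

```python
"""Systematic fault-mode posting on data & control flows, after the method of §3.1.3.

Added example; the flows below are constructed and are not the 58 flows of the report.
"""
from dataclasses import dataclass
from itertools import product

FAULT_MODES = ("loss of", "corruption of")            # posted on every flow
CASE_BY_CASE_MODES = ("temporary interruption of",)    # posted only where requested
DETECTION_CASES = (True, False)                        # detected / not detected


@dataclass(frozen=True)
class Flow:
    name: str
    to_user: str              # assumed attribute: "controller" or "pilot/driver"
    manual_substitute: bool   # assumed attribute: can the controller take over manually?


@dataclass(frozen=True)
class EquipmentFailure:
    flow: str
    fault_mode: str
    detected: bool
    category: str


def classify(flow: Flow, detected: bool) -> str:
    """Map one equipment failure to one of the four effect categories of §3.1.3.

    The mapping is an assumption for this example: the report derives the
    category from a per-flow analysis, not from two flags.
    """
    if flow.to_user != "controller":
        # effects on pilots/drivers apply whether or not the failure is detected
        return "effects on pilots/drivers"
    if not detected:
        # over-reliance on failed equipment before the failure is detected
        return "controller false confidence"
    if flow.manual_substitute:
        return "workload increase: manual substitution"
    return "workload increase: known malfunction"


def post_fault_modes(flows, include_interruption=()):
    """Post every fault mode x detection case on every flow and classify the result.

    `include_interruption` names the flows on which the case-by-case
    "temporary interruption of" mode is also posted.
    """
    failures = []
    for flow in flows:
        modes = FAULT_MODES
        if flow.name in include_interruption:
            modes = modes + CASE_BY_CASE_MODES
        for mode, detected in product(modes, DETECTION_CASES):
            failures.append(
                EquipmentFailure(flow.name, mode, detected, classify(flow, detected))
            )
    return failures


def expected_count(n_flows, n_modes=len(FAULT_MODES), n_cases=len(DETECTION_CASES)):
    """Size of the systematic cross product (58 flows -> 232 failures)."""
    return n_flows * n_modes * n_cases


def summarise(failures):
    """Count failures per effect category."""
    counts = {}
    for f in failures:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample flows (names chosen to echo the functional decomposition of §3.1.1).
SAMPLE_FLOWS = [
    Flow("surveillance tracks (data fusion -> CWP)", "controller", True),
    Flow("conflict alerts (traffic monitoring -> CWP)", "controller", False),
    Flow("flight plan data (FDPS -> planning)", "controller", True),
    Flow("guidance indications (guidance control -> ground aids)", "pilot/driver", True),
]

if __name__ == "__main__":
    failures = post_fault_modes(SAMPLE_FLOWS)
    print(len(failures), "failures posted;", expected_count(58), "expected for 58 flows")
    for category, n in sorted(summarise(failures).items()):
        print(f"{n:3d}  {category}")
```

Running the block lists 16 failures for the four sample flows and prints the per-category split; `expected_count(58)` gives the report's 232. Adding a flow name to `include_interruption` adds two more failures (detected and undetected interruption) for that flow only, mirroring the case-by-case treatment in the text.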

3.2 Identification of hazards

3.2.1 Hazards originating from equipment

After the identification of possible operational effects, at equipment level, the possible operational effects at system level have been identified, taking into account people (i.e. controllers, pilots, drivers) and procedures. Because equipment and procedures change with the A-SMGCS scenario implementation levels (SIL), hazards have been split per SIL. Some hazards may seem similar between levels; however, since the severity may differ, we have preferred to systematically (footnote 16) identify them as separate hazards. For each level, the worst conditions (as indicated by ICAO) have been used in terms of airport layout, visibility conditions and traffic load. For more details, please refer to annex F.

3.2.1.1 Hazards originating from equipment in a scenario implementation level II

The following hazards have been identified for an A-SMGCS scenario implementation level II:
- HZ-01: In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
- HZ-05: In visibility condition 2, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to misuse this corrupted surveillance data.
- HZ-10: In visibility condition 2, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure separation (essentially on or near runways).
- HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.
- HZ-26: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

3.2.1.2 Hazards originating from equipment in a scenario implementation level III

The following hazards have been identified for an A-SMGCS scenario implementation level III:
- HZ-02: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
- HZ-06: In visibility condition 3, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.
- HZ-11: In visibility condition 3, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure separation.
- HZ-14: In visibility condition 3, the controller needs to recover from an equipment flight data failure by reverting to paper strips and the voice communications system (VCS).
- HZ-17: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure verbal and manual routing.

Footnote 16: With very few exceptions.


- HZ-20: In visibility condition 3, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight data), and continues to use this corrupted data to ensure co-ordination.

- HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.

- HZ-26: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by increased cognitive processing.

3.2.1.3 Hazards originating from equipment in a scenario implementation level IV

The following hazards have been identified for an A-SMGCS scenario implementation level IV:

- HZ-03: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

- HZ-07: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.

- HZ-12: In visibility condition 3, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure tactical separation.

- HZ-15: In visibility condition 3, the controller needs to recover from an equipment flight data failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.

- HZ-18: In visibility condition 3, the controller does not detect the corruption of equipment flight data, and continues to use this corrupted data to ensure routing and automated ground guidance.

- HZ-21: In visibility condition 3, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.

- HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.

- HZ-26: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by increased cognitive processing.

- HZ-27: Recovery: in visibility condition 3 or worse, the supervisor re-sectorizes and the controller has to move from one position to another.

3.2.1.4 Hazards originating from equipment in a scenario implementation level V

The following hazards have been identified for an A-SMGCS scenario implementation level V:

- HZ-04: In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

- HZ-08: In visibility condition 4, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.

- HZ-09: In visibility condition 4, pilots and drivers are provided (potentially via TIS-B) with missing and/or erroneous surveillance data (including mobile identification), but this lack or inconsistency has been detected.

- HZ-13: In visibility condition 4, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure tactical separation.

- HZ-16: In visibility condition 4, the controller needs to recover from an equipment flight data failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.


- HZ-19: In visibility condition 4, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure routing and automated on-board guidance.

- HZ-22: In visibility condition 4, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.

- HZ-23: Recovery in visibility condition 4: the controller needs to recover from an equipment conformance monitoring failure by decreasing the number of aircraft moving simultaneously.

- HZ-24: Misuse of automation in visibility condition 4: due to over-reliance on automation, the controller does not detect the corruption of equipment conformance monitoring, and continues to use this corrupted data to ensure that the traffic is conforming to instructions.

- HZ-25: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by manual inputs, creating a workload increase and more head-down time.

- HZ-26: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate for an equipment failure by increased cognitive processing.

- HZ-27: Recovery: in visibility condition 3 or worse, the supervisor re-sectorizes and the controller has to move from one position to another.

3.2.2 Other hazards and share of the target level of safety

Our safety assessment does not consider all A-SMGCS hazards, but only those hazards that originate from equipment. Other hazards exist which originate from people and procedures (cf. Figure 11). It is not in the scope of EMMA to identify all those hazards. Some have been listed in §3.2.2.2, but this list is not to be considered as complete.

[Figure 11 (diagram, not reproduced): three horizontal layers labelled "Equipment level", "A-SMGCS level" and "Aerodrome ATC level". The equipment path reads: "Equipment failure", "Equipment mitigation", "Operational effects at equipment level", "System mitigation", "Hazards = operational effects at A-SMGCS level", "External mitigation", "Operational effects at aerodrome ATC level (i.e. failure condition)". A parallel path reads: "People / procedure failure", "People / procedure mitigation", "Operational effects at people / procedure level".]

Figure 11: Hazards originating from equipment, and other hazards


Focusing on hazards originating from equipment failures represents one of the main weaknesses of this analysis. Indeed, the A-SMGCS target level of safety (i.e. 1 × 10^-8 per operation) has to be divided between all hazards, not only the former. Some part of the target level of safety should be set aside for other hazards, but to what extent? There is no known SMGCS FHA that could provide us with such an insight. A proposal, to be discussed and agreed at European / international level, has been made in §3.2.2.1 for each A-SMGCS scenario implementation level.

3.2.2.1 Share of the TLS allocated to equipment

Our safety assessment does not consider all A-SMGCS hazards, but only those hazards that originate from equipment failures. It is therefore necessary to assume a share of the total target level of safety (TLS) that will be allocated to the equipment. In [27], annex D, 15% of the total TLS was allocated to equipment for an A-SMGCS implementation level 1 & 2 (according to the EUROCONTROL terminology, corresponding more or less to ICAO level II). We tend to agree with this share, and propose the following allocations for higher scenario implementation levels.

ICAO scenario implementation level (SIL) | Share of the TLS allocated to hazards originating from people & procedure failures | Target level of safety allocated to people & procedures | Share of the TLS allocated to hazards originating from equipment failures | Target level of safety allocated to equipment
I | 100% | 1.0E-08 | 0% | Not applicable (no A-SMGCS equipment)
II | 85% | 8.5E-09 | 15% | 1.5E-09
III | 65% | 6.5E-09 | 35% | 3.5E-09
IV | 55% | 5.5E-09 | 45% | 4.5E-09
V | 45% | 4.5E-09 | 55% | 5.5E-09

Table 3-1: Share of the TLS per scenario implementation level

As automation increases, the share of the A-SMGCS target level of safety (TLS) allocated to hazards originating from equipment failures increases whilst the share of the TLS allocated to hazards originating from people & procedure failures decreases (cf. Table 3-1). We propose a major step between ICAO A-SMGCS scenario implementation level II and level III (i.e. +20 points) because at level III, on basic and simple airports with light or medium traffic, the A-SMGCS is supposed to support operations in visibility condition 3. For us, this is a major step that implies very high confidence in the equipment, and new conflict prediction & resolution tools. In our view, later steps up the A-SMGCS scenario implementation levels are less dramatic, and are therefore only assigned +10 points each. However, comments and discussions are highly solicited.

[Figure 12 (diagram, not reproduced): a chain from "Equipment failure" through "People and procedures" to "Hazard", with "Safety objective" and "Safe state" as the remaining labels.]

Figure 12: People and procedures act as mitigation for hazards originating from equipment failures


As seen in Figure 11, all hazards (including hazards originating from equipment failures) are identified at the boundary of the system. This means that people and procedures act as mitigation, reducing the probability that an equipment failure evolves into a hazard (cf. Figure 12). For a hazard to be raised, an equipment failure must occur and neither the people nor the procedures must correctly mitigate it. Procedures to detect equipment failures and to recover from them need to be safe, and the people need to be adequately trained to cope with such equipment failures. In other words, part of the target level of safety (TLS) allocated to hazards originating from equipment failures needs to be allocated to equipment failure detection procedures and to training. Even though we would like to stress the importance of training controllers to face equipment failures by allocating a part of the A-SMGCS TLS to this training and these procedures, we are aware that this allocation would dramatically increase the complexity of the computations, with probably minor effects on the resulting figures. We will therefore consider that the part of the target level of safety allocated to this training and these procedures is already covered in the share of the TLS as expressed in Table 3-1. Whatever apportionment between equipment, people and procedures is agreed, it is suggested that for future system safety assessments following implementation, a mechanism is enforced to review the apportionment once safety data from several airports is available.

3.2.2.2 Hazards originating from people and procedures

This preliminary system safety assessment (PSSA) part of this document is focused on hazards originating from equipment failures. For this reason, the proposed list of hazards related to people and procedure failures is not exhaustive, but focuses on abuse of automation. Abuse refers to an inappropriate application of automation by designers and managers or to inappropriate usage of automation by operators. The main causes of abuse of automation may be, for example, that:

- the A-SMGCS implementation is recent and the controller is not used to the new equipment and procedures;

- the A-SMGCS implementation is recent and the new procedures are not adapted to the use of the new equipment or to the known performance of this equipment;

- the controller does not react to changes of the airport environment (airport layout, meteorological conditions, traffic density, etc.) and continues to use unsuitable procedures, sets of tools, etc.

Table 3-2 below provides an insight into some hazards that are related to automation, but whose main origin is a people or procedure failure, rather than an equipment failure.

A-SMGCS scenario implementation level | Hazard typology | Hazard description (at system level) | Comments and recommendations
II | Abuse | Even though surveillance equipment is only supposed to be used in visibility conditions 1 or 2, due to work pressure, the controller continues to use the equipment surveillance data in visibility condition 3 or worse. | Abuse of automation should be prevented: either through adequate training of the supervisor, or through automated equipment alerting (see footnote 17) when the visibility conditions (automatically entered) imply that the equipment should not be used for operational purposes.
II | Abuse | In any visibility condition (related to SIL II), due to over-reliance on automation, the controller uses surveillance equipment to ensure ground separation. | Abuse of automation should be prevented through adequate training and definition of procedures.
III, IV | Abuse | In visibility condition 3, due to work pressure, the controller manages more traffic than he will be able to cope with during a failure recovery. | Management of more traffic than the controller will be able to cope with during a failure recovery should be prevented: either through adequate training of the supervisor, or through automated equipment alerting when the traffic conditions imply that recovery in case of equipment failure might be difficult.
V | Abuse | In visibility condition 4, due to work pressure, the controller manages more traffic than he will be able to cope with during a failure recovery. | Management of more traffic than the controller will be able to cope with during a failure recovery should be prevented: either through adequate training of the supervisor, or through automated equipment alerting when the traffic conditions imply that recovery in case of equipment failure might be difficult.
II, III | Abuse | In any visibility condition, due to over-reliance on automation, the controller uses surveillance equipment to ensure ground guidance, using heading and speed instructions. | We assume that until guidance is automated, it is improper to use the system to ensure speed and heading guidance (open for discussion). Abuse of automation should be prevented through adequate training and definition of procedures.
III, IV, V | Abuse | In visibility condition 3 or worse, due to work pressure, the controller gives responsibility to the pilot for separation with other aircraft. | Abuse of automation should be prevented: either through adequate training of the supervisor, or through automated equipment alerting when the visibility conditions (automatically entered) imply that the equipment should not be used for operational purposes.
V | Abuse | In any visibility condition, the pilot uses surveillance information provided by the on-board surveillance display (e.g. TIS-B) to ensure tactical separation with other aircraft. | The surveillance information provided by TIS-B is not reliable enough to ensure tactical separation, and the pilot does not have the responsibility for separation with other aircraft. Abuse of automation should be prevented through adequate training of the pilot and definition of procedures.
V | Abuse | In visibility condition 3 or worse, due to over-reliance on automation, the controller gives responsibility to the pilot for separation with other aircraft, using the on-board surveillance display. | A common source of mistake can be a misunderstanding of the performance of TIS-B. Abuse of automation should be prevented through adequate training of the pilot and definition of procedures.
II, III, IV, V | Abuse | In any visibility condition, due to over-reliance on automation, the controller relies on the system to detect conflicts. | Abuse of automation should be prevented through adequate training and definition of procedures.
III, IV, V | Abuse | In any visibility condition, due to over-reliance on automation, the controller does not countercheck the conflict alerts provided by the conflict prediction equipment. | Conflict prediction cannot manage all the operational criteria used to determine a conflict alert. For this reason, the controller will always have to check the predicted conflict and validate the alert. Abuse of automation should be prevented through adequate training and definition of procedures.
III, IV, V | Abuse | In any visibility condition, due to over-reliance on automation, the controller does not countercheck the conflict resolution proposed by the conflict prediction equipment. | Conflict prediction cannot manage all the operational criteria used to determine a conflict resolution. For this reason, the controller will always have to check the predicted conflict and validate the proposed conflict resolution. Abuse of automation should be prevented through adequate training and definition of procedures.
III, IV, V | Abuse | In any visibility condition, due to over-reliance on automation, the controller does not verify the routes provided by the routing equipment. | The routing equipment cannot manage all the operational criteria used to define a route. For this reason, the controller will always have to check and validate the route. Abuse of automation should be prevented through adequate training and definition of procedures.
III, IV, V | Abuse | In any visibility condition, due to work pressure, the controller relies on the plan conformance monitoring function to ensure that the traffic is conforming to instructions. | Abuse of automation should be prevented through adequate training of the supervisor and definition of procedures.
III, IV | Abuse | Even though ground guidance equipment is only supposed to be used in visibility conditions 1, 2 or 3, due to work pressure, the controller continues to use it in visibility condition 4. | It is likely that the pilot will announce that he is not able to taxi. Abuse of automation should be prevented: either through adequate training of the supervisor, or through automated equipment alerting when the visibility conditions (automatically entered) imply that the equipment should not be used for operational purposes.

Table 3-2: Hazards originating from people and procedures

17 The listed mitigations (e.g. alerting) may introduce additional failure modes and hazards. Since the assessment of hazards originating from people and procedures is not the object of this document, the latter have not been assessed herein. However, it is understood that this would be necessary if a thorough functional hazard assessment including people and procedures were to be made.

3.3 Assessment of hazard severity

For each of the identified hazards originating from equipment failures, severity indicators (i.e. hazard effects at aerodrome ATC level, exposure, and mitigation means that are external to the system) have been analysed in order to assign a severity. Two hazards were assessed as catastrophic (i.e. severity 1). The two hazards are similar but apply respectively to A-SMGCS scenario implementation level III (HZ-06) and level IV (HZ-07): in visibility condition 3, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure separation. In visibility condition 3, visibility is sufficient for a pilot to taxi, but insufficient for a pilot to avoid collision with other traffic on taxiways and at intersections by visual reference with other traffic, and insufficient for the control authority to exercise control over all traffic on the basis of visual surveillance. To assign a severity 1, two kinds of operational effects were analysed:

- A dangerous situation develops unbeknownst to the controller, e.g. a conflict between aircraft on a taxiway, a runway incursion, a take-off without clearance, a route deviation, etc. (cf. Milano-Linate accident). The equipment provides no alert.

- Due to his lack of situational awareness, the controller himself creates a critical loss of separation by delivering an inadequate clearance (cf. Rhodes Island incident on December 6th, 1999, or the Überlingen accident on July 1st, 2002).

The severities 1 were first assigned by DSNA and TATM based on undeveloped hazard outcomes. After the second FHA workshop (cf. appendix H), the severities were confirmed by drafting concrete outcomes (cf. appendix F).

Scenario implementation level | Hazard | Severity
2 | HZ-05 | 2
2 | HZ-01 | 4
2 | HZ-10 | 5
2 | HZ-25 | 5
2 | HZ-26 | 5
3 | HZ-06 | 1
3 | HZ-02 | 2
3 | HZ-17 | 2
3 | HZ-11 | 3
3 | HZ-20 | 4
3 | HZ-14 | 5
3 | HZ-25 | 5
3 | HZ-26 | 5
4 | HZ-07 | 1
4 | HZ-03 | 3
4 | HZ-12 | 3
4 | HZ-18 | 3
4 | HZ-15 | 4
4 | HZ-21 | 4
4 | HZ-27 | 4
4 | HZ-25 | 5
4 | HZ-26 | 5
5 | HZ-08 | 2
5 | HZ-04 | 3
5 | HZ-19 | 3
5 | HZ-24 | 3
5 | HZ-13 | 4
5 | HZ-16 | 4
5 | HZ-22 | 4
5 | HZ-23 | 4
5 | HZ-27 | 4
5 | HZ-09 | 5
5 | HZ-25 | 5
5 | HZ-26 | 5

Table 3-3: Summary of hazard severities

It is to be noted that for a scenario implementation level V, the similar hazard (HZ-08) has only been rated hazardous (i.e. severity 2) because aircraft and vehicles are supposed to be equipped with ADS-B in and to continuously receive positions and identification of other mobiles. Two other hazards were qualified with a hazardous severity (i.e. severity 2). The first one, HZ-02, is closely related to the aforementioned HZ-06; it is the hazard related to the recovery from the HZ-06 situation. The other one, HZ-17, is again a misuse, but this time related to flight data: "In visibility condition 3 the controller does not detect the corruption of equipment flight data, and continues to use this corrupted data to ensure verbal and manual routing". Seven hazards were qualified with a major severity (i.e. severity 3). All other hazards were qualified as having a minor or no impact on safety. For full details, please refer to appendix F. Per scenario implementation level, the following results have been obtained:

- SIL II: the most severe hazard is hazardous;
- SIL III: the most severe hazard is catastrophic;
- SIL IV: the most severe hazard is catastrophic;
- SIL V: the most severe hazard is hazardous.

It is to be noted that during the 2nd EMMA FHA workshop, the severities assigned to SIL II and SIL III hazards had a clear tendency to become more dramatic than what had been previously assigned by DSNA and TATM. The hazards related to SIL IV and SIL V were not discussed: it is not to be excluded that further assessment with operational staff may lead to similar evolutions.

3.4 Specification of safety objectives

3.4.1 Introduction

The specification of safety objectives involves three notions:

- the target level of safety (cf. §3.2.2.1),
- the severity (cf. §3.3),
- the safety objectives themselves.


[Figure 13 (diagram, not reproduced): a "Safe condition" on the left, the "Set of all hazards = potentially unsafe conditions" (Hazard 1 to Hazard N) in the middle, and a "Failure condition" on the right. The arrows from the safe condition to each hazard are labelled "Safety objective: probabilities at which hazards can be expected to occur"; the arrows from each hazard to the failure condition are labelled "Severity: probabilities at which hazards can lead to an accident (using NATS mapping for SCU2 to SCU4)"; the arrow from the safe condition directly to the failure condition is labelled "Target level of safety = probability of an accident during aircraft movement on the aerodrome = 10^-8 per movement". Annotations: "Each hazard contributes a little to create an accident", "Each hazard has its own safety objective in order to ensure the global safety objective", "Mitigation can reduce severity".]

Figure 13: Relationship between target level of safety, severities and safety objectives

Figure 13 shows the relationship between (a) a safe condition, (b) a hazard, i.e. a potentially unsafe condition, and (c) a failure condition, i.e. an accident, except for "chance":

- The target level of safety is the probability that an accident occurs during an aircraft movement on the aerodrome; it has a value set to 10^-8 per movement (cf. §1.7.1). In Figure 13, it is illustrated by a blue arrow between a safe condition and a failure condition (or accident).

- The safety objective of a hazard is a requirement (or constraint) setting the highest tolerable/acceptable probability that this hazard is raised; the set of all hazard safety objectives is noted (as a vector):

$$\text{Global safety objective} = \begin{pmatrix} \text{Safety objective of hazard } 1 \\ \vdots \\ \text{Safety objective of hazard } N \end{pmatrix}$$

In Figure 13, a safety objective is illustrated by a black arrow between a safe condition and a hazard.

- It is assumed that, because we have used the prescriptive approach (cf. [2]) for the setting of safety objectives, the probabilities of the hazard generating the effects (Pe) are somehow already considered when we have decided the severity class of each hazard (cf. §1.6.2 for more details). Using the risk classification scheme and NATS' mapping for SCU2 to SCU4 (§1.7.5), the severity of a hazard can be used to retrieve the probability that this hazard leads to an accident. The severity of each identified hazard has been assigned (cf. §3.3) and is therefore known; the set of all hazard severities is noted (as a vector):

$$\text{Global severity} = \begin{pmatrix} \text{Severity of hazard } 1 \\ \vdots \\ \text{Severity of hazard } N \end{pmatrix}$$

In Figure 13, the probability that a hazard leads to a failure condition (based on hazard severity) is illustrated by a red arrow between a hazard and a failure condition (or accident).


Considering that the target level of safety (TLS) and the global severity are known, the global safety objective can be computed from the following scalar product:

$$\text{global TLS} = \text{global safety objective} \cdot \text{global severity}$$

The infinite number of solutions to this equation form a hyperplane. To fix ideas, let us suppose that:

- we have identified only 2 hazards: H1, catastrophic, and H2, hazardous;

- we note SO1 and SO2 the safety objectives of H1 and H2, i.e. the probabilities of occurrence of H1 and H2;

- we note SV1 and SV2 the severities of H1 and H2; given the NATS mapping for severities (see footnote 18), the probabilities of accident if H1 and H2 occur are respectively 100% and 1%.

Thus, based on the above scalar product, we know that:

$$10^{-8} = SO_1 \cdot SV_1 + SO_2 \cdot SV_2 = SO_1 \cdot 100\% + SO_2 \cdot 1\%$$

[Figure 14 (diagram, not reproduced): "Safe" on the left, "Hazard 1" and "Hazard 2" in the middle, "Accident" on the right; the arrows from Safe to the hazards are labelled SO1 and SO2, the arrows from the hazards to Accident are labelled "SV1 = catastrophic, i.e. 100%" and "SV2 = hazardous, i.e. 1%".]

Figure 14: Example of relationship between TLS, severities and SO

The set of solutions for SO1 and SO2 is given by the blue segment in Figure 15 opposite, corresponding to the following equation: SO1 + 0.01 × SO2 = 10^-8. Two specific solutions have been highlighted (in red) in Figure 15: one corresponds to the equiprobability of occurrence of the two hazards (i.e. SO1 = SO2), the second to the equiprobability of occurrence of an accident when these hazards occur (i.e. SO1 × 100% = SO2 × 1%, hence SO1 = SO2 / 100). It is to be noted that the extremities of the segment are excluded. Indeed, if SO1 = 10^-8, then SO2 = 0, which means H2 cannot occur: this is absurd for a hazard.

[Figure 15 (plot, not reproduced): SO1 on the horizontal axis (up to 10^-8) and SO2 on the vertical axis (10^-8, 10^-7, 10^-6, logarithmic); the segment of solutions joins the two axes. Marked points: "SO1 = SO2: equiprobability of hazard occurrence", and "SO1 = 5 · 10^-9, SO2 = 5 · 10^-7: equiprobability of accident occurrence".]

Figure 15: Set of safety objectives (example with 2 hazards)

[Figure 16 (plot, not reproduced): three axes SO1, SO2 and SO3, each graduated up to 10^-8 (SO2 up to 10^-6); the set of solutions is the triangle joining the three axes.]

Figure 16: Set of safety objectives (example with 3 hazards)

18 In the absence of a universally recognized method, the NATS mapping for SCU2 to SCU4 has been used, cf. §1.7.5 for more details.


To conclude on the example, if we now add a third (catastrophic) hazard, we introduce a third dimension to the set of solutions, as shown in Figure 16 opposite. The specification of safety objectives usually requires the arbitrary split of the global target level of safety between the different hazards. Unlike what has been performed in the EUROCONTROL A-SMGCS safety case [27] or in the MUAC FHA [25] we do not feel it is acceptable at this stage of the safety assessment to (evenly or unevenly) split the global target level of safety between the different hazards. Indeed, imposing arbitrarily the equiprobability of occurrence of hazards or the equiprobability of occurrence of an accident when these hazards occur may dramatically increase the design and/or development costs. In our view, this assignment should be performed at a more detailed preliminary system safety assessment (PSSA) level, because at this step, the cheapest solution that will satisfy the target level of safety (TLS) can be selected.

3.4.2 Numerical illustration

Even though the scalar product is the only correct result, it remains rather obscure. Below is a numerical illustration of the formula, using the hypothesis of equiprobability of occurrence of hazards. Based on the hypothesis that ∀i, ∀j, SO_i = SO_j, we can deduce, from the scalar product, a global equipment safety objective for each A-SMGCS scenario implementation level (cf. Table 3-4).

A-SMGCS scenario implementation level (SIL) | Global safety objective per movement allocated to equipment | Hazards ref. | Maximum hazard severity that can occur | Global equipment safety objective (per movement) | i.e. one equipment failure leading to a hazardous (for SIL II and V) or catastrophic (for SIL III & IV) hazard every X movements
I | Not applicable (no A-SMGCS equipment) | Not identified. | n/a | n/a | n/a
II | 1.5E-09 | HZ-01, HZ-05, HZ-10, HZ-25, HZ-26 | Hazardous | 1.50E-07 | 6 673 333
III | 3.5E-09 | HZ-02, HZ-06, HZ-11, HZ-14, HZ-17, HZ-20, HZ-25, HZ-26 | Catastrophic | 3.43E-09 | 291 717 143
IV | 4.5E-09 | HZ-03, HZ-07, HZ-12, HZ-15, HZ-18, HZ-21, HZ-25, HZ-26, HZ-27 | Catastrophic | 4.49E-09 | 222 895 556
V | 5.5E-09 | HZ-04, HZ-08, HZ-09, HZ-13, HZ-16, HZ-19, HZ-22, HZ-23, HZ-24, HZ-25, HZ-26, HZ-27 | Hazardous | 4.21E-07 | 2 372 727

Table 3-4: Safety objectives per scenario implementation level

In this numerical illustration, for an A-SMGCS scenario implementation level II, an equipment failure leading to a hazardous condition may occur every 6,673,333 movements, i.e. more or less every 12 years on large airports such as Amsterdam-Schiphol, London-Heathrow, Fraport or Paris-CDG (assuming an average of 560,000 movements per year). For an A-SMGCS SIL III, an equipment failure leading to a catastrophic hazard may occur every 291,717,143 movements, i.e. more or less every 520 years on the same airports.

3.4.3 Cross-check of numerical illustration

The above numerical illustration is only one solution amongst an infinite number of valid solutions, but whatever the final choice (based on design and implementation choices), it should always be checked that it is compatible with our risk classification scheme (cf. Table 3-5).
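The two steps described in 3.4.2 and 3.4.3 (allocate the global objective equally across the hazards of one implementation level, then check that the result fits the risk classification scheme) are carried out below in a small Python illustration added by the editor; it is not code from the EMMA project or from this report. It reads the report's "scalar product" as Σ Pe_i · SO_i = global safety objective allocated to equipment, with Pe_i the probability that hazard i generates its effect (an assumed reading, since the formula itself is not reproduced on this page). The Pe values per severity class, the RCS upper bounds and the treatment of all SIL II hazards as Hazardous are constructed assumptions, so the SIL II figures come out close to, but not identical with, the 6 673 333 movements of Table 3-4.

```python
"""Equiprobable allocation of a global safety objective across hazards and
cross-check against a risk classification scheme (RCS).

Added illustration, not EMMA project code. The formula, the Pe values and
the RCS bounds are assumptions stated in the comments below.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ASSUMPTION: probability Pe that a hazard, once it has occurred, generates
# its effect. A catastrophic hazard is taken to always do so, a hazardous
# one in 1 case out of 100. Constructed values, not the report's.
PE_BY_SEVERITY: Dict[str, float] = {
    "Catastrophic": 1.0,
    "Hazardous": 1e-2,
}

# Upper bound on the tolerable probability of occurrence per movement for
# each severity class, as read from the RCS text of section 3.4.3:
# catastrophic of the order of 1E-9, hazardous of the order of 1E-7 to 1E-9.
RCS_MAX_PROBABILITY: Dict[str, float] = {
    "Catastrophic": 1e-9,
    "Hazardous": 1e-7,
}


@dataclass(frozen=True)
class Hazard:
    ref: str       # e.g. "HZ-01"
    severity: str  # key of PE_BY_SEVERITY

    @property
    def pe(self) -> float:
        return PE_BY_SEVERITY[self.severity]


def equiprobable_hazard_objective(global_so: float, hazards: List[Hazard]) -> float:
    """Solve sum_i(Pe_i * SO_i) = global_so under SO_i = SO_j for all i, j.

    The left-hand side is the scalar product of the Pe vector and the SO
    vector (assumed reading of the report's formula); with all SO_i equal
    it collapses to SO * sum(Pe_i).
    """
    if not hazards:
        raise ValueError("at least one hazard is needed to allocate an objective")
    return global_so / sum(h.pe for h in hazards)


def scalar_product_holds(global_so: float, per_hazard_so: float,
                         hazards: List[Hazard], rel_tol: float = 1e-9) -> bool:
    """Verify that the allocation reproduces the global objective."""
    lhs = sum(h.pe * per_hazard_so for h in hazards)
    return abs(lhs - global_so) <= rel_tol * global_so


def equipment_objective(per_hazard_so: float, hazards: List[Hazard]) -> float:
    """Probability per movement that any of the hazards occurs: sum of SO_i."""
    return per_hazard_so * len(hazards)


def movements_between_failures(probability_per_movement: float) -> int:
    """'One equipment failure every X movements' as expressed in Table 3-4."""
    return round(1.0 / probability_per_movement)


def years_between_failures(probability_per_movement: float,
                           movements_per_year: int = 560_000) -> float:
    """Same interval in years at the report's 560 000 movements per year."""
    return movements_between_failures(probability_per_movement) / movements_per_year


def rcs_violations(per_hazard_so: float, hazards: List[Hazard]) -> List[Tuple[str, float, float]]:
    """Cross-check of 3.4.3: every SO_i must stay within the RCS bound for its
    severity. Returns (ref, SO_i, bound) for each hazard that exceeds it."""
    return [(h.ref, per_hazard_so, RCS_MAX_PROBABILITY[h.severity])
            for h in hazards if per_hazard_so > RCS_MAX_PROBABILITY[h.severity]]


def allocate(global_so: float, hazards: List[Hazard]) -> dict:
    """Run the whole numerical illustration for one implementation level."""
    so_i = equiprobable_hazard_objective(global_so, hazards)
    eq_so = equipment_objective(so_i, hazards)
    return {
        "per_hazard_so": so_i,
        "equipment_so": eq_so,
        "movements": movements_between_failures(eq_so),
        "years": years_between_failures(eq_so),
        "scalar_product_ok": scalar_product_holds(global_so, so_i, hazards),
        "rcs_violations": rcs_violations(so_i, hazards),
    }


# Constructed sample: the SIL II row of Table 3-4 (global objective 1.5E-09,
# five hazards); all five are taken as Hazardous since the table only gives
# the maximum severity of the set.
SIL_II_GLOBAL_SO = 1.5e-9
SIL_II_HAZARDS = [Hazard(ref, "Hazardous")
                  for ref in ("HZ-01", "HZ-05", "HZ-10", "HZ-25", "HZ-26")]

if __name__ == "__main__":
    for key, value in allocate(SIL_II_GLOBAL_SO, SIL_II_HAZARDS).items():
        print(f"{key}: {value}")
```

With these assumptions the SIL II allocation gives SO_i = 3E-08 per hazard, an equipment objective of 1.5E-07 per movement, one failure every 6 666 667 movements (about 12 years at 560 000 movements per year) and no RCS violation; feeding the whole SIL III objective of 3.5E-09 to a single catastrophic hazard, by contrast, is flagged because it exceeds the 1E-9 bound.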

Functional Hazard Assessment and very Preliminary System Safety Assessment Report
Save Date: 2006-10-11 Public 64 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Probability of occurrence: Frequent | Reasonably probable | Remote | Extremely remote | Extremely improbable

Quantitative definition (per movement): 1 | 10^-1 | 10^-2 | 10^-3 | 10^-4 | 10^-5 | 10^-6 | 10^-7 | 10^-8 | 10^-9

Qualitative definition:
- May occur once or several times during the system's operational life.
- Unlikely to occur during the total operational life of each system, but may occur several times when considering several systems of the same type.
- Unlikely to occur when considering several systems of the same type, but nevertheless has to be considered as being possible.
- Should virtually never occur.

Severity class: No effect | Minor | Major | Hazardous | Catastrophic

Table 3-5: Risk classification scheme

Table 3-5 requires that catastrophic events have a probability of occurrence of the order of 10^-9 (i.e. should virtually never happen) and that hazardous events have a probability of occurrence of the order of 10^-7 to 10^-9 (i.e. should be unlikely to occur even when considering several systems of the same type but nevertheless have to be considered as being possible). Results provided in Table 3-4 are of the right order of magnitude, and therefore increase the confidence we have in our analysis.

3.4.4 Cross-check with EUROCONTROL A-SMGCS safety case

The mapping of the EUROCONTROL A-SMGCS safety case hazards to the EMMA hazards is not straightforward, so results are difficult to compare. Let us just point out that EMMA really highlights the issue of undetected failures (whatever the function: position or identification) with a very stringent safety objective on misuse. The logic behind this is the assumption that the controller(s) can revert to aerodrome ATC using a "safe" SMGCS if the A-SMGCS is detected as failed. Therefore the main risk of A-SMGCS is misusing corrupted A-SMGCS data, (more or less) whatever the origin and nature of the corrupted data. For more details on the comparison with the EUROCONTROL A-SMGCS safety case, please refer to appendix F.


4 Recommendations

4.1 Recommendations for the specification, design and development

During the functional hazard assessment and the very preliminary system safety assessment a number of features have been identified as being uncommon but critical to safety. They have been gathered together below. The recommendations should be analysed in detail with respect to the system / segment specification and system / segment design documents. If appropriate, they may become safety requirements.

- Choice of input device equipment should allow technical monitoring.
- Choice of input device equipment should allow online replacement.
- Choice of input device equipment should favour independent input devices (e.g. avoid mouse connected to keyboard).
- Upon HMI input failure detection, the HMI should automatically switch to a default configuration set-up, so as to avoid leaving the HMI in a configuration improper for control.
- In case of inconsistent data received by the surveillance data fusion (from the planning with respect to data received from the co-operative sensors) an alert (19) should be raised.
- In case of missing flight plan, manual labelling should be very easy (i.e. simply by typing the call sign) in order not to force the controller to quit automation support.
- When defining the procedure for A-SMGCS clearance delivery, read-back, whether electronic or via voice, should ensure that a clearance downlink corruption should not go undetected in the uplink connection.
- The contingency procedure to be defined for flight plan updates during planning input failure should prescribe minimal updates to keep the system consistent and ease synchronization.
- The loss of the planning function should automatically disable guidance.
- In case of aerodrome mapping database (AMDB) failure, the controller, pilots & drivers should be able to manually update the dynamic status of operational parts of the aerodrome on their display systems (display impact only for the CWP).
- When a specific co-operative sensor is known to provide corrupted data, the control authority should be able to selectively disconnect it.
- Fused sensor data is currently seen as the sole input to the traffic monitoring and alerting function. Re-configuration to a single sensor input in case of sensor fusion failure may represent an interesting back-up solution.
- Fused sensor data is currently seen as the sole input to the TIS-B function. Re-configuration to a single sensor input in case of sensor fusion failure may represent an interesting back-up solution.

(19) This is not related to the "conformance monitoring" function, but deals with integrity monitoring.


- Automated guidance should not depend only upon surveillance data. Guidance should depend on clearance inputs by the controller.
- The guidance function should send & apply positive command instructions (e.g. turn it on / off), independently from the guidance means' current state (e.g. not set inverse of current state).
- The supervisor should be able to disconnect external flight plan data processing system (FDPS) inputs.
- Automation requires the introduction of new procedures for recovery from fault modes, as well as training and practice.
- Abuse of automation (i.e. managing more traffic than the controller will be able to cope with during a failure recovery) should be prevented, either through adequate training of the supervisor, or through automated equipment alerting when the traffic conditions imply that recovery in case of equipment failure might be difficult.

4.2 Recommendations to the ICAO manual on A-SMGCS

Analysis of the ICAO manual on advanced surface movement guidance and control systems [32] has led us to provide the following recommendations with respect to the contents of the manual.

- The terms system and equipment should be used with more discernment.
- In the ICAO implementation level table, the "X" in conflict prediction and/or detection means that a conflict is detected but not solvable in visibility 3. How can that be used? ICAO should clarify what is meant here.
- The conclusions of this functional hazard assessment (FHA) appear to be paradoxical in the sense that, as the A-SMGCS SIL (scenario implementation level) increases, the most worrying hazard severity classification decreases. Some consideration ought to be given to the introduction of on-board functions in lower levels to act as internal mitigation of catastrophic severity risks.

Some typos were also noted, in particular:

- In §4.5.1 (control requirements), the manual reads: "The probability of false alert (PFA) should be less than 10^3." This should be corrected to: "The probability of false alert (PFA) should be less than 10^-3."

4.3 Recommendations for the adaptation of the functional hazard assessment and very preliminary system safety assessment to a specific environment

The work presented in this document is generic. It is not directly applicable and should not be directly applied to any aerodrome. It provides a good insight into what a site specific functional hazard assessment (FHA) may look like, and it provides an approximate value for the expected safety objectives. For a site-specific study, we recommend that the preliminary system safety assessment (PSSA) part be pushed a bit further than what has been performed in this document. In particular, we recommend that the following topics be addressed:

- Object of the evolution (compared to the pre-existing system, and compared to the current level of safety);
- System scope and interfaces (including environment description);
- Organisation (including authority jurisdictions, and system deployment steps);


- Commissioning (including related risks, commissioning procedures, training);
- Risk classification scheme (RCS) should be approved or adapted;
- Safety objectives and safety requirements including:
  - Applicable standards and documents;
  - Site specific hazard identification, severity allocation, safety objective determination;
  - Safety evaluation (e.g. based on a fault tree analysis, mean time to failure (MTTF) and mean time to repair (MTTR) provided by the A-SMGCS supplier), including the list of actions to undertake in order to ensure the target level of safety; such actions may be the design of new control procedures, a specific set of tests or requirements for more system redundancy;
- Study of the transition phase, including system implementation steps and civil works, system configuration and on-site optimisation, list of actions to undertake until commissioning.


5 Notes

5.1 Acronyms

The following abbreviations are used in this document. Their meanings are as shown below.

ACARS Aircraft Communication(s) Addressing and Reporting System
ADEXP ATS Data Exchange Presentation
ADS-B Automatic Dependent Surveillance - Broadcast
AENA ente público Aeropuertos Españoles y Navegación Aérea
AFTN Aeronautical Fixed Telecommunication Network
AGDL Air-Ground Data Link
AGFA Air-Ground Functional Architecture
AHA Aviation Hazard Analysis
AI Airbus
AIDC ATS Inter-facility Data Communications
AIS Aeronautical Information System
ALS Airfield Lighting System
AMAN Arrival Manager
AMDB Aerodrome Mapping Database
ANS Air Navigation System
ANS_CR Air Navigation Systems of the Czech Republic
AODB Airport Operational Database
APATSI Airport / Air Traffic Systems Interface
ASM Air Space Management
A-SMGCS Advanced-SMGCS
ASTERIX All purpose STructured Eurocontrol Radar Information eXchange
ATAS Airport & Terminal Automation System
ATC Air Traffic Control
ATCO Air Traffic Controller
ATFM Air Traffic Flow Management
ATIS Automatic Terminal Information Service
ATM Air Traffic Management
ATS Air Traffic Management Services
AUEB Athens University of Economics and Business
AVISO Aide à la VIsualisation au SOl
AVOL Aerodrome Visibility Operational Level
BAES BAE Systems Avionics Limited
C-ATM Co-operative Air Traffic Management
CDG Charles-de-Gaulle
CDTI Cockpit Display of Traffic Information
CFMU Central Flow Management Unit
CNS Communication, Navigation And Surveillance
CPDLC Controller Pilot Data Link Communication
CSA Czech Airlines
CSCI Computer Software Configuration Item
CSL Česká správa letišť, s.p.; Czech Airports Authority
CWP Controller Working Position
DAP Download Aircraft Parameter(s)


DAV Diehl Avionik
DFS Deutsche Flugsicherung GmbH
DGPS Differential GPS
DGS Docking Guidance System
DLR Deutsches Zentrum für Luft und Raumfahrt
DMAN Departure Manager
DSNA Direction des Services de la Navigation Aérienne
EATMP European Air Traffic Management Programme
EEC EUROCONTROL Experimental Centre
EFB Electronic Flight Bag
EFS Electronic Flight Strip
ENAV Ente Nazionale Assistenza al Volo
ESARR EUROCONTROL Safety Regulatory Requirement
ETG EuroTelematik AG
EU European Union
EUROCAE European Organisation for Civil Aviation Equipment
EUROCONTROL EUROpean organisation for the safety of air navigation
EVS Enhanced Vision System
FDPS Flight Plan Data Processing System
FHA Functional Hazard Assessment
FHAR FHA Report
FIS-B Flight Information Service - Broadcast
FMEA Fault Mode and Effect Analysis (previously Failure Modes and Effects Analysis)
GBAS Ground Based Augmentation System
GNSS Global Navigation Satellite System
GPS Global Positioning System
GSC General Safety Concept
HUD Head Up Display
HZ Hazard
ICAO International Civil Aviation Organisation
IFATCA International Federation of Air Traffic Controllers Association
IFSA Institut Français de la Sécurité aérienne
INS Inertial Navigation System
IRP Integrated Risk Picture
IRS Inertial Reference System
KOM Kick Off Meeting
LHR London-Heathrow
LVC Low Visibility Condition
MASPS Minimum Aviation System Performance Standards
MD Messier Dowty Ltd.
MLAT Multilateration
MTCD Medium Term Conflict Alert
MUAC Maastricht Upper Area Control Centre
NATS National Air Traffic Services (UK)
NEAN North European ADS-B Network
NESS Noise Monitoring System
NLR Nationaal Lucht- en Ruimtevaart Laboratorium
NMS Noise Monitoring System
NOTAM NOTice to AirMen
NTP Network Time Protocol
NUP NEAN Update Programme


OE Operational Effect
OHA Operational Hazard Assessment
OLDI On-Line Data Interchange
ORD Operational Requirements Document
OSED Operational Service And Environment Description
OSI Open System Interconnection
PAS Park Air Systems AS
Pe Probability of generating the effects (of a hazard)
PFA Probability of False Alert
PLS Product Line Strategy
POC Point of Contact
Pr Probability
PSR Primary Surveillance Radar
PSSA Preliminary SSA
RDPS Radar Data Processing System
REC Record
RVR Runway Visual Range
RWY Runway
S&G Stand & Gate
SBAS Space Based Augmentation System
SC Severity Classification
SCA Surface Conflict Alert
SCU Severity Classification Undeveloped
SDF Sensor Data Fusion
SICTA Sistemi Innovativi per il Controllo del Traffico Aereo
SIL Scenario Implementation Level (other name for ICAO A-SMGCS implementation level)
SMAN Surface Manager
SMGCS Surface Movement, Guidance And Control System
SMR Surface Movement Radar
SO Safety Objective
SP Sub-Project
SPR Safety And Performance Requirements
SRC Safety Regulation Commission
SSA System Safety Assessment
SSR Secondary Surveillance Radar
SSS System / Segment Specification
STAR Star Alliance
STCA Short Term Conflict Alert
STNA Service Technique de la Navigation Aérienne
TATM Thales Air Traffic Management
TCAS Traffic Alert And Collision Avoidance System
THAV Thales Avionics
TIS-B Traffic Information Service - Broadcast
TMA Terminal Manoeuvring Area
TREN Transport & Energy
TRS Task Requirements Sheet
TUD Technische Universität Darmstadt
TWR Tower
UAT Universal Access Transceiver
UTA Union de Transports Aériens
VCS Voice Communication System


VDL VHF Data Link
VHF Very High Frequency
WG Working Group
WP Work-Package

5.2 Term definitions

ASMGCS-DEF-001

Abuse of Automation Definition

Abuse refers to an inappropriate application of automation by designers and managers or to inappropriate usage of automation by operators. [2] See also use, misuse, and disuse of automation.

ASMGCS-DEF-002

Accident Definition

An accident is an occurrence associated with the operation of an aircraft, which takes place between the time any person boards the aircraft with the intention of flight until such time as all such persons have disembarked, in which:

- a person is fatally or seriously injured as a result of:
  - being in the aircraft, or
  - direct contact with any part of the aircraft, including parts which have become detached from the aircraft, or
  - direct exposure to jet blast,
  except when the injuries are from natural causes, self-inflicted or inflicted by other persons, or when the injuries are to stowaways hiding outside the areas normally available to the passengers and crew; or
- the aircraft sustains damage or structural failure which:
  - adversely affects the structural strength, performance or flight characteristics of the aircraft, and
  - would normally require major repair or replacement of the affected component,
  except for engine failure or damage, when the damage is limited to the engine, its cowlings or accessories; or for damages limited to propellers, wing tips, antennas, tires, brakes, fairings, small dents or puncture holes in the aircraft skin; or
- the aircraft is missing or is completely inaccessible.

Note 1. For statistical uniformity only, an injury resulting in death within thirty days of the date of the accident is classified as a fatal injury by ICAO.
Note 2. An aircraft is considered to be missing when the official search has been terminated and the wreckage has not been located.

This definition, together with the notes, is extracted from [19], and is consistent with ICAO Appendix 13.

ASMGCS-DEF-003

Aerodrome Layout Definition

An aerodrome layout is said to be basic when it has one runway with one taxiway to one apron area. An aerodrome layout is said to be simple when it has one runway, more than one taxiway to one or more apron areas. An aerodrome layout is said to be complex when it has more than one runway, many taxiways to one or more apron areas.


ASMGCS-DEF-004

Aircraft Equipment Definition

The aircraft equipment co-operating with the ground A-SMGCS equipment in performing its related functions includes:

1. communication equipment such as voice / radio telephony & data link; such equipment establishes point-to-point communication;
2. surveillance equipment implementing automatic dependent surveillance broadcast (ADS-B) such as:
   - mode S transponder through extended squitter,
   - universal access transceiver (UAT) - in development,
   - VDL mode 4 - in development;
3. airport navigation equipment such as a "moving map" that provides an accurate representation of the airport configuration to the pilots, including unambiguous identification of airport objects (gates, taxiways, etc.).

ASMGCS-DEF-005

Air Navigation System Definition

An air navigation system is an aggregate of organisations, people, infrastructure, equipment, procedures, rules and information used to provide the airspace users air navigation services in order to ensure the safety, regularity and efficiency of international air navigation. [2]

ASMGCS-DEF-006

Air Traffic Management Service Definition

An air traffic management service is a service for the purpose of air traffic management. [19]

ASMGCS-DEF-007

Air Traffic Management System Definition

An air traffic management system is a part of an air navigation system, composed of a ground-based air traffic management (ATM) component and an airborne ATM component.

Notes:
a. The ATM system includes the three constituent elements: human, procedures and equipment (hardware and software).
b. The ATM system assumes the existence of a supporting communication, navigation and surveillance system. [19]

ASMGCS-DEF-008

Air Traffic Management Definition

The aggregation of ground based (comprising variously ATS, ASM, ATFM) and airborne functions required to ensure the safe and efficient movement of aircraft during all appropriate phases of operations. [19]

ASMGCS-DEF-009

Alert Definition

An alert is a report of an existing or pending situation during aerodrome operations (i.e. traffic alert situation, planning alert), or an indication of abnormal A-SMGCS operation, that requires attention and / or action. Note.- Priority levels of alerts are dependent upon specific application. In this document, the term alert covers 3 levels, which are, from least to most important: information (messages), warnings and alarms.


ASMGCS-DEF-010

Assessment Definition

An assessment is an evaluation based on engineering, operational judgement and/or analysis methods. [2]

ASMGCS-DEF-011

Assurance Definition

All planned and systematic actions necessary to provide adequate confidence that a product or service satisfies given requirements. [ARP 4754] [2]

ASMGCS-DEF-012

Automation Definition

Automation is replacement of a human function, either manual or cognitive, with a machine function (usually a computer). [2] The SAM guidance material B on automation issues [2] defines ten levels of automation:

1. The computer offers no assistance: the human must take all decisions and actions.
2. The computer offers a complete set of decision/action alternatives.
3. The computer narrows the selection of decision/action alternatives down to a few.
4. The computer suggests one decision/action alternative.
5. The computer executes the suggested decision/action if the human approves it.
6. The computer allows the human a restricted time to veto before automatic execution of a decision/action.
7. The computer executes automatically the decision/action, and then necessarily informs the human.
8. The computer executes automatically the decision/action, and informs the human only if asked.
9. The computer executes automatically the decision/action, and informs the human only if it decides to.
10. The computer decides everything and acts autonomously, ignoring the human.

See also use, misuse, disuse and abuse of automation.

ASMGCS-DEF-013

Communication, Navigation and Surveillance System Definition

A communication, navigation and surveillance (CNS) system is all the hardware and software that make up a function, tool or application that is used to provide one or more air traffic management services. The CNS system is an enabler to the provision of ATM services. [19]

ASMGCS-DEF-014

Credible Case Definition

Credible implies that it is not unreasonable to expect to experience this combination of extreme conditions within the operational lifetime of the system so that such scenario leading to generate such an effect has to be considered. The word “credible” could lead to difficulties of interpretation, as what is meant is: a combination being “a believable scenario” or “being reasonably pessimistic”. So it obviously includes a subjective part (which should be reduced as much as possible by provision of rationale, field experience data...) and requires expert judgement. So other words such as “realistic” or “reasonable” could have been chosen instead of “credible”. [2]


ASMGCS-DEF-015

Criticality Definition

Criticality is synonymous to severity. Use within this document should be avoided.

ASMGCS-DEF-016

Disuse of Automation Definition

Disuse refers to under-utilisation of automation. [2] See also use, misuse and abuse of automation.

ASMGCS-DEF-017

External Event Definition

An external event is an occurrence that has its origin distinct from the considered system. [2]

ASMGCS-DEF-018

Failure Definition

A failure is the inability of an air navigation system to perform its intended function or to perform it correctly within specified limits. [2] The causes of a function failure are numerous and often irrelevant in a functional hazard assessment, but the ways in which a failure reveals itself (at the function's output) can be modelled, in order to analyse the effects on the air navigation system. The former are called fault modes, the latter hazards. Note that some fault modes may not have any effect for the operators, and so, are not related to any hazard.

Note: the CEI 60050-191 (2002) additionally specifies that a failure is an event, as distinguished from a fault, which is a state. A failure is the transition from a safe state to an abnormal state called "fault".

ASMGCS-DEF-019

Fault Mode (previously Failure Mode) Definition

A failure of a particular function may manifest itself in a number of different ways. The fault mode is the manner in which the function failure reveals itself. In this document, referring to equipment failure only, the following models are used to designate fault modes:

- "Loss of ...", when referring to the total function loss, as normally provided by the equipment;
- "Temporary interruption of ...", when referring to a certain duration during which the function is not provided by the equipment, but below the duration above which it is declared lost;
- "Corruption of ..." in all the other cases, including receipt of unexpected data, partial losses, and overflows; where and when applicable (i.e. mainly for periodic data flows), this fault mode is declared only when the time to alert (i.e. the time during which corruption is allowed) is exceeded.

Further, for all fault modes, the two cases "without detection" and "with detection" are analysed separately.

ASMGCS-DEF-020

Hazard Definition

A hazard is any condition, event, or circumstance that could induce an accident [2][19]. A hazard is anything that might negatively influence safety. A hazard is an event/state that may lead to a dangerous situation, or hamper resolution of such a situation, possibly in combination with other hazards or under certain conditions. It is important to note that the notion of hazard is defined in relation to safety. This makes it a much more general notion than "something going wrong", which is rather related to reliability [2]. However, it is the feeling of the authors that this definition is improper, because it is much too vague. For more details on what is considered as a hazard in this document, please refer to appendix E.

ASMGCS-DEF-021

Incident Definition

An occurrence, other than an accident, associated with the operation of an aircraft, which affects or could affect the safety of operation.

ASMGCS-DEF-022

Layout Complexity Definition

Please refer to Aerodrome Layout definition.

ASMGCS-DEF-023

Misuse of Automation Definition

Misuse refers to over-reliance on automation and inadequate monitoring of automated systems. [2] Monitoring studies indicate that automation failures are difficult to detect if the operator's attention is engaged elsewhere. See also use, disuse and abuse of automation.

ASMGCS-DEF-024

Mitigation (or Risk Mitigation) Definition

Risk mitigation is the steps taken to control or prevent a hazard from causing damage, and to reduce risk to a tolerable or acceptable level. [19]

ASMGCS-DEF-025

Probability of Occurrence (of a Hazard) Definition

The probability of occurrence of a hazard is defined in both qualitative and quantitative terms in the table below. In certain applications numerical analysis may not be practical, e.g. the rate of failure of a human cannot be expressed numerically with confidence. Also, qualitative assessment may be sufficient for hazards whose severity is classified as minor or major.


Probability of occurrence: Frequent | Reasonably probable | Remote | Extremely remote | Extremely improbable

Quantitative definition (per movement): 1 | 10^-1 | 10^-2 | 10^-3 | 10^-4 | 10^-5 | 10^-6 | 10^-7 | 10^-8 | 10^-9

Qualitative definition:
- May occur once or several times during the system's operational life.
- Unlikely to occur during the total operational life of each system, but may occur several times when considering several systems of the same type.
- Unlikely to occur when considering several systems of the same type, but nevertheless has to be considered as being possible.
- Should virtually never occur.

Table 5-1: Definition of the probability of occurrence

Note: Some risks are dependent on the number of hours that an aircraft is exposed to risk. For aerodrome operations it is usually more appropriate to use "per operation" (instead of "per flight hour"), as system functionality is not normally time-dependent.

ASMGCS-DEF-026

Procedure Definition

Procedures are written procedures and instructions used by air traffic control (ATC) personnel in the pursuance of their duties directly in connection with the provision of the air traffic management services.

Note: ATC procedures include the control and handling of traffic including transfer of control, the application of separation criteria, resolution of conflicts, methodologies for maximising traffic flows and general communication between controllers and between pilots and controllers. Procedures include also how particular ATC tasks are executed using available equipment and action in the event of equipment failure so as to mitigate their effects. [19]

Other procedures, e.g. maintenance procedures directly related to the objective of maintaining system integrity, availability or continuity, are not within the scope of this document.

ASMGCS-DEF-027

Recovery Definition

Failure recovery in an automation perspective is the operator's ability, in case of automation failure:
- to manage unexpected failures of the automation,
- to continue the operation manually [2].

ASMGCS-DEF-028

Residual Risk Definition

Residual risk is the risk that remains where risk reduction by design (i.e. prevention or reduction of hazards by proper choice of some design characteristics, and limitation of users' exposure to hazards) and safeguarding (i.e. use of specific technical means in order to protect users against hazards) do not, or only partially, cover the risk.


ASMGCS-DEF-029

Risk Definition

A risk is the combination of the probability or frequency of occurrence (20) of a defined hazard and the magnitude of the consequences (i.e. severity) of the occurrence [2]. A risk classification scheme is a means of classifying risk by combining pre-defined categories for consequence severity and probability of occurrence. The following risk classification scheme (or risk tolerability matrix) is defined for this document.

Probability of occurrence: Frequent | Reasonably probable | Remote | Extremely remote | Extremely improbable

Severity class: No effect | Minor | Major | Hazardous | Catastrophic

Table 5-2: Risk classification scheme

Risk assessment is an assessment to establish that the achieved or perceived risk is acceptable or tolerable. An acceptable or tolerable risk is a willingness to live with a risk so as to secure certain benefits and in the confidence that it is being properly controlled. To accept or tolerate a risk means that it is not regarded as negligible or something that might be ignored, but rather as something that needs to be monitored and reduced if possible. Acceptable and tolerable can be seen as synonyms, however in practice, the tolerable risk will be defined by the regulator, whilst the acceptable risk will be defined by the air navigation service provider (and will of course comply with the regulator's request). As good practice, an order of magnitude will separate the acceptable from the tolerable risk.

ASMGCS-DEF-030

Risk Mitigation Definition

Cf. mitigation.

ASMGCS-DEF-031

Safety Definition

Safety is freedom from unacceptable risk. [2] In other words, safety is the expectation that a system does not, under defined conditions, lead to an accident. We can distinguish between three safety contexts:
- occupational health & safety,
- personnel & environment safety,
- operational safety.
Occupational health & safety involves the identification and mitigation of hazards in the workplace that are, or may be, directly injurious to human health. Personnel & environment safety is known as "product safety" in the industry. By requirement of criminal law, personnel & environmental safety is the expectation that throughout its lifecycle a system, or any constituent part, does not have unreasonable harmful effects on those who interact with it, e.g. user, maintainer, property, or the wider environment. This applies in manufacture, installation, operation, maintenance, modification and disposal.

(20) In our formula, exposure time is assumed to be incorporated in the probability or frequency of occurrence.


Operational safety is concerned with the overall effects of the system. The scope is wider than personnel & environmental safety in that the application of the system shall be safe. Thus operational safety encompasses all those who are affected by the use of the system, not just the users and maintainers.

ASMGCS-DEF-032

Safety Assurance Definition

Safety assurance is all planned and systematic actions necessary to provide adequate confidence that a product, a service, an organisation or a system achieves acceptable or tolerable safety. [19]

ASMGCS-DEF-033

Safety Objective Definition

A safety objective is a qualitative or quantitative statement that defines the maximum frequency or probability at which a hazard can be expected to occur. [19]

ASMGCS-DEF-034

Safety Requirement Definition

A safety requirement is a risk mitigation means, defined from the risk mitigation strategy, which achieves a particular safety objective. Safety requirements may take various forms, including organisational, operational, procedural, functional, performance, and interoperability requirements or environment characteristics. [19]

ASMGCS-DEF-035

Severity Definition

Severity is the level of effect/consequences of hazards on the safety of flight operations (i.e. combining level of loss of separation and degree of ability to recover from the hazardous situation). [19] Note – Severity applies to hazard effects, not to hazards.

ASMGCS-DEF-036

Severity Class (or Category) Definition

Severity class is a gradation, ranging from 1 (most severe) to 5 (least severe), as an expression of the magnitude of the effects of hazards on flight operations. [19]


Severity class 5: No impact
Effect on operations: No immediate effect on safety
Examples: (none)

Severity class 4: Minor
Effect on operations: Significant incidents
Examples: Nuisance. Operating limitations: emergency procedures.

Severity class 3: Major
Effect on operations: Major incidents
Examples: A significant reduction in safety margins. A reduction in the ability of the flight crew to cope with adverse operating conditions as a result of increase in workload or as a result of conditions impairing their efficiency. Injury to occupants.

Severity class 2: Hazardous
Effect on operations: Serious incidents
Examples: A large reduction in safety margins. Physical distress or a workload such that the flight crew cannot be relied upon to perform their tasks accurately or completely. Serious injury or death of a relatively small proportion of the occupants.

Severity class 1: Catastrophic
Effect on operations: Accidents
Examples: The loss of an aircraft. Multiple fatalities.

Table 5-3: Severity classification scheme

For this document, it is measured on the reference scale given in Table 5-2.

ASMGCS-DEF-037

System Definition

A combination of physical components, procedures and human resources organised to perform a function. [19]

ASMGCS-DEF-038

Target Level of Safety Definition

The target level of safety is the probability of an accident (fatal or hull loss) during aircraft movement on the aerodrome. [32]

ASMGCS-DEF-039

Traffic Density Definition

Traffic density is said to be light when there are no more than 15 take-off or landing operations per runway or typically less than 20 total aerodrome movements per hour. Traffic density is said to be medium when there are 16 to 25 take-off or landing operations per runway or typically between 20 and 35 total aerodrome movements per hour. Traffic density is said to be heavy when there are 26 or more take-off or landing operations per runway or typically more than 35 total aerodrome movements per hour.

ASMGCS-DEF-040

Use of Automation Definition

Use refers to the voluntary activation or disengagement of automation by human operators. [2] See also misuse, disuse and abuse of automation.


ASMGCS-DEF-041

Verification Definition

Verification is confirmation by examination and provision of objective evidence that the requirements have been fulfilled. [ISO 8402]

ASMGCS-DEF-042

Validation Definition

Validation is confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled. [ISO 8402]

ASMGCS-DEF-043

Visibility Condition Definition

Visibility condition 1 is defined as a visibility sufficient for a pilot to taxi and to avoid collision with other traffic on taxiways and at intersections by visual reference, and for the control authority to exercise control over all traffic on the basis of visual surveillance. Visibility condition 2 is defined as a visibility sufficient for a pilot to taxi and to avoid collision with other traffic on taxiways and at intersections by visual reference, but insufficient for the control authority to exercise control over all traffic on the basis of visual surveillance. Visibility condition 3 is defined as a visibility sufficient for a pilot to taxi, but insufficient for a pilot to avoid collision with other traffic on taxiways and at intersections by visual reference, and insufficient for the control authority to exercise control over all traffic on the basis of visual surveillance. For taxiing, this is normally taken as visibility equivalent to an RVR of less than 400 m but more than 75 m. Visibility condition 4 is defined as a visibility insufficient for the pilot to taxi by visual guidance only. This is normally taken as an RVR of 75 m or less.

ASMGCS-DEF-044

Worst Case Definition

Worst means the most unfavourable conditions – e.g. extremely high levels of traffic or extreme weather disruption. [2]


(End of main document)


Appendices to the

FUNCTIONAL HAZARD ASSESSMENT AND VERY PRELIMINARY SYSTEM SAFETY ASSESSMENT

REPORT

Ref. number: D1.3.9


Appendix A - Functional decomposition

Ref. number: D1.3.9


Objectives

According to the ICAO manual on A-SMGCS [32], “an A-SMGCS should support the following primary functions: a) surveillance; b) routing; c) guidance; and d) control.” It is noted that “communication is considered to be an integral part of each of the primary functions.” To keep this report simple and generic, the granularity of the functional decomposition has been limited to only one level beneath the level of primary functions. In addition, the controller working position has been highlighted as a stand-alone function, and the following three technical functions have been retained: time management, technical supervision and recording. The complete high-level view is given in Figure 3, page 25.

Justifications

Since the objective of this document is not to perform a functional analysis but a functional hazard assessment, the complete analysis process leading to the A-SMGCS functional decomposition is not described herein. Only the result is given in the following tables. It should however be explained that the decomposition is driven by technical considerations. Thus, if it is known that different functions (e.g. track maintenance, velocity assessment, track / flight plan association, etc.) are handled by the same piece of software or hardware, then these functions are known to work or fail as a coherent group, and are thus presented here as a single function. Breakdown has also been limited to keep it simple and comprehensive.

Table columns: Function ref.; Primary function name; Secondary function name; Brief description; Comment.

S0: Surveillance
Brief description: According to §2.5.1 of the ICAO manual on A-SMGCS [32]: “The surveillance function of an A-SMGCS should:
- provide accurate position information on all movements within the movement area;
- provide identification and labelling of authorized movements;
- cope with moving and static aircraft and vehicles within the coverage area of the surveillance function;
- be capable of updating data needed for the guidance and control requirements both in time and position along the route; and
- be unaffected by operationally significant effects such as adverse weather and topographical conditions.”
Comment: Where possible the surveillance should extend to the aerodrome boundary. Within the areas specified above, surveillance shall be provided up to an altitude sufficient to cover missed approaches and low level operations.

S1: Surveillance / Non co-operative sensors
Brief description: Within the movement area, the non co-operative sensors sub-function shall:
- provide accurate positional information of all movements;
- cope with moving and static aircraft/vehicles.
Comment: Covers surface movement radar (SMR), normal and infrared cameras.

S2: Surveillance / Co-operative sensors
Brief description: Within the movement area, the co-operative sensors sub-function shall:
- provide accurate positional information of co-operative movements;
- provide identification on authorised co-operative movements;
- cope with moving and static aircraft/vehicles.
Comment: Covers automatic dependent surveillance broadcast (ADS-B), mode S multilateration. Includes vehicle & aircraft on-board equipment.


S3: Surveillance / Fusion
Brief description: Within the movement area, the fusion sub-function shall:
- be capable of updating accurate surveillance data required for the alerting, guidance and control requirements both in time and distance;
- be unaffected by operationally significant effects of weather and topographical features.

S4: Surveillance / Traffic movement characterisation
Brief description: Within the movement area, the traffic movement characterisation sub-function shall “understand” what the mobiles are doing.
Comment: This sub-function provides events such as aircraft entering/exiting apron or runway, aircraft pushing back, aircraft landing, etc.

Table 5-4: A-SMGCS functional decomposition – Surveillance function

Surveillance is decomposed into four sub-functions:
- non co-operative sensors,
- co-operative sensors,
- fusion,
- traffic movement characterisation.
All non co-operative sensors and all co-operative sensors are grouped, because the loss of only part of each type of sensor can be modelled as a loss on certain areas (e.g. on an airport with a main SMR, which covers the manoeuvring area, and a gap filler, which covers the apron area, the loss of the SMR gap filler can be modelled as the loss of the non co-operative sensors on the apron area). The co-operative sensors sub-function covers (in a single black box) a wide range of equipment, including on-board and ground components. Thus, failures in the data link transmissions between the on-board and ground components have to be modelled as a global failure of the co-operative sensors. The fusion function is assumed to fuse the information coming from all sensor types, and to perform a single flight plan to track association.

Table columns: Function ref.; Primary function name; Secondary function name; Brief description; Comment.

R0: Routing
Brief description: According to §2.5.2 of the ICAO manual on A-SMGCS [32]: “Either manually or automatically, the routing function should:
- be able to designate a route for each mobile within the movement area;
- allow for a change of destination at any time;
- allow for a change of a route to the same destination;
- be capable of meeting the needs of dense traffic patterns at complex aerodromes; and
- not constrain the pilot's choice of a runway exit following the landing.”
Comment: According to §2.5.2.3 of the ICAO manual on A-SMGCS [32]: “In an automatic mode, the routing function should also: a) assign routes; and b) provide adequate information to enable manual intervention in the event of a failure or at the discretion of the control authority.”

Table 5-5: A-SMGCS functional decomposition – Routing function


Routing is a simple function, which is not decomposed. Routing essentially performs itinerary search. The itinerary search is a purely computational sub-function. It can compute a route from any point to any other point on the aerodrome tarmac. It takes into account the mobile’s heading. It does not store the route.

Table columns: Function ref.; Primary function name; Secondary function name; Brief description; Comment.

G0: Guidance
Brief description: When visibility conditions are insufficient for the pilot to taxi by visual guidance only, and when the competent authorities permit operations in these visibility conditions, according to §2.5.3 of the ICAO manual on A-SMGCS [27]: “The guidance function of an A-SMGCS should:
- provide guidance necessary for any authorized movement and be available for all possible route selections;
- provide clear indications to pilots and vehicle drivers to allow them to follow their assigned route;
- enable all pilots and vehicle drivers to maintain situational awareness of their position on the assigned route;
- be capable of accepting a change of route at any time;
- be capable of indicating routes and areas either restricted or not available for use;
- allow monitoring of the operational status of all guidance aids; and
- provide on-line monitoring with alerts where guidance aids are selectively switched in response to routing and control requirements.”
Comment: According to §2.6.14.3 of the ICAO manual on A-SMGCS [32]: “Automated guidance should not be used by the system if aircraft control, conflict detection and conflict alert resolution are not available.”

G1: Guidance / Guidance control
Brief description: Decodes instructions and/or clearances provided through the planning sub-function or directly via the controller working position to effectively guide the pilots and/or vehicle drivers, using any available guidance means.

G2: Guidance / Guidance aids monitoring
Brief description: Monitors the serviceability of all guidance aids. Also provides feedback for the controls performed by the “Guidance control” sub-function.

G3: Guidance / Vehicle on-board guidance
Brief description: Provides clear indication to drivers to allow them to follow their assigned route & enables all drivers to maintain situational awareness of their position on the assigned route. Can be capable of indicating, to the driver, routes and areas either restricted or not available for use.

G4: Guidance / Traffic information service – broadcast (TIS-B)
Brief description: Provides a means to combine ground (e.g. radar) and on-board (e.g. ADS-B) surveillance data and a means of redistributing these data to controllers, pilots and drivers.

Table 5-6: A-SMGCS functional decomposition – Guidance function

Guidance is decomposed into four sub-functions:
- guidance control;
- guidance aids monitoring;
- vehicle on-board guidance;
- traffic information service – broadcast (TIS-B).


Table columns: Function ref.; Primary function name; Secondary function name; Brief description; Comment.

C0: Control
Brief description: Keeping pilots/vehicle drivers and controllers in the decision loop, the control function shall support the application of measures and allocate priorities:
- to detect conflicts and incursions, and provide resolutions;
- to ensure safe, expeditious and efficient aerodrome movement;
- to prevent conflicts and incursions.
Comment: According to §2.6.9 of the ICAO manual on A-SMGCS [32]: “Equipment which shows control data should both be fail-safe and fail-soft.”

C1: Control / Traffic monitoring & alerting
Brief description: Keeping pilots/vehicle drivers and controllers in the decision loop, the traffic monitoring & alerting sub-function shall support the application of measures and allocate priorities:
- to detect conflicts and incursions, and provide resolutions.
Comment: This function is similar to the short term conflict alert (STCA) of APP/ACC centres. It must not be used for control, but as a safety net only.

C2: Control / Planning
Brief description: Keeping pilots/vehicle drivers and controllers in the decision loop, the planning sub-function shall support the application of measures and allocate priorities:
- to ensure safe, expeditious and efficient aerodrome movement.

C3: Control / Plan monitoring and alerting
Brief description: Keeping pilots/vehicle drivers and controllers in the decision loop, the plan monitoring and alerting sub-function shall support the application of measures and allocate priorities:
- to prevent conflicts and incursions.
Comment: This function is similar to the medium term conflict detection (MTCD) of APP/ACC centres. It supports control.

Table 5-7: A-SMGCS functional decomposition – Control function

Control is decomposed into only three sub-functions:
- traffic monitoring & alerting,
- planning,
- plan monitoring and alerting.
The traffic monitoring & alerting sub-function uses only kinematic and topographic data to detect conflicts and incursions, and provide resolutions. It is totally independent from planning data. The planning sub-function is totally independent from surveillance data (i.e. planning has no surveillance inputs). The plan monitoring and alerting sub-function performs the link between the two former sub-functions.

Table columns: Function ref.; Primary function name; Secondary function name; Brief description; Comment.

O0: Other / Controller working position
Brief description: The human-machine interface (HMI) between the controller and the system.
Comment: For scenario implementation levels II and III, the controller working position is supposed to be in the tower, where there is usually no space (footnote 21) for redundancy. For higher levels, head-down controller working positions and redundancy are assumed.

O1: Other / Time management
Brief description: The time management function is in charge of the acquisition of the time provided by an external clock, and its dispatching within the A-SMGCS.
Comment: Time accuracy and the tolerable drifts are key issues that are not addressed in the ICAO manual on A-SMGCS [32].

O2: Other / Technical supervision
Brief description: This supervision is merely technical (i.e. operational alerts are managed through the control function). Technical supervision is generally twofold:
- it supervises the system,
- it sends controls / commands to the subsystems.
Comment: According to §2.7.4.3 and §2.7.4.4 of the ICAO manual on A-SMGCS [32]: “Monitoring of the performance of an A-SMGCS should be provided such that operationally significant failures are detected and appropriate remedial action is initiated to restore the service or provide a reduced level of service. Automatic positive indication of the status of the system or any operationally significant failure should be given to any aircraft, vehicle or control facility that might be affected.”

(21) Lack of space is linked to the importance of the controller's outside view: each given controller role usually needs a specific outside view.

O3: Other / Legal recording
Brief description: According to §2.6.8 of the ICAO manual on A-SMGCS [32]: “Selected data on communications control activity and display information should be recorded for accident and incident investigation. There should be a function to provide direct replay of recorded data within the operational system, as part of the requirement for immediate checking of suspect equipment and initial incident investigation.”

O4: Other / Aerodrome mapping database
Brief description: The aerodrome mapping database provides static and dynamic information on the topology, topography and toponymy (e.g. taxiway closure, runway configuration, etc.).

O5: Other / Strip printer (footnote 22)

Table 5-8: A-SMGCS functional decomposition – Other services

Note: The “other” services are a set of sundries. Therefore, the taxonomy does not follow the same hierarchical classification as the other main A-SMGCS functions.

(22) The strip printer could have been an external function, a part of the controller working position or a part of the control function. The choice to place it in the “Other” functions is arbitrary and disputable. However, this choice has no impact on the analysis, and the reader may re-locate the printer as he wishes.


Appendix B - Data and control flows

Ref. number: D1.3.9


Objectives

The objective of this appendix is to describe in a clear and non-ambiguous way the interface specifications between:
- any two functions of the A-SMGCS equipment itself (internal data or control flows),
- the A-SMGCS equipment and all the adjacent equipments (external data or control flows).
This specification is intended to be used as a baseline for the future system design and as a reference for integration and validation.

Identification of data flows

Since the objective of this document is not to perform a data & control flow analysis but a hazard assessment, the complete analysis process leading to the A-SMGCS data flow is not described herein. Only the result is given in Table 5-9. It should however be explained that the data & control flows identified herein are induced by the functional decomposition (proposed in Appendix A), which in itself was driven by technical considerations. Thus, if it is known that different data or control items (e.g. track position, track speed, track heading, etc.) are handled by the same piece of software or hardware, then these data or control items are known to flow as a coherent group, and are thus presented as a single data or control flow. This approach represents a major difference with the AGATE approach (cf. §1.7.2), which should greatly reduce the number of identified hazards.

Interface profile

The interface profile is based on the OSI (Open Systems Interconnection) seven-layer model. Information is provided only when the layer specification is standardised (because design issues will be examined later in the preliminary system safety assessment). Descriptions of restrictions or deviations are documented in the comments column.

Equipment state & mode

Some flows are strictly related to specific equipment states & modes. The system shall have the following six operating states:
- system stop state,
- system initialisation state,
- system maintenance state,
- system operational state,
- system playback state,
- system failed state.
The system stop state is the state in which at least one equipment essential for operation is powered off. In the system stop state, the system can only be in the system stop mode. In the system stop state, the system does not deliver any data to the control authority. The system initialisation state is the state in which at least one equipment essential for operation performs its start-up or test sequence. In the system initialisation state, the system can only be in the system initialisation mode. In the system initialisation state, the system does not deliver any data. The system maintenance state is the state in which at least one equipment essential for operation is in the maintenance state. In the system maintenance state, the system can only be in the system maintenance mode. In the system maintenance state, the system does not deliver any data to the control authority.


The system operational state is the state in which the minimal functions required to perform the essential missions are available for use by the control authority. In the system operational state, the system can be in one of the following two modes: system fully functional mode, system reduced functional mode. The system fully functional mode is the mode in which all functions and items of equipment are in use, and actively processing data. The system reduced functional mode represents a broad spectrum of situations between system fully functional mode and system failed state. In essence, the loss of any function or item of equipment, or a significant overload condition (causing increased response times), causes the configuration to degrade to reduced functional mode. The system playback state is the state in which recorded data is being used to replace the normal operational inputs. In the system playback state, the system can be in one of the following two modes: system fully functional mode, system reduced functional mode. The system failed state is the state in which the minimal set of functions necessary for the continuation of the air traffic control (ATC) services is not available. In the system failed state, the system can only be in the system failed mode. In the system failed state, the system does not deliver any data to the control authority. This functional hazard assessment is performed only for the system operational state. The “system mode” column specifies whether the flow is mandatory for the control authority to perform its essential missions. When this column specifies “Fully functional”, it means that the data flow can be omitted in the system reduced functional mode. When this column specifies “All”, it means that the loss of the data flow renders the system inadequate to perform its essential missions.

Redundancy

Information is provided only when the redundancy specification is standardised or intrinsic to the function itself. Design issues will be examined in the preliminary system safety assessment.

Acceptable outage

The acceptable outage value should be filled in for all data flows for which some kind of redundancy is foreseen. It defines the maximum time within which a (data or control) flow problem should be detected and the flow restored, usually through a switchover. The acceptable outage value is the flow interruption duration above which a “temporary interruption of…” fault mode may be studied.

Figure 17: Acceptable outage (timeline diagram). Labels along the time axis: T0 (expected data delivery time); T0 + acceptable outage; “Temporary interruption of…” beyond T0 + acceptable outage; “Loss of…” further along the axis; technical switchover time.

With the current technology, the technical switchover times for the communication parts (footnote 23) are approximately 2 seconds when on the same physical network, and up to 6 seconds for multi-cast connections (footnote 24) over a router (i.e. between different physical networks). When machines and/or processes also have to switch over (i.e. switchover from master to slave server), additional durations of up to 30 seconds are possible, depending on the design and implementation of the hardware, the middleware and the applications concerned. For (data & control) flow outage durations above the aforementioned technical switchover times, the flows are either restored (in case of successful switchover) or modelled as a “loss of…” fault mode.
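As an added, worked illustration of the equipment state & mode rules and of the acceptable outage notion described above (example code written for this edition; it is not part of the EMMA report nor of any A-SMGCS implementation): the block below models a flow table entry with its “system mode” column value, its acceptable outage and the technical switchover durations quoted in this section, and derives (a) the worst foreseeable technical switchover time for the flow, (b) whether the “temporary interruption of…” fault mode has to be studied for it, (c) how an observed interruption measured from T0 is classified, and (d) the system state/mode that the “system mode” column implies for a set of lost flows. The flow names follow the report's naming convention; their attributes (outage values, network topology, server switchover) are constructed sample values, not those of Table 5-9.

```python
"""Added example, not from the EMMA report: a small model of a data/control flow
with the attributes discussed in Appendix B (system mode, acceptable outage,
technical switchover time) and the fault-mode decisions derived from them.
Flow names follow the report's <source><sink>_<nn> convention; all numeric
attributes of the sample flows are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class SystemMode(Enum):
    """Value of the 'system mode' column of the flow table."""
    ALL = "All"                            # loss renders the system unable to perform its essential missions
    FULLY_FUNCTIONAL = "Fully functional"  # flow may be omitted in the reduced functional mode


# Technical switchover durations quoted in the report for current technology (seconds).
COMMS_SWITCHOVER_SAME_NETWORK_S = 2.0   # communication part, same physical network
COMMS_SWITCHOVER_ROUTED_S = 6.0         # multicast connection over a router
SERVER_SWITCHOVER_EXTRA_S = 30.0        # additional time when a master/slave server switchover is needed


@dataclass(frozen=True)
class Flow:
    name: str                   # e.g. "S3C1_01": Fusion (S3) -> Traffic monitoring & alerting (C1)
    system_mode: SystemMode
    acceptable_outage_s: float  # operationally defined maximum interruption (constructed value)
    crosses_router: bool        # True when the flow is a multicast connection over a router
    server_switchover: bool     # True when restoring the flow also needs a server/process switchover


def worst_technical_switchover_s(flow: Flow) -> float:
    """Worst foreseeable technical switchover time: the communication-part
    duration plus, where a machine or process must switch over too, the extra
    server switchover duration."""
    comms = COMMS_SWITCHOVER_ROUTED_S if flow.crosses_router else COMMS_SWITCHOVER_SAME_NETWORK_S
    extra = SERVER_SWITCHOVER_EXTRA_S if flow.server_switchover else 0.0
    return comms + extra


def must_study_temporary_interruption(flow: Flow) -> bool:
    """The 'temporary interruption of...' fault mode only needs to be studied
    when the worst technical switchover can outlast the acceptable outage."""
    return worst_technical_switchover_s(flow) > flow.acceptable_outage_s


def classify_interruption(flow: Flow, duration_s: float, restored: bool) -> str:
    """Classify an interruption of the flow measured from T0, the expected delivery time.
    Within the acceptable outage the interruption is tolerated; beyond it, the
    flow is either a 'temporary interruption of...' (a switchover restored it,
    but late) or a 'loss of...' (no switchover restored it)."""
    if duration_s <= 0:
        return "nominal"
    if duration_s <= flow.acceptable_outage_s:
        return "tolerated"
    return "temporary interruption" if restored else "loss"


def system_state_after_losses(flows, lost_names) -> str:
    """System state/mode implied by the 'system mode' column for a set of lost flows:
    any lost 'All' flow means the system failed state; any other lost flow
    degrades the operational state to the reduced functional mode."""
    lost = [f for f in flows if f.name in set(lost_names)]
    if any(f.system_mode is SystemMode.ALL for f in lost):
        return "system failed state"
    if lost:
        return "system operational state / reduced functional mode"
    return "system operational state / fully functional mode"


# Constructed sample entries (illustrative values, not the report's Table 5-9).
SAMPLE_FLOWS = [
    Flow("S3C1_01", SystemMode.ALL, 4.0, crosses_router=False, server_switchover=False),
    Flow("S3O0_01", SystemMode.ALL, 4.0, crosses_router=True, server_switchover=False),
    Flow("C2O5_01", SystemMode.FULLY_FUNCTIONAL, 20.0, crosses_router=True, server_switchover=True),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.name, worst_technical_switchover_s(f), must_study_temporary_interruption(f))
    print(system_state_after_losses(SAMPLE_FLOWS, ["C2O5_01"]))
```

With these sample values, S3C1_01 (same network, 2 s switchover against a 4 s acceptable outage) needs no “temporary interruption of…” study, whereas S3O0_01 (routed multicast, 6 s against 4 s) and C2O5_01 (36 s against 20 s) do; losing only the strip printer flow degrades the system to the reduced functional mode, while losing any flow marked “All” puts it in the failed state.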

(23) In this hypothesis, the servers and/or clients at each end of the communication line are unaware of the communication line switchover.

(24) For ATC systems, broadcast connections are not considered.


When applicable, the provision of the acceptable outage (in Table 5-9) and the study of the corresponding “temporary interruption of…” fault modes (in Appendices C and D) lead to safety recommendations related to the technology to be used for the detection of the flow loss and for the switchover management. For critical flows, the objective is to design and implement a switchover mechanism whose duration is as close as possible to the acceptable (operationally defined) outage. This must be studied carefully, as design and implementation costs may rise dramatically due to these requirements. Note: if the acceptable outage value is greater than the (worst foreseeable) technical switchover time, then there is no need to study the “temporary interruption of…” fault mode.

Key to the reading of the figures

In Figure 18 to Figure 23 below, the main data & control flows are represented between the functions identified in Appendix A. The latter are represented by a rectangle when they are an integral part of an A-SMGCS, and by an oval when they are external. Data & control flows are named by concatenating the references of the source and sink (destination) functions; a sequence number appended to the compound flow name allows the definition of multiple flows between the same pair of functions.
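An added example of the flow naming convention just described, written for this edition rather than taken from the EMMA report: a parser that splits a flow name into its source reference, sink reference and sequence number, validates the references against the function references of Appendix A, and checks a figure's list of flows against the functions actually drawn in it. The function reference table is the one of Tables 5-4 to 5-8; treating “Ex” as an external function and “Xx” / “X0” as a wildcard for any function is an assumption made for this example, based on how those references appear in the figures.

```python
"""Added example, not from the EMMA report: parsing and checking the data &
control flow identifiers used in Figures 18 to 23 (<source><sink>_<nn>).
The function references and names come from Appendix A; treating "Ex" as an
external function and "Xx"/"X0" as "any function" is an assumption."""
import re
from typing import NamedTuple

# Function references of Appendix A (Tables 5-4 to 5-8).
FUNCTION_NAMES = {
    "S0": "Surveillance", "S1": "Non co-operative sensors", "S2": "Co-operative sensors",
    "S3": "Fusion", "S4": "Traffic movement characterisation",
    "R0": "Routing",
    "G0": "Guidance", "G1": "Guidance control", "G2": "Guidance aids monitoring",
    "G3": "Vehicle on-board guidance", "G4": "Traffic information service - broadcast (TIS-B)",
    "C0": "Control", "C1": "Traffic monitoring & alerting", "C2": "Planning",
    "C3": "Plan monitoring and alerting",
    "O0": "Controller working position", "O1": "Time management", "O2": "Technical supervision",
    "O3": "Legal recording", "O4": "Aerodrome mapping database", "O5": "Strip printer",
}
EXTERNAL = "Ex"           # a function outside the A-SMGCS (drawn as an oval in the figures)
WILDCARDS = {"Xx", "X0"}  # assumption: any function (XxO2_01 = every function reports to O2)

# <source ref><sink ref>_<two-digit sequence number>
_FLOW_RE = re.compile(r"^([A-Z][A-Za-z0-9])([A-Z][A-Za-z0-9])_(\d{2})$")


class FlowId(NamedTuple):
    source: str
    sink: str
    seq: int


def _known(ref: str) -> bool:
    return ref in FUNCTION_NAMES or ref == EXTERNAL or ref in WILDCARDS


def parse_flow_id(text: str) -> FlowId:
    """Split a flow name into source reference, sink reference and sequence
    number, rejecting malformed names and unknown function references."""
    m = _FLOW_RE.match(text)
    if m is None:
        raise ValueError(f"not a flow identifier: {text!r}")
    source, sink, seq = m.group(1), m.group(2), int(m.group(3))
    for ref in (source, sink):
        if not _known(ref):
            raise ValueError(f"unknown function reference {ref!r} in {text!r}")
    return FlowId(source, sink, seq)


def is_valid_flow_id(text: str) -> bool:
    try:
        parse_flow_id(text)
        return True
    except ValueError:
        return False


def function_name(ref: str) -> str:
    if ref == EXTERNAL:
        return "external function"
    if ref in WILDCARDS:
        return "any function"
    return FUNCTION_NAMES[ref]


def describe(text: str) -> str:
    """Human-readable reading of a flow name, e.g. for a review checklist."""
    f = parse_flow_id(text)
    return f"{text}: {function_name(f.source)} ({f.source}) -> {function_name(f.sink)} ({f.sink}), flow #{f.seq}"


def undrawn_endpoints(flow_names, drawn_refs) -> list:
    """Flows whose source or sink is an A-SMGCS function not drawn in a figure:
    a consistency check between a figure's boxes and its arrows (external
    functions and wildcards are ignored)."""
    drawn = set(drawn_refs)
    result = []
    for name in flow_names:
        f = parse_flow_id(name)
        for ref in (f.source, f.sink):
            if ref in FUNCTION_NAMES and ref not in drawn:
                result.append(name)
                break
    return result


if __name__ == "__main__":
    for n in ("S3C1_01", "ExS2_01", "XxO2_01"):
        print(describe(n))
```

Running the block prints the reading of three flow names taken from Figure 18; undrawn_endpoints is the check to run on each figure's flow list against its boxes when reviewing the diagrams.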

Figure 18: Main “surveillance” data & control flows (diagram)
Functions shown: Surveillance (S0) with Non co-operative sensors (S1), Co-operative sensors (S2), Fusion (S3) and Traffic movement characterisation (S4); Traffic monitoring & alerting (C1); Planning (C2); Plan monitoring and alerting (C3); Onboard guidance (G3 + Ex); Traffic information service – broadcast (G4); CWP (O0); Technical supervision (O2); external: External RDPS, GNSS.
Flows shown: O0S3_01, S1O0_01, S1O2_01, S2O2_01, S1S3_01, S2S3_01, S3C1_01, S3O0_01, S3O2_01, ExS2_01, S3Ex_01, S3Ex_02, ExS3_01, ExS3_02, C2S3_01, S4C3_01, S3S4_01, S2G3_01, S2Ex_01, S3G4_01, XxO2_01.


Figure 19: Main "control" data & control flows
(Diagram not reproduced. Functions shown: Control (C0) containing Traffic monitoring & alerting (C1), Planning (C2) and Plan monitoring and alerting (C3); Routing (R0); Guidance control (G1); CWP (O0); Surveillance Fusion (S3); Traffic movement characterisation (S4); Technical supervision (O2); Strip printer (O5). External entities: APP FDPS + AMAN/DMAN, AODB. Flows shown: ExC2_01, ExC2_02, C2Ex_01, C2Ex_02, S3C1_01, C1O0_01, R0C2_01, C2R0_01, C2S3_01, C2C3_01, C2O0_01, S4C3_01, C3C2_01, O0C2_01, O0C2_02, G1C2_01, C2G1_01, C2O5_01, XxO2_01.)

Figure 20: Main "routing" data & control flows
(Diagram not reproduced. Functions shown: Planning (C2), Routing (R0), Aerodrome mapping database (O4), CWP (O0), Technical supervision (O2). Flows shown: R0C2_01, C2R0_01, O4X0_01, O0R0_01, R0O0_01, XxO2_01.)


Figure 21: Main "guidance" data & control flows
(Diagram not reproduced. Functions shown: Guidance (G0) containing Guidance control (G1), Guidance aids monitoring (G2), Vehicle onboard guidance (G3) and Traffic information service – broadcast (G4); Planning (C2); Aerodrome mapping database (O4); Co-operative sensors (S2); Fusion (S3); CWP (O0); Technical supervision (O2). External entities: Controllable guidance aids, Non-controllable guidance aids, Aircraft onboard guidance. Flows shown: C2G1_01, G1C2_01, ExG2_01, ExG2_02, S2G3_01, G1Ex_01, G1Ex_02, ExG1_01, O0G1_01, G2O4_01, G1G3_01, G4G3_01, G4Ex_01, G2G1_01, S3G4_01, O4X0_01, XxO2_01.)

It is important to note that the guidance function is not controlled by any direct input from the surveillance function: the controller is always in the control loop, either via the planning function (i.e. movement clearances) or directly via guidance commands entered on the controller working position (CWP). This excludes the "running rabbit" guidance function, which would require a specific safety assessment.


Figure 22: Main "controller working position" data & control flows
(Diagram not reproduced. Functions shown: Traffic monitoring & alerting (C1), Planning (C2), Plan monitoring and alerting (C3), CWP (O0), Routing (R0), Guidance control (G1), Non co-operative sensors (S1), Fusion (S3), Aerodrome mapping database (O4), Technical supervision (O2). External entity: Controller. Flows shown: C1O0_01, C2O0_01, C3O0_01, O0C2_01, O0C2_02, O0R0_01, R0O0_01, O0G1_01, O0S3_01, S1O0_01, S3O0_01, O4X0_01, XxO2_01, O0Ex_01, ExO0_01, O2O0_01.)

Figure 23: Main "aerodrome mapping database" data & control flows
(Diagram not reproduced. Functions shown: Aerodrome mapping database (O4), Any level 0 function (i.e. Surveillance, Control, Routing, Guidance, CWP), Guidance aids monitoring (G2), Technical supervision (O2). External entity: AIS. Flows shown: ExO4_01, O4X0_01, G2O4_01, XxO2_01.)


Table 5-9 columns: N° | Flow ref. | From | To | Data flow type (content description) | System mode (of operational system state) | Flow type (I = internal flow, X = external flow) | Presentation and application protocols (if standardised) | Redundancy | Periodicity | Operationally acceptable outage | Comments (usually related to assignment of operationally acceptable outage)

1 | C1O0_01 | Traffic monitoring & alerting | Controller working position | Alerts on conflicts and incursions, resolutions | Fully functional | I | - | - | - | 1s | No temporary delay fault mode acceptable.
2 | C2C3_01 | Planning | Plan monitoring and alerting | Flight plan data | Fully functional | I | ICAO ATS or ADEXP | - | - | 6s or more | -
3 | C2Ex_01 | Planning | AODB, APP FDPS or AMAN/DMAN | Flight plan data | Fully functional | X | ICAO ATS or ADEXP | - | - | 6s or more | -
4 | C2Ex_02 | Planning | APP FDPS or AMAN/DMAN | Co-ordination data | Fully functional | X | ICAO AIDC or ADEXP OLDI | - | - | 6s or more | -
5 | C2G1_01 | Planning | Guidance control | Instructions & clearances | Fully functional | I | - | - | - | 2s | No temporary delay fault mode acceptable.
6 | C2O0_01 | Planning | Controller working position | Flight plan data | Fully functional | I | ICAO ATS or ADEXP | - | - | 6s or more | -
7 | C2O5_01 | Planning | Strip printer | Flight plan data | All | I | - | - | - | 6s or more | -
8 | C2R0_01 | Planning | Routing | Taxi route request | Fully functional | I | - | - | - | 6s or more | -
9 | C2S3_01 | Planning | Surveillance fusion | Flight plan data | Fully functional | I | ASTERIX-62 | - | - | 6s or more | -
10 | C3C2_01 | Plan monitoring and alerting | Planning | Alerts on plan deviations & automated flight progress based on surveillance | All | I | - | - | - | 2s | Below 2s, an immediate route correction is still possible. Above, a new route must be assigned and/or a nose-to-nose situation may occur.
11 | ExC2_01 | AODB, APP FDPS or AMAN/DMAN | Planning | Flight plan data | Fully functional | X | ICAO ATS or ADEXP | - | - | 6s or more | -
12 | ExC2_02 | APP FDPS or AMAN/DMAN | Planning | Co-ordination data | Fully functional | X | ICAO AIDC or ADEXP OLDI | - | - | 6s or more | -
13 | ExG1_01 | Aircraft on-board guidance | Guidance control | Clearance requests and read-back | Fully functional | X | ACARS, ARINC 623 or other | - | - | 6s or more | -
14 | ExG2_01 | Non-controllable guidance aids | Guidance aids monitoring | Guidance aids status | All | X | - | - | - | 6s | -
15 | ExG2_02 | Controllable guidance aids | Guidance aids monitoring | Guidance aids state & status | All | X | - | - | - | 2s | -
16 | ExO0_01 | Controller | Controller working position | Keyboard, mouse, touch screen or other similar inputs | All | X | - | Yes | - | 0.5s | No temporary delay fault mode acceptable.
17 | ExO4_01 | AIS | Aerodrome database management | Aerodrome & meteorological data | Fully functional | X | - | - | - | 6s or more | -
18 | ExS2_01 | GNSS | Surveillance co-operative sensors | Almanac and ephemeris data; differential corrections and integrity monitor signals | All | X | - | ? | ? | ? | The GNSS time information is used by aircraft equipment to provide Time Of Applicability (TOA) for ADS-B parameters.
19 | ExS3_01 | External RDPS | Surveillance fusion | External system tracks | Fully functional | X | ASTERIX-1 or ASTERIX-30 | - | 4s | 6s or more | -
20 | ExS3_02 | External RDPS | Surveillance fusion | External RDPS live status | Fully functional | X | ASTERIX-2 or ASTERIX-255 | - | 4s | 18s | -
21 | G1C2_01 | Guidance control | Planning | Clearance requests and read-back | Fully functional | I | ARINC 623 or other | - | - | 6s or more | -
22 | G1G3_01 | Guidance control | Vehicle on-board guidance | Instructions & clearances | Fully functional | I | - | - | - | 6s | In case of conflict or incursion, RTF will be used instead.
23 | G1Ex_01 | Guidance control | Controllable ground guidance aids | Ground guidance aids commands | Fully functional | I | - | Guidance aids usually have their own control & monitoring system | - | 2s | No temporary delay fault mode acceptable.
24 | G1Ex_02 | Guidance control | Aircraft on-board guidance | Instructions & clearances | Fully functional | X | ? | - | - | 2s | No temporary delay fault mode acceptable.
25 | G2O4_01 | Guidance aids monitoring | Aerodrome mapping database | Guidance aids state & status | All | I | - | - | - | 6s | -
26 | G2G1_01 | Guidance aids monitoring | Guidance control | Guidance aids state & status | Fully functional | I | - | - | - | 6s | -
27 | G4Ex_01 | Traffic information service - broadcast | Aircraft on-board guidance | System tracks | Fully functional | X | ASTERIX-21 | All ADS-B primary sources | 1s | 6s | The TIS-B characteristics are not fully known at the moment. No control delegation to pilots based on TIS-B data.
28 | G4G3_01 | Traffic information service - broadcast | Vehicle on-board guidance | System tracks | Fully functional | I | ASTERIX-21 | All ADS-B primary sources | 1s | 6s | The TIS-B characteristics are not fully known at the moment.
29 | O0C2_01 | Controller working position | Planning | Flight plan data | Fully functional | I | ICAO ATS or ADEXP | - | - | 6s | -
30 | O0C2_02 | Controller working position | Planning | Co-ordination data | Fully functional | I | OLDI AIDC | - | - | 6s | -
31 | O0Ex_01 | Controller working position | Controller | Any multimedia data on any output device for the attention of the controller | All | X | - | - | - | 1s | No temporary delay fault mode acceptable.
32 | O0G1_01 | Controller working position | Guidance control | Guidance manual commands | Fully functional | I | - | - | - | 2s | Below 2s, an immediate route correction is still possible. Above, a new route must be assigned and/or a nose-to-nose situation may occur.
33 | O0S3_01 | Controller working position | Surveillance fusion | Manual association / de-association | Fully functional | I | ASTERIX-62 | - | - | 6s | -
34 | O0R0_01 | Controller working position | Routing | Taxi route constraints | Fully functional | I | - | - | - | 6s | -
35 | O1Xx_01 | Time management | Any | Time and resynchronisation data | All | I | NTP | Yes | - | Several hours of GPS service interruption | In order not to overload the data & control flow figures above, the time data flows are never represented.
36 | O2O0_01 | Technical supervision | Controller working position | System status (ok, fault, etc.) | All | I | SNMP | - | - | No limit, but can be very uncomfortable for the controller. Half an hour to one hour could be acceptable. | A technical supervision outage is not critical for the A-SMGCS operation if the BITE (that ensures the continuity of the services) is independent of the technical supervision.
37 | O2Xx_01 | Technical supervision | Any | Controls (switchover, shutdown, enter maintenance mode, etc.) | All | I | SNMP | - | - | None | -
38 | O4X0_01 | Aerodrome mapping database | Any level 0 function (i.e. Surveillance, Control, Routing, Guidance, CWP) | Topology, topography, toponymy | Fully functional | I | - | Guidance aids usually have their own dynamic status management | - | ? | Outage concerns only dynamic data.
39 | R0C2_01 | Routing | Planning | Taxi route | Fully functional | I | - | - | - | 6s | -
40 | R0O0_01 | Routing | Controller working position | Taxi route proposal (i.e. before assignment to mobile) | Fully functional | I | - | - | - | 6s | -
41 | S1O0_01 | Non co-operative sensors | Controller working position | Raw or pseudo-analogue video | All | I | - | - | 1s | 6s | Outage configurable per area type? Co-operative sensors are still available.
42 | S1O2_01 | Non co-operative sensors | Technical supervision | Non co-operative sensors live status | All | I | ASTERIX-10 | - | 1s | 6s | The sensor live status flow is modelled towards the technical supervision only, but it is really present each time the sensor track data flow exists.
43 | S1S3_01 | Non co-operative sensors | Surveillance fusion | Sensor tracks | Fully functional | I | ASTERIX-10 | - | - | 6s | Co-operative sensors are still available.
44 | S2Ex_01 | Surveillance co-operative sensors | Aircraft on-board guidance | Sensor tracks | Fully functional | I | - | - | - | 6s | Non co-operative sensors are still available.
45 | S2G3_01 | Surveillance co-operative sensors | Vehicle on-board guidance | Sensor tracks | Fully functional | I | - | - | - | 6s | -
46 | S2O2_01 | Surveillance co-operative sensors | Technical supervision | Co-operative sensors live status | All | I | ASTERIX-10 | - | 1s | 2s | The sensor live status flow is modelled towards the technical supervision only, but it is really present each time the sensor track data flow exists.
47 | S2S3_01 | Surveillance co-operative sensors | Surveillance fusion | Sensor tracks (note: the ADS-B parameters are provided with integrity and accuracy information) | Fully functional | I | ASTERIX-10, ASTERIX-21 | - | - | 6s | Non co-operative sensors are still available.
48 | S3C1_01 | Surveillance fusion | Traffic monitoring & alerting | System tracks | Fully functional | I | ASTERIX-62 | - | 1s | 1s | No temporary delay fault mode acceptable.
49 | S3Ex_01 | Surveillance fusion | External RDPS | System tracks | Fully functional | X | ASTERIX-62 | - | 1s | 6s | -
50 | S3Ex_02 | Surveillance fusion | External RDPS | Surveillance sub-system live status | Fully functional | X | ASTERIX-63 | - | 1s | 6s | -
51 | S3O0_01 | Surveillance fusion | Controller working position | System tracks | Fully functional | I | ASTERIX-62 | - | 1s | 2s | Outage configurable per area type? All tracks are delayed: this can lead to more critical situations than when only a single sensor is unavailable.
52 | S3O2_01 | Surveillance fusion | Technical supervision | Surveillance sub-system live status | All | I | ASTERIX-63 | - | 1s | 2s | The sensor live status flow is modelled towards the technical supervision only, but it is really present each time the system track data flow exists.
53 | S3S4_01 | Surveillance fusion | Surveillance traffic movement characterisation | System tracks | Fully functional | I | ASTERIX-62 | - | 1s | 6s | -
54 | S3G4_01 | Surveillance fusion | Traffic information service - broadcast | System tracks | Fully functional | I | ASTERIX-62 | - | 1s | 6s | The TIS-B characteristics are not fully known at the moment. No control delegation to pilots based on TIS-B data.
55 | S4C3_01 | Surveillance traffic movement characterisation | Plan monitoring and alerting | Traffic characterisation events | Fully functional | I | - | - | - | 6s | -
56 | XxO2_01 | Any | Technical supervision | Sub-system status (ok, fault, etc.) | All | I | SNMP | - | - | ? | Cf. O2O0_01.
57 | XxO3_01 | Any | Recording | Sub-system status (ok, fault, etc.) | Fully functional | I | SNMP | - | - | ? | In order not to overload the data & control flow figures above, the recording flows are never represented.
58 | XxO3_02 | Any | Recording | Sub-system specific data | Fully functional | I | n/a | n/a | n/a | 2s | In order not to overload the data & control flow figures above, the recording flows are never represented.

Table 5-9: A-SMGCS data and control flows


Appendix C - External fault modes and effects analysis

Ref. number: D1.3.9


Objectives

Robustness analysis enables the assessment of the impact of external interface problems on the A-SMGCS equipment. This analysis does not take into account the mitigations external to the A-SMGCS equipment that could provide additional safety on site. However, these external mitigations will be part of the identification of hazards (cf. appendix E). Robustness deals with external input data. External output data is addressed in the internal fault modes part (because it is generated by the equipment).

Structure of the analysis tables

The robustness analysis is presented in a table composed of the following columns:
- column 1, "external flow references": references identifying the external data or control flows, as labelled in appendix B;
- columns 2 and 3, "fault modes": a description of the fault modes; when both "no" and "yes" are mentioned in column 3, the criterion is irrelevant (see below);
- column 4, "equipment failure effects": a synthesis of the direct effects of the equipment fault mode for the end-users, at their working position;
- column 5, "existing equipment mitigation features": the safety barriers that already exist at equipment specification level [32] and that provide prevention, surveillance/warning of the fault mode, or mitigation of its consequences;
- column 6, "existing equipment escalation features": even though this functional hazard assessment assumes a single point of failure, this column highlights things that are likely to go wrong simultaneously (due to the design architecture, e.g. when many flows are supported by the same physical interface), or fault modes that are likely to be induced by the considered fault mode (due to functional dependencies);
- column 7, "operational effects references": unique identifiers of operational effects, used so that the same description is not repeated many times; the list of operational effects sorted by reference number can be found in appendix E;
- column 8, "operational effects": a synthesis of the effects of the equipment fault mode on air traffic control operations; these operational effects may have consequences in terms of safety and therefore need further assessment (cf. appendix E); to avoid repetition, the full text of an OE is normally given at its first occurrence, with its reference in the previous column; for later occurrences only the reference is given in the "Operational effects of equipment fault mode" column;
- column 9, "comments / recommendations": self-explanatory.

To detect or not to detect

Except when unrealistic, both the detection and the non-detection cases of a fault mode are detailed in the tables below. Depending on the result of the analysis, recommendations will be made so that the fault mode is, or is not, detected by the system.

Internal equipment mitigation features: hot switchover

Hot switchover is commonly mentioned in the equipment mitigation features, without any details. Indeed, when a flow is lost, the cause can be the source of the flow (i.e. the server), its destination (i.e. the client) or the link (i.e. the network). Depending on the exact cause of a fault mode, the appropriate switchover is assumed.


Internal equipment escalation features

Internal equipment escalation features have been classified in three groups:
- induced effects: fault modes which are functionally induced by the considered fault mode, whatever the selected architecture and implementation (e.g. failure of surveillance induces the failure of traffic monitoring and alerting);
- simultaneous effects: fault modes which are likely to occur simultaneously with the considered fault mode if no specific care is taken during the design and implementation phases to prevent them;
- other effects.

Operational effects

Many operational effects are highly dependent on the procedures that will be used. However, the description of operational effects has been slightly formalised in order to maximise their reuse for different fault modes (cf. Figure 24). When the fault mode is not detected, the operational effect is an increased risk (footnote 25) due to false confidence in (or over-reliance on) the equipment.

Figure 24: Classification of operational effects
(Diagram not reproduced. Operational effects of a fault mode: if the fault mode is not detected, (a) increased risk due to false confidence; if the fault mode is detected, either (b) manually substitute for the system, or (c) knowingly suffer from the failure.)

When the fault mode is detected, the operational effect can be a workload increase only, if the controller wants (and is able) to manually substitute for the system, thus preventing any escalation. Alternatively, complete substitution may be technically impossible, or the controller may decide to live with (all or part of) the failure, thus knowingly suffering all the equipment failure effects and having to separate the wheat from the chaff. The study of the operational effects of each possible choice should influence the equipment design and implementation, but also the procedures, so that the controller is not faced with the choice between alternatives (b) and (c) when the failure occurs. Note: in the tables below, the greyed-out lines have no particular significance. They just help to identify packs of fault modes related to the same data or control flow.

25 The hypothesis that the controller may subconsciously substitute himself for the system, limiting the risk but seamlessly increasing his workload, has not been retained.
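A worked example, added by the editor and not taken from the EMMA deliverable, of two rules used in this report: the note before Table 5-9 (a flow's "temporary interruption of…" fault mode needs study only when the acceptable outage is not greater than the worst foreseeable technical switchover time, using the 2 s / 6 s / +30 s figures quoted there) and the column 6 "induced effects" escalation. It runs on a constructed subset of Table 5-9; the flags saying which links are multicast across a router and which endpoints may need a master/slave commutation are assumptions made for the example, not values from the report.

```python
"""Worked example added by the editor; not code from the EMMA project or this
deliverable. It applies two rules of this report to a constructed subset of
Table 5-9. Rule 1 (note before Table 5-9): a flow's "temporary interruption
of..." fault mode needs study only when its operationally acceptable outage is
NOT greater than the worst foreseeable technical switchover time. Rule 2
(column 6, induced escalation): losing an input flow of a function degrades
every flow that function emits. The topology flags below are assumptions."""
from __future__ import annotations

import re
from collections import deque
from dataclasses import dataclass

# Technical switchover durations quoted in the report, in seconds.
SWITCHOVER_SAME_NETWORK = 2.0          # communication parts, same physical network
SWITCHOVER_MULTICAST_VIA_ROUTER = 6.0  # multicast connection across a router
SWITCHOVER_MASTER_SLAVE_EXTRA = 30.0   # additional, if a machine/process commutes
EXTERNAL = {"Ex", "Xx"}  # "Ex" = external system, "Xx" = any function; not traversed


@dataclass(frozen=True)
class Flow:
    ref: str                          # "C2O0_01": source C2, destination O0
    acceptable_outage: str            # as written in Table 5-9 ("6s or more", "?")
    routed_multicast: bool = False    # assumption: link crosses a router
    process_switchover: bool = False  # assumption: master/slave commutation possible

    @property
    def src(self) -> str:
        return self.ref[:2]

    @property
    def dst(self) -> str:
        return self.ref[2:4]


def parse_outage_seconds(text: str) -> float | None:
    """'1s' -> 1.0, '0.5s' -> 0.5, '6s or more' -> 6.0 (lower bound), '?' -> None."""
    m = re.match(r"\s*(\d+(?:\.\d+)?)\s*s\b", text)
    return float(m.group(1)) if m else None


def worst_case_switchover(flow: Flow) -> float:
    """Worst foreseeable technical switchover time for the assumed topology."""
    t = SWITCHOVER_MULTICAST_VIA_ROUTER if flow.routed_multicast else SWITCHOVER_SAME_NETWORK
    return t + SWITCHOVER_MASTER_SLAVE_EXTRA if flow.process_switchover else t


def needs_interruption_study(flow: Flow) -> bool:
    """Rule 1. An unknown acceptable outage ('?') is flagged conservatively."""
    outage = parse_outage_seconds(flow.acceptable_outage)
    return True if outage is None else outage <= worst_case_switchover(flow)


def interruption_study_report(flows: list[Flow]) -> dict[str, bool]:
    return {f.ref: needs_interruption_study(f) for f in flows}


def induced_flows(flows: list[Flow], lost_ref: str, transitive: bool = False) -> list[str]:
    """Rule 2. One hop by default (the report's 'induced effects'); with
    transitive=True the dependency is followed on through internal functions."""
    outputs: dict[str, list[Flow]] = {}
    for f in flows:
        outputs.setdefault(f.src, []).append(f)
    start = next(f.dst for f in flows if f.ref == lost_ref)
    affected: set[str] = set()
    seen, queue = {start}, deque([start])
    while queue:
        for f in outputs.get(queue.popleft(), []):
            if f.ref == lost_ref:
                continue  # the lost flow itself is the cause, not an induced effect
            affected.add(f.ref)
            if transitive and f.dst not in EXTERNAL and f.dst not in seen:
                seen.add(f.dst)
                queue.append(f.dst)
    return sorted(affected)


# Constructed subset of Table 5-9: refs and outage strings are the report's,
# the topology flags are assumptions made for this example.
FLOWS = [
    Flow("C1O0_01", "1s"),
    Flow("C2C3_01", "6s or more"),
    Flow("C2Ex_01", "6s or more", routed_multicast=True),
    Flow("C2Ex_02", "6s or more", routed_multicast=True),
    Flow("C2G1_01", "2s"),
    Flow("C2O0_01", "6s or more"),
    Flow("C2O5_01", "6s or more"),
    Flow("C2R0_01", "6s or more"),
    Flow("C2S3_01", "6s or more"),
    Flow("ExC2_01", "6s or more", routed_multicast=True),
    Flow("S3C1_01", "1s", process_switchover=True),
    Flow("S3O0_01", "2s", process_switchover=True),
    Flow("O0Ex_01", "1s"),
    Flow("XxO2_01", "?"),
]

if __name__ == "__main__":
    for ref, study in interruption_study_report(FLOWS).items():
        print(ref, "study" if study else "skip", "temporary-interruption fault mode")
    print("loss of ExC2_01 induces:", induced_flows(FLOWS, "ExC2_01"))
```

On this subset, the one-hop rule for the loss of ExC2_01 returns the seven flows listed in row 1 of the table below plus C2O5_01 (Planning to Strip printer, row 7 of Table 5-9), which row 1 does not list; a reviewer would check whether that omission is deliberate. A "6s or more" outage is parsed to its 6 s lower bound, so a flow assumed to be multicast across a router is still flagged for study, and an outage of "?" is always flagged. The transitive walk (transitive=True) shows how far the degradation spreads through internal functions, which the single-point-of-failure tables do not trace.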


N° External

flow ref. Fault

modes Fault mode detection26

Equipment failure effects (at equipment level but visible by

end-users)

Internal equipment mitigation features

Internal equipment escalation features

Operational effects ref.

Operational effects of equipment fault mode

Recommendations & comments with respect to ICAO A-SMGCS manual

1 ExC2_01 Loss of… No x Planning data is not provided anymore from external systems (e.g. APP FDPS, AMAN, DMAN, etc.) or external end-users.

x Stand & gate allocations are not provided any more by the AODB.

x Flight plan data continue to arrive through the surveillance data flow (ExS3_01 and S2S3_01).

The failure induces the corruption of: x C2O0_01 x C2C3_01 x C2G1_01 x C2R0_01 x C2S3_01 x C2Ex_01 x C2Ex_02

x OE-04

Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected:x Controller situational

awareness is severely compromised due to loss of, or corruption of flight plan data.

2 ExC2_01 Loss of… Yes As above + x Display on the CWP of a “Loss

of external flight plan input” alert.

As above + x Controllers can locally

create, modify, and delete flight plans: data will be synchronised with the external systems when the service is restored.

x Flight plan data exchange between TWR controllers is unaffected.

x Hot switchover

x None x OE-10

Until service is restored: x Controller workload

increase: the controller has to manually manage the flight plans for the operations (i.e. creations, deletions, updates) that are normally handled by external flight plan data processing systems (FDPS).

3 ExC2_01 Corruption of…

No Possible corruptions are: x At least one (but not all) flight

plan sent by an external FDPS was never received.

x At least one flight plan sent by an external FDPS has missing or erroneous data.

x At least one flight plan sent by an external FDPS is sent at an inappropriate time (e.g. too early).

x A large amount of flight plans are received, which create a system overload.

x Flight plan data continue to arrive through the surveillance data flow (ExS3_01 and S2S3_01).

The failure induces the corruption of: x C2O0_01 x C2C3_01 x C2G1_01 x C2R0_01 x C2S3_01 x C2Ex_01 x C2Ex_02

x Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected:x OE-04

Concerning a system overload, it is not to be excluded that it could be a voluntary “attack” (cf. §1.3.6)

26 By the equipment itself.

Page 106: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 106 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

N° External flow ref.

Fault modes

Fault mode detection26

Equipment failure effects (at equipment level but visible by

end-users)

Internal equipment mitigation features

Internal equipment escalation features

Operational effects ref.

Operational effects of equipment fault mode

Recommendations & comments with respect to ICAO A-SMGCS manual

4 ExC2_01 Corruption of…

Yes As above + x Display on the CWP of a

“Corruption of external flight plan input” alert.

As above + x Controllers can locally

create, modify, and delete flight plans: data will be synchronised with the external systems when the service is restored.

x Flight plan data exchange between TWR controllers is unaffected.

x The supervisor can disconnect external FDPS inputs.

x Hot switchover

x None x OE-18

Until service is restored: x OE-10 or x Control procedures revert

to paper strips (because electronic strips are considered unreliable).

5 ExC2_02 Loss of… No x All automated co-ordination from the adjacent APP to the TWR is stopped.

x Surveillance data (ExS3_01 and S3Ex_01) continue to support co-ordination.

x Failure is likely to be simultaneous with loss of C2Ex_02.

x Until service is restored or failure is detected: x OE-06

The TWR and APP controllers are likely to detect the failure at 1st co-ordination mishap.

6 ExC2_02 Loss of… Yes As above + x Display on the CWP of a “Loss

of APP co-ordination” alert.

As above + x Hot switchover

x As above x Until service is restored: x OE-19

7 ExC2_02 Corruption of…

No Possible corruptions are: x At least one automated co-

ordination message sent from the adjacent APP to the TWR was never received.

x At least one automated co-ordination message from the adjacent APP to the TWR has missing or erroneous data.

x At least one automated co-ordination message from the adjacent APP to the TWR is sent at an inappropriate time (e.g. too early).

x Surveillance data (ExS3_01 and S3Ex_01) continue to support co-ordination.

x x Until service is restored or failure is detected: x OE-06

Unlike the “loss of ExC2_02” fault mode, the erratic behaviour of the system in this fault mode makes is unlikely that the TWR and APP controllers detect the failure very quickly.

8 ExC2_02 Corruption of…

Yes As above + x Display on the CWP of a

“Corruption of APP co-ordination” alert.

As above + x Hot switchover

x x Until service is restored: x OE-19

Page 107: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 107 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

N° External flow ref.

Fault modes

Fault mode detection26

Equipment failure effects (at equipment level but visible by

end-users)

Internal equipment mitigation features

Internal equipment escalation features

Operational effects ref.

Operational effects of equipment fault mode

Recommendations & comments with respect to ICAO A-SMGCS manual

9 ExG1_01 Loss of… No x Down link (i.e. from aircraft to ground) clearance requests and/or read-backs are not provided anymore.

x Due to compulsory logical acknowledgement messages, it is impossible not to notice this failure, so non-detection of failure is not realistic.

Not applicable. x Not applicable.

10 ExG1_01 Loss of… Yes As above + x Display on the CWP of a “Loss

of downlink communications with aircraft” alert.

x None The failure induces the loss of: x G1C2_01

x Until service is restored or failure is detected: x OE-31

11 ExG1_01 Corruption of…

No x Down link (i.e. from aircraft to ground) clearance requests and/or read-backs are corrupted.

x Clearance delivery should be consistent with clearance request and clearance read-back, so non-detection of failure is not realistic.

Not applicable. x Not applicable.

12 ExG1_01 Corruption of…

Yes x Corruption will automatically and instantaneously be considered as a loss. Please refer to fault mode two lines above.

x None The failure induces the loss of: x G1C2_01

x Until service is restored or failure is detected: x OE-31

13 ExG2_01 Loss of… No x Loss of status information on non-controllable ground guidance aids.

x Ground guidance aids usually have their own monitoring tools.

The failure induces the corruption of: x G2O4_01 x G2G1_01 The failure is likely to be simultaneous with the loss of: x ExG2_02

x Until traffic is reduced, visibility conditions become acceptable, failure is detected or service is restored: x OE-07

14 ExG2_01 Loss of… Yes As above + x Display on the CWP of a “Loss

of guidance monitor” alert.

As above + x Hot switchover

x As above x Until service is restored: x OE-21

Page 108: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 108 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

N° External flow ref.

Fault modes

Fault mode detection26

Equipment failure effects (at equipment level but visible by

end-users)

Internal equipment mitigation features

Internal equipment escalation features

Operational effects ref.

Operational effects of equipment fault mode

Recommendations & comments with respect to ICAO A-SMGCS manual

15 ExG2_01 Corruption of…

No Possible corruptions are: x At least one non-controllable

ground guidance aid does not provide its status.

x At least one non-controllable ground guidance aid provides an erroneous status.

x Ground guidance aids usually have their own monitoring tools.

The failure induces the corruption of: x G2O4_01 x G2G1_01 The failure is likely to be simultaneous with the corruption of: x ExG2_02

x Until traffic is reduced, visibility conditions become acceptable, failure is detected or service is restored: x OE-07

16 ExG2_01 Corruption of…

Yes As above + x Display on the CWP of a “Corruption of guidance monitor” alert.

As above + x Hot switchover

x As above x Until service is restored: x OE-21

17 ExG2_02 Loss of… No x Loss of state and status information on controllable ground guidance aids.

x Ground guidance aids usually have their own monitoring tools.

The failure induces the corruption of: x G2O4_01 x G2G1_01 The failure is likely to be simultaneous with the corruption of: x ExG2_01

x Until traffic is reduced, visibility conditions become acceptable, failure is detected or service is restored: x OE-07

18 ExG2_02 Loss of… Yes As above + x Display on the CWP of a “Loss of guidance monitor” alert.

As above + x Hot switchover

x As above x Until service is restored: x OE-21

19 ExG2_02 Corruption of…

No Possible corruptions are: x At least one controllable ground guidance aid does not provide its state or status.

x At least one controllable ground guidance aid provides an erroneous state or status.

x Ground guidance aids usually have their own monitoring tools.

The failure induces the corruption of: x G2O4_01 x G2G1_01 The failure is likely to be simultaneous with the corruption of: x ExG2_01

x Until traffic is reduced, visibility conditions become acceptable, failure is detected or service is restored: x OE-07


20 ExG2_02 Corruption of…

Yes As above + x Display on the CWP of a “Corruption of guidance monitor” alert.

As above + x Hot switchover

x None x Until service is restored: x OE-21

21 ExO0_01 Loss of… No x All input devices inoperative. Note: It is not realistic to imagine that a controller will lose one or several input means without knowing it. In most cases (e.g. coffee spilled on keyboard and mouse) failure detection will be obvious. However, by non-detection we mean not detected before use is required.

x None. The failure induces (or is equivalent to) the simultaneous loss of: x O0C2_01 x O0C2_02 x O0G1_01 x O0S3_01 x O0R0_01

x OE-08

Until service is restored or failure is detected: x Controller discomfort: at the time of the failure detection, the HMI may be in an improper display set-up (e.g. some parts of the airport are not visible).

22 ExO0_01 Loss of… Yes As above + x Display on the CWP of a “Loss of input devices” alert.

x The controller may use a redundant HMI, or may share an HMI with another active controller.

As above + x Depending on equipment, restart of CWP may be necessary, even if all the other functions are performing well.

x Supervisor may need to perform a re-sectorisation.

x As above + until service is restored: x OE-18

x Choice of input device equipment should allow monitoring.

x Choice of input device equipment should allow online replacement.

x Choice of input device equipment should favour independent input devices (e.g. avoid mouse connected to keyboard).

x Spare input devices should be available nearby.

x Upon failure detection, the HMI could automatically switch to a default configuration set-up, so as to avoid leaving the HMI in a configuration improper for control.


23 ExO0_01 Corruption of…

No Possible corruptions are: x At least one (but not all) input device is totally or partially inoperative.

x At least one (but not all) input device generates erratic inputs (e.g. stuck key on keyboard produces a continuous input flow).

x The CWP possesses at least 2 input devices, and all the important commands can be entered by any of the input devices.

The failure induces the corruption of: x O0C2_01 x O0C2_02 x O0G1_01 x O0S3_01 x O0R0_01

x In case of overflow, alerting will be performed at operating system level, so the fault mode is not realistic: x Not applicable In all the other cases, an input device remains operative, so: x None

24 ExO0_01 Corruption of…

Yes As above + x Display on the CWP of a “Corruption of input devices” alert.

As above + x The controller may use a redundant HMI, or may share an HMI with another active controller.

As above + x Depending on equipment, restart of CWP may be necessary, even if all the other functions are performing well.

x Supervisor may need to perform a re-sectorisation.

x Input overflow may generate system aural alerts that may hide an operational aural alert.

x In case of input overflow, until service is restored: x OE-18 Otherwise: x None.

25 ExO4_01 Loss of… Corruption of… No / Yes x Data concerning local weather conditions and airport configuration are not provided anymore, are delayed or are corrupted: cf. O4X0_01.

x Cf. O4X0_01. Failure induces loss of, temporary interruption of, and / or corruption of: x O4X0_01

x x Cf. O4X0_01.

26 ExS2_01 Loss of… No x All GNSS signals lost for all ADS-B mobiles.

x On-board odometers and goniometers may allow on-board computed positions to be reliably extrapolated for a significant time.

x All non ADS-B surveillance systems are unaffected.

x None x OE-35

Until service is restored or failure is detected: x OE-02 x Reliability decrease or even complete loss of on-board surveillance information for part of the mobiles.


27 ExS2_01 Loss of… Yes As above + x Within vehicles, built-in test alert, resulting in an alarm light emitting diode (LED) being switched on.

x Within aircraft? x For the controller, display on the CWP of a “Corruption of ADS-B surveillance data” alert.

x As above x None x Until service is restored: x OE-23 x OE-35

The ADS-B standard allows sending operational status ADS-B messages from the ADS-B source. This is sufficient.

28 ExS2_01 Corruption of…

No Possible corruptions are: x At least one mobile with ADS-B capability stops receiving GNSS signals.

x Use of GNSS signals results in erroneous positioning for all ADS-B mobiles.

x Site monitor inoperative. x Differential corrections inoperative.

x All non ADS-B surveillance systems are unaffected.

x None x Until service is restored or failure is detected: x OE-01 x OE-35

29 ExS2_01 Corruption of…

Yes x ? x All non ADS-B surveillance systems are unaffected.

x None x Until service is restored: x OE-25 x OE-35

30 ExS3_01 Loss of… No x Tracks for arriving traffic are no longer provided by the external RDPS (thus surveillance coverage is reduced and early automatic association of arriving aircraft may be lost).

x Outbound traffic is not confirmed by the external RDPS as being departed (e.g. to set actual time of departure).

x Ground co-operative sensors should perform identification of arriving traffic before aircraft landing.

The failure induces the corruption of: x C1O0_01 (i.e. missing target reports may lead to missing alerts).

Note: Failure may be due to RDPS itself, in which case APP is simultaneously facing an equipment failure (with impacts on AMAN). This is not A-SMGCS, but may impact co-ordination between APP and tower.

x Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected: x OE-06 x OE-03

Failure detection should be immediate using the ExS3_02 flow.


31 ExS3_01 Loss of… Yes As above + x Display on the CWP of a “Loss of external surveillance input” alert.

As above + x Actual time of departure can be entered manually. x Hot switchover

x As above. x OE-20

Until service is restored: x OE-25 x Controller workload increase & RTF congestion: the controller’s trust in the surveillance display is reduced, so the controller needs to rely (more) on pilots’ RTF reports.

x OE-27 x OE-19

32 ExS3_01 Corruption of…

No Possible corruptions are: x At least one (but not all) target located in the coverage of the external RDPS is not reported.

x At least one target located in the coverage of the external RDPS is reported with missing or erroneous attributes (position, speed, call sign, etc.)

x The external RDPS provides at least one false target report.

x Internal sensor tracks remain reliable (but then we need to validate the priority given to the internal sensors if there is also a status for them.)

The failure induces the corruption of: x C1O0_01 (i.e. false target reports may generate false alerts).

Note: Failure may be due to RDPS itself, in which case APP is simultaneously facing an equipment failure (with impacts on AMAN). This is not A-SMGCS, but may impact co-ordination between APP and tower.

x Until service is restored or failure is detected: x OE-06 x OE-03

Failure detection should be immediate using the ExS3_02 flow.

33 ExS3_01 Corruption of…

Yes As above + x Display on the CWP of a “Corruption of external surveillance input” alert.

As above + x In case of inconsistent target reports between the external RDPS and the internal sensors, priority is given to internal target reports.

x Hot switchover

x As above. x Until traffic is reduced, visibility conditions become acceptable, or service is restored: x OE-25 x OE-20 x OE-27 x OE-19

Priority given to internal target reports may be dangerous: should it be a safety requirement?


34 ExS3_02 Loss of… Temporary interruption of… Corruption of… No x N/a x N/a x N/a x x None

35 ExS3_02 Loss of… Temporary interruption of… Corruption of… Yes x Same as detected loss of, temporary interruption of, or corruption of ExS3_01.

x Same as detected loss of, temporary interruption of, or corruption of ExS3_01.

x Same as detected loss of, temporary interruption of, or corruption of ExS3_01.

x x None

Table 5-10: External fault modes and effects analysis table


Appendix D - Internal fault modes and effects analysis

Ref. number: D1.3.9


Objectives

Similar to the robustness analysis, the following tables analyse the internal flows: Table 5-11 lists all the flows between two internal A-SMGCS functions, whilst Table 5-12 lists all the flows between one internal function and one external function (output flow).

Structure of the analysis tables

Please refer to the introduction of appendix C.

Additional note

All data and control flows are analysed separately, even when they seem completely dependent. For example, if the traffic monitoring & alerting function does not receive surveillance inputs (i.e. S3C1_01), then it surely cannot detect conflicts and send alerts to the controller working positions (i.e. C1O0_01). Thus the operational effects of a fault mode on S3C1_01 may be identical to the operational effects of the corresponding fault mode on C1O0_01. However, the analysis shows that the mitigation and escalation features are different, leading to different effects, safety objectives and recommendations.
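As an added illustration of the propagation reasoning in this note (example code written for this edition, not part of the EMMA D1.3.9 report or of any project software): the snippet encodes a handful of the “the failure induces the loss/corruption of …” relations from Table 5-10 and Table 5-11 as a directed graph and walks it to list every downstream flow that a single undetected fault mode degrades. The flow references are the report's; the graph container, the function names, the regular expression for the `<source><destination>_<nn>` naming scheme and the function-label table are assumptions of the example.

```python
"""Fault propagation over A-SMGCS data flows.

Added example, not part of the EMMA D1.3.9 report or its project code. It
encodes some of the "The failure induces the loss/corruption of: ..." relations
from the report's FMEA rows as a directed graph and derives, for one fault mode
on one flow, every downstream flow that fault degrades. The flow references are
the report's; the graph container, the function names, the regex for the flow
naming scheme and the function-label table are assumptions of this example.
"""
import re
from collections import deque

LOSS = "loss"
CORRUPTION = "corruption"

# Flow references follow "<source><destination>_<nn>", e.g. S3C1_01 is the flow
# from S3 (surveillance fusion) to C1 (traffic monitoring & alerting). This
# pattern is inferred from the identifiers in the report, not stated by it.
FLOW_RE = re.compile(r"^([A-Z][a-z0-9])([A-Z][a-z0-9])_(\d{2})$")

# Function labels inferred from the report's row texts (e.g. "Loss of planning"
# for C2 flows); treat them as an assumption of this example.
FUNCTIONS = {
    "C1": "traffic monitoring & alerting",
    "C2": "planning (flight plan data processing)",
    "C3": "plan conformance monitoring",
    "G1": "guidance",
    "G2": "guidance monitoring",
    "O0": "controller working position (CWP)",
    "R0": "routing",
    "S3": "surveillance fusion",
    "Ex": "external system",
}

# Induced fault modes transcribed from the report's rows:
# (flow, fault mode) -> list of (downstream flow, induced fault mode).
INDUCED = {
    ("ExG1_01", CORRUPTION): [("G1C2_01", LOSS)],                                 # Table 5-10 row 12
    ("ExG2_01", LOSS): [("G2O4_01", CORRUPTION), ("G2G1_01", CORRUPTION)],        # row 13
    ("ExG2_01", CORRUPTION): [("G2O4_01", CORRUPTION), ("G2G1_01", CORRUPTION)],  # row 15
    ("ExS3_01", LOSS): [("C1O0_01", CORRUPTION)],                                 # row 30
    ("ExS3_01", CORRUPTION): [("C1O0_01", CORRUPTION)],                           # row 32
    ("C2C3_01", LOSS): [("C3C2_01", CORRUPTION)],                                 # Table 5-11 row 5
    ("C2S3_01", LOSS): [(f, CORRUPTION) for f in ("S3O0_01", "S3C1_01", "S3S4_01", "S3G4_01")],  # row 20
    ("S3C1_01", LOSS): [("C1O0_01", LOSS)],                                       # Appendix D note
    ("S3C1_01", CORRUPTION): [("C1O0_01", CORRUPTION)],                           # Table 5-11 row 3
}


def parse_flow(ref):
    """Split a flow reference into (source function, destination function, index).

    Raises ValueError for references that do not follow the naming scheme.
    """
    m = FLOW_RE.match(ref)
    if not m:
        raise ValueError(f"not a flow reference: {ref!r}")
    return m.group(1), m.group(2), int(m.group(3))


def propagate(flow, mode):
    """Return every (flow, fault mode) reachable from one fault mode, sorted.

    Breadth-first walk over INDUCED; the visited set stops the walk on cycles,
    and the origin itself is not reported.
    """
    start = (flow, mode)
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in INDUCED.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return sorted(seen)


def cwp_visible_flows(flow, mode):
    """Downstream flows delivered to the CWP (destination O0), i.e. the induced
    effects the controller sees directly on the display."""
    return sorted({f for f, _ in propagate(flow, mode) if parse_flow(f)[1] == "O0"})


def describe(flow, mode):
    """Human-readable summary of one propagation, one line per induced effect."""
    src, dst, _ = parse_flow(flow)
    lines = [f"{mode} of {flow} ({FUNCTIONS.get(src, src)} -> {FUNCTIONS.get(dst, dst)}) induces:"]
    for f, m in propagate(flow, mode):
        s, d, _ = parse_flow(f)
        lines.append(f"  {m} of {f} ({FUNCTIONS.get(s, s)} -> {FUNCTIONS.get(d, d)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe("C2S3_01", LOSS))
```

Running the module prints the chain for an undetected loss of C2S3_01, which reaches the controller twice: once through the corrupted surveillance picture (S3O0_01) and once, via S3C1_01, through corrupted traffic monitoring alerts (C1O0_01). Recomputing the escalation column this way from the encoded edges is a cheap consistency check when rows of the table are edited independently.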


N° Internal flow ref.

Fault modes

Fault mode detection (27)

Equipment failure effects (at equipment level but visible by end-users)

Internal equipment mitigation features

Internal equipment escalation features

Operational effects ref.

Operational effects of equipment fault mode

Recommendations & comments with respect to ICAO A-SMGCS manual

1 C1O0_01 Loss of… No x On the CWP, loss of all traffic monitoring alerts.

x The plan monitoring function continues to provide the controller with reliable plan deviation alerts.

x On-board traffic monitoring & alerting continues to provide reliable alerts to pilots and drivers.

x None x OE-03

Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected: x Detection of surface conflicts & incursions by the controller is severely compromised.

2 C1O0_01 Loss of… Yes As above + x Display on the CWP of a “Loss of traffic monitoring” alert.

As above + x Hot switchover.

x None x OE-27

Until service is restored: x Controller workload increase: the controller is provided with missing or false traffic alerts.

Note: AGATE ranks this failure with a “major” severity.

The controller, pilots and drivers need to increase their vigilance and contingency separation procedures may be applied.

3 C1O0_01 Corruption of…

No Possible corruptions are: x At least one (but not all) alert is not reported (to the controller in charge); missing alerts may concern a sub-set of mobiles (e.g. faulty secondary surveillance) or a part of the aerodrome.

x At least one alert is provided with erroneous attributes (e.g. foreseen accident location, resolution advice, mobiles involved);

x At least one false alert is provided (due to corruption of S3C1_01).

x Same as loss of C1O0_01 x None x Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected: x OE-03

(27) By the equipment itself.


4 C1O0_01 Corruption of…

Yes As above + x Display on the CWP of a “Corruption of traffic monitoring” alert.

As above + x Hot switchover (except if corruption is due to corrupted surveillance data).

x None x Until service is restored: x OE-27

5 C2C3_01 Loss of… No / Yes x Flight plans are not provided any more to the plan conformance monitoring function.

x Hot switchover in case of failure detection, none otherwise.

The failure induces the corruption of: x C3C2_01 The failure is likely to be simultaneous with the loss of: x C2O0_01 x C2G1_01 x C2Ex_01 x C2Ex_02 x C2S3_01 x C2R0_01

x x Cf. undetected / detected corruption of C3C2_01.

6 C2C3_01 Corruption of…

No / Yes Possible corruptions are: x At least one flight plan to be monitored is provided with false or missing data (e.g. no taxi route assignment).

x At least one flight plan is missing.

x Hot switchover in case of failure detection, none otherwise.

The failure induces the corruption of: x C3C2_01 The failure is likely to be simultaneous with the corruption of: x C2O0_01 x C2G1_01 x C2Ex_01 x C2Ex_02 x C2S3_01 x C2R0_01

x x Cf. undetected / detected corruption of C3C2_01.


7 C2G1_01 Loss of… No x Clearances given by the controller are not provided any more to the guidance function in order to be transformed into guidance indications, neither on ground guidance aids (cf. G1Ex_01), nor on vehicle / aircraft on-board equipment (cf. G1G3_01 & G1Ex_02.)

x Ground guidance aids possess their own control & monitoring tools.

x The controller, pilots, drivers are likely to identify the failure immediately due to the complete lack of guidance indications (e.g. initial instructions) and/or acknowledgement (e.g. instruction update).

The failure induces the loss or corruption of: x G1Ex_01 x G1G3_01 x G1Ex_02 The failure is likely to be simultaneous with the loss of: x C2O0_01 x C2C3_01 x C2Ex_01 x C2Ex_02 x C2S3_01 x C2R0_01

x OE-31

Until service is restored or failure is detected: x OE-30 x Pilots and/or drivers do not receive any automated guidance from on-board equipment

x OE-34

8 C2G1_01 Loss of… Yes As above + x Display on the CWP of a “Loss of guidance control” alert.

As above + x Ground guidance aids can still be manually controlled via the CWP (via O0G1_01 and G1Ex_01).

x Hot switchover.

As above + x Considering the fault mode, it is unlikely that failure indication can be transmitted on-board (pilot / driver).

x Until service is restored: x OE-15 x OE-31 x OE-34 Alternatively, until traffic is reduced, visibility conditions become acceptable or service is restored, the controller may wish to forget about automation, leading to the following operational effects: x OE-21 x OE-30 x OE-31 x OE-34


9 C2G1_01 Corruption of…

No Possible corruptions are: x At least one clearance provided to the guidance function has false or missing data (e.g. wrong taxi route assignment).

x At least one (but not all) clearance is not provided to its addressee.

x Guidance via RTF remains unaffected.

If the clearance is provided with corrupted data, on-board (cf. G1G3_01 & G1Ex_02) and ground (cf. G1Ex_01) guidance indications will be consistent (but wrong!). The failure is likely to be simultaneous with the corruption of: x C2C3_01 x C2O0_01 x C2Ex_01 x C2Ex_02 x C2S3_01 x C2R0_01 x C2O0_01

x OE-33

Until service is restored or failure is detected: x OE-32 x Pilots and/or drivers are provided with missing or erroneous indications via the on-board equipment.

x OE-34

10 C2G1_01 Corruption of…

Yes As above + x Display on the CWP of a “Corruption of guidance control” alert.

x A-SMGCS control of ground guidance aids can be disconnected.

x Pilots & drivers can be told to ignore on-board guidance indications.

x Guidance aids possess their own control & monitoring tools, which override all A-SMGCS commands.

x Hot switchover.

x x Until traffic is reduced or service is restored: x OE-21 x OE-30 x OE-31


11 C2O0_01 Loss of… No x Flight plan updates (including plan monitoring alerts & creation of new flight plans) are not provided any more to the controller.

x Each CWP holds its own flight plan database which can be modified locally, and which will be synchronised with the system flight plan data processing system when the service is restored.

x A safety net is still ensured by the traffic monitoring & alerting function.

The failure is likely to be simultaneous with the loss of: x C2C3_01 x C2G1_01 x C2Ex_01 x C2Ex_02 x C2O5_01 x C2S3_01 x C2R0_03 x O0C2_01

x OE-05

Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected: x OE-04 x The detection of plan deviations by the controller is severely compromised.

12 C2O0_01 Loss of… Yes As above + x Display on the CWP of a “Loss of planning” alert.

As above + x Local CWP planning data, live surveillance data, and RTF reports by pilots & drivers provide sufficient data to the controller to allow him to perform efficient plan conformance monitoring.

x Hot switchover.

x As above x OE-11

Until service is restored: x OE-10 x Controller workload increase: in case of multiple A-SMGCS controller working positions, the controller has to manually manage the flight plans for the operations (creations, deletions, updates) that are normally handled by adjacent tower positions.

x OE-12 x OE-22 Alternatively, due to lack of confidence in the electronic stripping system, the controller may wish to forget about automation: x OE-18 x OE-30 x OE-31

When the service is restored, the controller may also have to deal with inconsistent updates made on different controller working positions or in external systems.


13 C2O0_01 Corruption of…

No On the CWP, possible corruptions are: x At least one missing flight plan. x At least one flight plan with missing or corrupted data (e.g. no taxi route, wrong gate, wrong flight state, etc.)

x At least one flight plan received at an inappropriate time (i.e. too late or too early).

x Overflow.

x None The failure is likely to be simultaneous with the corruption of: x C2C3_01 x C2G1_01 x C2Ex_01 x C2Ex_02 x C2O5_01 x C2S3_01 x C2R0_03 x O0C2_01

x Until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected: x OE-04 x OE-05

14 C2O0_01 Corruption of…

Yes As above + x Display on the CWP of a “Corruption of planning” alert.

As above + x Hot switchover.

x As above x Until traffic service is restored: x OE-18

15 C2O5_01 Loss of… Temporary interruption of… Corruption of… No / Yes x Strip printer inoperative. x There is usually more than one strip printer, each capable of printing all strips in multiple copies.

x None x x None The strip printer is seen as the backup solution in case of a planning failure. Thus, the analysis of the strip printer failure in addition to a planning failure exceeds the scope of this functional hazard assessment (because of the single point of failure hypothesis). On the other hand, if the planning function is in service, the failure of the strip printer has no operational effects.


16 C2R0_01 Loss of… No x Default taxi routes are not assigned anymore to mobile movement plans.

x Route assignment is a process that is dissociated from taxi clearance. Before the taxi route is used by the system, the controller is bound to check and validate the route (e.g. to deliver the taxi clearance, which initiates the automatic guidance and conformance monitoring). Therefore, this non-detected fault mode is not a plausible hypothesis.

The failure induces the corruption of: x C2C3_01 x C2G1_01 x C2Ex_01 x C2Ex_02 x C2O0_01 The failure induces the loss of: x R0C2_01 The failure is likely to be simultaneous with the loss of: x C2C3_01 x C2G1_01 x C2Ex_01 x C2Ex_02 x C2O5_01 x C2S3_01 x C2O0_01 x O0R0_01

x x None


17 C2R0_01 Loss of… Yes As above + x Display on the CWP of a “Loss of routing” alert.

x Semi-automatic routing may remain possible, and manual route assignment should remain possible (cf. O0R0_01) – by ICAO requirement.

x Hot switchover.

x As above x OE-14 x OE-22

Until service is restored: x Controller workload increase: the controller assigns all taxi routes manually (with or without semi-automatic routing support.)

Alternatively, until traffic is reduced, visibility conditions become acceptable or service is restored, the controller may wish to forget about automation, leading to the following operational effects: x OE-21 x OE-30 x OE-31 x Controller workload increase: the controller needs to monitor plan adherence (and in particular taxi route adherence) without automated plan conformance monitoring support.


18 C2R0_01 Corruption of…

No Possible corruptions are: x At least one mobile (but not all mobiles) is not assigned a default taxi route.

x At least one mobile is assigned an erroneous route.

x None The failure induces the corruption of: x C2C3_01 x C2G1_01 x C2Ex_01 x C2Ex_02 x C2O0_01 x R0C2_01 The failure is likely to be simultaneous with the corruption of: x C2C3_01 x C2G1_01 x C2Ex_01 x C2Ex_02 x C2O5_01 x C2S3_01 x C2O0_01 x O0R0_01

x x None Route assignment is a process that is dissociated from taxi clearance. Before the taxi route is used by the system, the controller is bound to check and validate the route (e.g. to deliver the taxi clearance, which initiates the automatic guidance). Therefore, this non-detected fault mode is not a plausible hypothesis.

19 C2R0_01 Corruption of…

Yes As above + x Display on the CWP of a “Corruption of routing” alert.

x Semi-automatic routing may remain possible, and manual route assignment should remain possible (cf. O0R0_01) – by ICAO requirement.

x Hot switchover.

x As above x Until service is restored: x OE-14 Alternatively, until traffic is reduced, visibility conditions become acceptable or service is restored, the controller may wish to forget about automation, leading to the following operational effects: x OE-21 x OE-32 x OE-33 x OE-22


20 C2S3_01 Loss of… No x Flight plan updates (including creation of new flight plans) are not provided any more to the surveillance fusion function: this is prejudicial to target identification.

x The surveillance fusion function holds its own flight plan database which can be modified locally (based on flight plan data coming from the co-operative sensors), and which will be synchronised with the system flight plan data processing system when the service is restored.

The failure induces the corruption of: x S3O0_01 x S3C1_01 x S3S4_01 x S3G4_01 The failure is likely to be simultaneous with the loss of: x C2O0_01 x C2C3_01 x C2Ex_01 x C2Ex_02 x C2G1_01

x Until service is restored or failure is detected: x OE-01 x OE-03 x OE-35


21 C2S3_01 Loss of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Loss of planning input to fusion” alert.
Mitigation: As above +
- Manual labelling is still operative.
- Hot switchover.
Escalation: As above.
Operational effects refs: OE-13, OE-26, OE-17, OE-35, OE-28, OE-27.
Operational effects, until service is restored:
- Controller workload increase: the controller has to manually label (some) target reports.
Alternatively, until traffic is reduced, visibility conditions become acceptable or service is restored, the controller may wish to forget about automation, leading to the following operational effects:
- The controller is provided with missing and/or erroneous mobile identification.
- Controller workload increase: the controller has to mentally maintain the association between the flight plans and the target reports.
- Through the TIS-B service, pilots and drivers are provided with missing and/or corrupted surveillance data (including mobile identification).
- The controller is provided with missing and/or erroneous plan monitoring alerts.
Recommendations: Considering the long list of adverse effects in the alternative, and considering the small additional workload related to manual labelling, the alternative should be rejected (unreasonable hypothesis).


22 C2S3_01 Corruption of… (fault mode detected: No)
Failure effects: Possible corruptions are:
- At least one (but not all) flight plan is not provided to the surveillance data fusion.
- At least one flight plan is provided to the surveillance data fusion with missing or corrupted data.
- At least one flight plan is provided to the surveillance data fusion at an inappropriate time (e.g. too early).
- Flight plan overflow.
Mitigation:
- The surveillance fusion function holds its own flight plan database, which can be modified locally (based on flight plan data coming from the co-operative sensors) and which will be synchronised with the system flight plan data processing system when the service is restored.
- In case of inconsistent data received by the surveillance data fusion (from the planning, with respect to data received from the co-operative sensors), an alert is raised.
Escalation: The failure induces the corruption of S3O0_01, S3C1_01, S3S4_01 and S3G4_01. The failure is likely to be simultaneous with the corruption of C2O0_01, C2C3_01, C2Ex_01, C2Ex_02 and C2G1_01.
Operational effects, until service is restored or failure is detected: OE-01, OE-03, OE-35.

23 C2S3_01 Corruption of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Corruption of planning input to fusion” alert.
Mitigation: As above +
- Manual labelling is still operative (to cope with missing identification).
- Manual labelling overrides any erroneous automatic identification.
- Hot switchover.
Escalation: As above.
Operational effects, until service is restored: OE-13.
Recommendations: See also detected loss of C2S3_01. In case of a missing flight plan, manual labelling should be very easy (i.e. simply by typing the call sign) in order not to force the controller to quit automation support.

24 C3C2_01 Loss of… (fault mode detected: No)
Failure effects:
- Flight plans are no longer updated with plan monitoring alerts (i.e. plan deviations), so the latter are no longer conveyed to the CWP.
- Flight progress based on surveillance data is no longer updated automatically (e.g. support to silent hand-over is lost, entering of the actual take-off time into the flight plan upon aircraft take-off is no longer performed), so the latter is no longer conveyed to the CWP.
Mitigation:
- A safety net is still ensured by the traffic monitoring & alerting function.
Escalation: The failure induces the corruption of C2O0_01 and C2Ex_01. The failure is likely to be simultaneous with the loss of C2C3_01.
Operational effects, until service is restored or failure is detected: OE-04, OE-05.


25 C3C2_01 Loss of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Loss of plan monitoring & alerting” alert.
Mitigation: As above +
- The controller can manually enter the flight progress (in order to keep the flight plans up to date). Manual flight plan management helps maintain consistent co-ordination support (based on flight plan progress).
- Hot switchover.
Escalation: As above.
Operational effects refs: OE-12, OE-28.
Operational effects, until service is restored:
- Controller workload increase: the controller has to manually manage the flight plans for the operations (i.e. updates only) that are normally handled by automated traffic characterisation, in particular flight plan progress.

26 C3C2_01 Temporary delay of… (fault mode detected: No / Yes)
Failure effects: Flight plan monitoring alerts are provided with more than 2 s delay (but less than 6 s).
Mitigation:
- A safety net is still ensured by the traffic monitoring & alerting function.
Escalation: The failure induces the temporary delay of C2O0_01.
Operational effects refs: OE-37.
Operational effects: Supposing that a route deviation is detected based on downlinked aircraft parameters (DAP), the information is provided too late to avoid the route deviation.


27 C3C2_01 Corruption of… (fault mode detected: No)
Failure effects: Possible corruptions are:
- At least one (but not all) flight plan is incorrectly updated (e.g. erroneous actual time of departure / arrival, inconsistent flight plan progress, wrong route assignment, etc.).
- Co-ordination between controller positions is messed up (e.g. aircraft not reported in the responsibility zone of the controller who has assumed the plan).
Note: Corrupted alerts are based on (partial) loss or corruption of traffic movement characterisation events (cf. S3S4_01 and S4C3_01) or loss or corruption of routing (cf. R0C2_01, O0R0_01 and R0O0_01).
Mitigation:
- A safety net is still ensured by the traffic monitoring & alerting function.
Escalation: The failure induces the corruption of C2O0_01 and C2Ex_01. The failure is likely to be simultaneous with the corruption of C2C3_01.
Operational effects, until service is restored or failure is detected: OE-04, OE-05.

28 C3C2_01 Corruption of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Corruption of plan monitoring” alert.
Mitigation: As above +
- The controller can manually enter / correct the flight progress (in order to keep the flight plans up to date).
- Hot switchover.
Escalation: As above.
Operational effects refs: OE-29.
Operational effects, until service is restored: OE-12, OE-28.
Alternatively, until service is restored, the controller may wish to forget about automation, leading to the following operational effects:
- OE-28
- The controller is provided with missing and/or erroneous co-ordination support, but he knows it.


29 G1C2_01 Loss of… (fault mode detected: No)
Failure effects:
- Downlink (i.e. from aircraft to ground) clearance requests and/or read-backs are no longer provided.
Mitigation:
- Due to compulsory logical acknowledgement messages, it is impossible not to notice this failure, so non-detection of the failure is not realistic.
Escalation: Not applicable.
Operational effects: Not applicable.

30 G1C2_01 Loss of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Loss of downlink communications with aircraft” alert.
Mitigation: None.
Escalation: The failure induces the corruption of C2O0_01.
Operational effects, until service is restored or failure is detected: OE-31.

31 G1C2_01 Corruption of… (fault mode detected: No)
Failure effects:
- Downlink (i.e. from aircraft to ground) clearance requests and/or read-backs are corrupted.
Mitigation:
- Clearance delivery should be consistent with the clearance request and the clearance read-back, so non-detection of the failure is not realistic.
Escalation: Not applicable.
Operational effects: Not applicable.

32 G1C2_01 Corruption of… (fault mode detected: Yes)
Failure effects:
- Corruption will automatically and instantaneously be considered as a loss. Please refer to the fault mode two lines above.
Mitigation: None.
Escalation: The failure induces the corruption of C2O0_01.
Operational effects, until service is restored or failure is detected: OE-31.

33 G1G3_01 Loss of… (fault mode detected: No)
Failure effects:
- The taxi routes are not translated onto the vehicle moving-map.
- None of the clearances are up-linked to the vehicles.
Mitigation:
- Ground guidance aids are unaffected (and they confirm RTF instructions).
This fault mode is likely to be detected immediately by the vehicle drivers, so this case is not a reasonable hypothesis.
Escalation: The failure is likely to be simultaneous with the loss of G1Ex_02.
Operational effects, until service is restored or failure is detected: OE-31.

34 G1G3_01 Loss of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP and on the driver HMI of a “Loss of AGDL guidance” alert.
Mitigation: As above +
- Hot switchover.
Escalation: As above.
Operational effects, until service is restored: OE-21.


35 G1G3_01 Corruption of… (fault mode detected: No)
Failure effects: Possible corruptions are:
- At least one taxi route is not translated onto the vehicle moving-map.
- At least one (but not all) clearance is not up-linked to a vehicle.
- At least one false clearance is up-linked to a vehicle (i.e. incorrect instruction to the intended vehicle, or correct instruction sent to an unintended vehicle).
Mitigation:
- Ground guidance aids are unaffected.
- Read-back.
With the above mitigation means, this fault mode is likely to be detected immediately by the vehicle drivers, so this case is not a reasonable hypothesis. However, this is strongly dependent on the procedure (undefined to date).
Escalation: The failure is likely to be simultaneous with the corruption of G1Ex_02.
Operational effects, until service is restored or failure is detected: OE-33, OE-34.
Recommendations: When defining the procedure for A-SMGCS clearance delivery, read-back, whether electronic or via voice, should ensure that a clearance downlink corruption does not go undetected in the uplink connection.

36 G1G3_01 Corruption of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP and on the driver HMI of a “Corruption of AGDL guidance” alert.
Mitigation: As above +
- Hot switchover.
Escalation: As above.
Operational effects, until service is restored: OE-21, OE-34.

37 G2G1_01 Loss of… (fault mode detected: No)
Failure effects:
- Loss of feedback information (i.e. acknowledgement) on controllable ground guidance aids state and status (after a guidance control command).
Mitigation:
- Except for the acknowledgement, ground guidance continues to correctly actuate equipment as requested.
- Feedback is redundant via the aerodrome-mapping database (cf. G2O4_01).
Escalation: The failure is likely to be simultaneous with the loss of G2O4_01.
Operational effects: Not applicable: this flow is the confirmation of the actuation of a ground guidance aid after a guidance command. It is not reasonable to assume that its loss is undetected.

38 G2G1_01 Loss of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Loss of ground guidance acknowledgement” alert.
Mitigation: As above +
- Ground guidance aids possess their own control & monitoring tools.
- Hot switchover.
Escalation: As above.
Operational effects, until service is restored: OE-21.
Recommendations: Contrary to the detected loss of G1G3_01 and G1Ex_02, the use of RTF might be reduced since the ground guidance aids are assumed to be working correctly (single point of failure hypothesis).


39 G2G1_01 Corruption of… (fault mode detected: No)
Failure effects: Possible corruptions are:
- At least one (but not all) ground guidance aid command acknowledgement is not received.
- At least one erroneous ground guidance aid command acknowledgement is received.
Mitigation:
- Feedback is redundant via the aerodrome-mapping database (cf. G2O4_01).
Escalation: The failure is likely to be simultaneous with the corruption of G2O4_01.
Operational effects refs: OE-07.
Operational effects, until traffic is reduced, visibility conditions become acceptable or service is restored:
- The controller’s context awareness is (slightly) compromised due to loss or corruption of guidance data.

40 G2G1_01 Corruption of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Corruption of ground guidance acknowledgement” alert.
Mitigation: As above +
- Ground guidance aids possess their own control & monitoring tools.
- Hot switchover.
Escalation: As above.
Operational effects, until service is restored: OE-21.

41 G2O4_01 Loss of… (fault mode detected: No)
Failure effects:
- Loss of ground guidance aids state and status updates to the aerodrome-mapping database.
Mitigation:
- Ground guidance aids continue to correctly actuate equipment as requested, providing a correct actuation acknowledgement.
Escalation: The failure is likely to be simultaneous with the loss of G2G1_01.
Operational effects, until traffic is reduced, visibility conditions become acceptable, failure is detected or service is restored: OE-07.

42 G2O4_01 Loss of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Loss of AMDB update” alert.
Mitigation: As above +
- Ground guidance aids possess their own control & monitoring tools.
- Hot switchover.
Escalation: As above.
Operational effects: As above.

43 G2O4_01 Corruption of… (fault mode detected: No)
Failure effects: Possible corruptions are:
- At least one (but not all) ground guidance aid state or status is not updated to the aerodrome-mapping database.
- At least one ground guidance aid state or status is erroneously updated to the aerodrome-mapping database.
Mitigation:
- Ground guidance aids continue to correctly actuate equipment as requested, providing a correct actuation acknowledgement.
Escalation: The failure is likely to be simultaneous with the corruption of G2G1_01.
Operational effects, until traffic is reduced, visibility conditions become acceptable or service is restored: OE-07.


44 G2O4_01 Corruption of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Corruption of AMDB update” alert.
Mitigation: As above +
- Ground guidance aids possess their own control & monitoring tools.
- Hot switchover.
Escalation: As above.
Operational effects: As above.

45 G4G3_01 Loss of… (fault mode detected: No)
Failure effects:
- The traffic situation, as seen and fused by the ground systems, is no longer sent to the vehicle tracking equipment.
Mitigation:
- Vehicles equipped with ADS-B in capability continue to benefit from some direct mobile-to-mobile co-operative surveillance data.
Escalation: The failure is likely to be simultaneous with the loss of G4Ex_01.
Operational effects, until service is restored or failure is detected: OE-35 (but the drivers do not know it).

46 G4G3_01 Loss of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Loss of TIS-B” alert.
Mitigation: As above +
- Hot switchover.
Escalation: As above.
Operational effects, until service is restored: OE-35 (but the drivers know it).

47 G4G3_01 Corruption of… (fault mode detected: No)
Failure effects: Possible corruptions are:
- At least one (but not all) ground system track is not reported to the vehicle tracking equipment.
- At least one part of the aerodrome (but not all) is not covered by the traffic information service broadcast (TIS-B).
- At least one false ground system track is reported to the vehicle tracking equipment.
Mitigation:
- Vehicles equipped with ADS-B in capability continue to benefit from some direct mobile-to-mobile co-operative surveillance data, and this may show some inconsistencies with the TIS-B data.
Escalation: The failure is likely to be simultaneous with the corruption of G4Ex_01.
Operational effects, until service is restored or failure is detected: OE-35 (but the drivers do not know it).

48 G4G3_01 Corruption of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Corruption of TIS-B” alert.
Mitigation: As above +
- Hot switchover.
Escalation: As above.
Operational effects, until service is restored: OE-35 (but the drivers know it).


49 O0C2_01 Loss of… (fault mode detected: No)
Failure effects:
- Controller flight plan management (i.e. creations, updates including route assignment, and deletions) is restricted to local HMI impacts (i.e. other TWR controllers and other systems are not notified of the controller actions).
Mitigation:
- Each CWP holds its own flight plan database, which can be modified locally and which will be synchronised with the system flight plan data processing system when the service is restored.
Escalation: The failure induces the corruption of C2C3_01, C2G1_01, C2Ex_01, C2Ex_02, C2O5_01, C2S3_01, C2R0_03 and C2O0_01. The failure is likely to be simultaneous with the loss of O0C2_02 and C2O0_01.
Operational effects, until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected (on a long-term perspective): OE-01, OE-03, OE-04, OE-05, OE-06, OE-07.
The impact is not as dramatic as the list of operational effects might suggest. In fact, the operational effects appear only very slowly as time goes by.


50 O0C2_01 Loss of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Loss of planning input” alert.
Mitigation: As above +
- Hot switchover.
Escalation: As above.
Operational effects, until service is restored, as above +: OE-10, OE-11, OE-12.
The fault mode induces many other fault modes. The controller acting as specified above reduces the effects of a corrupted C2O0_01, so this is the recommended practice. Alternatively, due to lack of confidence in the electronic stripping system, the controller may wish to forget about automation, and thus, until service is restored, as above +: OE-18, OE-30, OE-31. However, in that case, the system update upon recovery may not be obvious (i.e. flight plan data inconsistent with traffic).
Recommendations: When the service is restored, the controller may have to deal with some inconsistent updates made on different controller working positions or in external systems. The contingency procedure to be defined for flight plan updates during this fault mode should prescribe minimal updates to keep the system consistent. The loss of the planning function should automatically disable guidance.
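The escalation column names only the flows directly corrupted by each fault mode, while the comment on the detected loss of O0C2_01 notes that the fault mode induces many other fault modes. The Python script below is an added example, not part of the EMMA deliverable: it transcribes the direct "induces the corruption of" edges and the OE references of the undetected fault modes from the rows of this table, and computes the transitive set of affected flows, the flows reached only through an intermediate flow, and the union of operational effects. It assumes that the "likely to be simultaneous with" relation need not be modelled and that flows without a row on this page (e.g. S3O0_01) are leaves.

```python
"""Transitive fault propagation over the escalation relation of the FHA table.

Constructed example: the "induces the corruption of" edges and the OE references
of the undetected fault modes are transcribed from the rows of this table. The
"likely to be simultaneous with" relation is deliberately not modelled, and
flows without a row on this page (e.g. S3O0_01) are treated as leaves; both
are assumptions of this example.
"""
from collections import deque

# Direct "induces the corruption of" edges, keyed by the flow whose fault is analysed.
INDUCES = {
    "O0C2_01": ["C2C3_01", "C2G1_01", "C2Ex_01", "C2Ex_02",
                "C2O5_01", "C2S3_01", "C2R0_03", "C2O0_01"],
    "C2S3_01": ["S3O0_01", "S3C1_01", "S3S4_01", "S3G4_01"],
    "C3C2_01": ["C2O0_01", "C2Ex_01"],
    "G1C2_01": ["C2O0_01"],
    "O0G1_01": ["G1Ex_01"],
}

# Operational effect references of the undetected fault mode of each flow.
DIRECT_OE = {
    "O0C2_01": {"OE-01", "OE-03", "OE-04", "OE-05", "OE-06", "OE-07"},
    "C2S3_01": {"OE-01", "OE-03", "OE-35"},
    "C3C2_01": {"OE-04", "OE-05"},
    "G1C2_01": {"OE-31"},
    "O0G1_01": {"OE-30"},
    "G1G3_01": {"OE-31"},
}


def hop_distances(root, induces=INDUCES):
    """Breadth-first search from root; returns {flow: hops} for every flow whose
    corruption the root's fault induces, directly (1 hop) or transitively."""
    dist = {}
    queue = deque([(root, 0)])
    while queue:
        flow, hops = queue.popleft()
        for nxt in induces.get(flow, ()):
            if nxt == root or nxt in dist:
                continue  # cycle, or already reached by a shorter path
            dist[nxt] = hops + 1
            queue.append((nxt, hops + 1))
    return dist


def affected_flows(root, induces=INDUCES):
    """Set of all flows corrupted, directly or transitively, by a fault on root."""
    return set(hop_distances(root, induces))


def second_order_flows(root, induces=INDUCES):
    """Flows reached only through an intermediate flow: the ones the table's
    direct escalation list for root does not name."""
    return {f for f, h in hop_distances(root, induces).items() if h >= 2}


def cumulative_oe(root, induces=INDUCES, direct=DIRECT_OE):
    """Union of the OE references of root and of every flow it corrupts transitively."""
    effects = set(direct.get(root, ()))
    for flow in affected_flows(root, induces):
        effects |= direct.get(flow, set())
    return effects


if __name__ == "__main__":
    for root in sorted(INDUCES):
        print(f"{root}: {len(affected_flows(root))} affected flows, "
              f"second-order {sorted(second_order_flows(root))}, "
              f"cumulative OE {sorted(cumulative_oe(root))}")
```

Run stand-alone, the script shows that an undetected loss of O0C2_01 reaches the four S3xx_01 flows through C2S3_01, which the direct escalation list of row 49 does not name, and that OE-35 (from the C2S3_01 row) joins the cumulative operational effects. The same closure can be recomputed whenever an escalation cell is edited, which is the check a reviewer of the "As above" chains would want.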


51 O0C2_01 Corruption of… (fault mode detected: No)
Failure effects: Possible corruptions are:
- At least one (but not all) flight plan creation, update (including manual route input) and/or deletion input is not recorded in the central flight plan data processing system (FDPS).
- At least one flight plan creation, update and/or deletion input is improperly processed by the central FDPS, leading to corrupted data.
- At least one request to display a flight plan does not reach the central FDPS (thus resulting in a corrupted C2O0_01).
Mitigation:
- Even though the controller is allowed to input nearly anything, the central FDPS performs some consistency checks and will warn in case of inappropriate inputs.
Escalation: The failure induces the corruption of C2C3_01, C2G1_01, C2Ex_01, C2Ex_02, C2O5_01, C2S3_01, C2R0_03 and C2O0_01. The failure is likely to be simultaneous with the corruption of O0C2_02.
Operational effects, until traffic is reduced, visibility conditions become acceptable, service is restored or failure is detected (on a long-term perspective): OE-01, OE-03, OE-04, OE-05, OE-06, OE-07.
The impact is not as dramatic as the list of operational effects might suggest. In fact, the operational effects appear only very slowly as time goes by.

52 O0C2_01 Corruption of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Corruption of planning input” alert.
Mitigation: As above +
- Hot switchover.
Escalation: As above.
Operational effects, until service is restored: OE-18.

53 O0C2_02 Loss of… (fault mode detected: No)
Failure effects:
- All automated co-ordination from the TWR to the adjacent APP is lost.
Mitigation:
- Surveillance data (ExS3_01 and S3Ex_01) continue to support co-ordination.
Escalation: The failure is likely to be simultaneous with the loss of O0C2_01 and C2O0_02.
Operational effects, until service is restored or failure is detected: OE-06.
Fault mode very similar to the loss of C2Ex_02. Please refer to the latter for more details.

54 O0C2_02 Loss of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Loss of APP co-ordination output” alert.
Mitigation: As above +
- Hot switchover.
Escalation: As above.
Operational effects, until service is restored: OE-19.


55 O0C2_02 Corruption of… (fault mode detected: No)
Failure effects: Possible corruptions are:
- At least one (but not all) automated co-ordination message sent from the TWR to the adjacent APP was never received.
- At least one automated co-ordination message from the TWR to the adjacent APP has missing or erroneous data.
Mitigation:
- Surveillance data (ExS3_01 and S3Ex_01) continue to support co-ordination.
Escalation: The failure is likely to be simultaneous with the corruption of O0C2_01 and C2O0_02.
Operational effects, until service is restored or failure is detected: OE-06.
Fault mode very similar to the corruption of C2Ex_02. Please refer to the latter for more details.

56 O0C2_02 Corruption of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Corruption of APP co-ordination output” alert.
Mitigation: As above +
- Hot switchover.
Escalation: As above.
Operational effects, until service is restored: OE-19.

57 O0G1_01 Loss of… (fault mode detected: No)
Failure effects:
- Ground guidance aids cannot be manually controlled via the CWP.
Mitigation:
- Automated guidance (through C2G1_01 and G1Ex_01) should still function properly.
- If automated guidance is not used, to avoid guidance aids remaining in an unsafe configuration, all stop bars automatically switch to the “closed” state after a predefined duration.
- Vehicle (cf. G1G3_01) and aircraft (cf. G1Ex_02) on-board guidance is unaffected.
Escalation: The failure induces the corruption of G1Ex_01.
Operational effects, until service is restored or failure is detected: OE-30.
Pilots and drivers are likely to detect and signal the failure to the controller very quickly.

58 O0G1_01 Loss of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Loss of external guidance control” alert.
Mitigation: As above +
- Ground guidance aids possess their own control & monitoring tools, allowing for manual control.
- Hot switchover.
Escalation: As above.
Operational effects: None.
Manual guidance being seen as a fallback solution to automated guidance, and the FHA being performed with the single point of failure hypothesis, the operational effects consider that automated guidance is operative. Alternatively, the ground guidance aids’ own control and monitoring tools can be used.


59 O0G1_01 Corruption of… (fault mode detected: No)
Failure effects: Possible corruptions are:
- At least one (but not all) manual command to a ground guidance aid does not take effect correctly on the intended equipment.
- At least one (but not all) manual command to a ground guidance aid takes effect as intended, but on equipment other than the intended equipment.
Mitigation:
- Automated guidance (through C2G1_01 and G1Ex_01) should still function properly.
- If automated guidance is not used, to avoid guidance aids remaining in an unsafe configuration, all stop bars automatically switch to the “closed” state after a predefined duration.
- Vehicle (cf. G1G3_01) and aircraft (cf. G1Ex_02) on-board guidance is unaffected.
Escalation: The failure induces the corruption of G1Ex_01.
Operational effects, until service is restored or failure is detected: OE-32.

60 O0G1_01 Corruption of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Corruption of external guidance control” alert.
Mitigation: As above +
- Ground guidance aids possess their own control & monitoring tools, allowing for manual control, which overrides all A-SMGCS commands.
- Hot switchover.
Escalation: As above.
Operational effects: None. See comment in detected loss of O0G1_01.

61 O0R0_01 Loss of… (fault mode detected: No)
Failure effects:
- The controller is not able to set taxi route constraints in order to modify the default route proposed by the system.
Mitigation: None.
Escalation: None.
Operational effects: Not applicable. Route assignment is a process that is dissociated from taxi clearance. Before the taxi route is used by the system, the controller is bound to check and validate the route (e.g. to deliver the taxi clearance, which initiates the automatic guidance and conformance monitoring). Therefore, this non-detected fault mode is not a plausible hypothesis.

62 O0R0_01 Loss of… (fault mode detected: Yes)
Failure effects: As above +
- Display of a “Loss of route customisation” alarm.
Mitigation: As above +
- The controller can enter the complete routes manually, without semi-automatic routing support (cf. O0C2_01).
- Hot switchover.
Escalation: None.
Operational effects, until service is restored, and for the (few) mobiles for which the default route is not applicable: OE-14 (without semi-automatic routing support).


63 O0R0_01 Corruption of… (fault mode detected: No)
Failure effects: Possible corruptions are:
- At least one (but not all) taxi route customisation request does not provide the expected result (i.e. no result or an erroneous result).
Mitigation: None.
Escalation: None.
Operational effects: Not applicable. Route assignment is a process that is dissociated from taxi clearance. Before the taxi route is used by the system, the controller is bound to check and validate the route (e.g. to deliver the taxi clearance, which initiates the automatic guidance). Therefore, this non-detected fault mode is not a plausible hypothesis.

64 O0R0_01 Corruption of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Corruption of route customisation” alert.
Mitigation: As above +
- Hot switchover.
Escalation: None.
Operational effects, until service is restored, and for the (few) mobiles for which the default route is not applicable: OE-14 (without semi-automatic routing support).

65 O0S3_01 Loss of… (fault mode detected: No)
Failure effects:
- Loss of the controller’s capability to manually associate / dissociate a flight plan ID with a target.
Mitigation: None.
Escalation: None.
Operational effects: Not applicable. Since this is a manual command of the controller, it is impossible for this failure to go undetected.

66 O0S3_01 Loss of… (fault mode detected: Yes)
Failure effects: As above +
- Display on the CWP of a “Loss of manual association” alert.
Mitigation: As above +
- Hot switchover.
Escalation: None.
Operational effects, until service is restored, and for the (few) mobiles for which automatic correlation is missing or erroneous: OE-26, OE-27, OE-28, OE-29, OE-17.

67 O0S3_01 Corruption of… (fault mode detected: No)
Failure effects: Possible corruptions are:
- Erratic results to manual associations / dissociations of flight plan IDs to targets.
Mitigation: None.
Escalation: None.
Operational effects: Not applicable. Since this is a manual command of the controller, it is impossible for this failure to go undetected.

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 140 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Row 68 | O0S3_01 | Corruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Corruption of manual association” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: None.
Operational effects: Until service is restored, and for the (few) mobiles for which automatic correlation is missing or erroneous: OE-26, OE-27, OE-28, OE-29, OE-17.


Row 69 | O1Xx_01 | Loss of… | Detected: No
Equipment failure effects: Time distribution (and therefore synchronisation) is lost.
Internal equipment mitigation features: There is no ICAO requirement on this topic. However, most systems have their own clock:
- The ADS-B ground stations each carry their own GPS receiver to adjust the internal real-time clock of the ground station's processor board. If GPS fails (i.e. the time source fails), the subsystem can support correct time stamping for up to 4 hours using the internal real-time clock.
- For MLAT there are two issues: synchronisation of the receivers and time stamping of the output. The inter-ground-station time synchronisation is done relative to the internal oscillator of the calibration ground station; this function is redundant. The ASTERIX time stamping is done within the central processing station, based on the system clock of that computer, which is adjusted periodically from an external NTP server. If that NTP source fails, the MLAT can also support correct time stamping for at least 4 hours.
- Other A-SMGCS subsystems have performance similar to the ADS-B or the MLAT regarding correct time stamping and management.
Internal equipment escalation features: None.
Operational effects: A drift of 500 ms can account for a 7 m error on the position of an aircraft taxiing at 30 knots, and up to a 20 m error on the position of an aircraft taxiing at 80 knots on a rapid exit taxiway. Until service is restored or the failure is detected: OE-01, OE-03, OE-35.
Recommendations & comments: In case of reference time failure, the impact of the internal drifts on the mobile positions should be assessed. Should it become unacceptable for operation, additional recovery means could be added to the system.

Row 70 | O1Xx_01 | Loss of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Loss of reference time” alert.
Internal equipment mitigation features: As above + recovery via some form of redundancy.
Internal equipment escalation features: None.
Operational effects: Until service is restored: OE-25, OE-27, OE-35.
Recommendations & comments: Corrupted surveillance data should not be broadcast (via TIS-B).


Row 71 | O1Xx_01 | Corruption of… | Detected: No
Equipment failure effects: Possible corruptions are: different A-SMGCS subsystems are out of synch; synchronisation is performed too seldom and/or the configured allowed drift is too high; the MLAT ground stations are out of synch, leading to false positioning.
Internal equipment mitigation features: Cf. undetected loss of O1Xx_01.
Internal equipment escalation features: None.
Operational effects: Cf. undetected loss of O1Xx_01. Until service is restored or the failure is detected: OE-01, OE-03, OE-35.

Row 72 | O1Xx_01 | Corruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Corruption of time” alert.
Internal equipment mitigation features: As above + recovery via some form of redundancy.
Internal equipment escalation features: None.
Operational effects: Until service is restored: OE-25, OE-27, OE-35.
Recommendations & comments: Corrupted surveillance data should not be broadcast (via TIS-B).
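Row 69 gives the order of magnitude of the position error caused by a time-stamp drift and asks for the impact of internal clock drifts to be assessed, and row 71 notes that MLAT ground stations out of synch lead to false positioning. The following Python block is an added example, not code from the report or from the EMMA project: it reproduces the report's 500 ms figures, inverts them into a drift budget for a given position-error bound, shows how long a free-running clock can hold over before exhausting that budget, and contrasts the two sensitivities at play (time-stamp drift scales with the mobile's ground speed, whereas MLAT inter-station synchronisation error scales with the speed of light, because the position is computed from time differences of arrival). The oscillator accuracies in PPM_EXAMPLES are assumed typical values, not figures from the report.

```python
"""Clock drift versus surveillance position error (added example).

Not part of the EMMA FHA/vPSSA report. Reproduces the report's 500 ms figures
(row 69) and the MLAT synchronisation point (row 71). The oscillator accuracies
in PPM_EXAMPLES are assumed typical values, not figures from the report.
"""

KNOT_MS = 0.514444               # 1 knot in metres per second (1852 m / 3600 s)
SPEED_OF_LIGHT_MS = 299_792_458.0


def timestamp_error_m(drift_s: float, ground_speed_kt: float) -> float:
    """Along-track position error caused by a time-stamp drift.

    A report stamped `drift_s` seconds early or late is shown where the mobile
    was (or will be) `drift_s` seconds away, i.e. speed * drift metres off.
    """
    return ground_speed_kt * KNOT_MS * drift_s


def drift_budget_s(max_error_m: float, ground_speed_kt: float) -> float:
    """Largest time-stamp drift that keeps the along-track error within max_error_m."""
    return max_error_m / (ground_speed_kt * KNOT_MS)


def mlat_sync_error_m(sync_error_s: float) -> float:
    """Range-difference error caused by an inter-station synchronisation error.

    MLAT positions from time differences of arrival, so a synchronisation error
    of dt between two ground stations shifts the measured range difference by
    c * dt. This is why receiver synchronisation needs nanosecond accuracy while
    the ASTERIX output time stamp only needs sub-second accuracy.
    """
    return SPEED_OF_LIGHT_MS * sync_error_s


def holdover_s(drift_budget: float, oscillator_ppm: float) -> float:
    """Seconds a free-running clock of the given accuracy (parts per million)
    can hold over before its accumulated drift reaches drift_budget."""
    return drift_budget / (oscillator_ppm * 1e-6)


# Assumed typical free-running accuracies, for illustration only (not from the report).
PPM_EXAMPLES = {"plain RTC crystal": 50.0, "TCXO": 2.0, "OCXO": 0.01}


def report_table(drift_s: float = 0.5, speeds_kt=(30.0, 80.0)) -> dict:
    """Position error for the report's drift at each taxi speed, rounded to 0.1 m."""
    return {v: round(timestamp_error_m(drift_s, v), 1) for v in speeds_kt}


if __name__ == "__main__":
    for speed, err in report_table().items():
        print(f"500 ms drift at {speed:.0f} kt -> {err} m along track")
    print(f"drift budget for 5 m at 80 kt: {drift_budget_s(5.0, 80.0):.3f} s")
    print(f"MLAT: 100 ns inter-station error -> {mlat_sync_error_m(100e-9):.1f} m")
    for name, ppm in PPM_EXAMPLES.items():
        print(f"{name}: 500 ms budget reached after {holdover_s(0.5, ppm) / 3600:.1f} h")
```

The first two printed lines reproduce the report's 7 m and 20 m figures (7.7 m and 20.6 m before rounding). The holdover line is the check the row 69 recommendation asks for: if 500 ms is the drift budget, the 4 h holdover quoted for the ADS-B and MLAT clocks requires a free-running clock better than about 35 ppm (0.5 s over 14 400 s), which a plain crystal may not meet, while the MLAT line shows why inter-station synchronisation is a separate and far tighter budget than output time stamping.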

Row 73 | O2O0_01 | Loss of… | Detected: No
Equipment failure effects: System status (ok, fault, etc.) is no longer updated on the CWP.
Internal equipment mitigation features: None.
Internal equipment escalation features: The failure is likely to be simultaneous with the loss of XxO2_01.
Operational effects: None.
Recommendations & comments: This case is not applicable: a loss of system status can always be detected. Moreover, with the single point of failure hypothesis, all other functions are nominal, so there is no operational effect.

Row 74 | O2O0_01 | Loss of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Corruption of technical supervision” alert.
Internal equipment mitigation features: None.
Internal equipment escalation features: As above.
Operational effects: None.
Recommendations & comments: The controller working position should itself monitor the correct reception of the system status. Alternatively, a human operator (controller or technical supervisor) may detect the loss. In any case, with the single point of failure hypothesis, all other functions are nominal, so there is no operational effect.


Row 75 | O2O0_01 | Corruption of… | Detected: No
Equipment failure effects: Possible corruptions are: the controller is provided with an erroneous system status.
Internal equipment mitigation features: None.
Internal equipment escalation features: The failure is likely to be simultaneous with the corruption of XxO2_01.
Operational effects: Until service is restored or the failure is detected: efficiency loss. Even if the equipment is (obviously) working, the controller's trust in the system will fall and he will revert to fallback or manual procedures, i.e. OE-23.
Recommendations & comments: With the single point of failure hypothesis, all other functions are nominal, so the erroneous system status concerns working equipment that is declared faulty.

Row 76 | O2O0_01 | Corruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Corruption of technical supervision” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: As above.
Operational effects: Until service is restored: can a controller trust equipment that says it is corrupted? Logically yes: if it is working, then what it says is true, i.e. it is corrupted; otherwise it is corrupted; in both cases it is corrupted. However, we can make the same assumption as above, i.e. OE-23.
Recommendations & comments: As above.

Row 77 | O2Xx_01 | Loss of… | Detected: No
Equipment failure effects: Technical control commands (e.g. switchover, shutdown, enter maintenance mode, etc.) are not executed, and this non-execution is not detected.
Operational effects: This case is likely to be impossible.

Row 78 | O2Xx_01 | Loss of… | Detected: Yes
Equipment failure effects: Technical control commands (e.g. switchover, shutdown, enter maintenance mode, etc.) are not executed, and this is reflected by the technical supervision system.
Operational effects: With the single point of failure hypothesis, all other functions are nominal, so the control commands are assumed to be related to non-operational requirements (e.g. maintenance). Therefore no operational effect is considered.


Row 79 | O2Xx_01 | Corruption of… | Detected: No
Equipment failure effects: Technical control commands (e.g. switchover, shutdown, enter maintenance mode, etc.) are not executed correctly, and this incorrect execution is not detected.
Operational effects: This case is likely to be impossible.

Row 80 | O2Xx_01 | Corruption of… | Detected: Yes
Equipment failure effects: Technical control commands (e.g. switchover, shutdown, enter maintenance mode, etc.) are not executed correctly, and this is reflected by the technical supervision system.
Operational effects: With the single point of failure hypothesis, all other functions are nominal, so the control commands are assumed to be related to non-operational requirements (e.g. maintenance). Therefore no operational effect is considered.

Row 81 | O4X0_01 | Loss of… | Detected: No
Equipment failure effects: The loss may concern one or a combination of the following:
- Updates of rules (e.g. one-way taxiways, maximal capacity of a taxiway, allowed types of aircraft, taxiing and separation rules, etc.) and of the dynamic status of operational parts of the aerodrome are no longer displayed to the controller nor provided to the concerned tools.
- The different aerodrome mapping databases (ground system, on-board vehicle or aircraft systems) are no longer synchronised.
- Loss of local weather conditions for all stakeholders.
Internal equipment mitigation features: Guidance aids possess their own control & monitoring tools, which provide the status of ground guidance aids; until the service is restored, the CWP and the concerned tools keep locally the last known dynamic status of operational parts of the aerodrome and the local weather conditions; the flight information service – broadcast (FIS-B) provides some redundant information.
Internal equipment escalation features: The failure induces the corruption of R0C2_01 (i.e. taxi route elaboration makes use of obsolete rules, dynamic status & weather conditions) and of the mobile on-board databases.
Operational effects: Until service is restored: OE-03, OE-07, OE-36.
Recommendations & comments: The aeronautical information service (AIS) also provides redundant information, which may be distributed through a separate digital automatic terminal information service (D-ATIS).


Row 82 | O4X0_01 | Loss of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Loss of aerodrome database” alert.
Internal equipment mitigation features: As above + until the service is restored, the controller, pilots & drivers can manually update the dynamic status of operational parts of the aerodrome on their display systems (display impact only for the CWP); hot switchover.
Internal equipment escalation features: As above.
Operational effects: Until service is restored, and for the (few) mobiles for which the default route is not applicable: OE-27, OE-14, OE-16, OE-36.

Row 83 | O4X0_01 | Corruption of… | Detected: No
Equipment failure effects: Possible corruptions are: erratic updates of the dynamic status of operational parts of the aerodrome; the aerodrome-mapping databases maintained locally by the different sub-systems get out of synch; partial loss or corruption of local weather conditions.
Internal equipment mitigation features: Guidance aids possess their own control & monitoring tools, which provide the status of ground guidance aids; the flight information service – broadcast (FIS-B) provides some redundant information.
Internal equipment escalation features: The failure induces the corruption of R0C2_01 (i.e. taxi route elaboration makes use of obsolete rules, dynamic status & weather conditions) and of the mobile on-board databases.
Operational effects: Until traffic service is restored: OE-03, OE-07, OE-36.
Recommendations & comments: See comment in undetected loss of O4X0_01.

Row 84 | O4X0_01 | Corruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Corruption of aerodrome database” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: As above.
Operational effects: Until service is restored, and for the (few) mobiles for which the default route is not applicable: OE-27, OE-14, OE-16, OE-36.

Row 85 | R0C2_01 | Fault mode and detection: - | All remaining columns: cf. C2R0_01.

Row 86 | R0O0_01 | Fault mode and detection: - | All remaining columns: cf. O0R0_01.

Row 87 | S1O0_01 | Loss of… | Detected: No
Equipment failure effects: Loss of the raw or pseudo-analogue video on the controller working position. It is impossible not to notice this failure, so this case is not realistic.
Internal equipment mitigation features: Synthetic traffic is unaffected.
Internal equipment escalation features: Not applicable.
Operational effects: Not applicable.

Row 88 | S1O0_01 | Loss of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Loss of raw video” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: None.
Operational effects: OE-02. Until traffic service is restored, the controller is less aware of the size or nature of the traffic.


Row 89 | S1O0_01 | Corruption of… | Detected: No
Equipment failure effects: Possible corruptions are: part (but not all) of the aerodrome is not covered by the primary surveillance.
Internal equipment mitigation features: Synthetic traffic is unaffected.
Internal equipment escalation features: None.
Operational effects: None.

Row 90 | S1O0_01 | Corruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Corruption of raw video” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: None.
Operational effects: None.

Row 91 | S1O2_01 | Loss of… | Detected: No
Equipment failure effects: Loss of the live status of the primary surveillance messages sent to the technical supervision.
Internal equipment mitigation features: Supervision is also performed via the XxO2_01 flow.
Internal equipment escalation features: None.
Operational effects: Not applicable. This is a control flow: non-detection of its loss is a non-realistic hypothesis.

Row 92 | S1O2_01 | Loss of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Loss of SMR live status” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: None.
Operational effects: None.

Row 93 | S1O2_01 | Corruption of… | Detected: No
Equipment failure effects: Possible corruptions are: at least one (but not all) live status message is lost.
Internal equipment mitigation features: Supervision is also performed via the XxO2_01 flow.
Internal equipment escalation features: None.
Operational effects: Not applicable. This is a control flow: non-detection of its corruption is a non-realistic hypothesis.

Row 94 | S1O2_01 | Corruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Corruption of SMR live status” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: None.
Operational effects: None.

Row 95 | S1S3_01 | Loss of… | Detected: No
Equipment failure effects: Loss of all non co-operative sensor track inputs to the sensor data fusion.
Internal equipment mitigation features: Raw or pseudo-analogue video is unaffected (cf. S1O0_01).
Internal equipment escalation features: None.
Operational effects: Not applicable. Considering the related live status control flow (S1O2_01), the non-detection of this fault mode is highly improbable.

Row 96 | S1S3_01 | Loss of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Loss of SMR tracks” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: None.
Operational effects: Until traffic service is restored: OE-25, OE-27.


Row 97 | S1S3_01 | Corruption of… | Detected: No
Equipment failure effects: Possible corruptions are: same as loss of S1S3_01 but restricted to a subset of non co-operative sensors and/or to a defined part of the aerodrome; false target reports; loss of target report accuracy and/or resolution, which would make fusion difficult.
Internal equipment mitigation features: Raw or pseudo-analogue video is unaffected (cf. S1O0_01).
Internal equipment escalation features: None.
Operational effects: Until service is restored or the failure is detected: OE-01, OE-03.

Row 98 | S1S3_01 | Corruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Corruption of SMR tracks” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: None.
Operational effects: Until traffic service is restored: OE-25, OE-27.

Row 99 | S2G3_01 | Loss of… | Detected: No
Equipment failure effects: Loss of all automatic dependent surveillance between ADS-B out mobiles and ADS-B in equipped vehicles.
Internal equipment mitigation features: Not applicable.
Internal equipment escalation features: Not applicable.
Operational effects: Not applicable. This is a distributed function between all ADS-B in and out equipped mobiles. The complete and simultaneous loss of all those flows is not within the scope of this FHA.

Row 100 | S2G3_01 | Loss of… | Detected: Yes
Equipment failure effects: As above + display on the CWP and on the vehicle HMI of a “Loss of ADS-B” alert.
Internal equipment mitigation features: As above.
Internal equipment escalation features: As above.
Operational effects: As above.
Recommendations & comments: As above.

Row 101 | S2G3_01 | Corruption of… | Detected: No
Equipment failure effects: Possible corruptions are: at least one vehicle (but not all) no longer emits its self-determined ADS-B data; at least one vehicle (but not all) no longer receives ADS-B data; at least one vehicle emits erroneous ADS-B data.
Internal equipment mitigation features: Even with in & out corruption, self-positioning data may be used on board the vehicle for its own situation awareness.
Internal equipment escalation features: The failure is likely to be simultaneous with the corruption of G4G3_01.
Operational effects: Until service is restored or the failure is detected: OE-35.

Row 102 | S2G3_01 | Corruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP and on the vehicle HMI of a “Corruption of ADS-B” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: As above.
Operational effects: Until service is restored or the failure is detected: OE-35.


Row 103 | S2O2_01 | Loss of… | Detected: No
Equipment failure effects: Loss of the live status of the co-operative surveillance sent to the technical supervision.
Internal equipment mitigation features: Supervision is also performed via the XxO2_01 flow.
Internal equipment escalation features: None.
Operational effects: Not applicable. This is a control flow: non-detection of its loss is a non-realistic hypothesis.

Row 104 | S2O2_01 | Loss of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Loss of co-operative live status” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: None.
Operational effects: None.

Row 105 | S2O2_01 | Corruption of… | Detected: No
Equipment failure effects: Possible corruptions are: at least one (but not all) live status message is lost.
Internal equipment mitigation features: Supervision is also performed via the XxO2_01 flow.
Internal equipment escalation features: None.
Operational effects: Not applicable. This is a control flow: non-detection of its corruption is a non-realistic hypothesis.

Row 106 | S2O2_01 | Corruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Corruption of co-operative live status” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: None.
Operational effects: None.

Row 107 | S2S3_01 | Loss of… | Detected: No
Equipment failure effects: Loss of surveillance data from co-operative sensors, including mobile self-established position, identification, heading, intentions, etc. Considering the related live status control flow (S2O2_01), the non-detection of this fault mode is highly improbable.
Internal equipment mitigation features: Non co-operative sensors continue to provide reliable surveillance data; mobiles equipped with ADS-B in capability continue to benefit from some direct mobile-to-mobile co-operative surveillance data (cf. S2G3_01 and S2Ex_01).
Internal equipment escalation features: The failure induces the corruption of S3C1_01, S3O0_01, S3S4_01 and S3G4_01.
Operational effects: Not applicable.

Row 108 | S2S3_01 | Loss of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Loss of all co-operative sensors” alert.
Internal equipment mitigation features: As above + hot switchover to redundant surveillance should be possible.
Internal equipment escalation features: As above.
Operational effects: Until traffic is reduced, visibility conditions become acceptable, or service is restored: OE-25, OE-26, OE-27, OE-28. Additionally: OE-13. Alternatively: OE-17, OE-20, OE-22.


Row 109 | S2S3_01 | Corruption of… | Detected: No
Equipment failure effects: Possible corruptions are: partial loss of surveillance data from co-operative sensors, related to a subset of mobiles or to a part of the surveillance coverage area; false co-operative reports (in terms of position and/or identification); overflow of secondary surveillance data. Concerning a system overload, it cannot be excluded that it is a deliberate “attack” (cf. §1.3.6).
Internal equipment mitigation features: Non co-operative sensors continue to provide reliable surveillance data; if the corruption originates from a failure of ADS-B on-board equipment (aircraft or vehicle), then the non-ADS-B co-operative sensors (e.g. MLAT) continue to provide reliable surveillance data.
Internal equipment escalation features: The failure induces the corruption of S3C1_01, S3O0_01, S3S4_01 and S3G4_01. Unlike the loss of S2S3_01, the detection of the corruption might not be obvious.
Operational effects: Until traffic is reduced, visibility conditions become acceptable, service is restored or the failure is detected: OE-01, OE-03.

Row 110 | S2S3_01 | Corruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Loss of co-operative sensors” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: As above + in case of discrepancy between co-operative and non co-operative sensors, priority might (erroneously) be given to co-operative target reports.
Operational effects: Same as loss of S2S3_01.
Recommendations & comments: When a specific co-operative sensor is known to provide corrupted data, should the control authority be able to selectively disconnect it? This may seem surprising, but is it very different from disconnecting surface conflict alerts because of too many false alerts?
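Rows 109 and 110 describe corrupted co-operative data that fusion might wrongly prefer over non co-operative returns, note that an overflow could be a deliberate attack, and ask whether a known-bad sensor should be selectively disconnected. The following Python block is an added example, not code from the report or from the EMMA project, showing one way to implement those checks in front of sensor data fusion: a per-sensor report-rate (overflow) detector, and a cross-check of each co-operative report against the nearest non co-operative (SMR) plot, with a sensor that fails either check quarantined so that its reports are withheld from fusion and the decision is surfaced to the control authority. The sensor names, thresholds and sample reports are constructed for this example.

```python
"""Plausibility guard in front of sensor data fusion (added example).

Not part of the EMMA FHA/vPSSA report. Illustrates two checks for a corrupted
S2S3_01 flow (rows 109 and 110): an overflow detector per sensor, and a
cross-check of co-operative reports (ADS-B, MLAT) against non co-operative
ones (SMR), so that a discrepancy is flagged instead of co-operative data
silently winning in fusion. Sensor names, thresholds and the sample reports
are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
import math
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Report:
    t: float           # receipt time, seconds
    sensor: str        # sensor identifier (constructed names, e.g. "ADSB-1")
    cooperative: bool  # True for ADS-B / MLAT, False for SMR (primary radar)
    x: float           # aerodrome-local position, metres
    y: float


def overflow_sensors(reports: Iterable[Report], window_s: float = 1.0,
                     max_per_window: int = 50) -> Set[str]:
    """Sensors that delivered more than max_per_window reports in any sliding window."""
    times: Dict[str, List[float]] = defaultdict(list)
    for r in reports:
        times[r.sensor].append(r.t)
    flagged = set()
    for sensor, ts in times.items():
        ts.sort()
        start = 0
        for end, t_end in enumerate(ts):
            while t_end - ts[start] > window_s:
                start += 1
            if end - start + 1 > max_per_window:
                flagged.add(sensor)
                break
    return flagged


def discrepant_sensors(reports: Iterable[Report], max_dt_s: float = 1.0,
                       max_dist_m: float = 25.0, min_samples: int = 3,
                       max_fraction: float = 0.3) -> Set[str]:
    """Co-operative sensors whose reports too often have no non co-operative plot nearby.

    Each co-operative report is matched to the nearest SMR plot received within
    max_dt_s; a report with no plot within max_dist_m (or no plot at all) counts
    as discrepant. A sensor is flagged once it has min_samples reports and more
    than max_fraction of them are discrepant, so a single missed plot is tolerated.
    """
    reports = list(reports)
    primary = [r for r in reports if not r.cooperative]
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # sensor -> [bad, total]
    for r in reports:
        if not r.cooperative:
            continue
        nearby = [p for p in primary if abs(p.t - r.t) <= max_dt_s]
        dist = min((math.hypot(p.x - r.x, p.y - r.y) for p in nearby), default=math.inf)
        stats[r.sensor][1] += 1
        if dist > max_dist_m:
            stats[r.sensor][0] += 1
    return {s for s, (bad, total) in stats.items()
            if total >= min_samples and bad / total > max_fraction}


def filter_for_fusion(reports: Iterable[Report]) -> Tuple[List[Report], Set[str]]:
    """Withhold reports from quarantined sensors; return what fusion may use and why."""
    reports = list(reports)
    quarantined = overflow_sensors(reports) | discrepant_sensors(reports)
    kept = [r for r in reports if r.sensor not in quarantined]
    return kept, quarantined


def build_sample() -> List[Report]:
    """Constructed sample, not recorded data: five seconds of reports on two mobiles
    seen by the SMR, an ADS-B ghost with no primary return, and a flooding transmitter."""
    reports: List[Report] = []
    for k in range(5):
        t = float(k)
        reports.append(Report(t, "SMR", False, 100.0 + 10.0 * t, 200.0))    # mobile A
        reports.append(Report(t, "SMR", False, 500.0, 300.0 - 5.0 * t))     # mobile B
        reports.append(Report(t, "ADSB-1", True, 103.0 + 10.0 * t, 202.0))  # A, agrees with SMR
        reports.append(Report(t, "MLAT", True, 498.0, 301.0 - 5.0 * t))     # B, agrees with SMR
        reports.append(Report(t, "ADSB-2", True, 900.0 + 10.0 * t, 900.0))  # ghost: no SMR plot near it
    for k in range(200):  # 200 reports in one second from a single transmitter
        reports.append(Report(k / 200.0, "ADSB-3", True, 1500.0, 1500.0))
    return reports


if __name__ == "__main__":
    kept, quarantined = filter_for_fusion(build_sample())
    print("quarantined:", sorted(quarantined))
    print("reports passed to fusion:", len(kept), "from", sorted({r.sensor for r in kept}))
```

Quarantining is the selective disconnection the table asks about, applied automatically per sensor but with the reason surfaced rather than hidden; the rate check is the cheap defence against the overload the table flags as possibly deliberate, and the cross-check refuses to let co-operative reports win by default, which is the escalation row 110 warns about. The thresholds are deliberately conservative (several samples, a tolerated miss fraction) so that one dropped radar plot does not take a healthy sensor out of fusion.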

Row 111 | S3C1_01 | Loss of… | Detected: No
Equipment failure effects: Traffic data is no longer provided to the traffic monitoring & alerting. Considering the related live status control flow (S3O2_01), the non-detection of this fault mode is highly improbable.
Internal equipment mitigation features: The plan monitoring function continues to provide the controller with reliable plan deviation alerts; on-board traffic monitoring & alerting continues to provide reliable alerts to pilots and drivers.
Internal equipment escalation features: The failure induces the loss of C1O0_01. The failure is likely to be simultaneous with the loss of S3O0_01, S3S4_01 and S3G4_01.
Operational effects: Not applicable.


Row 112 | S3C1_01 | Loss of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Loss of traffic monitoring” alert.
Internal equipment mitigation features: As above + hot switchover. Fused sensor data is currently seen as the sole input to the traffic monitoring and alerting function; re-configuration to a single sensor input in case of sensor fusion failure may represent an interesting back-up solution.
Internal equipment escalation features: As above.
Operational effects: Until service is restored: OE-27.
Recommendations & comments: Even though the failure originates in the surveillance, the technical alert will probably be raised on the traffic alerting failure.

Row 113 | S3C1_01 | Corruption of… | Detected: No
Equipment failure effects: Possible corruptions are: partial loss of surveillance data, related to a subset of mobiles (e.g. faulty secondary surveillance) or to a part of the surveillance coverage area; the target report continuity is not ensured for at least one target; at least one target report is provided with missing kinematic, identification or classification data; at least one target report is provided with false position, kinematic, identification or classification data; overflow of data. For induced corruptions, see undetected corruption of C1O0_01.
Internal equipment mitigation features: Same as undetected loss of S3C1_01.
Internal equipment escalation features: The failure induces the corruption of C1O0_01. The failure is likely to be simultaneous with the corruption of S3O0_01, S3S4_01 and S3G4_01.
Operational effects: Until traffic is reduced, visibility conditions become acceptable, service is restored or the failure is detected: OE-03.

Row 114 | S3C1_01 | Corruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Corruption of traffic monitoring” alert.
Internal equipment mitigation features: Same as detected loss of S3C1_01.
Internal equipment escalation features: As above.
Operational effects: Until service is restored: OE-27.
Recommendations & comments: Even though the failure originates in the surveillance, the technical alert will probably be raised on the traffic alerting failure.


Row 115 | S3G4_01 | Loss of… | Detected: No
Equipment failure effects: The traffic situation, as seen and fused by the ground systems, is no longer provided to the guidance function (for pilot & driver situation awareness).
Internal equipment mitigation features: Mobiles equipped with ADS-B in capability continue to benefit from some direct mobile-to-mobile co-operative surveillance data.
Internal equipment escalation features: The failure induces the loss of G4G3_01 and G4Ex_01. The failure is likely to be simultaneous with the loss of S3O0_01, S3S4_01 and S3C1_01.
Operational effects: Not applicable. Considering the related live status control flow (S3O2_01), the non-detection of this fault mode is highly improbable.

Row 116 | S3G4_01 | Loss of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Loss of TIS-B” alert.
Internal equipment mitigation features: As above + hot switchover. Fused sensor data is currently seen as the sole input to the TIS-B function; re-configuration to a single sensor input in case of sensor fusion failure may represent an interesting back-up solution.
Internal equipment escalation features: As above.
Operational effects: Until service is restored: OE-35 (but the pilots & drivers know it).
Recommendations & comments: Even though the failure originates in the surveillance, the technical alert will probably be raised on the TIS-B failure.

Row 117 | S3G4_01 | Corruption of… | Detected: No
Equipment failure effects: Possible corruptions are: partial loss of surveillance data, related to a subset of mobiles (e.g. faulty secondary surveillance) or to a part of the surveillance coverage area; the target report continuity is not ensured for at least one target; at least one target report is provided with missing kinematic, identification or classification data; at least one target report is provided with false position, kinematic, identification or classification data; overflow of data.
Internal equipment mitigation features: Same as undetected loss of S3G4_01.
Internal equipment escalation features: The failure induces the corruption of G4G3_01 and G4Ex_01. The failure is likely to be simultaneous with the corruption of S3O0_01, S3S4_01 and S3C1_01.
Operational effects: Until service is restored or the failure is detected: OE-35 (but the pilots & drivers do not know it).


Row 118 | S3G4_01 | Corruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Corruption of TIS-B” alert.
Internal equipment mitigation features: Same as detected loss of S3G4_01.
Internal equipment escalation features: As above.
Operational effects: Until service is restored: OE-35 (but the pilots & drivers know it).
Recommendations & comments: Even though the failure originates in the surveillance, the technical alert will probably be raised on the TIS-B failure.

Row 119 | S3O0_01 | Loss of… | Detected: No
Equipment failure effects: Synthetic track reports are no longer provided to the controller working positions, and so: synthetic track symbols stop moving on the CWP; synthetic and pseudo-analogue target reports become inconsistent on the CWP.
Internal equipment mitigation features: Raw or pseudo-analogue video should continue to provide reliable target localisation to the controller (cf. S1O0_01); co-operative sensors should continue to provide reliable target localisation to pilots and drivers (cf. S2G3_01 & S2Ex_01).
Internal equipment escalation features: The failure is likely to be simultaneous with the loss of S3C1_01, S3S4_01 and S3G4_01.
Operational effects: Not applicable. Considering the related live status control flow (S3O2_01), the non-detection of this fault mode by the system is highly improbable. Moreover, because all synthetic tracks stop and because of the inconsistencies between synthetic and pseudo-analogue target reports, detection by the controller is also immediate.

Row 120 | S3O0_01 | Loss of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Loss of synthetic surveillance” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: As above.
Operational effects: Until traffic is reduced, visibility conditions become acceptable, or service is restored: OE-25, OE-17, OE-20.
Recommendations & comments: The synthetic track symbols should remain displayed (afterglow) at the position at which they were last received for an offline-configurable duration, and they should retain all their kinematic, identification and classification attributes. This duration should not be too long: in case of SDF failure, the primary raw video is the better information.

Row 121 | S3O0_01 | Temporary interruption of… | Detected: No
Equipment failure effects: Same as undetected loss of S3O0_01.
Internal equipment mitigation features: Same as undetected loss of S3O0_01.
Operational effects: Not applicable. Considering the related live status control flow (S3O2_01), the non-detection of this fault mode by the system is highly improbable.

Row 122 | S3O0_01 | Temporary interruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Loss of synthetic surveillance” alert.
Internal equipment mitigation features: As above + hot switchover. The controller working position (CWP) can proceed locally with some short-term system track extrapolation.
Operational effects: Until traffic is reduced, visibility conditions become acceptable, or service is restored: OE-25.


Row 123 | S3O0_01 | Corruption of… | Detected: No
Equipment failure effects: Possible corruptions are: partial loss of surveillance data, related to a subset of mobiles (e.g. faulty secondary surveillance) or to a part of the surveillance coverage area; the target report continuity is not ensured for at least one target; at least one target report is provided with missing kinematic, identification or classification data; at least one target report is provided with false position, kinematic, identification or classification data; overflow of surveillance data to the CWP.
Internal equipment mitigation features:
- The synthetic track symbol whose position continuity is not ensured should remain displayed (afterglow) at the position at which it was last received for an offline-configurable duration, and it should retain all its kinematic, identification and classification attributes.
- The synthetic track symbol whose identification continuity is not ensured should keep its last received identification.
- Pseudo-analogue target reports should continue to provide reliable target localisation to the controller (cf. S1O0_01).
- Co-operative sensors should continue to provide reliable target localisation to pilots and drivers (cf. S2G3_01 & S2Ex_01).
Internal equipment escalation features: The failure is likely to be simultaneous with the corruption of S3C1_01, S3S4_01 and S3G4_01. Even though pilots and drivers are provided with reliable target localisation (and alerting), they might choose to trust controller instructions rather than their own position display and/or alerting.
Operational effects: Until traffic is reduced, visibility conditions become acceptable, service is restored or the failure is detected: OE-01.
Recommendations & comments: Unlike the loss of S3O0_01, the detection of the corruption by the system or by the controller might not be obvious.

Row 124 | S3O0_01 | Corruption of… | Detected: Yes
Equipment failure effects: As above + display on the CWP of a “Corrupted synthetic surveillance” alert.
Internal equipment mitigation features: As above + hot switchover.
Internal equipment escalation features: As above.
Operational effects: Until traffic is reduced, visibility conditions become acceptable, or service is restored: OE-25, OE-17, OE-20.

125 S3O2_01 Loss of… No x Loss of the live status of the surveillance sent to the technical supervision.

x Supervision is also performed via the XxO2_01 flow.

x None x x Not applicable. This is a control flow: non-detection of its loss is a non-realistic hypothesis.

126 S3O2_01 Loss of… Yes As above + x Display on the CWP of a

“Loss of surveillance live status” alert.

As above + x Hot switchover.

x None x x None

127 S3O2_01 Corruption of…

No Possible corruptions are: x At least one (but not all)

live status message is lost.

x Supervision is also performed via the XxO2_01 flow.

x None x x Not applicable. This is a control flow: non-detection of its corruption is a non-realistic hypothesis.


128 S3O2_01 Corruption of… Yes
As above + • Display on the CWP of a “Corruption of surveillance live status” alert.
As above + • Hot switchover.
• None
• None

129 S3S4_01 Loss of… No
• The traffic situation, as seen and fused by the ground systems, is not provided anymore to the traffic movement characterisation function. For induced equipment effects, cf. undetected loss of S4C3_01.
• None
The failure induces the loss of: • S4C3_01
The failure is likely to be simultaneous with the loss of: • S3O0_01 • S3C1_01 • S3G4_01
• Not applicable. Considering the related live status control flow (S3O2_01), the non-detection of this fault mode by the system is highly improbable.

130 S3S4_01 Loss of… Yes
As above + • Display on the CWP of a “Loss of synthetic surveillance” alert.
• Cf. detected loss of S4C3_01
• As above.
• Cf. detected loss of S4C3_01

131 S3S4_01 Corruption of… No
• Cf. undetected corruption of S4C3_01
• Cf. undetected corruption of S4C3_01
The failure induces the corruption of: • S4C3_01
The failure is likely to be simultaneous with the corruption of: • S3O0_01 • S3C1_01 • S3G4_01
• Cf. undetected corruption of S4C3_01.

132 S3S4_01 Corruption of… Yes
• Cf. detected corruption of S4C3_01
• Cf. detected corruption of S4C3_01
• As above
• Cf. detected corruption of S4C3_01


133 S4C3_01 Loss of… No
Traffic characterisation events are not sent anymore to the plan monitoring and alerting function, so:
• Flight plans are not updated anymore with plan monitoring alerts (i.e. plan deviations), so the latter are not conveyed to the CWP anymore.
• Flight progress based on surveillance data is not updated automatically anymore (e.g. support to silent hand-over is lost, entering of the actual take-off time into the flight plan upon aircraft take-off is not performed anymore), so the latter is not conveyed to the CWP anymore.
• A safety net is still ensured by the traffic monitoring & alerting function.
The failure induces the corruption of: • C3C2_01
• Until service is restored or failure is detected: • OE-04 • OE-05

134 S4C3_01 Loss of… Yes
As above + • Display on the CWP of a “Corruption of plan monitoring & alerting” alert.
As above + • The controller can manually enter the flight progress (in order to keep the flight plans up to date). • Hot switchover.
• As above
• Until service is restored: • OE-12 • OE-28
Alternatively, until service is restored, the controller may wish to forget about part of the automation, leading to the following operational effects: • OE-28 • OE-29
Even though the failure origin is on the surveillance, the technical alert will probably be on the plan monitoring & alerting failure. Also, even though an alternative set of operational effects has been given, the manual flight plan management (i.e. OE-12) is highly recommended because it has an impact both on plan conformance monitoring and on co-ordination support.


135 S4C3_01 Corruption of… No
Possible corruptions are:
• At least one (but not all) traffic characterisation event is missing.
• The plan monitoring and alerting function is provided with at least one false traffic characterisation event.
• Overflow of events.
• A safety net is still ensured by the traffic monitoring & alerting function.
The failure induces the corruption of: • C3C2_01
• Until service is restored or failure is detected: • OE-04 • OE-05
The possible corruptions mentioned opposite lead to equipment effects similar to those listed in the undetected loss of S4C3_01, but the extent of the effects is limited. Thus the operational effects are also similar, but restricted to a sub-set of mobiles and/or part of the aerodrome.

136 S4C3_01 Corruption of… Yes
As above + • Display on the CWP of a “Corruption of plan monitoring & alerting” alert.
As above + • The controller can manually enter the flight progress (in order to keep the flight plans up to date). • Hot switchover.
• As above
• Until service is restored: • OE-12 • OE-28
Even though the failure origin is on the surveillance, the technical alert will probably be on the plan monitoring & alerting failure.

137 XxO2_01 Loss of… No
• Sub-system status monitoring is lost for all internal sub-systems. This case can only happen with the hypothesis that it is the central technical supervision that fails.
• Each sub-system has its own built-in test.
The failure is likely to be simultaneous with the loss of: • S1O2_01 • S2O2_01 • S3O2_01
• ???

138 XxO2_01 Loss of… Yes
• - • - • - • -
This case is not applicable.

139 XxO2_01 Corruption of… No
• ??? • ??? • ??? • ???

140 XxO2_01 Corruption of… Yes
• - • - • - • -
This case is not applicable.

141 XxO3_01 Loss of… No
• Sub-system status recording is lost for all internal sub-systems.
• None
• None
• None

142 XxO3_01 Loss of… Yes
As above + • Display on the CWP of a “Loss of recording” alert.
As above + • Hot switchover.
• None
• None


143 XxO3_01 Corruption of… No
Possible corruptions are: • Sub-system status recording is lost for at least one, but not all, internal sub-systems.
• None
• None
• None
Reporting of operational alerts shall be carried out in a controlled manner to ensure that the recipient of the alert does not receive a cascade of messages from the recording, which may cause the operator to overlook alerts raised by other runtime applications that may have an impact on system safety.

144 XxO3_01 Corruption of… Yes
As above + • Display on the CWP of a “Corruption of recording” alert.
As above + • Hot switchover.
• None
• None

145 XxO3_02 Loss of… No
• Proprietary data recording is lost for all internal sub-systems.
• None
• None
• None
Failure of the REC runtime application on the central recording servers in the Operational State due to software malfunction shall not degrade the operation of any other runtime application running in the system.

146 XxO3_02 Loss of… Yes
As above + • Display on the CWP of a “Loss of recording” alert.
As above + • Hot switchover.
• None
• None


147 XxO3_02 Corruption of… No
Possible corruptions are: • CPU overload. • LAN overflow. • Proprietary data recording is lost for at least one, but not all, internal sub-systems.
• None
• None
• OE-09
Until service is restored or failure is detected: • System response time increases above tolerable values.
Recording CPU load shall be limited to 50%. The quantity of recorded data that is transmitted on the LAN when transferring data from remote nodes to the central recording server shall not exceed a load of 350 kilobytes / sec. Failure of local recording running on a remote node shall not degrade the operation of the central runtime application that is carrying out the recording or the operation of any other runtime application on that node.

148 XxO3_02 Corruption of… Yes
As above + • Display on the CWP of a “Corruption of recording” alert.
As above + • Hot switchover. • Recording interruption.
• None
• As above.

Table 5-11: Internal fault modes and effects analysis table (part 1)
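The afterglow recommendation attached to rows 120 and 123 (keep a synthetic track symbol at its last received position, with its attributes, for an offline-configurable duration, and keep the last received identification when a report lacks one) can be prototyped as below. This is an added example and not code from the EMMA project or its partners; the durations, the report fields and the callsign are assumed or constructed values.

```python
"""Afterglow (coasting) of synthetic track symbols on the CWP.

Added example, not code from the EMMA report or its partners. It implements the
recommendation attached to rows 120 and 123 of Table 5-11: a track whose reports
stop arriving stays displayed at its last received position, with its cinematic,
identification and classification attributes retained, for an offline-configurable
duration, and is dropped afterwards; a report with missing identification or
classification keeps the last received values. AFTERGLOW_S, UPDATE_PERIOD_S and
the TrackReport fields are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional

AFTERGLOW_S = 10.0       # offline configurable afterglow duration (assumed value)
UPDATE_PERIOD_S = 1.0    # nominal SDF report period (assumed value)


@dataclass(frozen=True)
class TrackReport:
    """One synthetic track report from the SDF (constructed format)."""
    track_id: int
    x_m: float
    y_m: float
    t: float                                # reception time, seconds
    speed_kt: Optional[float] = None        # cinematic attributes
    heading_deg: Optional[float] = None
    callsign: Optional[str] = None          # identification
    classification: Optional[str] = None    # e.g. "aircraft", "vehicle"


@dataclass
class DisplayedTrack:
    report: TrackReport
    last_rx: float
    coasting: bool = False   # True once the nominal update period has been exceeded


class TrackDisplay:
    """Track table behind the CWP synthetic surveillance layer."""

    def __init__(self, afterglow_s: float = AFTERGLOW_S,
                 update_period_s: float = UPDATE_PERIOD_S) -> None:
        self.afterglow_s = afterglow_s
        self.update_period_s = update_period_s
        self.tracks: Dict[int, DisplayedTrack] = {}

    def receive(self, rep: TrackReport) -> None:
        """Accept a report; attributes it lacks fall back to the last received ones."""
        prev = self.tracks.get(rep.track_id)
        if prev is not None:
            old = prev.report
            rep = replace(
                rep,
                speed_kt=old.speed_kt if rep.speed_kt is None else rep.speed_kt,
                heading_deg=old.heading_deg if rep.heading_deg is None else rep.heading_deg,
                callsign=old.callsign if rep.callsign is None else rep.callsign,
                classification=(old.classification if rep.classification is None
                                else rep.classification),
            )
        self.tracks[rep.track_id] = DisplayedTrack(report=rep, last_rx=rep.t)

    def refresh(self, now: float) -> Dict[int, DisplayedTrack]:
        """Age the table: flag stale tracks as coasting, drop those past the afterglow."""
        for tid in list(self.tracks):
            age = now - self.tracks[tid].last_rx
            if age > self.afterglow_s:
                del self.tracks[tid]   # beyond this point the primary raw video is better
            else:
                self.tracks[tid].coasting = age > self.update_period_s
        return self.tracks

    def symbol(self, track_id: int) -> Optional[dict]:
        """What the CWP draws for one track, or None once it is no longer displayed."""
        shown = self.tracks.get(track_id)
        if shown is None:
            return None
        r = shown.report
        return {"pos": (r.x_m, r.y_m), "speed_kt": r.speed_kt,
                "heading_deg": r.heading_deg, "callsign": r.callsign,
                "classification": r.classification, "coasting": shown.coasting}


def demo() -> Dict[str, Optional[dict]]:
    """Constructed scenario: a track loses its identification, then stops reporting."""
    disp = TrackDisplay()
    disp.receive(TrackReport(7, 100.0, 200.0, 0.0, 12.0, 90.0, "ABC123", "aircraft"))
    # Next report arrives with identification and classification missing.
    disp.receive(TrackReport(7, 110.0, 200.0, 1.0, 12.0, 90.0, None, None))
    out = {"after_partial_report": disp.symbol(7)}
    disp.refresh(5.0)                       # reports stopped at t=1 s: coasting
    out["coasting"] = disp.symbol(7)
    disp.refresh(1.0 + AFTERGLOW_S + 0.5)   # past the afterglow: symbol dropped
    out["after_afterglow"] = disp.symbol(7)
    return out
```

Running `demo()` shows the symbol keeping its callsign through the incomplete report, being flagged as coasting at its last position, and disappearing once the afterglow has elapsed.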

N° | External flow ref. | Fault modes | Fault mode detection | Equipment failure effects (at equipment level but visible by end-users) | Internal equipment mitigation features | Internal equipment escalation features | Operational effects ref. | Operational effects of equipment fault mode | Recommendations & comments with respect to ICAO A-SMGCS manual

149 C2Ex_01 Loss of… No
• Planning data is not provided anymore to external systems (e.g. external FDPS, AODB, FIDS, etc.) or external end-users. If the adjacent APP does not receive the expected data, the controller is likely to detect the failure very quickly. The crisis management, if any, will be on the APP side, not in the tower.
• None
The failure is likely to be simultaneous with the loss of: • C2C3_01 • C2G1_01 • C2O0_01 • C2S3_01 • C2Ex_02 • ExC2_01
• Not applicable.


150 C2Ex_01 Loss of… Yes
As above + • Display on the CWP of a “Loss of external flight plan output” alert.
• Hot switchover
• As above
• Until service is restored: • OE-19

151 C2Ex_01 Corruption of… No
Possible corruptions are: • Planning data provided to external systems / users are incomplete and / or incorrect. • The external systems suffer from overload.
If the adjacent APP receives corrupted data, the controller is less likely to detect the failure than in case of loss. However, the crisis management, if any, will be on the APP side, not in the tower.
• None
The failure is likely to be simultaneous with the corruption of: • C2C3_01 • C2G1_01 • C2O0_01 • C2S3_01 • C2Ex_02 • ExC2_01
• None

152 C2Ex_01 Corruption of… Yes
As above + • Display on the CWP of a “Corruption of external flight plan output” alert.
• Hot switchover
• As above
• Until service is restored: • OE-19

153 C2Ex_02 Loss of… No
• All automated co-ordination from the TWR to the adjacent APP is stopped.
• Surveillance data (ExS3_01 and S3Ex_01) continue to support co-ordination.
The failure is likely to be simultaneous with the loss of: • C2C3_01 • C2G1_01 • C2O0_01 • C2S3_01 • C2Ex_01 • ExC2_02
• OE-06
Until service is restored or failure is detected: • The controller’s awareness of the traffic situation in adjacent sectors is severely compromised.
The operational effect concerns mainly the APP controller. However, if the APP is unable to accept a flight during a hand-over process, the TWR controller must handle the crisis. The TWR and APP controllers are likely to detect the failure at the first co-ordination mishap.

154 C2Ex_02 Loss of… Yes
As above + • Display on the CWP of a “Loss of APP co-ordination” alert.
As above + • Hot switchover
• As above.
• OE-19
Until service is restored: • Controller workload increase: need to revert to RTF co-ordination with the adjacent APP.


155 C2Ex_02 Corruption of… No
Possible corruptions are:
• At least one automated co-ordination message sent from the TWR to the adjacent APP was never received.
• At least one automated co-ordination message from the TWR to the adjacent APP has missing or erroneous data.
• At least one automated co-ordination message from the TWR to the adjacent APP is sent at an inappropriate time (e.g. too early).
• Surveillance data (ExS3_01 and S3Ex_01) continue to support co-ordination.
The failure is likely to be simultaneous with the corruption of: • C2C3_01 • C2G1_01 • C2O0_01 • C2S3_01 • C2Ex_01 • ExC2_02
• Until service is restored or failure is detected: • OE-06
Unlike the “loss of C2Ex_02” fault mode, the erratic behaviour of the system in this fault mode makes it unlikely that the TWR and APP controllers detect the failure very quickly.

156 C2Ex_02 Corruption of… Yes
As above + • Display on the CWP of a “Corruption of APP co-ordination” alert.
As above + • Hot switchover
• As above
• Until service is restored: • OE-19

157 G1Ex_01 Loss of… No
• The commands for the ground guidance aids are not provided anymore.
• Vehicle (cf. G1G3_01) and aircraft (cf. G1Ex_02) on-board guidance is unaffected.
• Both automatic (cf. C2G1_01) and manual (cf. O0G1_01) commands are concerned.
• OE-30
Until service is restored or failure is detected: • Pilots and/or drivers do not receive any automated guidance from ground guidance aids.
To avoid guidance aids remaining in an unsafe configuration, all stop bars should automatically switch to the “closed” state after a predefined duration.


158 G1Ex_01 Loss of… Yes
As above + • Display on the CWP of a “Loss of external guidance control” alert.
As above + • Ground guidance aids possess their own control & monitoring tools. • Hot switchover
• None
• OE-21 • OE-24
Until traffic is reduced or service is restored: • OE-30 • Controller workload increase & frequency congestion: the controller reverts to RTF guidance (optionally supported by on-board guidance).
Or • Controller workload increase: the controller uses the guidance aids’ own control & monitoring tools to manually control them.

159 G1Ex_01 Corruption of… No
Possible corruptions are:
• At least one (but not all) ground guidance command does not actuate the intended guidance aid.
• At least one ground guidance command actuates a guidance aid different from the intended one.
• At least one ground guidance command actuates a guidance aid differently from the expected actuation.
• Vehicle (cf. G1G3_01) and aircraft (cf. G1Ex_02) on-board guidance is unaffected.
• None
• OE-32 • OE-34
Until service is restored or failure is detected: • Pilots and/or drivers are provided with missing or erroneous indications via the ground guidance aids (e.g. opened stop bar). • Pilots and/or drivers are provided with inconsistent guidance indications (between ground, on-board and RTF).
A guidance command modifies the state of at least one guidance aid. Supposing a single point of failure, the guidance aids monitoring (cf. G2G1_01) is supposed to be operational. It therefore ensures that the expected actuation really occurs, and so failure detection should be immediate.


160 G1Ex_01 Corruption of… Yes
As above + • Display on the CWP of a “Corruption of external guidance control” alert.
As above + • A-SMGCS control of ground guidance aids can be disconnected. • Ground guidance aids possess their own control & monitoring tools, allowing for manual control, which overrides all A-SMGCS commands. • Hot switchover
• None
• Until traffic is reduced, visibility conditions become better or service is restored: • OE-21 (optionally supported by on-board guidance.)

161 G1Ex_02 Loss of… No
• The taxi routes are not translated onto the pilot CDTI.
• None of the clearances (e.g. push, start-up, take-off, etc.) are up-linked.
• Ground guidance aids are unaffected (and they confirm RTF instructions).
• Read-back.
The failure is likely to be simultaneous with the loss of: • G1G3_01
Obviously, the loss may occur when an aircraft has already been cleared for a taxi route. In this case, the loss of the route update is comparable to a corruption, and detection is far from obvious.
• Until service is restored or failure is detected: • OE-31 • OE-33
How is the read-back to be implemented?

162 G1Ex_02 Loss of… Yes
As above + • Display on the CWP and on the pilot CDTI of a “Loss of AGDL guidance” alert.
As above + • Hot switchover.
• As above
• Until service is restored: • OE-21


163 G1Ex_02 Corruption of… No
Possible corruptions are:
• At least one taxi route is not translated onto the pilot CDTI.
• At least one (but not all) clearance is not up-linked to the aircraft.
• At least one false clearance is up-linked to an aircraft (i.e. an incorrect instruction to the intended aircraft, or a correct instruction sent to an unintended aircraft).
• Ground guidance aids are unaffected.
• Read-back. This fault mode is likely to be detected immediately by the aircraft pilots (cf. operational effects), so this case is not a reasonable hypothesis.
The failure is likely to be simultaneous with the corruption of: • G1G3_01
• Until service is restored or failure is detected: • OE-33 • OE-34
How is the read-back to be implemented?

164 G1Ex_02 Corruption of… Yes
As above + • Display on the CWP and on the pilot CDTI of a “Corruption of AGDL guidance” alert.
As above + • Hot switchover.
• As above
• Until service is restored: • OE-21 • OE-34

165 G4Ex_01 Loss of… No
• The traffic situation, as seen and fused by the ground systems, is not sent anymore to the pilot CDTI.
• Aircraft equipped with ADS-B in capability continue to benefit from some direct mobile-to-mobile co-operative surveillance data.
The failure is likely to be simultaneous with the loss of: • G4G3_01
• Until service is restored or failure is detected: • OE-35 (but the pilots do not know it)

166 G4Ex_01 Loss of… Yes
As above + • Display on the CWP of a “Loss of TIS-B” alert.
As above + • Hot switchover.
• As above
• Until service is restored: • OE-35 (but the pilots know it)

167 G4Ex_01 Corruption of… No
Possible corruptions are:
• At least one (but not all) ground system track is not reported to the CDTI.
• At least one part of the aerodrome (but not all) is not covered by the traffic information service broadcast (TIS-B).
• At least one false ground system track is reported to the CDTI.
• Aircraft equipped with ADS-B in capability continue to benefit from some direct mobile-to-mobile co-operative surveillance data, and this may show some inconsistencies with the TIS-B data.
The failure is likely to be simultaneous with the corruption of: • G4G3_01
False tracks may generate false alarms on-board the aircraft.
• Until service is restored or failure is detected: • OE-35 (but the pilots do not know it)


168 G4Ex_01 Corruption of… Yes
As above + • Display on the CWP of a “Corruption of TIS-B” alert.
As above + • Hot switchover.
• As above
• Until service is restored: • OE-35 (but the pilots know it)

169 O0Ex_01 Loss of… No / Yes
• Failure of all output devices: screen(s), loudspeakers, diodes, etc.
• The controller may use a redundant HMI, or may share an HMI with another active controller.
• The strip printer can rapidly provide a paper copy of all electronic strips.
• As a side effect, all input devices become unserviceable (cf. ExO0_01).
• The level of service provided by the equipment to pilots and drivers is initially unchanged; however, the lack of controller inputs will progressively and rapidly degrade the level of service to all users.
• The supervisor may need to perform a re-sectorisation.
• OE-23
Until service is restored: • The controller returns to SMGCS (or worst?) working procedures and conditions.

170 O0Ex_01 Corruption of… No / Yes
Possible corruptions are:
• At least one output device fails partially (e.g. screen output is blurred) or totally.
• At least one output device provides erroneous data (e.g. loudspeakers beep continuously).
Same as loss of O0Ex_01 + • CWP is fail-soft (i.e. all strips & tracks remain on the screen in case of failure).
• Supervisor may need to perform a re-sectorisation.
• A wide range of effects, from slight controller discomfort to OE-23.

171 S2Ex_01 Loss of… No
• Loss of all automatic dependent surveillance between ADS-B out mobiles in ADS-B in equipped aircraft.
• Not applicable.
• Not applicable.
• Not applicable.
This is a distributed function between all ADS-B in and out equipped mobiles. The complete and simultaneous loss of all those flows is not within the scope of this FHA.

172 S2Ex_01 Loss of… Yes
As above + • Display on the CWP & on the CDTI of a “Loss of ADS-B” alert.
• As above.
• As above.
• As above.
As above.


173 S2Ex_01 Corruption of… No
Possible corruptions are:
• At least one aircraft (but not all) does not emit its self-determined ADS-B data anymore.
• At least one aircraft (but not all) does not receive ADS-B in data anymore.
• At least one aircraft emits erroneous ADS-B data.
• Even with in & out corruption, self-positioning data may be used on-board the aircraft for self-situation awareness.
The failure is likely to be simultaneous with the corruption of: • G4Ex_01
• Until service is restored or failure is detected: • OE-35

174 S2Ex_01 Corruption of… Yes
As above + • Display on the CWP & on the CDTI of a “Corruption of ADS-B” alert.
As above + • Hot switchover.
• As above.
• Until service is restored or failure is detected: • OE-35

Table 5-12: Internal fault modes and effects analysis table (part 2)
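The two guidance-aid recommendations in rows 157 to 159 (stop bars self-closing after a predefined duration when the commands to the ground guidance aids are lost, and the monitoring feedback G2G1_01 used to check that each command produced the expected actuation) are worked through below. This is an added example, not code from the EMMA project or its partners; the timeout value, the aid names and the miswiring fault injection are assumptions.

```python
"""Fail-safe control and monitoring of ground guidance aids (stop bars).

Added example, not code from the EMMA report or its partners. It models two
points from Table 5-12: rows 157/158 (when the commands to the ground guidance
aids are lost, all stop bars revert to "closed" after a predefined duration)
and row 159 (the guidance-aid monitoring, G2G1_01, confirms that each command
produced the expected actuation, so a command that did not actuate, actuated
the wrong aid or actuated it differently is detected at once). The timeout
value, the aid names and the miswiring fault injection are assumptions.
"""
from typing import Dict, List, Optional, Tuple

FAILSAFE_TIMEOUT_S = 30.0   # predefined duration before stop bars self-close (assumed)
CLOSED, OPEN = "closed", "open"


class StopBarField:
    """Field side: lamp states of the stop bars plus the self-closing timer.

    `miswired` maps a commanded aid to the aid that is physically actuated; it is
    a constructed fault injection used to show a corrupted command.
    """

    def __init__(self, aid_ids: List[str], timeout_s: float = FAILSAFE_TIMEOUT_S,
                 miswired: Optional[Dict[str, str]] = None) -> None:
        self.state: Dict[str, str] = {a: CLOSED for a in aid_ids}   # power-up: all closed
        self.timeout_s = timeout_s
        self.miswired = miswired or {}
        self.last_cmd_t: Optional[float] = None
        self.failsafe_tripped = False

    def actuate(self, aid_id: str, state: str, now: float) -> None:
        """Apply a command received from the A-SMGCS (flow G1Ex_01)."""
        self.last_cmd_t = now
        self.failsafe_tripped = False
        self.state[self.miswired.get(aid_id, aid_id)] = state

    def tick(self, now: float) -> bool:
        """Periodic check; returns True when the fail-safe closes all stop bars."""
        if self.last_cmd_t is None or self.failsafe_tripped:
            return False
        if now - self.last_cmd_t > self.timeout_s:
            for aid in self.state:
                self.state[aid] = CLOSED
            self.failsafe_tripped = True
            return True
        return False

    def monitor(self) -> Dict[str, str]:
        """Monitoring feedback (flow G2G1_01): the states actually present in the field."""
        return dict(self.state)


class GuidanceControl:
    """A-SMGCS side: keeps the commanded states and compares them with monitoring."""

    def __init__(self, field: StopBarField) -> None:
        self.field = field
        self.commanded: Dict[str, str] = field.monitor()
        self.alerts: List[str] = []

    def command(self, aid_id: str, state: str, now: float) -> Dict[str, Tuple[str, str]]:
        self.commanded[aid_id] = state
        self.field.actuate(aid_id, state, now)
        return self.verify(now)

    def verify(self, now: float) -> Dict[str, Tuple[str, str]]:
        """Return {aid: (commanded, monitored)} for every aid whose feedback disagrees."""
        actual = self.field.monitor()
        mismatches = {a: (c, actual[a]) for a, c in self.commanded.items() if actual[a] != c}
        for aid, (exp, got) in mismatches.items():   # each mismatch is a CWP alert
            self.alerts.append(f"t={now:.0f}s {aid}: commanded {exp}, monitored {got}")
        return mismatches


def corrupted_command_case() -> Dict[str, Tuple[str, str]]:
    """Constructed fault: the command for SB1 physically actuates SB2."""
    field = StopBarField(["SB1", "SB2"], miswired={"SB1": "SB2"})
    return GuidanceControl(field).command("SB1", OPEN, now=0.0)


def lost_command_case() -> Tuple[bool, bool, Dict[str, str], Dict[str, Tuple[str, str]]]:
    """SB1 is opened, then the command flow stops; the field self-closes after the timeout."""
    field = StopBarField(["SB1", "SB2"])
    ctl = GuidanceControl(field)
    ctl.command("SB1", OPEN, now=0.0)
    early = field.tick(20.0)                      # within the timeout: nothing happens
    tripped = field.tick(FAILSAFE_TIMEOUT_S + 1.0)
    return early, tripped, field.monitor(), ctl.verify(FAILSAFE_TIMEOUT_S + 1.0)
```

In the corrupted case the monitoring exposes both the aid that did not actuate and the aid that changed without being commanded; in the lost-command case the controller's own verification flags the stop bar it still believes open, which is the CWP-side detection of the fail-safe having tripped.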


Appendix E - Identification of hazards

Ref. number: D1.3.9


Objectives

When identifying hazards, different levels of hazards can be considered, as a hazard is a potentially unsafe condition at the boundary of the scope of the system under assessment. Ideally, hazards should be at the level of the air navigation system or service (cf. SAM v2.0, FHA, guidance material B1, §4). However, since the scope of an A-SMGCS is reduced to a sub-level of this air navigation system, the hazards herein are identified at the boundary of the A-SMGCS, but they encompass all elements of that sub-system, i.e. people (controllers, pilots, and drivers), procedures and equipment.

Discussion

The different system safety assessment steps performed up to now (cf. appendixes A to D) have been performed independently of the A-SMGCS implementation levels (cf. §1.6.1), because the focus was only on equipment. From now on (i.e. appendix E), the A-SMGCS is considered as a whole, and therefore the level of automation is relevant. How the system is used, in what environment it is used, and all the contingency procedures defined to mitigate system failures will have a dramatic impact on what can be considered the worst credible hazard.

Considerations for hazard identification in relationship to aircraft equipment, with respect to surveillance

Surveillance is the function in A-SMGCS that provides position and identification of all mobiles (aircraft, vehicles & obstacles). Surveillance data is needed both for controllers and for feeding the guidance & control functions. In many airports, the surveillance function is currently implemented by direct visual acquisition, help of surface movement radar (SMR) and extensive use of pilot reports via radiotelephony (R/T). Automation of the ground surveillance function can be achieved using multilateration (MLAT) based on automatic dependant surveillance broadcast (ADS-B) mode S. Data fusion from multiple, non co-operative and co-operative sensors lead to a serious improvement in safety as the identification and position of all mobiles are known with appropriate completeness and accuracy. In addition, hazards potentially introduced by on-board co-operative equipment remain properly mitigated by primary means. On-board situation awareness is based on the airport map display, with possible use of the data link to receive traffic information, via the traffic information service - broadcast (TIS-B). Accuracy, reliability and integrity of ADS-B, TIS-B & position information from the global positioning system (GPS) and inertial reference system (IRS) have been assessed in the EMMA report on aircraft position issues (cf. D2.1.1 - ref. [12]). The main outcomes are as follows: performance required for A-SMGCS surveillance can be achieved using GPS / global navigation satellite system (GNSS) – ground based augmentation system (GBAS), and to a lower extent by GPS / GNSS – satellite based augmentation scheme (SBAS) if accuracy and integrity performance could be less than required, based on the functional hazard assessment (FHA) results. This will be even more safely achieved in the future by using the Galileo services. Indeed, the GPS itself, notwithstanding certification issues, is not sufficient to meet the performance and safety requirements. 
Surveillance means (ADS-B and/or MLAT combined with SMR data) contribute to mitigating hazards that may arise from possible erratic target tracking in the ground surveillance system. Although not mandated by the International Civil Aviation Organisation (ICAO), more advanced automation could be implemented on board via pseudo-fusion of data received from the ground (e.g. via TIS-B) and on-board generated data (e.g. via ADS-B in). This would allow both better coverage of the various airport zones and/or catering for the limitations of each single system. In addition, the on-board system could be able to detect misleading surveillance data, using various means such as integrity reports from ADS-B and comparisons between ADS-B and TIS-B, at least for ADS-B equipped aircraft. But this remains outside the current scope of the study.

Considerations for hazard identification in relationship to aircraft equipment, with respect to routing

Routing is an A-SMGCS function that is used to enhance the efficiency of ground traffic by providing the designation of routes for aircraft, and allows a change of destination for any reason (controller or pilot choice). It is currently implemented via information provided by the controllers via radiotelephony prior to taxi. Automation of route planning includes mainly automated prediction of events and resource allocation. Automation on board the aircraft is limited to the reception of the ground taxi route from the air traffic control (ATC) authority. Route definition and description remain an ATC responsibility. Responsibility for the A-SMGCS routing function is never allocated to pilots at any level of ICAO A-SMGCS implementation. However, advanced on-board automation may consist in the preparation of ground routes and waypoints to be displayed over the moving map. These functions are similar to those provided by a flight management system (FMS) on board the aircraft. An on-board “ground path plan” function could then be sought. Note that the routes as displayed should be checked for consistency with the airport configuration and with the routes as determined by the ATC controller, to avoid any induced hazard. Navigation planning performance may require additional requirements beyond basic positioning information. Such performance requirements have not been reviewed as part of the EMMA work.

Save Date: 2006-10-11 Public 168 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Considerations for hazard identification in relationship to aircraft equipment, with respect to guidance

Guidance is the A-SMGCS function that provides indications to pilots on the route to follow. This includes the activation of ground visual aids by controllers and the use of airport signs to follow the ground path. At most airports, it is currently implemented via ground visual aids (lighting, marking and signage) and clearances given to aircraft pilots via radiotelephony. For an A-SMGCS level V implementation under visibility condition 4, an on-board guidance function clearly plays a role in meeting the most demanding requirements. Guidance currently uses visual cues only. Steering cues and braking cues, possibly complemented by a head up display (HUD), to help follow an assigned route, have been proposed. More automation may be achieved via a cockpit display. An on-board moving map may include a representation of airport artefacts taken from an on-board database and possibly a pertinent replication of ground visual aids and clearances. The aircraft’s own position and orientation, derived from aircraft sensors and ADS-B or TIS-B, may also be visible. Automated ground path computations (routing) can be transmitted via data link to the flight crew after the controller’s acceptance. With reference to EMMA D2.1.1 [12], guidance requires more stringent performance than surveillance. Those requirements remain within the scope of the future Galileo performance (GBAS) but are not fully achievable by current GPS-based equipment (mainly for accuracy and continuity reasons). Nevertheless, areas of improvement of GPS-based equipment may help meet the requirements, in particular:

- hybrid GPS-IRS equipment, to improve the continuity of the position (and velocity) measurements and to provide the additional heading and kinematics data needed for high rate guidance;
- differential GPS (D-GPS) carrier phase measurements, to improve the standard GPS position accuracy by one order of magnitude.

The most critical situation that must be considered for the on-board automated guidance function is under visibility condition 4 for an A-SMGCS implementation level V. In this case, pilots can only rely upon automated on-board guidance. Hence any loss or corruption of guidance data may induce major effects, as additional significant workload is required from the flight crew. More advanced airborne equipment may include the use of head up displays (HUD), possibly fitted with enhanced (synthetic) vision systems (EVS) and guidance symbology, to help support airport surface movements.

Considerations for hazard identification in relationship to aircraft equipment, with respect to control

Control is a critical function to enhance safety by detecting potential conflicts and providing alerts and resolutions. It operates by determining appropriate spacing and sequencing of aircraft and by alerting aircraft to any incursion onto runways, taxiways or other areas. It is implemented using data provided by the surveillance function and algorithms to detect intrusions. Radiotelephony is also used to communicate potential conflicts to aircraft. The control activity is under the responsibility of ATC (taxi route to follow up to the next clearance). However, spacing between aircraft is under the responsibility of the pilot (taxi execution along the cleared taxi route). Automation is achieved based on the definition of safety volumes around aircraft in particular, and on the implementation of surface conflict alert systems. The most difficult compromise is that only hazardous situations should raise conflict alerts, and there must not be too many false alerts. Control is highly dependent on surveillance, hence the integrity and reliability of the surveillance function is a prerequisite. If too many false alerts are generated, the controller will no longer trust the automation. It is very difficult to identify all conflict cases and cater for all procedures to avoid false alarms. In A-SMGCS, responsibility for the control function is not allocated to pilots under visibility conditions 3 and 4. However, automation could be achieved by transmission of surface conflict alerts via data link and by displaying such artefacts over the on-board airport moving map. In addition, on-board algorithms may provide advanced alerts based on the representation of different protection areas or safety nets. Performance requirements for an on-board A-SMGCS control function may include additional computation for traffic analysis and advisory, conflict prediction and detection, and conflict analysis and resolution.

Intermediate conclusion for hazard identification in relationship to aircraft equipment

The automated functions on board the aircraft will contribute to providing better situational awareness of the airport configuration and traffic, and possibly advance warning of potential hazards. The purpose is not full on-board automation of any of the surveillance, routing, guidance or control functions of the A-SMGCS, but an improved ability to communicate useful information to airport users while increasing understanding of the airport and traffic conditions. On-board guidance is the equipment recommended by ICAO to automate, to a certain extent, the A-SMGCS guidance function under visibility condition 4. The severity of hazards associated with that equipment is assessed as "major" (severity 3), due to the significant workload in case of failure.

Structure of the analysis table

The hazard identification analysis is presented in a table composed of the following columns:

- columns 1 and 2, “operational effects references” and “operational effects description”: these columns indicate the references and descriptions of operational effects, as identified in appendices C and D; the operational effects are sorted according to the classification presented on page 104;
- column 3, “A-SMGCS scenario implementation level”: this column sub-divides the previous ones for each step in the automation of the advanced surface movement, guidance and control system; it can be expected that, unless contingency procedures are correctly set up, the higher the automation, the more severe will be the effects of an equipment failure;
- column 4, “operational mitigation”: this column describes the various safety barriers that already exist at A-SMGCS procedure (or people) level, and that provide either prevention, or surveillance/warning of the fault mode, or mitigation of its consequences;
- columns 5 and 6, “hazards references” and “hazards description”: these columns indicate the references and descriptions of hazards at the boundary of the A-SMGCS;
- column 7, “comments / recommendations”: self-explanatory.
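The control-function reasoning above (safety volumes around mobiles, alerts raised only for hazardous situations, surveillance integrity as a prerequisite), together with the OE-01 / OE-02 distinction used in the table that follows, as an added Python example that is not code from the EMMA project: the sensor names, thresholds, runway geometry, clearance set and sample tracks are constructed assumptions.

```python
"""Surface conflict alert (SCA) check with surveillance-integrity gating.

Added example, not code from the EMMA project or report. It models the
control-function reasoning in the text: safety volumes around mobiles,
alerts only for genuinely hazardous situations, and surveillance
integrity/reliability as a prerequisite for trusting the alerts. Sensor
names, thresholds, runway geometry and sample tracks are all assumptions.
"""
from dataclasses import dataclass
from math import hypot

# Constructed sensor inventory: name -> (kind, serviceable). "coop" stands for
# co-operative sensors (ADS-B, MLAT), "noncoop" for non co-operative ones (SMR).
SENSORS_NOMINAL = {
    "MLAT": ("coop", True),
    "ADS-B": ("coop", True),
    "SMR": ("noncoop", True),
}


def surveillance_state(sensors):
    """Classify the surveillance picture from the serviceable sensors.

    Mirrors the distinction the analysis table draws between OE-02 (a source
    is lost but at least one co-operative and one non co-operative source
    remain: slightly compromised) and OE-01 (no source of one kind is left:
    severely compromised).
    """
    kinds_up = {kind for kind, ok in sensors.values() if ok}
    any_lost = any(not ok for _, ok in sensors.values())
    if "coop" in kinds_up and "noncoop" in kinds_up:
        return "degraded" if any_lost else "nominal"
    return "compromised"


@dataclass(frozen=True)
class Track:
    ident: str       # label displayed to the controller (callsign / vehicle ID)
    x: float         # position in metres, local airport frame (constructed)
    y: float
    vx: float        # ground velocity in m/s
    vy: float
    confirmed: bool  # identification confirmed before first use (cf. HZ-05)

    def at(self, t):
        """Straight-line prediction of the position t seconds ahead."""
        return self.x + self.vx * t, self.y + self.vy * t


@dataclass(frozen=True)
class RunwayArea:
    """Axis-aligned runway protection area (constructed geometry)."""
    x_min: float
    x_max: float
    y_min: float
    y_max: float

    def contains(self, x, y):
        return self.x_min <= x <= self.x_max and self.y_min <= y <= self.y_max


def min_predicted_distance(a, b, steps):
    """Smallest distance between two tracks over the prediction instants."""
    dists = []
    for t in steps:
        (ax, ay), (bx, by) = a.at(t), b.at(t)
        dists.append(hypot(ax - bx, ay - by))
    return min(dists)


def conflict_alerts(tracks, runway, cleared, sensors, sep_m=50.0, lookahead_s=20.0):
    """Return the alerts the control function would raise, in a fixed order.

    - If surveillance is compromised, the safety net declares itself
      unavailable rather than alerting on data it cannot trust.
    - Unconfirmed labels are flagged so the controller does not separate
      traffic on an unverified identification.
    - Two mobiles are in conflict only if their safety volumes (sep_m apart)
      are predicted to overlap within lookahead_s.
    - A mobile inside the runway area without a runway clearance from the
      controller is a runway incursion.
    """
    if surveillance_state(sensors) == "compromised":
        return ["SCA UNAVAILABLE: surveillance compromised"]
    alerts = [f"UNCONFIRMED ID {t.ident}: confirm before use"
              for t in tracks if not t.confirmed]
    steps = (0.0, lookahead_s / 2, lookahead_s)
    for i, a in enumerate(tracks):
        for b in tracks[i + 1:]:
            if min_predicted_distance(a, b, steps) < sep_m:
                alerts.append(f"CONFLICT {a.ident}/{b.ident}: "
                              f"separation < {sep_m:.0f} m")
    for t in tracks:
        if runway.contains(t.x, t.y) and t.ident not in cleared:
            alerts.append(f"RUNWAY INCURSION {t.ident}: no clearance")
    return alerts


# Constructed scenario: runway 500 m x 60 m along the x axis, taxiway at y = 200.
RUNWAY = RunwayArea(0.0, 500.0, -30.0, 30.0)
TRACKS = [
    Track("ABC123", 100.0, 200.0, 8.0, 0.0, True),   # taxiing east at 8 m/s
    Track("XYZ789", 240.0, 200.0, 0.0, 0.0, True),   # holding 140 m ahead
    Track("CAR-7", 300.0, 10.0, 0.0, 0.0, True),     # vehicle on the runway
    Track("DEF456", 50.0, 400.0, 0.0, 0.0, False),   # label not yet confirmed
]
CLEARED = {"ABC123"}  # mobiles holding a runway clearance from the controller

if __name__ == "__main__":
    for alert in conflict_alerts(TRACKS, RUNWAY, CLEARED, SENSORS_NOMINAL):
        print(alert)
```

Losing one co-operative sensor keeps the alerts flowing (the OE-02 case), while losing the only non co-operative sensor switches the safety net off rather than letting the controller rely on it.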


ICAO A-SMGCS implementation levels

Below, the main A-SMGCS implementation levels, as defined by ICAO, are recalled. A possible mapping with the EUROCONTROL levels is also suggested. For each level, the differences with the previous level are highlighted. Opposite are also recalled the 36 types of aerodromes and the visibility conditions, traffic density and aerodrome layout conditions in which ICAO recommends using each A-SMGCS implementation level. Thus it can be seen that an A-SMGCS implementation level V is required only in visibility condition 4, but that an A-SMGCS implementation level IV may be required even in visibility condition 1 if the layout is complex and the traffic heavy. Note: this page should be printed in colour; some readability issues may occur with black and white printouts.

NOTES:
1): Does not apply in visibility condition 3
1* Painted centre line and taxiway guidance signs
2* Fixed centre line lights
3* Manual switched centre line lights
4* Automatic switched centre line lights

ERC row of Figure 25 (EUROCONTROL level mapping): 0, 1/2, 2/3, 3/4, 4

Figure 25: ICAO A-SMGCS implementation levels

Analysis table. Columns: operational effects ref.; operational effects description of equipment fault mode; A-SMGCS scenario implementation level; operational mitigation (other than equipment), i.e. people and procedures; hazards ref.; hazards description (at system level); comments and recommendations (related to the system under assessment).

OE-01: The controller’s traffic situational awareness is severely compromised (due to undetected loss or undetected corruption of surveillance data as normally provided by the equipment).

Level II. At this implementation level, the surveillance function is shared between controller and system. This is only possible in visibility conditions 1 and 2. In other cases, the airport is to be closed or the system not used. Reminder: at this level, guidance is static.
Operational mitigation: According to the EMMA operational requirement document [7], the standard A-SMGCS surveillance identification procedure currently proposed by EUROCONTROL is direct recognition of the aircraft/vehicle ID through the surveillance label. When that is no longer possible, i.e. in case of surveillance loss, the procedures already established by ICAO in Doc 4444 should be applied. The EMMA operational requirement document also adds that, “as a contingency measure, the procedural control using the flight strips should always be kept updated”. The planning function therefore acts as a backup system. Loss of surveillance data (as normally provided by the equipment) is evident for the controller. In visibility conditions 1 or 2, the controller should also be able to detect the corruption of surveillance data that has gone undetected by the equipment. Automation assists the operator in maintaining situational awareness and hence the operator’s ability to manage higher traffic capacity, density and complexity. If automation fails, it is reasonable to anticipate that manual take-over will be less efficient, with a safety impact on on-going operations.
HZ-01: In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.
Comments and recommendations: Automation requires the introduction of new procedures for recovery from fault modes, as well as training and practice. Remark: HZ-01 and HZ-05 are mutually exclusive.
HZ-05: In visibility condition 2, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to misuse this corrupted surveillance data to ensure (limited) tactical separation (essentially on or near runways).
Comments and recommendations: An aircraft / vehicle identification may be confirmed by correlating a particular target report with an aircraft / vehicle position reported by the pilot / driver. Even though the identification procedure proposed by EUROCONTROL is direct recognition of the aircraft / vehicle ID through the surveillance label, to prevent misuse of automation, we recommend that the identification is confirmed before first use. Remark: HZ-01 and HZ-05 are mutually exclusive.

Level III. At this implementation level, the surveillance function is completely automated; guidance is dynamic but manually controlled.
Operational mitigation: According to the EMMA operational requirement document (D135), the standard A-SMGCS surveillance identification procedure currently proposed by EUROCONTROL is direct recognition of the aircraft/vehicle ID through the surveillance label. When that is no longer possible, the procedures already established by ICAO in Doc 4444 should be applied. The EMMA operational requirement document also adds that, “as a contingency measure, the procedural control using the flight strips should always be kept updated”. The planning function therefore acts as a backup system. Loss of surveillance data (as normally provided by the equipment) is evident for the controller in any visibility condition. In visibility conditions 1 or 2, the controller should also be able to detect the corruption of surveillance data that has gone undetected by the equipment. In visibility condition 3, immediate detection of corruption by the controller is not a realistic hypothesis.
HZ-02: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.
Comments and recommendations: Automation will require the introduction of new procedures for recovery from this fault mode, as well as training and practice. Abuse of automation (i.e. managing more traffic than the controller will be able to cope with during a failure recovery) should be prevented:
- either through adequate training of the supervisor,
- or through automated equipment alerting when the traffic conditions imply that recovery in case of equipment failure might be difficult.
Remark: HZ-01, HZ-05, HZ-02, HZ-08 are mutually exclusive.
HZ-06: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.
Comments and recommendations: An aircraft / vehicle identification may be confirmed by correlating a particular target report with an aircraft / vehicle position reported by the pilot / driver. Even though the identification procedure proposed by EUROCONTROL is direct recognition of the aircraft / vehicle ID through the surveillance label, to prevent misuse of automation, we recommend that the identification is confirmed before first use. Remark: HZ-02, HZ-08 are mutually exclusive.

Level IV. At this implementation level, ground guidance is automated.
Operational mitigation: Same as above.
HZ-03: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.
Comments and recommendations: Automated guidance should not depend only upon surveillance data. Guidance should depend on clearance inputs by the controller.
HZ-07: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.

Level V. At this implementation level, pilots and drivers are provided with automated on-board guidance. At this level, all aircraft and vehicles are capable of assessing their own position independently from the ground system, so a surveillance inconsistency is assumed to be immediately detected by at least one pilot or driver.
Operational mitigation: Same as above + OE-35.
HZ-04: In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc 4444 identification procedures (pilot identification and position reports based on data coming from on-board equipment). The controller may need to simultaneously reduce the traffic density and/or complexity.
HZ-08: In visibility condition 4, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.
HZ-09: In visibility conditions 1 to 4, pilots and drivers are provided (potentially via TIS-B) with missing and/or erroneous surveillance data (including mobile identification), but this lack or inconsistency has been detected.
Comments and recommendations: At this implementation level, pilots and drivers are denied the responsibility of conflict prediction or detection, analysis and resolution. On-board guidance is provided for navigation purposes only.

OE-02: The controller’s traffic situational awareness is slightly compromised (due to undetected loss or undetected corruption of some surveillance data, as normally provided by the equipment, e.g. loss of only one source of surveillance, such as raw video, co-operative sensors, non co-operative sensors, etc.). At least one source of co-operative surveillance and one source of non co-operative surveillance remain. Complete loss of one source is covered by OE-01. There is no significant impact on conflict detection.

Level II.
Operational mitigation: According to the EMMA operational requirement document [7], the standard A-SMGCS surveillance identification procedure currently proposed by EUROCONTROL is direct recognition of the aircraft/vehicle ID through the surveillance label. When that is no longer possible, i.e. in case of surveillance loss, the procedures already established by ICAO in Doc 4444 should be applied. The EMMA operational requirement document also adds that, “as a contingency measure, the procedural control using the flight strips should always be kept updated”. The planning function therefore acts as a backup system. Loss of surveillance data (as normally provided by the equipment) is evident for the controller. In visibility conditions 1 or 2, the controller should also be able to detect the corruption of surveillance data that has gone undetected by the equipment. Automation assists the operator in maintaining situational awareness and hence the operator’s ability to manage higher traffic capacity, density and complexity. If automation fails, it is reasonable to anticipate that manual take-over will be less efficient, with a safety impact on on-going operations.
HZ-10: In visibility condition 2, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure (limited) tactical separation (essentially on or near runways).
Comments and recommendations: Procedures based on good A-SMGCS surveillance performance are not yet defined. However, it is expected that separation margins will be defined based on knowledge of the precise size and position of the mobile (e.g. to assess that an aircraft has effectively vacated a runway). Pilots may provide position reports, but those reports lack the position accuracy of automated surveillance. The loss of precision or integrity may mean that these procedures can no longer be safely used if this loss is not detected.

Level III.
Operational mitigation: According to the EMMA operational requirement document (D135), the standard A-SMGCS surveillance identification procedure currently proposed by EUROCONTROL is direct recognition of the aircraft/vehicle ID through the surveillance label. When that is no longer possible, the procedures already established by ICAO in Doc 4444 should be applied. The EMMA operational requirement document also adds that, “as a contingency measure, the procedural control using the flight strips should always be kept updated”. The planning function therefore acts as a backup system. Loss of surveillance data (as normally provided by the equipment) is evident for the controller in any visibility condition. In visibility conditions 1 or 2, the controller should also be able to detect the corruption of surveillance data that has gone undetected by the equipment. In visibility condition 3, immediate detection of corruption by the controller is not a realistic hypothesis.
HZ-11: In visibility condition 3, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure tactical separation.
Comments and recommendations: Same comment as HZ-10.

Level IV.
Operational mitigation: Same as above.
HZ-12: In visibility condition 3, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure tactical separation.
Comments and recommendations: Same comment as HZ-10.

Level V.
Operational mitigation: Same as above + OE-35.
HZ-09 (as described under OE-01, level V).
HZ-13: In visibility condition 4, due to undetected loss of surveillance precision or integrity, the controller continues to misuse some procedures to ensure tactical separation.
Comments and recommendations: Same comment as HZ-10.

OE-03: Detection of surface conflicts and incursions by the controller is severely compromised (due to the undetected loss or undetected corruption of control data as normally provided by the equipment).

Level II. At this implementation level, the equipment supports the controller in the task of conflict prediction and/or detection.
Operational mitigation: None.
Hazard: -
Comments and recommendations: Controllers should not rely on SCA to ensure that the traffic is well separated and/or does not enter a restricted area. Automation will require training with simulated conflicts to ensure controller conflict detection capability at all times.

Levels III and IV: no separate entry.

Level V.
Operational mitigation: In visibility conditions 3 and 4, procedures related to the use of automated surface conflict alert data in an A-SMGCS are still undefined. However, surface conflict detection is a safety net and its non-functioning does not create additional hazards.
Hazard: -
Comments and recommendations: For more details, please refer to §1.7.8.

OE-04: The controller’s projected situational awareness is severely compromised (due to the undetected loss or undetected corruption of flight plan data as normally provided by the equipment).

Level II. Not applicable.

Level III. At this implementation level, routing is automated, but guidance is manual.
Operational mitigation: Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used for controller display only.
HZ-14: In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips.
Comments and recommendations: Automation will require the introduction of new procedures for recovery from this fault mode, as well as training and practice. Remark: HZ-14 and HZ-17 are mutually exclusive.
HZ-17: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure verbal and manual routing.
Comments and recommendations: The main flight plan data related to routing are the allocated stand and runway data, plus the taxi route between the two. Undetected corruption of runway data does not seem to be a realistic hypothesis. Since the pilot has an independent source of plan data, he should be able to detect the corruption of stand data. What remains is the undetected corruption of taxi route data, e.g. the route passes via a restricted area and the controller and pilot have forgotten about this restriction (as normally published in a NOTAM). At this level, guidance is dynamic but manual, which gives the controller an additional chance to notice the corruption. Moreover, the surface conflict alert function should detect conflicts and incursions. Remark: HZ-14 and HZ-17 are mutually exclusive.

Level IV.
Operational mitigation: Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used to automatically control centre line lights and potentially stop bars.
HZ-15: In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
Comments and recommendations: Remark: HZ-15 and HZ-18 are mutually exclusive.
HZ-18: In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure routing and automated ground guidance.
Comments and recommendations: The main flight plan data related to routing are the allocated stand and runway data, plus the taxi route between the two. Undetected corruption of runway data does not seem to be a realistic hypothesis. Since the pilot has an independent source of plan data, he should be able to detect the corruption of stand data. What remains is the undetected corruption of taxi route data, e.g. the route passes via a restricted area and the controller and pilot have forgotten about this restriction (as normally published in a NOTAM). At this level, guidance is dynamic and automated, which gives the controller no additional chance to notice the corruption. However, the surface conflict alert function should detect conflicts and incursions. Remark: HZ-15 and HZ-18 are mutually exclusive.

Level V.
Operational mitigation: Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used to automatically control centre line lights and stop bars. The route is also up-linked to the aircraft and/or vehicles.
HZ-16: In visibility condition 4, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.
Comments and recommendations: Remark: HZ-16 and HZ-19 are mutually exclusive.
HZ-19: In visibility condition 4, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure routing and automated on-board guidance.
Comments and recommendations: The pilot relies entirely on on-board guidance for his navigation. Remark: HZ-16 and HZ-19 are mutually exclusive.

OE-05 The detection of plan deviations by the controller is severely compromised (due to the undetected loss or undetected corruption of plan conformance monitoring data as normally provided by the equipment).

II Not applicable. -

Page 179: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 179 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Table columns: Operational effects ref. | Operational effects description of equipment fault mode | A-SMGCS scenario implementation level | Operational mitigation (other than equipment), i.e. people and procedures | Hazards ref. | Hazards description (at system level) | Comments and recommendations (related to the system under assessment)

III Procedures related to the use of plan conformance monitoring data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used for controller display and conformance monitoring. In visibility 3, conformance monitoring is seen as non-compulsory.

-

IV Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used for controller display, conformance monitoring, and to automatically control centre line lights and potentially stop bars. In visibility 3, conformance monitoring is seen as non-compulsory.

-

V Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used for controller display, conformance monitoring, and to automatically control centre line lights and potentially stop bars. The route is also up-linked to the aircraft and/or vehicles. In visibility 4, conformance monitoring is seen as mandatory.

HZ-23 Recovery in visibility condition 4: the controller needs to recover from an equipment conformance monitoring failure by decreasing the number of aircraft moving simultaneously.

Remark: HZ-23 and HZ-24 are mutually exclusive.

HZ-24 Misuse of automation in visibility condition 4: due to over-reliance on automation, the controller does not detect the corruption of equipment conformance monitoring, and continues to use this corrupted data to ensure that the traffic is conforming to instructions.

Remark: HZ-23 and HZ-24 are mutually exclusive.

OE-06 The controller’s awareness of the traffic situation in adjacent sectors is severely compromised (due to loss or corruption of flight plan and / or surveillance data related to adjacent sectors as normally provided by the equipment).

II Not applicable.

III Procedures related to use of system co-ordination between APP and tower are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution; co-ordination is still done by voice, with the support of surveillance displays, which allow the relevant traffic in adjacent sectors to be viewed.

HZ-20 In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.

IV Procedures related to use of system co-ordination between APP and tower are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution; a standardized protocol (AIDC or OLDI) allows silent co-ordination with the approach centre; the surveillance displays allow the relevant traffic in adjacent sectors to be viewed.

HZ-21 In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.

V Procedures related to use of system co-ordination between APP and tower are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution; a standardized protocol (AIDC or OLDI) allows silent co-ordination with the approach centre; the surveillance displays allow the relevant traffic in adjacent sectors to be viewed.

HZ-22 In visibility condition 4, due to over-reliance on automation, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.

OE-07 The controller’s context awareness is slightly compromised (due to loss or corruption of guidance data, e.g. incorrect knowledge of equipment state and status, or due to loss or corruption of aerodrome-mapping data as normally provided by the equipment).

II Procedures related to use of aerodrome-mapping data in an A-SMGCS are still undefined. However, the following has been assumed. Aerodrome-mapping data is manually entered by the controller or by the supervisor. The aerodrome-mapping data is displayed on the controller HMI and used for conflict detection (cf. OE-03).

None. For each aircraft, the guidance function should send & apply the adequate command instructions (e.g. turn it on / off), independently from the current state.

III Procedures related to use of guidance and procedures related to use of aerodrome-mapping data in an A-SMGCS are still undefined. However, the following has been assumed. Aerodrome-mapping data is manually entered by the controller or by the supervisor. The aerodrome-mapping data is displayed on the controller HMI and used for conflict detection (cf. OE-03) and routing. Guidance is performed through manually switched centre line lights, as a support to verbal instructions. In visibility condition 3, an A-SMGCS level III should only be used on basic or simple airport layouts; therefore the pilot should be able to detect the inconsistency between the verbal and ground guidance.

IV Procedures related to use of guidance and procedures related to use of aerodrome-mapping data in an A-SMGCS are still undefined. However, the following has been assumed. Aerodrome-mapping data is manually entered by the controller or by the supervisor. The aerodrome-mapping data is displayed on the controller HMI and used for conflict detection (cf. OE-03), routing and guidance. Guidance is performed through automatically switched centre line lights, as a support to verbal instructions. If the guidance function checks the state & status of equipment before sending an on/off command, it might leave one or many taxiway centreline lights in an undesired state, incorrectly routing the aircraft. Any deviation from the assigned route is assumed to be detected by the conformance monitoring function. Any dangerous situation is assumed to be detected by the surface conflict alert function.

V At level V, there is no longer any ground guidance. Procedures related to use of aerodrome-mapping data in an A-SMGCS are still undefined. However, the following has been assumed. Aerodrome-mapping data is synchronised between ground and on-board databases. The aerodrome-mapping data is displayed on the controller HMI and used for conflict detection (cf. OE-03), routing and guidance.
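The recommendation attached to OE-07 (the guidance function should send and apply the adequate on/off command for each aircraft independently of the equipment state it currently holds, because checking state and status first can leave centre line lights in an undesired state) is illustrated by the following Python example. It is an added example, not code from the EMMA project or this report: the light segment names, the lost status report and the two GuidanceFunction behaviours are constructed assumptions used only to show how a stale state record turns into an incorrectly lit route.

```python
from dataclasses import dataclass

ON, OFF = "ON", "OFF"


@dataclass
class LightField:
    """Constructed stand-in for the physical taxiway centre line lighting.

    `state` is the true ON/OFF state of each light segment in the field.
    """
    state: dict

    def apply(self, segment, cmd):
        self.state[segment] = cmd

    def report(self):
        """A status report, as a status-reporting link would deliver it."""
        return dict(self.state)


class GuidanceFunction:
    """Hypothetical guidance function that switches centre line lights along a route.

    check_before_send=True models the behaviour the assessment warns about: a
    command is only sent when the function's own state/status record says the
    light is not already in the desired state.  check_before_send=False models
    the recommended behaviour: every segment is commanded regardless of the
    recorded state, so a stale record cannot leave a light in the wrong state.
    """

    def __init__(self, lights, check_before_send):
        self.lights = lights
        self.check_before_send = check_before_send
        # The function's belief about equipment state, seeded from one status report.
        self.believed = lights.report()

    def set_route(self, route, all_segments):
        """Light the segments on `route`, darken all others; return commands sent."""
        desired = {s: (ON if s in route else OFF) for s in all_segments}
        sent = []
        for segment, cmd in desired.items():
            if self.check_before_send and self.believed.get(segment) == cmd:
                continue  # believed already correct: command suppressed
            self.lights.apply(segment, cmd)
            self.believed[segment] = cmd
            sent.append((segment, cmd))
        return sent

    def mismatches(self):
        """Segments whose latest field status disagrees with the recorded state."""
        actual = self.lights.report()
        return sorted(s for s in actual if actual[s] != self.believed.get(s))


def lit_segments(lights):
    return sorted(s for s, st in lights.state.items() if st == ON)


def run_scenario(check_before_send):
    """Constructed scenario: segment A3 drops out between two routes without the
    guidance function learning of it (e.g. a lost status report)."""
    segments = ["A1", "A2", "A3", "B1", "B2"]
    lights = LightField({s: OFF for s in segments})
    guidance = GuidanceFunction(lights, check_before_send)

    guidance.set_route(["A1", "A2", "A3"], segments)   # first aircraft: route fully lit
    lights.apply("A3", OFF)                             # field diverges; no report reaches guidance
    guidance.set_route(["A2", "A3", "B1"], segments)   # next aircraft also needs A3

    return lit_segments(lights)


if __name__ == "__main__":
    print("check before send:", run_scenario(True))    # A3 missing from the lit route
    print("always send:      ", run_scenario(False))   # route correctly lit
```

With the conditional behaviour the second route is lit as A2 and B1 only, leaving a dark gap at A3 that the aircraft would have to taxi across; with unconditional commands the field ends up matching the assigned route. The mismatches() check is the kind of cross-check between recorded and reported state that conformance monitoring would need: whenever it reports anything, the recorded state cannot be trusted to suppress commands.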

II According to the EMMA operational requirement document [7], the standard A-SMGCS surveillance identification procedure currently proposed by EUROCONTROL is direct recognition of aircraft/vehicle ID through the surveillance label. When that is no longer possible, i.e. in case of display corruption or loss, the procedures already established by ICAO in Doc 4444 should be applied. The EMMA operational requirement document also adds that, “as a contingency measure, the procedural control using the flight strips should always be kept updated”. The planning function therefore acts as a backup system.

HZ-01 In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

HZ-02 In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.

III Electronic flight strips and routing are introduced.

HZ-14 In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips.

OE-08 The controller HMI is stuck in a display configuration that is improper for normal (safe) control operations.

IV HZ-03 In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.

Guidance will probably also be unusable due to the combined loss of surveillance and planning. Remark: hazard HZ-27 and the combined hazards HZ-02 and HZ-14 are mutually exclusive.

HZ-15 In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.

HZ-27 In visibility conditions 3 or worse, the supervisor re-sectorizes and the controller has to move from one controller working position to another.

Remark: hazard HZ-27 and the combined hazards HZ-02 and HZ-14 are mutually exclusive.

HZ-04 In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 identification procedures (pilot identification and position reports based on data coming from on-board equipment). The controller may need to simultaneously reduce the traffic density and/or complexity.

HZ-16 In visibility condition 4, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.

Guidance will probably also be unusable due to the combined loss of surveillance and planning. Remark: hazard HZ-27 and the combined hazards HZ-02 and HZ-14 are mutually exclusive.

V

HZ-27 In visibility conditions 3 or worse, the supervisor re-sectorizes and the controller has to move from one controller working position to another.

Remark: hazard HZ-27 and the combined hazards HZ-02 and HZ-14 are mutually exclusive.

HZ-01 In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

II

HZ-05 In visibility condition 2, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to misuse this corrupted surveillance data to ensure (limited) tactical separation (essentially on or near runways).

HZ-02 In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.

HZ-06 In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.

OE-09 Equipment response time increases above tolerable values (e.g. due to overload of recording), and the equipment does not detect this slowing down.

III

HZ-14 In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips.

HZ-17 In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure verbal and manual routing.

HZ-03 In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.

HZ-07 In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.

HZ-15 In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.

IV

HZ-18 In visibility condition 3, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure routing and automated ground guidance.

HZ-04 In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 identification procedures (pilot identification and position reports based on data coming from on-board equipment). The controller may need to simultaneously reduce the traffic density and/or complexity.

HZ-08 In visibility condition 4, due to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data, and continues to use this corrupted surveillance data to ensure tactical separation.

HZ-16 In visibility condition 4, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.

Remark: HZ-16 and HZ-19 are mutually exclusive.

HZ-19 In visibility condition 4, due to over-reliance on automation, the controller does not detect the corruption of equipment flight plan data, and continues to use this corrupted data to ensure routing and automated on-board guidance.

The pilot relies entirely on on-board guidance for his navigation. Remark: HZ-16 and HZ-19 are mutually exclusive.

V

HZ-09

OE-10 The controller has to manually manage the flight plans for the operations (i.e. creations, deletions, updates) that are normally handled by external flight plan data processing systems (FDPS).

II Not applicable.

III Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used for controller display only.

HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

IV Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used to automatically control centre line lights and potentially stop bars.

HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

V Procedures related to the use of flight plan data in an A-SMGCS are still undefined. However, the following has been assumed: flight plan management is done through an electronic strip bay, whilst paper strips represent a fallback solution. The computed route is used to automatically control centre line lights and stop bars. The route is also up-linked to the aircraft and/or vehicles.

HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-11 The controller has to manually manage the flight plans for the operations (i.e. creations, deletions, updates) that are normally handled by adjacent tower positions.

II Not applicable.

III Standard verbal co-ordination procedures.

HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

IV Standard verbal co-ordination procedures.

HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

V Standard verbal co-ordination procedures.

HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

II Not applicable.

III ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

IV ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-12 The controller has to manually manage the flight plans for the operations (i.e. updates only) that are normally handled by automated traffic characterisation, in particular flight plan progress.

V ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

II None. HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

III ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

IV ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-13 The controller has to manually label (some) target reports.

V ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-14 The controller has to assign all taxi routes manually (with or without semi-automatic routing support.)

II None. HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

III ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

IV ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

V ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

II None. HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-15 The controller has to manually control the ground guidance aids.

III ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

IV ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

V ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

II None. HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

III ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-16 The controller has to manually update the aerodrome-mapping database.

IV ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

V ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

II None. HZ-01 In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

III ? HZ-02 In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.

OE-17 The controller has to mentally maintain the association between the flight plans and the target reports.

IV ? HZ-03 In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.

Page 195: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 195 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Operational effects ref.

Operational effects description of equipment fault mode

A-SMGCS scenario implementation level

Operational mitigation (other than equipment), i.e. people and

procedures

Hazards ref.

Hazards description (at system level)

Comments and recommendations (related to the system under

assessment) V ? HZ-04 In visibility condition 4, the

controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 identification procedures (pilot identification and position reports based on data coming from on-board equipment). The controller may need to simultaneously reduce the traffic density and/or complexity.

II Not applicable. III ? HZ-14 In visibility condition 3, the

controller needs to recover from an equipment flight plan failure by reverting to paper strips.

IV ? HZ-15 In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.

OE-18 The control procedures have to revert to paper strips.

V ? HZ-16 In visibility condition 4, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.

II Not applicable. OE-19 The controller has to revert to RTF co-ordination with the adjacent approach centre.

III ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

Page 196: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 196 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Operational effects ref.

Operational effects description of equipment fault mode

A-SMGCS scenario implementation level

Operational mitigation (other than equipment), i.e. people and

procedures

Hazards ref.

Hazards description (at system level)

Comments and recommendations (related to the system under

assessment) IV ? HZ-25 Recovery in the worst visibility

condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

V ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

II None. HZ-01 In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 -(procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

OE-20 The controller has to rely (more) on pilots’ RTF reports for mobile positioning & identification data.

III ? HZ-02 In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.

Page 197: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 197 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Operational effects ref.

Operational effects description of equipment fault mode

A-SMGCS scenario implementation level

Operational mitigation (other than equipment), i.e. people and

procedures

Hazards ref.

Hazards description (at system level)

Comments and recommendations (related to the system under

assessment) IV ? HZ-03 In visibility condition 3, the

controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 identification procedures (pilot identification and position reports). The controller may need to simultaneously reduce the traffic density and/or complexity.

V ? HZ-04 In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 identification procedures (pilot identification and position reports based on data coming from on-board equipment). The controller may need to simultaneously reduce the traffic density and/or complexity.

II Not applicable. III ? HZ-25 Recovery in the worst visibility

condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-21 The controller has to revert to RTF

guidance.

IV ? HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

Page 198: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 198 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Operational effects ref.

Operational effects description of equipment fault mode

A-SMGCS scenario implementation level

Operational mitigation (other than equipment), i.e. people and

procedures

Hazards ref.

Hazards description (at system level)

Comments and recommendations (related to the system under

assessment) V ? HZ-25 Recovery in the worst visibility

condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

II Not applicable.

III ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

IV ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

OE-22 The controller has to monitor plan adherence (and in particular taxi route adherence) without automated plan conformance monitoring support.

V ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

OE-23 The controller has to return to SMGCS working procedures and conditions.

II None. HZ-01 In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 -(procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

Page 199: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 199 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Operational effects ref.

Operational effects description of equipment fault mode

A-SMGCS scenario implementation level

Operational mitigation (other than equipment), i.e. people and

procedures

Hazards ref.

Hazards description (at system level)

Comments and recommendations (related to the system under

assessment) HZ-02 In visibility condition 3, the

controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 -(procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

III ?

HZ-14 In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips.

HZ-03 In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 -(procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

IV ?

HZ-15 In visibility condition 3, the controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.

V ? HZ-04 In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 identification procedures (pilot identification and position reports based on data coming from on-board equipment). The controller may need to simultaneously reduce the traffic density and/or complexity.

Page 200: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 200 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Operational effects ref.

Operational effects description of equipment fault mode

A-SMGCS scenario implementation level

Operational mitigation (other than equipment), i.e. people and

procedures

Hazards ref.

Hazards description (at system level)

Comments and recommendations (related to the system under

assessment) HZ-16 In visibility condition 4, the

controller needs to recover from an equipment flight plan failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.

II Not applicable. III Not applicable. IV None. HZ-25 Recovery in the worst visibility

condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

OE-24 The controller has to use the ground guidance aids own control & monitoring tools to manually control them.

V None. HZ-25 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.

II None. HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

OE-25 The controller is provided (by the equipment) with missing and/or corrupted traffic data. He knows it, but cannot / does not prevent it. Note: This effect includes OE-20, whose hazards are not repeated here.

III ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

Page 201: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 201 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Operational effects ref.

Operational effects description of equipment fault mode

A-SMGCS scenario implementation level

Operational mitigation (other than equipment), i.e. people and

procedures

Hazards ref.

Hazards description (at system level)

Comments and recommendations (related to the system under

assessment) IV ? HZ-26 Recovery in the worst visibility

condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

V ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

II None. HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

III ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

IV ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

OE-26 The controller is provided (by the equipment) with missing and/or erroneous mobile identification. He knows it, but cannot / does not prevent it. Note: This effect includes OE-17, whose hazards are not repeated here.

V ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

OE-27 The controller is provided (by the equipment) with missing or false traffic alerts. He knows it, but cannot / does not prevent it.

II None. HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

The safety impact of nuisance alerts is that the controllers becomes desensitised to alerts, and therefore they do not react adequately when real conflicts occur. In the extreme case, the surface conflict alerts are totally ignored,

Page 202: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 202 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Operational effects ref.

Operational effects description of equipment fault mode

A-SMGCS scenario implementation level

Operational mitigation (other than equipment), i.e. people and

procedures

Hazards ref.

Hazards description (at system level)

Comments and recommendations (related to the system under

assessment) III ? HZ-26 Recovery in the worst visibility

condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

IV ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

V ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

which brings us back to a complete loss of the function.

II Not applicable. HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

III ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

IV ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

OE-28 The controller is provided (by the equipment) with missing and/or erroneous plan monitoring alerts. He knows it, but cannot / does not prevent it.

V ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

Page 203: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 203 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Operational effects ref.

Operational effects description of equipment fault mode

A-SMGCS scenario implementation level

Operational mitigation (other than equipment), i.e. people and

procedures

Hazards ref.

Hazards description (at system level)

Comments and recommendations (related to the system under

assessment) II Not applicable. Significant increase of controller’s

workload. III ? HZ-26 Recovery in the worst visibility

condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

IV ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

OE-29 The controller is provided (by the equipment) with missing and/or erroneous co-ordination support. He knows it, but cannot / does not prevent it.

V ? HZ-26 Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by an increased cognitive processing.

II Not applicable. Significant increase of pilot and controller’s workload.

III Not applicable.

IV ?

OE-30 Pilots and/or drivers do not receive any automated guidance from ground guidance aids. Note: This effect includes OE-34.

V ?

II Not applicable.

III Not applicable.

IV Not applicable.

OE-31 Pilots and/or drivers do not receive any automated guidance from on-board equipment. Note: This effect includes OE-34.

V Procedures related to use routing instructions are still undefined. If the failure to receive an initial clearance may be easily detectable by the pilot or driver, it is not the case for a re-clearance. Integrity of the latter should therefore be improved compared to the initial clearance.

Page 204: Functional Hazard Assessment and very Preliminary System

Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 204 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Operational effects ref.

Operational effects description of equipment fault mode

A-SMGCS scenario implementation level

Operational mitigation (other than equipment), i.e. people and

procedures

Hazards ref.

Hazards description (at system level)

Comments and recommendations (related to the system under

assessment) II Not applicable. III ? IV ?

OE-32 Pilots and/or drivers are provided with missing or erroneous indications via the ground guidance aids.

V ? II Not applicable. III Not applicable. IV Not applicable.

OE-33 Pilots and/or drivers are provided with missing or erroneous guidance indications via the on-board equipment.

V II Not applicable.

III Not applicable.

IV Not applicable.

OE-34 Pilots and/or drivers are provided with inconsistent guidance indications (between ground, on-board and RTF). Note: When the failure is detected, this effect includes OE-21.

V ?

II Not applicable.

III Not applicable.

IV Not applicable.

OE-35 Pilots and drivers are provided (potentially via TIS-B) with missing and/or erroneous surveillance data (including mobile identification).

V Procedures related to use of spacing delegation in an A-SMGCS are still undefined.

II Not applicable.

III Not applicable.

IV Not applicable.

OE-36 Pilots and/or drivers are provided with inconsistent aeronautical information (between the A-SMGCS aerodrome-mapping database, the ATIS, the FIS-B, the RTF). Note: When the failure is detected, this effect includes OE-21.

V ?

OE-37 Supposing that a route deviation is detected based on down linked aircraft parameters (DAP), the information is provided too late to avoid the route deviation.

V ?

Table 5-13: Operational effects and hazards


Appendix F - Assessment of hazard severity and probability of occurrence

Ref. number: D1.3.9


Objectives

This annex is the core of the functional hazard assessment: it assigns a severity to each hazard (cf. Table 5-14), and draws a possible set of safety objectives (cf. Table 5-15).

Severity allocation

The severity classification scheme specified by the Safety Regulation Commission in ESARR4 provides only the “effect on operations”. The examples of effects on operations provided in the ESARR4 severity classification scheme are not directly applicable to every system under assessment, as they refer generally to hazards at overall ATM level but not to lower level hazards such as at sub-system level. Therefore, as requested by ESARR4 (appendix A-2, page 17, 2nd note a)), the approach is to customise the severity classification scheme in order to adequately reflect the operational environment and make it meaningful in the context of the A-SMGCS under assessment. Please refer to §5.2 (Term definitions) for more details.

Another complementary and interesting approach to severity classification has been used by NATS Ltd. Because it is not always possible to be categorical about the possible consequences of a hazard, it is often necessary to limit the analysis to undeveloped outcomes (noted SCUx, for "severity classification undeveloped"), which define merely the effect of the hazard on the ability to maintain separation. A formula is then used to map undeveloped outcomes into a probability of accident, cf. §1.7.5 for more details.

In the previous annex, a set of hazards has been identified. By assigning severities to each of these hazards, we are in fact defining a probability that an accident might occur if one of these hazards occurs (i.e. global severity) – cf. §3.4.1 for more details. Considering that the target level of safety (TLS) is defined by the ICAO manual on A-SMGCS [32], the global safety objective can be defined by the following scalar product:

global TLS = global safety objective * global severity

Unlike what has been performed in [27] or [25] we do not feel it is acceptable at this stage of the safety assessment to (evenly or unevenly) split the global target level of safety between the different hazards. This assignment can be performed at a more detailed preliminary system safety assessment (PSSA) level, when more analysis of each of the fault trees and available mitigation means is performed.

Share of the target level of safety (TLS) allocated per A-SMGCS scenario implementation level (columns: implementation level; share of the TLS allocated to hazards originating from equipment failures; share of the TLS allocated to hazards originating from people & procedure failures):

- Level I: equipment 0%; people & procedures 100%
- Level II: equipment 15%; people & procedures 85%
- Level III: equipment 35%; people & procedures 65%
- Level IV: equipment 45%; people & procedures 55%
- Level V: equipment 55%; people & procedures 45%

Figure 26: Share of the TLS allocated to equipment

Similar to the EUROCONTROL A-SMGCS safety case (cf. §1.7.3), our safety assessment does not consider all A-SMGCS hazards, but only those hazards that originate from equipment. It is therefore necessary to assume a share of the total target level of safety (TLS) that will be allocated to the equipment. In [27], 15% of the total target level of safety (TLS) was allocated to equipment for an A-SMGCS implementation level 1 & 2 (according to the EUROCONTROL terminology – corresponding more or less to ICAO level II). We tend to agree with this share, and propose the following allocations for higher scenario implementation levels (to be discussed and agreed at European / international level). We propose a major step between A-SMGCS scenario implementation level II and level III (i.e. +20 points) because at level III, on basic and simple airports with light or medium traffic, the A-SMGCS is supposed to support operations in visibility condition 3, i.e. a visibility sufficient for a pilot to taxi, but insufficient for a pilot to avoid collision with other traffic on taxiways and at intersections by visual reference with other traffic, and insufficient for the control authority to exercise control over all traffic on the basis of visual surveillance. For us, this is a major step that implies very high confidence in the equipment and new conflict prediction & resolution tools. In our view, later steps up the A-SMGCS scenario implementation levels are less dramatic, and are therefore only assigned +10 points each. As automation increases, the share of the target level of safety (TLS) allocated to hazards originating from equipment failures increases, whilst the share of the TLS allocated to hazards originating from people & procedure failures decreases. This implies that, for similar risks, the safety objectives set on equipment will become more demanding with increasing A-SMGCS scenario implementation levels.

Structure of the severity analysis table

The hazard severities are presented in a table that is composed of the following data:

- columns 1 and 4, “hazard reference” & “hazard description”: these columns indicate references and descriptions of hazards, as identified in appendix E; here, the hazards are basically described through their negative safety effects on the air navigation service;
- column 2, “A-SMGCS scenario implementation level (SIL)”: this column recalls the ICAO A-SMGCS implementation level to which this hazard relates; this is very important as the same fault mode may have different effects depending on the A-SMGCS scenario implementation level;
- column 3, “Hazard typology”: hazards are derived from the operational effects at system level (as undeveloped outcomes), taking into account people and procedures; when the operational effects of a fault mode are not detected, the corresponding hazard is classified as a misuse; when the operational effects of a fault mode are detected, the corresponding hazard is classified as a recovery;
- columns 5 to 7 are descriptions that help assess the severity (in column 8); focus is set on the hazard effects at aerodrome ATC level, the exposure, and the mitigation means that are external to the system;
- column 8, “severity”: this column describes the severity of the hazard effects; in theory, different severities may be considered in different weather conditions or in different traffic load conditions; however, different hazards have been defined for different SIL, and therefore the worst case is always considered for each level;
- column 9, “probability to lead to an accident”: based on the severity, the probability that such a hazard, if raised, will lead to an accident (according to the NATS mapping);
- column 10, “comments / recommendations”: self-explanatory;
- description of the worst-case credible scenario supporting the severity assessment: these descriptions are provided only for hazards related to scenario implementation levels (SIL) I and II; they were elaborated during a FHA workshop held in June 2005, with the help of 4 controllers from ANS-CZ, one controller from DFS, one ex-controller from DSNA, one controller from ENAV, one ex-controller from NATS and one safety expert from ANS-CZ.


Severity analysis table. Columns: hazard ref.; A-SMGCS scenario implementation level (SIL); hazard typology; hazard description (at system level); severity indicators, namely hazard effects at aerodrome ATC level (i.e. failure condition), exposure (duration, number of exposed) and recovery (announcement information, availability of external contingency measures, rate of development); severity; probability to lead to an accident (with NATS’ mapping); comments and recommendations (related to items external to the system under assessment).

HZ-01 (SIL II)
- Hazard typology: Recovery (from a total or partial equipment surveillance failure, e.g. loss of primary sensor, loss of time synchronisation, loss of labelling, etc.).
- Hazard description: In visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or flow complexity.
- Hazard effects at aerodrome ATC level: Situational awareness may be slightly impaired during the recovery phase. Once the mental picture is re-established and traffic reduced, no more effects are expected.
- Exposure: Duration: may persist for a short period of time [28]. Number: medium traffic if layout is basic, light traffic if layout is simple.
- Recovery: Announcement information: none. Contingency measures: visibility is sufficient for pilots and drivers to taxi and to avoid collision with other traffic on taxiways and at intersections, by visual reference [29]. Rate of development: sudden.
- Severity: 4 (Minor).
- Probability to lead to an accident (NATS’ mapping): 10^-3 %.
- Comments: it is irrelevant to know the exact nature of the failure; in fact the surveillance may still seem to work; the simple fact that the surveillance equipment is declaring a malfunction, or that the controller suspects a malfunction, is sufficient for the controller to trigger a recovery procedure.
- Recommendations: Neither traffic density nor traffic complexity should be so high as to preclude the safe performance of failure recovery tasks.

[28] Doc. 4444 is considered safe. Hazard duration is only related to the shift from Doc. 9830 to Doc. 4444 (i.e. the recovery procedure itself). This duration is independent of the equipment failure duration itself.
[29] It is not so much the visibility which is of interest, but the capability in that visibility for the pilot / driver to mitigate the hazard and its severity.


Worst-case credible scenario supporting the severity assessment: Suppose an aerodrome with a basic layout, visibility condition 1, medium traffic density. Visibility degrades to condition 2 (e.g. sudden heavy rain). The equipment surveillance failure occurs and is detected just after the visibility conditions shift from 1 to 2. The controllers lose visual and equipment surveillance nearly simultaneously. HAZARD: in visibility condition 2, the controller needs to recover from an equipment surveillance failure by reverting to ICAO doc. 4444 chapter 8 (procedural control). Suppose five aircraft going for take-off. Three aircraft have landed, of which two are already taxiing. One aircraft has been cleared for line-up at the threshold, and a Beech 90 has been cleared for intersection line-up. One B737 is ten miles on final. The local controller has some workload related to vehicle control. Due to the loss of visibility and surveillance means, the controller needs to ask the last landed aircraft to report when the runway is vacated, and the controller needs to check who is lined up at the intersection. Position reports from pilots cannot be checked. After the Beech 90 take-off, the controller needs to wait for the airborne report. The worst credible case foreseen is that, due to the loss of time, the controller needs to instruct the B737 on final to GO AROUND (with a possible issue related to the slow Beech 90).

HZ-02 | Level III | Recovery (from a total or partial equipment surveillance failure)

Hazard description: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

Hazard effects: Situational awareness may be slightly impaired during the recovery phase. Once the mental picture is re-established, no further effects are expected.

Exposure and recovery:
- Duration: may persist for a short period of time (see footnote 30).
- Number: medium traffic if the layout is basic, light traffic if the layout is simple; alternatively, heavy traffic if the layout is basic and the visibility condition is only 2.
- Announcement information: none.
- Contingency measures: visibility sufficient for a pilot to taxi, supported by ground guidance.
- Rate of development: sudden.

Severity: 2 (Hazardous). Probability to lead to an accident (NATS' mapping): 1%.

Comments and recommendations: Neither traffic density nor traffic complexity should be so high as to preclude the safe performance of the failure recovery tasks.

30 Doc. 4444 is considered safe. The hazard duration relates only to the shift from Doc. 9830 to Doc. 4444 operations (i.e. the recovery procedure itself) and is independent of the duration of the equipment failure.


Worst-case credible scenario supporting the severity assessment: Supposing an aerodrome with a basic layout and visibility condition 3. Low visibility procedures (LVP) are in force for ILS operations. One landing aircraft has just vacated the runway sensitive area, and its pilot has changed frequency to ground control. Another aircraft is on final, about to land. At that moment, equipment surveillance is lost. HAZARD: in visibility condition 3, the controllers need to recover from an equipment surveillance failure by reverting to ICAO Doc. 4444 chapter 8 (procedural control). The ground controller stops all traffic; one taxiing pilot asks why. The landing aircraft uses the same exit as the previously landed aircraft (highly probable on a basic layout) but is still on the TWR frequency, and continues to taxi while waiting for a gap on the frequency to report the runway vacated. The result is a collision at low speed.

HZ-03 | Level IV | Recovery

Hazard description: In visibility condition 3, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

Hazard effects: Situational awareness may be slightly impaired during the recovery phase. Once the mental picture is re-established, no further effects are expected.

Exposure and recovery:
- Duration: may persist for a short period of time.
- Number: heavy traffic.
- Announcement information: none.
- Contingency measures: visibility sufficient for a pilot to taxi, supported by ground guidance.
- Rate of development: sudden.

Severity: 3 (Major). Probability to lead to an accident (NATS' mapping): 0.1%.

Comments and recommendations: Neither traffic density nor traffic complexity should be so high as to preclude the safe performance of the failure recovery tasks.

HZ-04 | Level V | Recovery

Hazard description: In visibility condition 4, the controller needs to recover from an equipment surveillance failure by reverting to ICAO Doc. 4444 chapter 8 (procedural control). The controller may need to simultaneously reduce the traffic density and/or complexity.

Hazard effects: Situational awareness may be slightly impaired during the recovery phase. Once the mental picture is re-established, no further effects are expected.

Exposure and recovery:
- Duration: may persist for a short period of time.
- Number: heavy traffic.
- Announcement information: none.
- Contingency measures: on-board equipment sufficient for a pilot to taxi, supported by on-board guidance.
- Rate of development: sudden.

Severity: 3 (Major). Probability to lead to an accident (NATS' mapping): 0.1%.

Comments and recommendations: Neither traffic density nor traffic complexity should be so high as to preclude the safe performance of the failure recovery tasks.

HZ-05 | Level II | Misuse (of corrupted surveillance data)

Hazard description: In visibility condition 2, the controller does not detect the corruption of equipment surveillance data and continues to use this corrupted data. Note that at this level (i.e. level II) the controller is assumed to systematically check surveillance data (at least once for each departing aircraft). The hazard effect must NOT include abuse of automation.

Hazard effects: Situational awareness is impaired until an unexpected event (see footnote 31) alerts the controller to the corruption of equipment surveillance data.

Exposure and recovery:
- Duration: may persist for a substantial period of time.
- Number: medium traffic if the layout is basic, light traffic if the layout is simple.
- Announcement information: none.
- Contingency measures: visibility is sufficient for pilots and drivers to taxi and to avoid collision with other traffic on taxiways and at intersections by visual reference.
- Rate of development: sudden.

Severity: 2 (Hazardous).

Comments and recommendations: Upon failure detection by the controller, hazard HZ-01 is triggered.

31 This hazard relates to A-SMGCS level II, in which conflict analysis and conflict resolution remain the responsibility of the controller (i.e. not of the equipment) and in which responsibility for surveillance is shared (i.e. the equipment only supports the controller, and the controller is not allowed to control on the basis of equipment surveillance data alone). By "unexpected event" we therefore mean that the controller detects something (e.g. a conflict) which is "unexpected" in relation to the surveillance and/or control data provided by the equipment. Given the controller's responsibility, sufficient time for conflict processing (detection time + controller reaction time + instruction time + crew reaction time + resolution time) should still remain. The hazard lies in the "surprise effect" of detecting the conflict (i.e. the worst "surprise") at the same moment as identifying the equipment surveillance failure.


Worst-case credible scenario supporting the severity assessment: Supposing an aerodrome with a basic layout, visibility condition 2 and medium traffic density. Two aircraft are waiting for line-up, one at the threshold and the other at an intermediate taxiway, whilst a third aircraft is approaching. Once the arriving aircraft has landed, the controller gives the line-up clearance to the aircraft at the threshold, but the equipment is providing corrupted surveillance data such that the two labels of the departing aircraft have been switched, and the controller did not use the "... line up from ..." phraseology. HAZARD: in visibility condition 2, the controller does not detect the corruption of equipment surveillance data and continues to use it. The controller does not notice the label switch: whilst intending to clear the aircraft at the threshold, the controller in fact clears the aircraft at the intermediate take-off position, 1000 m ahead of the threshold and still in front of the landing traffic. Because this taxiway joins the runway at a 30° angle, the entering aircraft has no view at all of traffic coming from the threshold. As the aircraft enters the obstacle free zone (OFZ) in front of the landing traffic, an incursion alert is triggered. The intruding aircraft either stops of its own accord (visibility condition 2 allows the crew to see the landing traffic) or is stopped by the controller (because of the alert, and/or because the pilots' position reports are correct even though the labels are wrong). The worst credible case is a large reduction in safety margins.


HZ-06 | Level III | Misuse (of corrupted or obsolete surveillance data)

Hazard description: In visibility condition 3, the controller does not detect the corruption of equipment surveillance data and continues to use this corrupted data to ensure separation.

Hazard effects: Situational awareness is impaired until an unexpected event alerts the controller to the corruption of equipment surveillance data. Two types of hazard effect may be considered at system level:
- A dangerous situation develops unbeknownst to the controller, e.g. a conflict between aircraft on a taxiway, a runway incursion, a take-off without clearance, a route deviation, etc. The equipment provides no alert.
- Owing to the lack of situational awareness, the controller creates a critical loss of separation by delivering an inadequate clearance (cf. the Rhodes Island incident of 6 December 1999, or the Überlingen accident of 1 July 2002).

Exposure and recovery:
- Duration: may persist for a substantial period of time.
- Number: medium traffic if the layout is basic, light traffic if the layout is simple; alternatively, heavy traffic if the layout is basic and the visibility condition is only 2.
- Announcement information: none.
- Contingency measures: visibility is just sufficient for a pilot to taxi.
- Rate of development: sudden.

Severity: 1 (Catastrophic). Probability to lead to an accident (NATS' mapping): 100%.

Comments and recommendations: Upon failure detection by the controller, hazard HZ-02 is triggered. In the ICAO implementation table, an "X" against conflict prediction and/or detection means that the conflict is detected but not solvable in visibility condition 3. What is meant here?


Worst-case credible scenarios supporting the severity assessment: three scenarios were elaborated.

Scenario 1: Supposing an aerodrome with a basic layout, visibility condition 3, and two outbound aircraft taxiing to the holding position, correctly separated; there is no other traffic. The first aircraft reaches the holding position and stops. At that moment, the controller's surveillance display freezes. HAZARD: in visibility condition 3, the controller does not detect the corruption of equipment surveillance data and continues to use it to ensure separation. The two aircraft appear separated and stopped, but in reality the second aircraft continues to taxi and runs into the first.

Scenario 2: Supposing the same scenario as for HZ-05, visibility condition 3 makes it worse because the pilot of the departing aircraft is unable to see the approaching aircraft. Only the controller can avoid the accident.

Scenario 3: Supposing an aerodrome with a basic layout, visibility condition 3 and medium traffic density. One aircraft is waiting for line-up whilst a second aircraft is approaching. The equipment is providing false positions: the approaching aircraft is displayed 500 m ahead of its actual position (corresponding to a 7 to 10 second error in the extrapolation). HAZARD: in visibility condition 3, the controller does not detect the corruption of equipment surveillance data and continues to use it to ensure separation. When the controller sees that the inbound aircraft has landed, he clears the outbound aircraft (at the threshold) in front of the aircraft that is actually still landing. The equipment provides no incursion alert, and the pilot of the departing aircraft is unable to see the approaching aircraft (visibility condition 3).
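The HZ-05 label switch and the three HZ-06 scenarios all describe surveillance data that is mislabelled, frozen or displaced while, in the table's words, "the equipment provides no alert" and the announcement information is "none". The following Python is an added example, not part of the EMMA deliverable or of any A-SMGCS equipment: a consistency monitor that compares two consecutive snapshots of a track table and raises the alerts the hazards above assume are missing. The Track fields, the 2 s maximum track age, the 90 m/s plausibility ceiling and the sample snapshots are all assumptions constructed for the example. It also illustrates a limit: a frozen track, a swapped label and a sudden 600 m jump are caught, but a steady 500 m extrapolation offset (scenario 3) looks like normal motion to the feed and can only be detected against an independent reference, which is why the contingency measures column matters.

```python
from dataclasses import dataclass
from math import hypot


@dataclass(frozen=True)
class Track:
    """One row of the surveillance track table (constructed schema)."""
    track_id: int   # equipment track number, stable while the track lives
    label: str      # call-sign the equipment attaches to the track
    x: float        # position, metres, aerodrome-local frame
    y: float
    t: float        # time of the last position update, seconds


def check_tracks(previous, current, now, max_age_s=2.0, max_speed_mps=90.0):
    """Compare two consecutive snapshots of the track table and return a
    sorted list of (track_id, reason) alerts.  Reasons:
      "stale"             no update within max_age_s (frozen picture)
      "duplicate_label"   two tracks carry the same call-sign
      "label_swap"        a call-sign moved to a different track number
      "implausible_jump"  displayed motion exceeds max_speed_mps
    """
    alerts = set()

    # Freshness: scenario 1 (frozen display) shows no update at all.
    for tr in current:
        if now - tr.t > max_age_s:
            alerts.add((tr.track_id, "stale"))

    # Identity: the same call-sign must not appear on two tracks.
    by_label = {}
    for tr in current:
        by_label.setdefault(tr.label, []).append(tr.track_id)
    for ids in by_label.values():
        if len(ids) > 1:
            alerts.update((tid, "duplicate_label") for tid in ids)

    # Continuity against the previous snapshot: label ownership and motion.
    prev_by_id = {tr.track_id: tr for tr in previous}
    prev_owner = {tr.label: tr.track_id for tr in previous}
    for tr in current:
        owner = prev_owner.get(tr.label)
        if owner is not None and owner != tr.track_id:
            alerts.add((tr.track_id, "label_swap"))      # HZ-05 label switch
        old = prev_by_id.get(tr.track_id)
        if old is None:
            continue                                     # new track, nothing to compare yet
        dt = tr.t - old.t
        if dt > 0 and hypot(tr.x - old.x, tr.y - old.y) / dt > max_speed_mps:
            alerts.add((tr.track_id, "implausible_jump"))  # sudden displacement

    return sorted(alerts)


def demo():
    """Constructed sample snapshots (not real surveillance data)."""
    previous = [
        Track(1, "ABC123", 0.0, 0.0, 10.0),      # holding at the threshold
        Track(2, "DEF456", 1000.0, 0.0, 10.0),   # holding at the intermediate position
        Track(3, "GHI789", 2500.0, 30.0, 10.0),  # taxiing behind another aircraft
        Track(4, "JKL012", -4000.0, 0.0, 10.0),  # on final
    ]
    current = [
        Track(1, "DEF456", 0.0, 0.0, 11.0),      # labels of tracks 1 and 2 switched
        Track(2, "ABC123", 1000.0, 0.0, 11.0),
        Track(3, "GHI789", 2500.0, 30.0, 10.0),  # no update since t=10: frozen
        Track(4, "JKL012", -3400.0, 0.0, 11.0),  # 600 m in 1 s: displaced position
    ]
    return check_tracks(previous, current, now=13.0)


if __name__ == "__main__":
    for track_id, reason in demo():
        print(f"track {track_id}: {reason}")
```

A monitor like this only turns an undetected corruption (HZ-06, catastrophic) into a detected failure (HZ-02, hazardous); it does not remove the recovery hazard, it just makes the "announcement information: none" entry false.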

HZ-07 | Level IV | Misuse

Hazard description: In visibility condition 3, owing to over-reliance on automation, the controller does not detect the corruption of equipment surveillance data and continues to use this corrupted data to ensure tactical separation.

Hazard effects: same as for HZ-06.

Exposure and recovery:
- Duration: may persist for a substantial period of time.
- Number: heavy traffic.
- Announcement information: none.
- Contingency measures: none.
- Rate of development: sudden.

Severity: 1 (Catastrophic). Probability to lead to an accident (NATS' mapping): 100%.

Comments and recommendations: Upon failure detection by the controller, hazard HZ-03 is triggered. In the ICAO implementation table, an "X" against conflict prediction and/or detection means that the conflict is detected but not solvable in visibility condition 3. What is meant here?

HZ-08 | Level V | Misuse

Hazard description: In visibility condition 4, the controller does not detect the corruption of equipment surveillance data and continues to use this corrupted data to ensure tactical separation.

Hazard effects: same as for HZ-06.

Exposure and recovery:
- Duration: may persist for a substantial period of time.
- Number: all aircraft in the A-SMGCS coverage area.
- Announcement information: none.
- Contingency measures: aircraft and vehicles are equipped with ADS-B in and continue to receive the positions and identification of other mobiles.
- Rate of development: sudden.

Severity: 2 (Hazardous). Probability to lead to an accident (NATS' mapping): 1%.

Comments and recommendations: Upon failure detection by the controller, hazard HZ-04 is triggered.

HZ-09 | Level V | Recovery

Hazard description: In visibility condition 4, pilots and drivers are provided (potentially via TIS-B) with missing and/or erroneous surveillance data (including mobile identification), but the lack or inconsistency has been detected.

Hazard effects: Situational awareness may be slightly impaired.

Exposure and recovery:
- Duration: brief.
- Number: all aircraft and vehicles in the A-SMGCS coverage area.
- Announcement information: none.
- Contingency measures: none.
- Rate of development: sudden.

Severity: 5 (No effect). Probability to lead to an accident (NATS' mapping): 0%.

HZ-10 | Level II | Misuse (of obsolete or corrupted surveillance data)

Hazard description: In visibility condition 2, owing to an undetected loss of surveillance precision or integrity, the controller continues to apply procedures (see footnote 32) to ensure separation (essentially on or near runways) that the degraded data no longer supports. Note that at this level (i.e. level II) surveillance responsibility is shared between the controller and the equipment, and the controller is therefore assumed to systematically check surveillance data. The hazard effect must NOT include abuse of automation.

Hazard effects: Situational awareness may be slightly impaired.

Exposure and recovery:
- Duration: may persist for a substantial period of time.
- Number: medium traffic if the layout is basic, light traffic if the layout is simple.
- Announcement information: none.
- Contingency measures: visibility is sufficient for pilots and drivers to taxi and to avoid collision with other traffic on taxiways and at intersections by visual reference.
- Rate of development: sudden.

Severity: 5 (No effect). Probability to lead to an accident (NATS' mapping): 0%.

Comments and recommendations: No equivalent of RVSM is foreseen for ground control based on high-precision surveillance data; therefore a minor loss of precision, update rate or integrity will have no effect on safety.

Worst-case credible scenario supporting the severity assessment: Supposing an aircraft A lined up awaiting take-off clearance and an aircraft B starting to vacate the runway. EQUIPMENT FAILURE: owing to corrupted surveillance, aircraft B is displayed as having vacated (or as starting to vacate). HAZARD: under stress, the controller has little time to wait for and check the pilot's report, and delivers the take-off clearance. Since the surveillance is erroneous, there is no alert. No additional risk is attributed to the equipment, because the same situation already arises today with anticipated (advance) clearances.

32 Procedures based on good A-SMGCS surveillance performance are not yet defined. However, it is expected that separation margins will be defined on the basis of precise knowledge of a mobile's size and position (e.g. to assess that an aircraft has effectively vacated a runway). A loss of precision or integrity may mean that these procedures can no longer be safely used if the loss is not detected.
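Footnote 32 expects future procedures, such as declaring a runway vacated, to rest on precise knowledge of a mobile's size and position, and warns that they become unsafe if a loss of precision or integrity goes undetected. The following Python is an added example, not from the EMMA project or any A-SMGCS product: a fail-safe "runway vacated" decision that grows the aircraft's footprint by the reported position uncertainty and withholds an answer (returns None) when no accuracy figure is reported or the figure is worse than the limit the procedure was designed around. The rectangle geometry, the 7.5 m accuracy limit, the circular footprint and the sample reports are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Strip:
    """Runway strip as an axis-aligned rectangle, metres, local frame."""
    x_min: float
    x_max: float
    y_min: float
    y_max: float


@dataclass(frozen=True)
class Report:
    """One surveillance report for one mobile (constructed schema)."""
    x: float                      # reported reference-point position
    y: float
    extent_m: float               # largest dimension (length or span) from flight data
    accuracy_m: Optional[float]   # reported 95% horizontal accuracy, None if absent


def distance_to_strip(x, y, strip):
    """Shortest distance from a point to the strip; 0.0 if the point is inside."""
    dx = max(strip.x_min - x, 0.0, x - strip.x_max)
    dy = max(strip.y_min - y, 0.0, y - strip.y_max)
    return (dx * dx + dy * dy) ** 0.5


def runway_vacated(report, strip, max_accuracy_m=7.5):
    """Return True if the whole aircraft is clear of the strip, False if it
    is not, and None if surveillance precision is unknown or degraded, so
    that the procedure built on this check is withheld rather than misused.
    The 7.5 m default is an assumed procedure limit, not a requirement
    taken from this document.
    """
    if report.accuracy_m is None or report.accuracy_m > max_accuracy_m:
        return None
    # Conservative footprint: a circle of radius extent/2 around the
    # reference point, grown by the reported position uncertainty.
    needed = report.extent_m / 2.0 + report.accuracy_m
    return distance_to_strip(report.x, report.y, strip) >= needed


# Constructed sample: a 3 km strip 60 m wide (not real aerodrome data).
RUNWAY = Strip(0.0, 3000.0, -30.0, 30.0)


def demo():
    """Decisions for four constructed reports of a 40 m aircraft."""
    return [
        runway_vacated(Report(1500.0, 100.0, 40.0, 5.0), RUNWAY),   # 70 m clear: True
        runway_vacated(Report(1500.0, 50.0, 40.0, 5.0), RUNWAY),    # tail may still be on the strip: False
        runway_vacated(Report(1500.0, 100.0, 40.0, None), RUNWAY),  # no accuracy figure: None
        runway_vacated(Report(1500.0, 100.0, 40.0, 20.0), RUNWAY),  # precision lost: None
    ]


if __name__ == "__main__":
    print(demo())
```

The point of the three-valued result is that a display or tool should present "unknown" as visibly as "not vacated": collapsing None into False keeps the runway blocked, but collapsing it into True is exactly the undetected misuse the HZ-10 to HZ-13 rows describe.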


HZ-11 | Level III | Misuse (of obsolete or corrupted surveillance data)

Hazard description: In visibility condition 3, owing to an undetected loss of surveillance precision or integrity, the controller continues to apply procedures (see footnote 32) to ensure separation that the degraded data no longer supports.

Hazard effects: Safety margins may be severely impaired.

Exposure and recovery:
- Duration: may persist for a substantial period of time.
- Number: medium traffic if the layout is basic, light traffic if the layout is simple; alternatively, heavy traffic if the layout is basic and the visibility condition is only 2.
- Announcement information: none.
- Contingency measures: none.
- Rate of development: sudden.

Severity: 3 (Major). Probability to lead to an accident (NATS' mapping): 0.1%.

Worst-case credible scenario supporting the severity assessment: Supposing two aircraft taxiing, one behind the other. EQUIPMENT FAILURE: undetected loss of precision and integrity. HAZARD: in visibility condition 3, the controller continues to use the equipment surveillance to separate the taxiing aircraft. The worst credible outcome is a strong reduction in separation. Note: this supposes that the current procedural-control rule, which only allows an aircraft to be cleared to a point up to which the complete route is free, is no longer applied.

HZ-12 | Level IV | Misuse

Hazard description: In visibility condition 3, owing to an undetected loss of surveillance precision or integrity, the controller continues to apply procedures (see footnote 32) to ensure tactical separation that the degraded data no longer supports.

Hazard effects: Safety margins may be severely impaired.

Exposure and recovery:
- Duration: may persist for a substantial period of time.
- Number: heavy traffic.
- Announcement information: none.
- Contingency measures: none.
- Rate of development: sudden.

Severity: 3 (Major). Probability to lead to an accident (NATS' mapping): 0.1%.

HZ-13 | Level V | Misuse

Hazard description: In visibility condition 4, owing to an undetected loss of surveillance precision or integrity, the controller continues to apply procedures (see footnote 32) to ensure tactical separation that the degraded data no longer supports.

Hazard effects: Safety margins may be severely impaired.

Exposure and recovery:
- Duration: may persist for a substantial period of time.
- Number: heavy traffic.
- Announcement information: none.
- Contingency measures: aircraft and vehicles are equipped with ADS-B in and continue to receive the positions and identification of other mobiles.
- Rate of development: sudden.

Severity: 4 (Minor). Probability to lead to an accident (NATS' mapping): 10^-3 %.

33, 34, 35 Same as footnote 32.

HZ-14 | Level III | Recovery (from an equipment flight data processing failure)

Hazard description: In visibility condition 3, the controller needs to recover from an equipment flight data failure by reverting to paper strips and the voice communications system (VCS).

Hazard effects: A short period during which flight plan data may not be available (the time to print and arrange the paper strips).

Exposure and recovery:
- Duration: may persist for a short period of time.
- Number: medium traffic if the layout is basic, light traffic if the layout is simple; alternatively, heavy traffic if the layout is basic and the visibility condition is only 2.
- Announcement information: none.
- Contingency measures: none.
- Rate of development: sudden.

Severity: 5 (No effect). Probability to lead to an accident (NATS' mapping): 0%.

Worst-case credible scenario supporting the severity assessment: Supposing a controller who is controlling and performing silent co-ordination using electronic strips. EQUIPMENT FAILURE: some flight data are obviously missing. HAZARD: in visibility condition 3, the controller has to request the printout of paper strips and arrange them. Use of paper strips has become exceptional (i.e. training sessions only), and some paper strips may need to be filled in by hand. The worst credible outcome is controller overload, due to visibility condition 3 combined with the recovery procedures, some co-ordination hiccups and a need to temporarily reduce traffic. NO SAFETY impact is expected.

HZ-15 | Level IV | Recovery

Hazard description: In visibility condition 3, the controller needs to recover from an equipment flight data failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.

Hazard effects: A short period during which flight plan data may not be available (the time to print and arrange the paper strips).

Exposure and recovery:
- Duration: may persist for a short period of time.
- Number: heavy traffic.
- Announcement information: none.
- Contingency measures: none.
- Rate of development: sudden.

Severity: 4 (Minor). Probability to lead to an accident (NATS' mapping): 10^-3 %.

HZ-16 | Level V | Recovery

Hazard description: In visibility condition 4, the controller needs to recover from an equipment flight data failure by reverting to paper strips. The controller may need to simultaneously reduce the traffic density and/or complexity.

Hazard effects: A short period during which flight data may not be available (the time to print and arrange the paper strips).

Exposure and recovery:
- Duration: may persist for a short period of time.
- Number: heavy traffic.
- Announcement information: none.
- Contingency measures: none.
- Rate of development: sudden.

Severity: 4 (Minor). Probability to lead to an accident (NATS' mapping): 10^-3 %.

HZ-17 | Level III | Misuse (of flight data)

Hazard description: In visibility condition 3, the controller does not detect the corruption of equipment flight data and continues to use this corrupted data to ensure verbal and manual routing.

Hazard effects: An aircraft may be cleared on a wrong route, which may result in an incursion into a restricted taxiway area (immediately detected) or a nose-to-nose conflict with another aircraft. Runway incursion is not considered (because guidance is manual and controller misuse is not credible).

Exposure and recovery:
- Duration: may persist for a substantial period of time.
- Number: medium traffic if the layout is basic, light traffic if the layout is simple; alternatively, heavy traffic if the layout is basic and the visibility condition is only 2.
- Announcement information: none.
- Contingency measures: surveillance and conflict detection are unaffected, and visibility is sufficient for a pilot to taxi.
- Rate of development: sudden.

Severity: 2 (Hazardous). Probability to lead to an accident (NATS' mapping): 1%.

Worst-case credible scenario supporting the severity assessment: Supposing an inbound aircraft with a wrong aircraft type in the flight data, e.g. MD-80 instead of B747. HAZARD: in visibility condition 3, the controller continues to use this corrupted data to ensure verbal and manual routing, and routes the aircraft through a taxiway that is forbidden to large-winged aircraft. The worst credible outcome is damage to both wings and to a building, possibly causing the death of people inside the building.

HZ-18 | Level IV | Misuse

Hazard description: In visibility condition 3, the controller does not detect the corruption of equipment flight data and continues to use this corrupted data to ensure routing and automated ground guidance.

Hazard effects: An aircraft may be cleared on a wrong route, which may result in a taxiway or runway incursion (immediately detected) or a nose-to-nose conflict with another aircraft.

Exposure and recovery:
- Duration: may persist for a substantial period of time.
- Number: heavy traffic.
- Announcement information: none.
- Contingency measures: surveillance and conflict detection are unaffected, and visibility is sufficient for a pilot to taxi.
- Rate of development: sudden.

Severity: 3 (Major). Probability to lead to an accident (NATS' mapping): 0.1%.

HZ-19 | Level V | Misuse

Hazard description: In visibility condition 4, the controller does not detect the corruption of equipment flight plan data and continues to use this corrupted data to ensure routing and automated on-board guidance.

Hazard effects: An aircraft may be cleared on a wrong route, which may result in a taxiway or runway incursion (immediately detected) or a nose-to-nose conflict with another aircraft.

Exposure and recovery:
- Duration: may persist for a substantial period of time.
- Number: heavy traffic.
- Announcement information: none.
- Contingency measures: ground and on-board surveillance and ground conflict detection are unaffected.
- Rate of development: sudden.

Severity: 3 (Major). Probability to lead to an accident (NATS' mapping): 0.1%.


HZ-20 | Level III | Misuse (of surveillance or flight data related to adjacent sectors)

Hazard description: In visibility condition 3, the controller does not detect the corruption of the equipment's co-ordination support (surveillance and/or flight data) and continues to use this corrupted data to ensure co-ordination.

Hazard effects: At the first serious co-ordination mishap, the controller has to manage an unexpected event when assuming or transferring a flight. The event is non-critical because hand-over is usually performed in non-critical conditions.

Exposure and recovery:
- Duration: may persist for a substantial period of time.
- Number: medium traffic if the layout is basic, light traffic if the layout is simple; alternatively, heavy traffic if the layout is basic and the visibility condition is only 2.
- Announcement information: none.
- Contingency measures: none.
- Rate of development: sudden.

Severity: 4 (Minor). Probability to lead to an accident (NATS' mapping): 10^-3 %.

Comments and recommendations: Flights that are being provided with an ATC service are transferred from one ATC unit to the next in a manner designed to ensure complete safety. To accomplish this, it is standard procedure that the passage of each flight across the boundary of the areas of responsibility of the two units is co-ordinated between them beforehand, and that control of the flight is transferred when it is at, or adjacent to, that boundary. For ground control, at operational level, the key interoperability topic is co-ordination between controllers in the tower and controllers of the APP/ACC centres. The controllers must have common situation awareness, and they must have the means (systems and procedures) to co-ordinate (see footnote 36) in order to hand over control of aircraft.

36 This interoperability is studied in the EMMA deliverable D121 (cf. [3]). The safety assessment will need to be co-ordinated with that of co-ordination between APP/ACC centres, and is out of the scope of this document. The severity assessment given here is a conservative proposal.


Functional Hazard Assessment and very Preliminary System Safety Assessment Report

Save Date: 2006-10-11 Public 221 of 241 File name: D139_FHAvPSSA_V1.0.doc Version 1.0

Severity indicators (columns of Table 5-14): Hazard ref. | A-SMGCS scenario implementation level (SIL) | Hazard typology | Hazard description (at system level) | Hazard effects at aerodrome ATC level (i.e. failure condition) | Exposure (duration, number of exposed) | Recovery (announcement information, availability of external contingency measures, rate of development) | Severity | Probability to lead to an accident (with NATS' mapping) | Comments and recommendations (related to items external to the system under assessment)

HZ-20 (continued). Worst-case credible scenario supporting the severity assessment: (see comment above)

HZ-21 | SIL IV | Misuse
Hazard description: In visibility conditions 3, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.
Hazard effects: At the 1st serious co-ordination mishap, the controller has to manage an unexpected event when assuming or transferring a flight. The event is non-critical because hand-over is usually performed in non-critical conditions.
Exposure:
- Duration: may persist for a substantial period of time.
- Number: one aircraft.
Recovery:
- Announcement information: none.
- Contingency measures: none.
- Rate of development: sudden.
Severity: 4 Minor
Probability to lead to an accident (NATS' mapping): 10^-3 %

HZ-22 | SIL V | Misuse
Hazard description: In visibility conditions 4, the controller does not detect the corruption of equipment co-ordination support (surveillance and/or flight plan data), and continues to use this corrupted data to ensure co-ordination.
Hazard effects: At the 1st serious co-ordination mishap, the controller has to manage an unexpected event when assuming or transferring a flight. The event is non-critical because hand-over is usually performed in non-critical conditions.
Exposure:
- Duration: may persist for a substantial period of time.
- Number: one aircraft.
Recovery:
- Announcement information: none.
- Contingency measures: none.
- Rate of development: sudden.
Severity: 4 Minor
Probability to lead to an accident (NATS' mapping): 10^-3 %

HZ-23 | SIL V | Recovery
Hazard description: Recovery in visibility conditions 4: the controller needs to recover from an equipment conformance monitoring failure by decreasing the number of aircraft moving simultaneously.
Hazard effects: If automation fails it is reasonable to anticipate that mental take-over will be less efficient, with a safety impact on on-going operations.
Exposure:
- Duration: may persist for a short period of time.
- Number: heavy traffic.
Recovery:
- Announcement information: system alert.
- Contingency measures: none.
- Rate of development: sudden.
Severity: 4 Minor
Probability to lead to an accident (NATS' mapping): 10^-3 %
Comments and recommendations: Severity might drop to "no effect" if conformance monitoring is provided on-board.


HZ-24 | SIL V | Misuse
Hazard description: Misuse of automation in visibility conditions 4: due to over-reliance on automation, the controller does not detect the corruption of equipment conformance monitoring, and continues to use this corrupted data to ensure that the traffic is conforming to instructions.
Exposure:
- Duration: may persist for a substantial period of time.
- Number: heavy traffic.
Recovery:
- Announcement information: none.
- Contingency measures: none.
- Rate of development: sudden.
Severity: 3 Major
Probability to lead to an accident (NATS' mapping): 0.1%
Comments and recommendations: Severity might drop to "no effect" if conformance monitoring is provided on-board.

HZ-25 | SIL All | Recovery
Hazard description: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time.
Hazard effects: If automation fails it is reasonable to anticipate that manual take-over will be less efficient, with a safety impact on on-going operations.
Exposure:
- Duration: may persist for a substantial period of time.
- Number: all aircraft (with respect to the level of implementation).
Recovery:
- Announcement information: system alert.
- Contingency measures: none.
- Rate of development: sudden.
Severity: 5 No effect
Probability to lead to an accident (NATS' mapping): 0%
Worst-case credible scenario supporting the severity assessment: NO IMPACT ON SAFETY.

HZ-26 | SIL All | Recovery
Hazard description: Recovery in the worst visibility condition (with respect to the level of implementation): the controller needs to compensate an equipment failure by increased cognitive processing.
Hazard effects: If automation fails it is reasonable to anticipate that mental take-over will be less efficient, with a safety impact on on-going operations.
Exposure:
- Duration: may persist for a substantial period of time.
- Number: all aircraft (with respect to the level of implementation).
Recovery:
- Announcement information: system alert.
- Contingency measures: none.
- Rate of development: sudden.
Severity: 5 No effect
Probability to lead to an accident (NATS' mapping): 0%
Worst-case credible scenario supporting the severity assessment: NO IMPACT ON SAFETY.


HZ-27 | SIL IV or V | Recovery
Hazard description: In visibility conditions 3 or worse, the supervisor re-sectorises and the controller has to move from one controller working position to another.
Exposure:
- Duration: may persist for a short period of time.
- Number: heavy.
Recovery:
- Announcement information: self-evident.
- Contingency measures: none.
- Rate of development: sudden.
Severity: 4 Minor
Probability to lead to an accident (NATS' mapping): 10^-3 %

Table 5-14: Severity allocation


Structure of the safety allocation table

The safety objectives are presented in a table that is composed of the following data:

- column 1, "A-SMGCS scenario implementation level": self-explicit;
- column 2, "share of the target level of safety (TLS) allocated to hazards originating from equipment failures": focusing on hazards originating from equipment failures represents one of the main weaknesses of this analysis; indeed, the A-SMGCS target level of safety (i.e. 1 x 10^-8 per operation) has to be divided between all hazards, not only the former; some part of the target level of safety should be set aside for other hazards; column 3 presents a possible share; as automation increases, the share of the TLS allocated to hazards originating from equipment failures increases whilst the share of the TLS allocated to hazards originating from people & procedure failures decreases;
- column 3, "share of the TLS allocated to hazards originating from people & procedure failures": the difference between 100% and column 2;
- column 4, "global safety objective per movement allocated to equipment": all hazards (including hazards originating from equipment failures) are identified at the boundary of the system; this means that people and procedures act as mitigation to reduce the probability of evolving from an equipment failure to a hazard; for a hazard to be raised, an equipment failure must occur and neither the people nor the procedures correctly mitigate it; procedures to detect equipment failures and to recover from them need to be safe, and the people need to be adequately trained to cope with such equipment failures; in other terms, part of the TLS allocated to hazards originating from equipment failures needs to be allocated to recovery procedures and to training; the proposal in column 4 is to use the "share of the target level of safety (TLS) allocated to hazards originating from equipment failures", as provided in column 2, to cover all these allocation and mitigation aspects; thus, for a level II A-SMGCS implementation, the global safety objective per movement allocated to equipment is 10^-8 x 15% = 1.5 x 10^-9;
- column 5, "hazards references": list of all the hazards likely to be raised for the given A-SMGCS scenario implementation level;
- column 6, "maximum hazard severity that can occur": the worst case;
- column 7, "equipment safety objective (per movement)": using the hypothesis of equiprobability of occurrence of hazards, this column provides the maximum probability at which a hazard (of the severity defined in column 6) may occur; thus, for a level II A-SMGCS scenario implementation, as there are only one hazardous and one minor hazard, totalling 0.0101 SCU (using the NATS mapping as explained in §1.7.5), the equipment safety objective (per movement) is equal to 1.5 x 10^-9 / 0.0101 ≈ 1.5 x 10^-7;
- columns 8 and 9 present the same data as column 7, but expressed in different units.

Another possible weakness of the analysis is linked to the disputable independence of hazards. Indeed, if the probability that a hazard is raised is linked to the probability that another hazard occurs, then the computations will be wrong. However, at this stage there is no known means to ensure the independence of the identified hazards, and the impact is assumed to be small.
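The column-by-column derivation above, carried through in code as an added worked example (not code from the EMMA project or this report): it applies the TLS share and the equiprobability hypothesis to the level II hazard list and reproduces columns 7 to 9 of Table 5-15 for that level. The Major, Minor and No-effect weights and the 10^-8 TLS are from the text; the Catastrophic (100%) and Hazardous (1%) weights, the annual movement count for Paris CDG, and the reading that HZ-05 is the hazardous hazard and HZ-01 the minor one are assumptions.

```python
"""Derivation of safety objectives per A-SMGCS scenario implementation level.

Added worked example of the column-by-column procedure above, not code from the
EMMA project or this report. Assumptions are flagged in comments.
"""
from dataclasses import dataclass
from typing import Dict

# "Probability to lead to an accident (with NATS' mapping)", as a fraction
# (1 SCU = one certain accident). Major (0.1 %), Minor (10^-3 %) and No effect
# (0 %) are quoted on the page; Catastrophic = 100 % and Hazardous = 1 % are
# assumptions consistent with "one hazardous and one minor hazard totalling
# 0.0101 SCU" for level II.
SEVERITY_WEIGHT_SCU: Dict[str, float] = {
    "Catastrophic": 1.0,  # assumption
    "Hazardous": 1e-2,    # assumption
    "Major": 1e-3,        # page: 0.1 %
    "Minor": 1e-5,        # page: 10^-3 %
    "No effect": 0.0,     # page: 0 %
}
A_SMGCS_TLS_PER_MOVEMENT = 1e-8  # page: "1 x 10^-8 per operation"
# Constructed placeholder for the annual movement count behind the "at Paris
# CDG every N years" column; not a figure stated on the page.
CDG_MOVEMENTS_PER_YEAR = 560_000
# Level II hazards as listed in Table 5-15. The text says one is hazardous and
# one minor; Table 5-16 gives HZ-05 the tighter objective, so HZ-05 is taken as
# the hazardous one (my reading of that table, not stated on the page).
SIL_II_HAZARDS: Dict[str, str] = {
    "HZ-01": "Minor", "HZ-05": "Hazardous",
    "HZ-10": "No effect", "HZ-25": "No effect", "HZ-26": "No effect",
}


@dataclass(frozen=True)
class SafetyObjective:
    global_objective: float     # column 4: TLS x equipment share
    total_scu: float            # sum of the severity weights of all hazards
    worst_severity: str         # column 6
    equipment_objective: float  # column 7: max probability per hazard
    movements_per_hazard: int   # column 8: one hazard every X movements
    years_at_airport: float     # column 9


def derive_safety_objective(equipment_share: float, hazards: Dict[str, str],
                            movements_per_year: int = CDG_MOVEMENTS_PER_YEAR,
                            tls: float = A_SMGCS_TLS_PER_MOVEMENT) -> SafetyObjective:
    """Apply the equiprobability hypothesis of column 7 to one SIL.

    `hazards` maps a hazard reference (e.g. "HZ-05") to its severity class.
    """
    if not 0.0 <= equipment_share <= 1.0:
        raise ValueError("equipment_share must be a fraction in [0, 1]")
    unknown = set(hazards.values()) - set(SEVERITY_WEIGHT_SCU)
    if unknown:
        raise ValueError(f"unknown severity class(es): {sorted(unknown)}")
    global_objective = tls * equipment_share
    total_scu = sum(SEVERITY_WEIGHT_SCU[s] for s in hazards.values())
    if total_scu == 0.0:  # level I case: nothing with a safety effect
        raise ValueError("no hazard with a safety effect; not applicable")
    # Every hazard occurs with the same probability p, so the accumulated
    # accident risk p * sum(weights) must stay within the global objective.
    p = global_objective / total_scu
    worst = max(hazards.values(), key=SEVERITY_WEIGHT_SCU.__getitem__)
    movements = round(1.0 / p)
    return SafetyObjective(global_objective, total_scu, worst, p,
                           movements, movements / movements_per_year)


def per_hazard_objective(global_objective: float, severity: str) -> float:
    """Objective for one hazard that alone consumes the global objective.

    Reproduces the Table 5-16 figures (1.50 E-07 for HZ-05, 1.50 E-04 for
    HZ-01); the page does not spell this step out, so treat it as my reading.
    """
    weight = SEVERITY_WEIGHT_SCU[severity]
    if weight == 0.0:
        raise ValueError(f"{severity}: no safety effect, no objective")
    return global_objective / weight


def format_row(level: str, equipment_share: float, so: SafetyObjective) -> str:
    """One line in the shape of Table 5-15 (columns 1-4 and 6-9)."""
    return " | ".join([level, f"{equipment_share:.0%}",
                       f"{1.0 - equipment_share:.0%}",
                       f"{so.global_objective:.2E}", so.worst_severity,
                       f"{so.equipment_objective:.2E}",
                       f"{so.movements_per_hazard:,}",
                       f"{so.years_at_airport:.0f} years"])


if __name__ == "__main__":
    # Level II: 10^-8 x 15 % = 1.5 x 10^-9, / 0.01001 ~ 1.50 x 10^-7, i.e. one
    # hazard every ~6.67 million movements (~12 years at the assumed traffic).
    sil2 = derive_safety_objective(0.15, SIL_II_HAZARDS)
    print(format_row("II", 0.15, sil2))
    for ref in ("HZ-01", "HZ-05"):
        print(ref, f"{per_hazard_objective(sil2.global_objective, SIL_II_HAZARDS[ref]):.2E}")
```

Note that the text's formula gives 1.5 x 10^-9 for column 4 at level II, which is what the 1.50E-07 and 6 673 333 figures in that row of Table 5-15 follow from, even though the row itself prints 1.35E-09.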


Columns: A-SMGCS scenario implementation level | Share of the target level of safety (TLS) allocated to hazards originating from equipment failures | Share of the TLS allocated to hazards originating from people & procedure failures | Global safety objective per movement allocated to equipment | Hazards ref. | Maximum hazard severity that can occur | Equipment safety objective (per movement) for worst hazard | i.e. one equipment failure leading to a hazard every X movements | i.e. one equipment failure leading to a hazard at Paris CDG every N years

I | 0% | 100% | Not applicable (no A-SMGCS equipment) | Not identified. | n/a | n/a | n/a | n/a
II | 15% | 85% | 1.35E-09 | HZ-01, HZ-05, HZ-10, HZ-25, HZ-26 | Hazardous | 1.50E-07 | 6 673 333 | 12 years
III | 35% | 65% | 3.5E-09 | HZ-02, HZ-06, HZ-11, HZ-14, HZ-17, HZ-20, HZ-25, HZ-26 | Catastrophic | 3.43E-09 | 291 717 143 | 521 years
IV | 45% | 55% | 4.5E-09 | HZ-03, HZ-07, HZ-12, HZ-15, HZ-18, HZ-21, HZ-25, HZ-26, HZ-27 | Catastrophic | 4.49E-09 | 222 895 556 | 398 years
V | 55% | 45% | 5.5E-09 | HZ-04, HZ-08, HZ-09, HZ-13, HZ-16, HZ-19, HZ-22, HZ-23, HZ-24, HZ-25, HZ-26, HZ-27 | Hazardous | 4.21E-07 | 2 372 727 | 4 years

Table 5-15: Derivation of safety objectives per A-SMGCS scenario implementation level


Assessing the results

At this stage, it is interesting to compare our results with the results obtained by EUROCONTROL in [27], even though the scope is not exactly the same. As mentioned previously, the scenario implementation level (SIL) II is the closest scenario to the one considered in the EUROCONTROL A-SMGCS safety case. At this level, five hazards have been identified, of which only two have safety effects. The EMMA SIL II hazards and safety objectives are recalled in Table 5-16.

EMMA (most) equivalent hazard ref. | EMMA (most) equivalent hazard description | EMMA SO (per movement)
HZ-01 | Recovery (from a total or partial equipment surveillance failure, e.g. loss of primary sensor, loss of time synchronisation, loss of labelling, etc.) | 1.50 E-04
HZ-05 | Misuse (of highly corrupted surveillance data) | 1.50 E-07
HZ-10 | Misuse (of slightly corrupted surveillance data, e.g. accuracy issue) | None: no safety effects
HZ-25 | Recovery: the controller needs to compensate an equipment failure by manual inputs, creating a workload increase and more head-down time. | None: no safety effects
HZ-26 | Recovery: the controller needs to compensate an equipment failure by an increased cognitive processing. | None: no safety effects

Table 5-16: Summary of hazards and their associated safety objectives for SIL II

In [27], the total credible failures with safety consequences and their severity classification are illustrated in Table 5-17. These are grouped into a set of common hazards (labelled H01 through H10).

Eurocontrol safety case hazard ref. | Eurocontrol safety case hazard description | Eurocontrol safety case safety objective (per movement)
H01 | Total loss of A-SMGCS | 2.96 E-05
H02 | Loss of the position function for one aircraft | 2.82 E-03
H03 | Loss of the position function impacting multiple aircraft | 1.51 E-05
H04 | Corruption of the position function for one aircraft | 1.54 E-03
H05 | Corruption of the position function impacting multiple aircraft | 1.83 E-03
H06 | Total loss of the identification function | 1.83 E-03
H07 | Loss of the identification function impacting multiple aircraft | 1.83 E-03
H08 | Corruption of the identification function for one aircraft | 7.90 E-05
H09 | Corruption of the identification function impacting multiple aircraft | 5.52 E-04
H10 | Corruption of the conflict prediction function | 1.67 E-04

Table 5-17: Summary of credible failures for each hazard and their associated safety objective as extracted from the EUROCONTROL A-SMGCS safety case [27]

The mapping of the Eurocontrol A-SMGCS safety case hazards to the EMMA hazards is not straightforward, so the results are difficult to compare. Let us just point out that EMMA really highlights the issue of undetected failures (whatever the function – position or identification) with a very stringent safety objective on misuse. The logic behind this is the assumption that the controller(s) can revert to aerodrome ATC using a "safe" SMGCS if the A-SMGCS is detected as failed. Therefore the main risk of A-SMGCS is misusing corrupted A-SMGCS data, whatever the data. Failures must be detected.


Appendix G - 1st workshop questionnaire, analysis and lessons learnt

Ref. number: D1.3.9


Presentation of the questionnaire

During the workshop, the audience was given, by surprise, a questionnaire pre-formatted as "Table 5-14: Severity allocation" of appendix F. Each table on each of the 4 sheets of paper (one per A-SMGCS implementation level) had 3 lines in order to allow for 3 hazards to be filled in per A-SMGCS implementation level. The audience was asked to stick, if possible, to the hazard typology (misuse, recovery, abuse), to assign the severity, to choose the most severe hazards they could think of, and to think about effects, exposure, recovery means, etc. Due to time constraints on the workshop, the audience was given only 15 minutes. The results of the questionnaire are provided in Table 5-18.

Objective outcomes

Six controllers, safety and/or A-SMGCS experts participated. Twenty-three hazards were collected, all but one dealing with the ground part of the A-SMGCS. None of the experts had time to fill in the 12 expected hazards. Only one participant filled in hazards for A-SMGCS implementation levels IV and V. The number of hazards filled in per participant ranged from 2 to 6. The hazard typology (i.e. misuse, recovery, abuse) was used by all but one participant (3 hazards). One participant did not provide the severity of any of his identified hazards. Three other participants left one of their hazards without a severity allocation. Thus, five hazards have not been ranked on the severity scale.


Severity indicators (columns of Table 5-18): Hazard ref. | A-SMGCS implementation level | Hazard typology (misuse, recovery, or abuse) | Hazard description (at system level) | Hazard effects at aerodrome ATC level (i.e. failure condition) | Exposure (duration, number of exposed) | Recovery (annunciation information, availability of external contingency measures, rate of development) | Severity (1 to 5) | Comments and recommendations (related to items external to the system under assessment)

Fields the participant left empty are shown as "(left blank)".

HZ-28 | SIL II | visibility 2
Hazard description / effects: Loss of MLAT information. Position is determined using SMR. Loss of automatic identification.
Exposure:
- Duration: long
- Number of exposed: >1
Recovery:
- Annunciation information: yes
- Contingency measures: use of manual labelling when possible
- Rate of development: suddenly
Severity: 5

HZ-29 | SIL II | visibility 2
Hazard description: Loss of surveillance data (SMR+MLAT)
Exposure:
- Duration: long
- Number of exposed: >1
Recovery:
- Annunciation information: yes
- Contingency measures: The controllers rely on procedural control and pilots' positioning data.
- Rate of development: (left blank)
Severity: 4

HZ-30 | SIL II | visibility 2
Hazard description: Loss of surveillance data (SMR+MLAT)
Exposure:
- Duration: long
- Number of exposed: >1
Recovery:
- Annunciation information: (left blank)
- Contingency measures: (left blank)
- Rate of development: Slow
Severity: 4

HZ-31 | SIL II | Misuse
Hazard description: Controllers get misleading aircraft position via automated surveillance without knowing it is wrong.
Hazard effects: ATCO fooled by the error.
Exposure:
- Duration: (left blank)
- Number of exposed: one aircraft but many possible
Recovery:
- Annunciation information: not detected
- Contingency measures: Cross-check using radar data & visual
- Rate of development: (left blank)
Severity: 4 Minor

HZ-32 | SIL II | Abuse
Hazard description: ATC will use a system for surveillance during LVC 2+
Exposure:
- Duration: (left blank)
- Number of exposed: 10
Recovery:
- Annunciation information: (left blank)
- Contingency measures: (left blank)
- Rate of development: (left blank)
Severity: 2


HZ-33 | SIL II | Misuse
Hazard description: The use of the system by ATC after the system loss (undetected)
Hazard effects: Situational awareness impaired
Exposure:
- Duration: (left blank)
- Number of exposed: (left blank)
Recovery:
- Annunciation information: (left blank)
- Contingency measures: (left blank)
- Rate of development: (left blank)
Severity: 1

HZ-34 | SIL II | Recovery
Hazard description: Unidentified false alert stage 2
Hazard effects: Possible go-around or aborted take-off
Exposure:
- Duration: short
- Number of exposed: 2 or more
Recovery:
- Annunciation information: (left blank)
- Contingency measures: (left blank)
- Rate of development: (left blank)
Severity: (left blank)
Comments: Severity depends on visibility – can ATCO check the situation looking out of the window?

HZ-35 | SIL II | Corrupt (Misuse)
Hazard description: Aircraft displayed on controller's HMI as off RWY when actually not
Hazard effects: Controller may issue take off / landing clearance when aircraft still on RWY
Exposure:
- Duration: Short
- Number of exposed: 1
Recovery:
- Annunciation information: None
- Contingency measures: (left blank)
- Rate of development: Sudden
Severity: 1


HZ-36 | SIL II | Misuse
Hazard description: Labels between two aircraft swapping
Hazard effects: Controller giving instruction to "wrong" aircraft
Exposure:
- Duration: (left blank)
- Number of exposed: 2
Recovery:
- Annunciation information: (left blank)
- Contingency measures: (left blank)
- Rate of development: Sudden
Severity: 2

HZ-37 | SIL II | Recovery
Hazard description: Unidentified call sign-code correlation error
Hazard effects: Possible accident due to loss of situational awareness
Exposure:
- Duration: (left blank)
- Number of exposed: ?
Recovery:
- Annunciation information: (left blank)
- Contingency measures: (left blank)
- Rate of development: (left blank)
Severity: (left blank)
Comments: Severity depends on visibility conditions

HZ-38 | SIL II | m
Hazard description: Label swapping with vis 2
Hazard effects: Taxi conflicts; Rwy incursion
Exposure:
- Duration: >5sec
- Number of exposed: high
Recovery:
- Annunciation information: (left blank)
- Contingency measures: Label drops after 5 sec of no update; No manual labelling
- Rate of development: (left blank)
Severity: 3

HZ-39 | SIL II | m
Hazard description: False alert with vis 2
Hazard effects: Misinterpretation of true alerts as false alerts -> rwy incursion
Exposure:
- Duration: more than 2 per hour
- Number of exposed: high
Recovery:
- Annunciation information: (left blank)
- Contingency measures: (left blank)
- Rate of development: slowly
Severity: 4

HZ-40 | SIL II | m
Hazard description: Missed alert with vis 2 (by target loss -> surveillance failure)
Exposure:
- Duration: (left blank)
- Number of exposed: (left blank)
Recovery:
- Annunciation information: (left blank)
- Contingency measures: (left blank)
- Rate of development: (left blank)
Severity: (left blank)


HZ-41 | SIL III | Misuse
Hazard description: ATC will continue to use equipment for surveillance after a system loss (undetected)
Hazard effects: Situational awareness strongly impaired
Exposure:
- Duration: (left blank)
- Number of exposed: 10
Recovery:
- Annunciation information: (left blank)
- Contingency measures: (left blank)
- Rate of development: (left blank)
Severity: 1

HZ-42 | SIL III | Misuse
Hazard description: Wrong routing calculation provided by the system without being detected by anybody.
Hazard effects: Wrong route taken by the aircraft with potential conflict
Exposure:
- Duration: (left blank)
- Number of exposed: Potentially many aircraft affected
Recovery:
- Annunciation information: not detected
- Contingency measures: (left blank)
- Rate of development: (left blank)
Severity: 3 Major

HZ-43 | SIL III | Abuse
Hazard description: ATC will use a system for surveillance during LVC
Exposure:
- Duration: (left blank)
- Number of exposed: (left blank)
Recovery:
- Annunciation information: (left blank)
- Contingency measures: (left blank)
- Rate of development: (left blank)
Severity: (left blank)


HZ-44 | SIL III | Recovery
Hazard description: Equipment failure over-load head-down
Exposure:
- Duration: 1-10 min
- Number of exposed: 10+
Recovery:
- Annunciation information: (left blank)
- Contingency measures: (left blank)
- Rate of development: (left blank)
Severity: 3

HZ-45 | SIL III | Misuse (over-reliance on system)
Hazard description: Loss of system in a situation when recovery procedures still increase risk unacceptability; valid for all further levels
Exposure:
- Duration: (left blank)
- Number of exposed: (left blank)
Recovery:
- Annunciation information: (left blank)
- Contingency measures: (left blank)
- Rate of development: (left blank)
Severity: (left blank)

HZ-46 | SIL III | m
Hazard description: Target at wrong position
Exposure:
- Duration: > 2s
- Number of exposed: low
Recovery:
- Annunciation information: (left blank)
- Contingency measures: no idea
- Rate of development: (left blank)
Severity: 1


HZ-47 | SIL III | R
Hazard description: Loss of all EFS
Exposure:
- Duration: > 1 min
- Number of exposed: high
Recovery:
- Annunciation information: (left blank)
- Contingency measures: Redundant EFS display that freezes the last setting
- Rate of development: (left blank)
Severity: 3

HZ-48 | SIL III | m
Hazard description: Wrong EFS information
Exposure:
- Duration: (left blank)
- Number of exposed: (left blank)
Recovery:
- Annunciation information: (left blank)
- Contingency measures: (left blank)
- Rate of development: (left blank)
Severity: 3


HZ-49 | SIL IV | Misuse
Hazard description: Misleading ground guidance to aircraft remaining undetected
Hazard effects: Aircraft deviation from ground path or wrong way
Exposure:
- Duration: (left blank)
- Number of exposed: Potentially on many aircraft
Recovery:
- Annunciation information: not detected
- Contingency measures: consistency check with on-board Moving Map
- Rate of development: (left blank)
Severity: 4 Minor

HZ-50 | SIL V | Misuse
Hazard description: Misleading on-board guidance data remaining undetected
Hazard effects: Deviation from ground path
Exposure:
- Duration: (left blank)
- Number of exposed: one aircraft
Recovery:
- Annunciation information: not detected
- Contingency measures: EVS or ATCO monitoring
- Rate of development: (left blank)
Severity: 3 Major

Table 5-18: Workshop questionnaire result


Appendix H - 2nd workshop short report

Ref. number: D1.3.9


The 2nd workshop has held on 24 June 2005 at the Prague, ANS training centre. The participants were Cenek Novotny, Daniel Gaspar, Filip Prahl, Lubomir Kozav and Richard Pichl from ANS-CR, Raimund Weidemann from the DFS, Nicolas Marcou and Pascale Henry-Ducos from DSNA, Maria Grazia Bechere from ENAV, Jean-Pierre Lesueur from EUROCONTROL and Stéphane Paul from TATM. After a short round table, Stéphane Paul: x explained the objectives of the meeting; x defined the notion of hazard, its causes (fault modes) and effects (severity), as well as the notion of scenario

implementation levels (SIL). The rest of the meeting was spent discussing all the hazards related to SIL I and II, trying to describe the worst credible outcomes of the hazards. All the results are provided in the final release of the FHA, starting from release 0.30.

For information, the curricula vitae of four of the participants of the 2nd workshop are provided below. Please note that the presence of these curricula vitae does not mean that these persons endorse the results of this report.

Richard PICHL, Ph.D.
1996 PhD in geophysics and volcanic hazard (Charles University, Prague)
1997-98 Airborne geophysical survey (World Geoscience Corp.)
1999-2003 ATC (ACC, APP/TWR Prague - ANS of the CR)
2003- Aviation hazard analysis with a focus on the Prague airport and the TMA Praha; a member of the RWY Safety team as well as the RWY capacity team (ANS of the CR)

Pascale HENRY-DUCOS
French Air Traffic Controller
1982-83 ATC training at the French Civil Aviation Academy (ENAC)
1983 Aerodrome Qualification
1984 Approach Qualification
1989 ATC manager in Toussus le Noble
1994 Fully qualified radar, approach and aerodrome controller
1997 Control Instructor, Tower Control Simulator Instructor
1983-1991 Toussus le Noble airport
1991-2001 Roissy Charles de Gaulle airport
2001 Operational expert in charge of validation experiments, Human Machine Interface studies, A-SMGCS specialist, representing DSNA in the EUROCONTROL "A-SMGCS Procedures" Working Group
2001-05 R&D Experimental Centre - DSNA/DTI/SDER - Paris
Former private pilot licence for aircraft (C152-C172-TB20-TB21) and helicopter (Hughes 300, Alouette 2)

Maria Grazia BECHERE
Aeronautical Technical School of Rome
Former Private Pilot
1996- Air Traffic Controller at ENAV, the Italian Agency for Air Navigation Services, qualified as Tower and Radar Approach
Present position: in force at the Airport Department at the Head Office in Rome
Seven years as active controller at Genoa airport
Internal expert for operations and procedures during low visibility conditions
Member of the "A-SMGCS Procedure Group" within EUROCONTROL


Member for ENAV of the EC project "EMMA"

Jean-Pierre LESUEUR
A-SMGCS Expert, EUROCONTROL DAP/APT
1968-74: Cadet ATCO at the French academy (ENAC Toulouse); transfer to Basle airport (LFSB) as APP/TWR Controller; Niamey airport/ACC (DRRN); Paris Le Bourget Airport (LFPB); Paris Charles De Gaulle Airport (LFPG)
1974-97 Part-time detachment to Thomson Coop. (EU Tacis II Project in Russia), UTA Airline Training Centre (OPS agents training) and Institut Français de la Sécurité aérienne (IFSA): courses on CNS-ATM, safety on the manoeuvring area and airport crash rescue plan
Vice-president of the French ATC guild (1986-97)
Member of the IFATCA Standing Technical Committee (90-97), IFATCA representative to the Airport Air Traffic System Interface (APATSI) project board and steering group on new ATC procedures (1993-97)
1974-99: ATCO, Supervisor, Instructor; in charge of the training organisation of the tower side of the ATS; member of many Working Groups, notably the SALADIN (SMGCS) and AVISO (A-SMGCS) projects for ADP
1999 Paris, Air Navigation Direction, Deputy Head of the Air Traffic Control Division (DNA 2C)
2003 Contractor to ADV Systems Europe responding to a EUROCONTROL TRS as operational support to the Head of Airport Program, mainly for A-SMGCS.


(End of document)