Assessment of changes to functional systems in ATM/ANS and ... · 26th May 2015 Entry Point North...
Transcript of Assessment of changes to functional systems in ATM/ANS and ... · 26th May 2015 Entry Point North...
126th May 2015 Entry Point North Seminar – Malmo
Assessment of changes to functional systems in ATM/ANS and the oversight thereof
Jose L Garcia-Chico GomezATM/ANS Regulations Officer
FS4.2 ATM/ANS [email protected]
Flight Standards Directorate, EASA
Entry Point North Seminar: The changing landscape of ATM Safety Malmo, 26th -27th May 2015
226th May 2015 Entry Point North Seminar – Malmo
Background
Functional system
Underpinning Principles
Safety & Safety Support Assurance
Multiactor changes
Proxies
326th May 2015 Entry Point North Seminar – Malmo
Evolution from current regulations EU 1034/2011 and 1035/2011
Less process-based support and extend current practicesReduce subjectivityAdd flexibility: alternatives to risk assessmentnot all service providers to perform safety assessments
What the new regulation introduces…
426th May 2015 Entry Point North Seminar – Malmo
Where in the future ATM/ANS rule structure? Provisions distributed in several Aneexes
Annex IDefinitions
Annex VIPart-AIS
Annex IIIPart-OR
Annex IIPart-AR
Annex IVPart-ATS
Annex VPart-MET
Annex VIIIPart-CNS
Annex VIIPart-DAT
Regulation ATM/ANS
Annex XIPart-ASD
Annex XIIPart-NM
Annex IXPart-ATFM
Annex XPart-ASM
Annex XIIIPart-PER
Part-AR: Authority requirements
Part-OR: Organisation requirements
Part-ATS: Air Traffic Services
Part-MET: Meteorological services
Part-AIS: Aeronautical Information Services
Part-DAT: Data providers
Part-CNS: Communication, Navigation, Surveillance
Part-ATFM: Air Traffic Flow Management
Part-ASM: Airspace Management
Part-ASD: Airspace Design
Part-NM: Network Manager
Part-PER: Personnel requirements
General requirements
Specific service requirements
526th May 2015 Entry Point North Seminar – Malmo
Timeline for ‘assessment of changes’
01/06/2014 31/12/2015Jul 14 Oct 14 Jan 15 Apr 15 Jul 15 Oct 15
Today24 Jun. 14NPA2014-13
(Assessment of Changes to Functional system)
Jan 15SSC 55
(Presentation)
16 Dec. 14Opinion 03-2014
(with CRD to NPA2014-13)May 15
Draft AMC/GM
Mar 15SSC 56
(SSC workshop results)
Jun 15SSC 57
(Agreed)
Dec 15NPA2
(Update AMC/GM)
Oct 15SSC 57(Vote)
2016EC Adoption
626th May 2015 Entry Point North Seminar – Malmo
Background
Functional system
Underpinning Principles
Safety & Safety Support Assurance
Multiactor changes
Proxies
726th May 2015 Entry Point North Seminar – Malmo
Scope: what services are addressed?
alerting service
air traffic advisory service
air traffic control services•- area control service•- approach control service•- aerodrome control service
air traffic servicesATS
flight information services
communication services
navigation services
surveillance services
CNS
meteorological servicesMET
aeronautical information servicesAIS
ANSair navigation services
airspace management
air traffic flow management
ATM
ATC
ATFM
ASM
air traffic management
DATNavigation data providers
Other ATM network functionsNetworkFunction
826th May 2015 Entry Point North Seminar – Malmo
Planned changes to functional system
What is a functional system?
A combination of equipment (SW and HW), procedures and human resources organised to perform a function within the context of ATM/ANS and other ATM network functions
926th May 2015 Entry Point North Seminar – Malmo
Two types of changes
Unplanned change*: due to people adapting their behaviour to suit the operational circumstances e.g.:
seeking improvements - self motivated changing their goals/motives, adapting to unforeseen circumstances:
wrongly designed technical systems or services changes in the operational context
Planned change: Somebody notices that a change is needed and gets permission for the organisation to make a change
(*) These should be identified by monitoring the functional system and corrected where necessary…through planned changes
1026th May 2015 Entry Point North Seminar – Malmo
Examples of changes
Examples:Airspace changes-reorganisation;Changed or introduction of communication, navigation, or surveillance system;Changes or new approach procedure;Introduction of automation to replace/assist human actions;New automatic meteorological information;Introduction of time-based separation; Etc…
1126th May 2015 Entry Point North Seminar – Malmo
Background
Functional system
Underpinning Principles
Safety & Safety Support Assurance
Multiactor changes
Proxies
1226th May 2015 Entry Point North Seminar – Malmo
Principles: ATM/ANS providers (I)
The ATM/ANS provider should be aware when a change to the operational (functional) system is necessary and it should make the change in a timely manner (Change Drivers – proactive change)
No change should be made unless it can be shown that the ATS will be acceptably safe, via a valid assurance case, prior to its implementation.
The CA is notified of the intention to make a change. Notification should give the CA sufficient time to review it.
Where a CA review is to be performed, it has to be approved by the CA, before implementation. (Notification involved – simpler for routine changes)
Even if the CA doesn’t review the change the provider must ensure that a valid assurance case exists before the change is implemented.
1326th May 2015 Entry Point North Seminar – Malmo
Changes by ATS providers require safety assessment and assurance to show they are acceptably safe. Changes by other service providers require safety support assessment and assurance to show they are acceptably trustworthy (safety assurance/safety support assurance)
Changes often involve change by many independent stakeholders, these should be managed as though they were a single change ( Coordination of multi-actor changes)
The provider must monitor the behaviour of the system using monitoring criteria included in the assurance case and, where necessary, introduce new changes. (Change Drivers – monitoring)
Principles: ATM/ANS providers (II)
1426th May 2015 Entry Point North Seminar – Malmo
The acceptable level of safety for the change must be decided and declared by the service provider in terms of safety risk or other measures related to safety risks.
(Proxies, recognised standards/practices)
Safety criteria should be based on the notion that the operational (functional) system should
support the improvement of safety whenever reasonably practicable;be at least as safe after the change as it was before; or the loss on safety is
Temporal: to be offset in the futurePermanent: other beneficial consequences
(Objective for safety)
Principles: ATM/ANS providers (III)
1526th May 2015 Entry Point North Seminar – Malmo
The CA, when notified of the intention to make a change, seeks the data on which the decision, whether to review the change or not, will be based
The CA decides whether to review the change or not The decision should use objective risk based criteria (Risk posed by the change)The rigour of the review (its breadth and depth) should be proportional to risk(Risk associated with the change)*.
Changes involving several providers may also involve several CAs. These CAs need to cooperate in reviewing the change (multi-actor change)
Principles: competent authorities
(*) Not present in the rule at the moment.
1626th May 2015 Entry Point North Seminar – Malmo
Background
Functional system
Underpinning Principles
Safety & Safety Support Assurance
Multiactor changes
Proxies
1726th May 2015 Entry Point North Seminar – Malmo
The view of safety* - 1
ATS providers can: communicate with Aircraft provide traffic information understand the intent of
traffic provide separation
They: can intervene if they see an unsafe situation developing have a “view” of safety
*Safety related to aircraft separation
1826th May 2015 Entry Point North Seminar – Malmo
The view of safety - 2
ATM/ANS providers other thanATS providers are unable to: communicate with Aircraft provide traffic information understand the intent of traffic provide separation
They only have partial knowledge can not intervene when an unsafe situation develops do not have a “view” of safety
1926th May 2015 Entry Point North Seminar – Malmo
ATS Providers
Safety Assessment
ATM/ANS provider (other than ATS)
Safety Support
Assessment
Demonstrate the trustworthiness of the specification(Safety Support Assurance Case)
demonstrate, via safety criteria, that the change to ATS service is acceptable safe(Safety Assurance Case)
Safety assessment & Safety support assessment: The need and the focus
All service providers need to assess changes they make to their functional system, but…
Risk Analysis
Safety Risk Levels
Use of proxies
Severity x probability
e.g., head-down time at TWR
BehaviouralAnalysis
e.g., integrity, accuracy of navigation signal in space
2026th May 2015 Entry Point North Seminar – Malmo
The service is accessed and used by a conforming a/c as
part of an ATS
The service is delivered into an airspace. It may not be delivered
to a particular user.
Safety Assurance & Safety Support Assurance:an example of interaction
Separation ServiceATSP
Service Specification
Safety SupportCase
SafetyCase
2226th May 2015 Entry Point North Seminar – Malmo
Background
Functional system
Underpinning Principles
Safety & Safety Support Assurance
Multiactor changes
Proxies
2326th May 2015 Entry Point North Seminar – Malmo
Multiactor changes (notion) 1
TextSeparationService
Text
TextOperational(functional)
SystemRules &
Procedures
Air Traffic Service Provider
Serv
ice
Text
OperationalContext
OperationalContext
Service
OperationalContext
Text
TextOperational(functional)
SystemRules &
Procedures
Navigation Data Provider
Serv
iceOperational
Context
OperationalContext
Text
Operational(functional)
SystemRules &
Procedures
Navigation Provider
Serv
ice
OperationalContext
OperationalContext
Nav ServiceDat Service
Regulated service
Unregulated serviceIndependent organisations
2426th May 2015 Entry Point North Seminar – Malmo
Multiactor changes (notion) 2
2526th May 2015 Entry Point North Seminar – Malmo
Description seems straight forward, but is it really?
Any change to the functional system of an ATM/ANS provider affecting other ATM/ANS providers and/or aviation undertakings
2626th May 2015 Entry Point North Seminar – Malmo
The need for specific provisions dealing with changes affecting multiple actors is real
Account for cascade effects of changes to third parties…and feedback effects
ATM system is a complex and interconnected system Multiple interdependencies
Different “view” of safety of ATM/ANS providers
2726th May 2015 Entry Point North Seminar – Malmo
When a change affects other stakeholders: dependencies & interdependencies
A change may modify:Service (e.g., reduction of separation)Operational environment (e.g., airspace structure)
Other ATM/ANS or aviation undertaking may be affected: (as end user)
Use the affected serviceOperate in the affected environment
(if they deliver service to others)Deliver a service making use of the affected serviceDeliver a service in the affected environment
2826th May 2015 Entry Point North Seminar – Malmo
The ATM/ANS provider proposing a change affecting multiple actors…
①
② Coordinate activities with other affected ATM/ANS providers to:
a. Identify all dependencies b. Identify assumptions and mitigations that relate to multiple
actors
Use only aligned and agreed assumptions and common mitigationsor alternatively:
a. use an additional body of evidence,b. engage a representative body of av. undertakings,
Notify all affected stakeholders to the CA
③
2926th May 2015 Entry Point North Seminar – Malmo
Competent authorities coordinating in MAC
①
②
Use the process to establish coordination arrangements with other CAs
Ultimate aim is to ensure effective selection and review of related changes
CAs will decide the best way to ensure itWithin FABs, suitable coordination may be based on current FAB arrangements
Only when the service providers are not under the oversight of a single CA
3026th May 2015 Entry Point North Seminar – Malmo
Background
Functional system
Underpinning Principles
Safety & Safety Support Assurance
Multiactor changes
Proxies
3126th May 2015 Entry Point North Seminar – Malmo
Flexibility introduced about “HOW”
Safety criteria: specific and verifiable criteria used for the safety acceptability of a change
explicit quantitative acceptable safety risk levels; orProxies; orrecognised standards and/or codes of practice; orthe safety performance of the existing system or a similar system elsewhere
3226th May 2015 Entry Point North Seminar – Malmo
Proxies used as a surrogate of safety risk
A measurable property that relates to safety risk, but is more accessible than safety riskPROXY:
① Justifiable casual relationship exists between the proxy and the safety risk
Sufficiently isolated from other proxies ②
Measurable to an adequate degree of certainty③
Examples of proxies: head-down time, workload , error rate, false alert rates, service continuity
3326th May 2015 Entry Point North Seminar – Malmo
Why the use proxies?
to facilitate the focus on the analysis and mitigations of the identified hazards: positive effects of changes
to save resources when extra effort to identify, describe, and analyse the complete sequence of events from hazards to accidents has no added value
to compensate for the lack of evidence on the probability of some events
to facilitate the recognition of safety issues by operational staffFacilitating communication and buy-in of changes
3426th May 2015 Entry Point North Seminar – Malmo
Take away messages
Evolution of current rules (less process-based)
Safety assessment vs Safety support assessment
Multiactor changes
Alternatives to use explicit risk metric
3526th May 2015 Entry Point North Seminar – Malmo
Questions?