Presented to: EUROCONTROL Safety R&D Seminar

By: Dino Piccione

Date: October 23, 2008

Federal AviationAdministration

Safety & Human Factors Analysis of a Wake Vortex Mitigation Display System

2Federal AviationAdministration

Project Objectives

• Forge a link between Human Factors and Safety activities in FAA system acquisition

• Test the HESRA tool on a system still in the concept phase

• Participate in the development of the human error portion of the safety package for SMS

• Provide a feed-forward to the Human Factors practitioners for detailed system design– Use a Human System Integration approach

3Federal AviationAdministration

The basis for HESRAHuman Error and Safety Risk Analysis

• Proactive human error analysis

• Based on engineering model (FMEA)

• Looking at human errors rather than component failures

• Based on tasks rather than component functions

• Three scales for each potential error modeLikelihood of occurrence

Severity of outcome

Likelihood of detection/mitigation*

• Scales use nominal anchors

• Goal is to produce ordered list of errors/outcomes*Not part of SMS

4Federal AviationAdministration

What are the objectives of using HESRA?

• Provide tools to support the FAA Safety Management System (SMS)

¬ Safety Risk Management (SRM) component of SMS

−Hazard identification

−Safety risk assessments

−Hazard tracking and risk mitigation

• Provide FAA human factors staff with a method that will allow them to evaluate system design and proactivelypredict elements of design that negatively influence human performance and safety.

• Allow FAA to field better and safer systems that will enhance ATM safety, and improve the ability of maintainers and service providers to successfully perform the job

5Federal AviationAdministration

What does HESRA do?

• Identifies the relative likelihood of particular errors

• Relies on relative, ordinal scaling

• Rank orders error modes

• Identifies critical single component failures

• Can utilize detection/mitigation

• Produces a task breakdown as a byproduct

6Federal AviationAdministration

How does HESRA do it?• Starts with procedural and task breakdown

• Relies on analysts to identify possible error modes

• For each error mode, analysts assign ratings forLikelihood of occurrence

Severity of outcome

Likelihood of detection/mitigation

• Rating scales follow SMS

• Ratings are multiplied to yield Hazard Index (HI) = Likelihood X Severity

Risk Priority Number (RPN) = Likelihood X Severity X Detection can be used to supplement SMS requirements

Error modes are sorted by HI, RPN, or both

7Federal AviationAdministration

HESRA Likelihood Scale

Not likely to occur more than once or twice during the operational life of the system.

Extremely Unlikely(Extremely Improbable)

5(E)

Not likely to occur more than 5-10 times over the life of the system.

Unlikely(Extremely Remote)4(D)

Likely to occur sporadically over the life of the system, on the order of once every 25 times the task is performed.

Occasional(Remote)3(C)

Likely to occur on a regular basis, on the order of once every 10 times the task is performed.

Likely(Probable)2(B)

Likely to occur on the order of once every 3-4 times the task is performed.

Extremely Likely(Frequent)1(A)

Error Likelihood Rating DefinitionCategoryError Likelihood

Rating

8Federal AviationAdministration

Severity Rating Scales (FAA SMS Category Names)

•No injury or equipment damage•No significant effect onosafetyofunction/serviceoschedule

Negligible(No Safety Effect)

5

•Minor injury or slight equipment damage•Work around•Loss of redundancy for a non-critical component•Increased risk of more serious effects•Minimal decrease of safety margin

Marginal(Minor)

4

•Moderate injury or moderate equipment damage•Loss of redundancy for a critical component•Slight increase in maintainer or ATC workload•Decreased safety margin for FAA personnel•Increased risk should additional errors or equipment failures occur•Potential increased stress on remaining functional equipment

Significant(Major)

3

•Serious injury or moderate temporary loss of equipment function•Moderate increase in maintainer or ATC workload•No safety margin for FAA personnel•Potential loss of A/C separation•Brief reduction in local safety margin

Critical(Hazardous)

2

•Serious injury, death, permanent loss of one or more equipment functions•Extended loss of function/service•Major increase in maintainer or ATC workload•Increased safety risk for FAA personnel•Loss of positive A/T control•Extended reduction of safety margin

Catastrophic(Catastrophic)

1

Severity DefinitionCategorySeverity Rating

9Federal AviationAdministration

Detection/Recovery Rating Scales

Immediate, automatic detection and/or recovery

Very High5

Immediate or very quick detection. Recovery requires manual intervention, but is likely to be done before the error causes any operational effects.

High4

Detection and/or recovery occur after a moderate delay, but in time to prevent all but minor effects on the operational system(s)

Moderate3

Detection and/or recovery are delayed until the error causes at least some serious effects on the operational system(s)

Low2

Detection and/or recovery are not likely to occur until the error propagates through the operational system(s)

Very Low1

Recovery Scale DefinitionCategoryRecovery Rating

10Federal AviationAdministration

What do we do with the results?

• Categorize results, e.g.,Slight

Moderate

Severe

Extreme

• Assign actions based on category

Determine how hazards can be managed during Acquisition Management System (AMS) process

Allocate hazard management to system design, procedures, training, etc.

• Commit resources where they will do the most good.

11Federal AviationAdministration

12Federal AviationAdministration

HESRA First Pass

WTMD Concept of Use

• The WTMD weather algorithm will determine which runways will be wake independent for the next 30 minutes.

• Send that information to the tower supervisor’s display.• Exact form of that display has yet to be determined.• If the tower supervisor decides to declare one of the eligible

runways as a Wind Independent Runway (WIR), the runway is selected and designated as a WIR

• Procedures (not yet developed) must be invoked – Updating the ATIS message to reflect the presence of the WIR(s)– Informing the appropriate ATC facilities that one, or more, WIR has

been designated– Verbally verifying with the local controllers that they know about the

WIRs and understand the implications for departure spacing.

13Federal AviationAdministration

WTMD Concept of Use

• If a WIR no longer qualifies as wake independent:– Visual and audio alert will be sent to the tower supervisor’s

display– Visual indication will appear on the local controllers’ WTMD

displays to alert them to the new non-WIR status– When the tower supervisor acknowledges the alert, the audio

portion will be silenced and all displays will revert to their pre-WIR status.

• Once WIR status is withdrawn, departure operations for that runway should revert to standard wake separation rules – When a previously declared WIR becomes a non-WIR,

communication needs to occur among the supervisor, local controllers, centers, and pilots.

14Federal AviationAdministration

HESRA Wake Turbulence

Initial Task Categories

•Start or stop the WTMD system

•Detect, recognize, select WIR(s)

•Communicate that WIR(s) are available

•Clear aircraft for departure with no wake separation

•Detect, recognize, acknowledge that WIR(s) is(are) NOT available

•Communicate that WIR(s) NOT available

•Clear aircraft for departure with wake separation

15Federal AviationAdministration

Human Error Highlights

• WTMD provides for suspending and invoking rules

• Introduces potential for new errors • Consequences of errors vary depending on

outcome of wake turbulence encounter• Identified errors can be mitigated through:

– Proper human factors in system design– Development of procedures– Training

16Federal AviationAdministration

Highlights of Human Errors

• Aircraft on wrong runway cleared with no wake delay– Misinterpretation of display

• Failure to detect that runway is no longer wind independent

• Failure to communicate non-WIR status– Position relief brief– Supervisor distraction

17Federal AviationAdministration

Hazard Index Results

• Assessment of hazard severity was curtailed due to lack of information– Several human error modes could result in a wake

turbulence encounter– Consequences of an encounter were not available at

the time of the analysis• Controller and system SMEs used for the analysis had no

credible basis for making this judgment– At the early stages of system development this may

be a frequent analytical problem– Results of the analysis are still valuable for hazard

management

18Federal AviationAdministration

Mitigation and Hazard Management

• Proper design of display system– Use of audio and visual display alerts

• Alerts should orient toward safety – not capacity– Need redundant displays to allow verification of WIR status by

supervisor and local controller

• Procedures and training to require verification – Readback-hearback procedures within tower cab– Verification of verbal instructions prior to suspending wake

separation rules– Integration of WTMD procedures in position relief– Monitoring of WTMD to assure procedures match runway

status

19Federal AviationAdministration

Conclusions

• Proactive analysis of human error is a viable and valuable tool for hazard management

• Results of the analysis were passed on to the system design and human factors teams

• Tool still needs refinement and validation– Validation trials scheduled– Unclear use of Risk Priority Number (RPN) = Likelihood X

Severity X Detection – How to proceed when severity information is not available?

20Federal AviationAdministration

Next Steps

• Validation trials for HESRA• Tool refinement to finalize and introduce to

SMS toolbox• Follow-up to assure mitigation

recommendations are incorporated– System design– Procedure design– Training