IN THE NEIGHBOURS GARDEN - eurocontrol.int THE NEIGHBOURS GARDEN: ... AMC 25.1309, System Design and...

Boeing Research and Technology EuropeBoeing Research and Technology

EUROCONTROL Safety R&D Seminar, Munich, 21st & 22nd October 2009

IN THE NEIGHBOURS GARDEN: Contrasting Safety Assurance Approaches in the

Flight Deck & ATM Domains

Lars Fucke, New Programs and Safety

Richard J. Kennedy, New Programs and Safety

Boeing Research and Technology Europe

2 / 13EUROCONTROL Safety R&D Seminar, Munich, 21st & 22nd October 2009

_ The ATM Safety Case approachHow is Human Reliability treated in the ATM Safety Case?

_ Airplane Certification and Airworthiness processHuman Reliability in Certification

_ How do the two approaches compare?

_ Challenges of increasing ATM / Airborne integration

Overview



ATM Safety Assurance Approach

Safety Considerations

Operational Concept

Initial Safety

Argument

FHA

PSSA

Implementation

Transfer into Operation

Safety Plan

Project

Safety

Case

UnitSafetyCase

Evidence

Approval

Evidence

Evidence

Evidence

Evidence

Update, if required

Safety Monitoring

Reports

Update

UpdateEvidence

SSA

Integration

Operation & Maintenance

Safety Considerations

Operational Concept

Initial Safety

Argument

FHA

PSSA

Implementation

Transfer into Operation

Safety Plan

Project

Safety

Case

UnitSafetyCase

Evidence

Approval

Evidence

Evidence

Evidence

Evidence

Update, if required

Safety Monitoring

Reports

Update

UpdateEvidence

SSA

Integration

Operation & Maintenance

_ Operator Responsibility

_ Safety Case-based

_ Covering complete system life cycle

_ ESARR 4 compliant

_ Process and Methods proposed by EUROCONTROL ANS SAM

_ Mandatory / Voluntary Occurrence Reports



Human Reliability in the ATM Safety Case

Task Analysis

Human Involvement in Accident Sequences

Error Probabilities

Integral part of failure / event analysis

Quantification of Human Reliability (CARA, etc.)

Detailed Task Analysis

Select GTT EPC

Representation

Detailed Operation/system Description

Problem Scoping

Evaluation

Final document

Remedial Measures

CalculationCalculation

PSF

CARA Process



Airplane Safety Assurance Process

_ Manufacturer responsibility (Type Certification)

_ FAR, CS & national regulations and Means of Compliance (FAR/CS 25 for Transport category)

_ Operators (FAR 125), part manufacturers, maintenance, training organizations and personnel require certification

_ In-service reports to regulator & manufacturer



Safety in Type Certification

_ AMC 25.1309, System Design and Analysis

Fail-Safe Design Concept: redundancy, isolation, proven reliability, checkability, failure warning, crew procedures

Qualitative evaluation of failure condition: effect on airplane, crew and pax

Airplane / system level safety analysis: qualitative or quantitative

Minor?

Similar?

Major? Simple?

Redundant?

Simple & conventional?



How to demonstrate a system is safe?

Effects on _ A/C_ Occupants_ Flight crew

10-5

10-7

10-9

10-3

_ Qualitative

FHA, design and installation appraisal, service history of similar equipment, FMEA, fault trees (redundancy)

_ Quantitative

Fault tree analysis, Markov analysis, system dependency analysis

25.1309: e.g. stall



How is flight crew action considered?

“… quantitative assessments of crew errors are not considered feasible. …”

(AMC 25.1309)

Which tasks?_ Alleviating failure conditions

_ Periodic checks

_ Discovery of obvious failures

Under which conditions?_ Tasks assumable to be executed correctly

(full credit only!)

_ No exceptional skill or strength required

_ Not compromising other safety related tasks

_ Workload and time permits



Design Guidance Provided

_ AMC 25.1309, System Design and AnalysisPresence of suitable alerting indications (additional guidance in 25.1322,

Warning, Caution, and Advisory Lights)Guidance in AFM if not normal airmanshipPlacing and protection of switches (high workload!)Monitoring systems preferred over periodic checks for identification of

latent failures

_ CS 25.1302, Installed Systems and Equipment for Use by the Flight Crew

Human factors guidance on design of controls, displays, systems behavior



How do ATM & airplane approaches compare?

_ Approval to operate, safety case covering complete life-cycle

_ Operator

_ Quantitative Human Reliability assessment

_ Freedom of choice for SSA methods

_ Severity based on effect on ATC / a/c

_ Greater design freedom

_ Certification / continued airworthiness process

_ Manufacturer

_ Full credit for crew actions only (conditions)

_ Guidance on methods and depth of SSA

_ Based on effects on a/c, pax, crew

_ Detailed design guidance

ATM Airplanes



Challenges of ATM / Airborne integration?

ATM AIRCRAFT

Operator OEM

Approval toOperate

Certification

OperationalReporting

ContinuedAirworthiness

Pre-implementation

Post-implementation

EUROCONTROL SRC

EASA

Does increased integration pose new challenges in certification and require increased communication between ANSPs and aircraft OEMs?

Is a harmonization of ATM and airplane regulations required?



We should spend more time in the neighbour’s garden!

IN THE NEIGHBOURS GARDEN - eurocontrol.int THE NEIGHBOURS GARDEN: ... AMC 25.1309, System Design and...

Documents

Transcript of IN THE NEIGHBOURS GARDEN - eurocontrol.int THE NEIGHBOURS GARDEN: ... AMC 25.1309, System Design and...